The expert view: Staying one step ahead of the hackers
1 May 2018
Cyber security threats are fast moving and ever evolving, said Raj Rajamani, of SentinelOne, introducing a Business Reporter breakfast briefing at London’s Savoy Hotel. Companies must be alert to new threats, such as attackers seeking to hijack computers to mine cryptocurrency, while still maintaining defences against long-established attack vectors.
Mr Rajamani asked attendees, all senior business executives, how they stay a step ahead of the attackers in the modern cyber security world.
Attendees agreed that emerging threats are a concern. One, from a market-leading global corporation, was increasingly concerned about the risk from nation-state attacks. Citing the recent warning from the National Cyber Security Centre on the threat of cyber-attacks from Russia, he said the links between some governments and organised crime were a concern.
Other attendees agreed. One, from the banking sector, said her company had begun to look at the risk of being the victim of ‘collateral damage’ in a nation state attack aimed at causing economic disruption.
The ongoing expansion of cloud services presents security challenges of its own, many of which can be avoided with appropriate planning. An executive from the legal sector said that cloud services are often extremely secure, but companies often overlook the fact that applications running on them might not be.
Though it seems obvious, it is also vital to check the terms and conditions before moving anything to the cloud. One attendee said that his company, in the health sector, had required a cloud service to change how it operated before they could sign up because regulations prohibit them from moving data outside of the UK. Another attendee warned that, with some suppliers, it is important to check that you still retain full ownership of your data once it is on a cloud service.
Remote working is another trend bringing emerging challenges, often because companies have not considered its full implications. The recent extreme weather conditions in Britain made it impossible for many call centre staff at one attendee’s company to get to work. However, they couldn’t work from home either because the company had not given them the necessary access – which was a corporate culture decision as much as it was a security one.
Often, it takes an incident for companies to realise that they have a problem. A delegate said that he often found that his board had difficulty understanding the need to protect against a threat unless it had already caused a problem. They tended to dismiss threats that they had not experienced first-hand.
Most delegates deal with that by running test scenarios in which senior management must roleplay their responses to a simulated event. The ideal format is to have an external facilitator run this because that person will be more comfortable putting board members on the spot and keeping them focused on their decision making.
An attendee told how, in one exercise, they had hired an actress to mingle during a security awareness event and approach staff members, pretending that she knew them. In around eight out of 10 cases, she was able to get them to divulge personal information.
Training and awareness are part of the picture, but it is also vital that the security team has a good feed of incoming intelligence. Increasingly, sorting through this information is becoming a job for machine learning; such is the growing speed of attacks that all attendees said they are already looking at machine learning as a first line of threat defence.
Even small actions can be effective in terms of threat intelligence; for example, simply telling senior executives that you are aware of a new threat and formulating a response can reassure them and prevent further questions.
That said, most of those at the briefing said security professionals must focus on improving their communication skills. The most successful CISOs are those who can talk the language of the business – often because their background is with the business and not IT.
When security specialists do communicate, they are too often negative, said attendees. Being ‘metric obsessed’, as one delegate put it, and focusing purely on attacks prevented is not always the best way to communicate with the business. Better, they suggested, to focus on what has been enabled.
On a more practical level, attendees agreed that security professionals need to stop sending emails with links in them because, having spent so much time training colleagues not to open links in emails, this sends a confusing message.
Overall, having the right tools is just part of the process of staying a step ahead of the attackers. An effective CISO also needs to plan the right training program, talk the language of the business and stay abreast of emerging threats. These tasks are not getting easier.