Showing posts with label User Training.

Tuesday, 27 September 2016

CLOUDSEC takeaway – Cyber security is not just an IT issue [Link - Trend Micro Blog]

After attending CLOUDSEC 2016, I was asked to create a guest blog on the Trend Micro blog site, including standout statistics and take-away lessons: http://blog.trendmicro.co.uk/cloudsec-takeaway-cyber-security-is-not-just-an-it-issue/

===========================

With a fantastic turnout at CLOUDSEC 2016, attendees comprised security and IT practitioners from numerous industries. Despite these varying sectors, one thing became abundantly clear: the same issues are keeping IT security professionals awake at night – securing cloud environments, securing privileged access accounts and user education.


Many enlightening statistics were shared. Trend Micro’s research found that in the last two years, 44% of UK businesses were hit by ransomware attacks, and a third (33%) of their employees were affected by the infection. We also heard that over $2.3 billion was lost to phishing attacks over the past three years (FBI), though the real figure is likely to be higher.

While this makes the somewhat abstract world of cyber threats very real indeed, if there’s one point to take away from CLOUDSEC, it’s that cyber security isn’t just an IT issue. When the entire workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced.

Everyone needs best practice training 

Organisations can defend against cyber-attacks; they don’t have to be victims. While in any organisation the CIO ultimately takes responsibility for cyber security, the rest of the organisation needs to accept responsibility too and not just shrug their collective shoulders. Regardless of seniority, companies should invest in best practice training when using a corporate network.

Best practice knowledge should percolate through the entire organisation from board directors, to employees and IT people involved in daily operations. It should explain why businesses have approved channels for storing data, the risks of using personal cloud storage platforms for data storage, and the need to question email content if it arouses suspicion – even if it’s from the CEO’s office.

Employees must understand the importance of cyber defences within the context of the business and how to safeguard against internal and external intrusions. Are they aware of the importance of setting difficult-to-crack passwords, and do they understand that reusing variations of an existing password in other parts of the network is a source of vulnerability? Do they know that in the last six months or so, ransomware attacks have spiralled as ransomware-as-a-service kits became commonplace on the dark web?

Serious business implications

The whole organisation must realise the possible business implications of a major hack – spiralling revenues, lost customers and plummeting share price, and this could all happen well after the event. Furthermore, jobs could be on the line if declining income hits the business badly.

Despite the growing evidence suggesting otherwise, many organisations still believe they won’t be hacked. With that said, however, if cyber security education is a part of the organisational culture, the chances of a serious breach are dramatically reduced.

Wednesday, 21 September 2016

The Right Train of Thought [Link - Computing Security]

I was asked to contribute to an article for Computing Security, focusing on how an effective cybersecurity strategy must include employee training: http://www.btc.co.uk/Articles/index.php?mag=Security&page=compDetails&link=7074

===========================

INSIDER THREATS

Any effective cybersecurity strategy should include information about how employees can safeguard against, not only external threats, but insider threats too, cautions Andrew Tang, service director, security, MTI Technology. "It also needs to include perimeter protection, but, as companies are increasingly working with cloud-based solutions, remotely and from various devices, it also needs to be sophisticated and fool-proof. Companies should invest in training all employees, regardless of seniority, on best practice when using a corporate network.

"Staff should understand how to protect against internal and external intrusions, as well as how to stay safe when accessing and sharing sensitive corporate data, opening emails from non-trusted sources and why businesses have approved corporate channels for storing data. It shouldn't just be a case of setting procedures and guidelines; staff should understand the consequences and risks of misuse or misjudgement when accessing corporate networks," he says.

"Employees should also be educated on the importance of password setting, as those that use a variation of the same password across different platforms leave the network vulnerable to attack. IT can also implement two-way authentication to add an extra layer of protection," adds Tang. "While the CIO should ultimately be responsible for implementing and monitoring employee guidelines and policies around cyber security, they should work closely with the HR team and heads of departments to ensure that safe computer usage becomes company culture. When a workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced."

Tuesday, 10 May 2016

User education and management - ‘10 Steps to Cyber Security’

The government's ‘10 Steps to Cyber Security’ guidelines flag user education as a vital component in any security policy, focusing specifically on acceptable and unacceptable behaviours. In fact, we think education provides the building blocks for good security.

User education is about raising awareness of the risks and dangers that can arise from a slack approach to security. This can be anything from bringing USB sticks into the workplace and plugging them into computers, to a lack of understanding about social engineering and phishing.

The weakest link

Within this context, the weakest link in the business can be employees that lack IT security knowledge. Leading-edge technology can be irrelevant if employees are not aware or educated on a comprehensive security policy. 

Spear phishing attacks, for instance, can be particularly damaging. A few years ago, RSA, a high-profile security company, was breached in a spear phishing attack and its cryptography keys were compromised.

The company was breached after attackers sent two different targeted phishing emails to four workers at its parent company, EMC. The emails contained a malicious attachment that was identified in the subject line as 2011 Recruitment plan.xls. One of the recipients eventually opened the infected spreadsheet that led to the breach. In this respect, education is crucial. 

Do not avoid awareness 

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. However, that didn’t matter. The malware had been unleashed. Once a spear phishing email makes it through filters and other similar technologies, the user element really comes into play, which is what the hackers were depending on.

When educating users, awareness is only the first step. Training is also needed: it provides people with a fixed body of knowledge on which they can be tested.

Strength in depth

Training can take place in incremental steps or be focused on specific business requirements. It doesn't need to be a sweeping one-size-fits-all programme; it can be bespoke, targeting a specific department or focusing on remediating certain behaviours.

One thing is certain: a trained and educated workforce will dramatically reduce the chances of your organisation ending up as headline news or seeing its valuable customer information for sale on the dark web.