
Interview: Understanding the cyber resilience strategy

March 1, 2019 • Features, Security, Top Stories

Senior Vice President and General Manager at Mimecast Limited, Michael Madon

Technology has become deeply ingrained in our lives. The way businesses handle the risks posed by their technology is changing. As with anything, adaptability is survivability.

Cyber resilience is a set of practices and perspectives that mitigate risk within the processes and workflow of normal operations in order to protect organisations from their own technology and the people who would try to exploit it.

Senior Vice President and General Manager at Mimecast Limited, Michael Madon, gives insight into some of the concerns around data security and the importance of a cyber resilience strategy in the cloud.

What are some of the cyber-security trends that we need to look out for in 2019?

In 2019, attackers are likely to shift their attention away from large enterprises that can afford and are starting to implement comprehensive cybersecurity, to smaller businesses and industries with historically lean IT. The small business sector is attractive for their IP, cash flow and relatively limited security maturity, making it easier to breach their defences. In a similar vein, larger companies in lean IT verticals like manufacturing and construction may have the scale but are not as likely to have a comprehensive cybersecurity apparatus in place.

Criminals also realise that targeting a large, well-protected organisation doesn’t only mean that their efforts are likely to be wasted because security is more advanced, but if a threat is stopped, the security team could very well publicise the threat, making the criminals’ tool sets worthless. That’s not to say that enterprises are off the hook. Organisations with advanced IT infrastructure are increasingly becoming targets for state actors.

At the tactical level, existing attack methods, such as phishing, will be made even more effective thanks to improved social engineering and better data correlation. Flawless phishes are likely to give business owners sleepless nights, intensifying the need for awareness training to fix gaps in the human firewall.

What are the biggest cyber threats that we need to take precautions against?

Research shows that human error is involved in 90%+ of all security breaches. So, the biggest threat to your organisation isn’t a specific attack method, it’s your well-meaning employee who makes a simple security error and lets the bad folk in. Cybercriminals know this, and they will target your employees aggressively and from many angles. The attack vectors like phishing, impersonation fraud and ransomware have become so advanced and so sophisticated that it’s becoming increasingly difficult for the average user to identify an attack.

Despite the most advanced protections that can be put in place, despite the best threat intelligence that can be brought to bear, organisations remain vulnerable because of their employees’ basic lack of security awareness. However, it is possible to raise awareness, to create an engaged and responsible workforce and security culture, to bolster your defence by creating a “human firewall.”

The problem is most security awareness training programs just don’t work. It’s in the design. Overwhelmingly, if companies have a program in place at all, it’s once-off or irregular, boring and can be described as a tick-in-the-box for compliance purposes. Security awareness needs to be ingrained into an organisation’s culture. Employees must know what to do, care enough to improve, and then do what’s right when it matters. So, the most important thing is to make training engaging and persistent.

Why is it important for government CIOs to invest in cybersecurity and data analytics in 2019?

A succession of high-profile government data breaches has cast a stark light on the importance of effective public sector cybersecurity policies and protections. Without fully functional public institutions such as revenue collection, freight handling, military defence, and social grant disbursement, governments will find it hard to instil confidence among their various stakeholders, and service delivery to citizens, businesses and public institutions will be impeded.

Government should prioritise cyber resilience as the first line of cyber defence. Cyber resilience refers to an organisation’s ability to continue to operate or deliver services despite adverse cyber events. And its first port of call in this regard should be greater awareness among its hundreds of thousands of employees regarding the different types of cybersecurity threats, how to spot them, and how to prevent them.

Data analytics, but more specifically threat intelligence, has become an essential weapon in the cyber war. There is so much data available to help understand which threats exist and how they’re evolving. But without action, this data is useless. Being actionable means understanding data and using that information to increase the ability to be cyber-resilient. It’s a lens to future threats and a means to be preventative. The key to actionable threat intelligence that matters is to keep it simple—ignore noisy feeds that don’t have value and apply context to your organisation.

What advice would you give to the end user in securing their cloud?

  • Be suspicious by default. When faced with something fishy (pun intended) Stop. Think. Verify. Don’t trust any email and look out for warning signs. Look for spelling errors, check the sender’s address to make sure it’s legitimate and don’t click on links within emails – rather go directly to the website.
  • Be password smart – don’t re-use passwords across multiple services
  • Use two-factor authentication (2FA) wherever possible: This makes it harder (but not impossible) for criminals to use your username and password against you if your credentials have previously been stolen.
  • Don’t store confidential information – or any company data for that matter – in a public cloud. These cloud platforms are understandably prime targets for criminals because of the vast amount of data they hold, and you don’t want to risk having valuable company data breached because of a poor decision you made.
  • Always be cyber-aware. Cybersecurity is not only the responsibility of your IT team, it’s everybody’s responsibility and users need to make sure security is constantly top of mind. Cybercrime doesn’t only have consequences for your company; it can impact you personally as well. The attitude around training needs to change from one of compliance to one of commitment where security is part of your life.

How can organisations raise awareness and training for staff to ensure that cyber protection and data security are maximised?

Security training typically fails because it doesn’t reflect how people work and learn today. It’s delivered too infrequently, it’s long, dull, dry, and boring and employees often feel targeted, rather than supported. When training is unengaging and unenjoyable, people don’t learn. If they are not armed with the knowledge of what to look out for and what to do when the situation arises, they will make mistakes.

Organisations should consider a solution like Mimecast Awareness Training. The programme uses a continuous, virtuous cycle that changes behaviour and lowers risk. The foundation of the platform is engagement through humour, which is the key to improving awareness and knowledge. Only by getting employees to understand both what’s at stake and what to do about it can you change their attitudes and drive a lasting, positive shift in security culture. To accomplish these objectives, Mimecast Awareness Training focuses on four key areas.

  • Engaging training – video-based training modules developed by professionals from the TV and film industry are delivered to all users monthly. These 3 to 5-minute video-centric modules take a best-practice, “micro-learning” approach, driving retention by delivering persistent learning in manageable and digestible blocks. Core to training is humour. The videos are built to be informative but also fun. Rather than being threatening they’re funny and employees look forward to training, rather than dreading it. They will pay attention and most importantly, they will learn.
  • Real-world testing – regularly evaluates employees and tracks indicators across the three root causes of human error – knowledge, awareness, and attitude. These tests are used to assess how seriously employees take security; assess their knowledge of the concepts each training module delivers, which reinforces key concepts; and test how well they can spot a phishing email with real-life examples of phishing attacks.
  • Employees and company risk scoring – lets you focus on the greatest areas of risk and need by using a predictive model to determine who your riskiest employees are based on both behaviour and how likely they are to be attacked. Armed with this information, you can direct training resources to those who need it most, dramatically improve outcomes, and substantially reduce risk.
  • Custom, personalised training and other remediation – Based on individual employee profiles, training can be delivered with more regularity, and behaviours can be flagged so your team can provide one-to-one coaching when needed. Customised scenarios can be created to continuously assess and train high-risk employees, and system permissions can also be adjusted for those who don’t respond well to training.

With cyber attacks becoming more sophisticated, how can organisations ensure that they best secure their data?

Organisations need to ensure that their entire IT infrastructure is protected with effective and layered security solutions. And with email being the number-one vector used to execute cyberattacks like malware delivery, phishing, Business Email Compromise, and for spreading threats that are already internal to an organisation, protecting this vital business application is a non-negotiable.

The only way for organisations to get ahead of cybercriminals and holistically protect their business is to adopt a new approach to email security. It’s time to accept that a defence-only security strategy is no longer enough and will lead to consequences like intellectual property loss, unplanned downtime, decreased productivity and increased vulnerabilities. Organisations need to embrace Cyber Resilience for email. This includes having:

  • An understanding of emerging threats and how companies are remediating.
  • The right security services in place before an attack happens – focused on prevention as well as those focused on adapting after an attack happens.
  • A well-trained, cyber-aware workforce.
  • A durability plan to keep email – and business operations dependent on email – running during an attack or failure.
  • The ability to recover data and other corporate IP after an incident or attack occurs.

The ability to adapt to continually evolving and escalating cyber threats is critical, but it’s a task made immensely challenging by a global shortage of skilled security professionals. This places the spotlight on end-user training: without the relevant security skills in place, it becomes even more important for cybersecurity to be a shared responsibility across the organisation.

By Neo Sesinye