Blaming employees for a cyber security attack is toxic

CIOs and CISOs need to move on from the way cyber security has been done for the last 50 years.

CIOs and CISOs have a lot on their plate right now and a lot of things to think about. But security is more than just some ransomware or encrypting a file on someone’s device; if left unchecked it can impact the whole business.

According to VMware's 2020 Australian Cyber Attack Landscape report, the pandemic has only exacerbated cyber security needs.

In a survey of 250 CIOs and CISOs, respondents reported an increase in both cyber attack volume and breaches during the past 12 months in Australia. This has prompted increased investment in cyber defence, with Australian businesses using an average of more than eight different cyber security tools, the survey found.

According to the CIO/CISO respondents:

  • 94 per cent said attack volume has increased in the last 12 months.
  • 96 per cent said their business has suffered a security breach in the last 12 months. The average organisation said it experienced two breaches during that time.
  • 88 per cent said attacks have become more sophisticated.
  • 96 per cent said they plan to increase cyber defence spending in the coming year.
  • OS vulnerabilities and third-party application attacks were the leading causes of breaches, each at 18 per cent, followed by web application attacks.
  • Australian companies said they are using an average of seven different security technologies to manage their security program.

Kevin Reed, chief information security officer at Acronis, told CIO Tech Asia that security is now a "real measure of business continuity".

"If you don't do your security properly, you can negatively affect your whole business," he said. "This is not a minor thing, it's really critical for many, many organisations, because it is so essential to them now that they just cannot afford any more to be complacent."

Reed said organisations now depend on their systems functioning properly, and it has become critical for CIOs, and anyone else in the company, to make sure those systems keep running.

"[If] it [cyber security] doesn't work, you cannot do business anymore," he said. "When I was on the IT side, my job was to ensure — and it was my main responsibility — to ensure that the service keeps running no matter what — whether this is a hacking attack or the datacentre runs out of electricity/fuel and is not powered anymore.

"From the business perspective, as soon as it affects a business, this is then a business issue, not the making."

Reed has 20 to 25 years of experience in security and IT infrastructure in general. Before joining the cloud backup and recovery company, he was CIO at e-commerce platform Lazada, where he was responsible for the IT infrastructure.

"I think the important challenge that I face, and I see this from both sides of it, is that it's very hard for many organisations to properly incorporate security into all processes that they have," he said. "Whether it's mapping out operations or even high-level business decisions. In some organisations security is an afterthought and because of that, they fail to adequately protect their networks or their systems."

Reed said that when it comes to cyber security, what matters is not the "attack itself" but its consequences. If an IT system is destroyed, you cannot provide services anymore; whether you're a government or a private organisation, normal operations can't continue.

According to Reed, confidentiality is also a noticeably big issue in cyber security. "For example, espionage exists in cyber security," he said. "It's a big problem, and it's a problem for government organisations and commercial entities, where espionage exists as well.

"Some companies may decide to steal proprietary information. We've seen situations where an IT company's source code was compromised and then leaked to external parties. It was always by a malicious attacker."

However, Reed believes there's no "secret sauce in IT security at all". Even with advanced artificial intelligence and machine learning in place for cyber security, close to "80 per cent" of attacks, and definitely more now, occur because someone received an email, clicked on the link, and the whole company was attacked.

"I'm rather unorthodox here in a way that I think this perception of people as the weakest link is wrong," he said. "I am a cyber security professional with 20 years of experience, but even for me it is very hard sometimes to distinguish the real email from a phishing one, and I spend my life looking at them."

According to Reed, blaming people whose main job is not distinguishing phishing emails is "just toxic". "You can't simply expect people to do that," he said. "Like you can't expect me to run a marathon in one hour and set a world record if I have only trained for two hours for it."

Reed said the industry must realise that the people who send out phishing emails and hack into corporations spend their daily lives finding ways to "polish" their techniques.

"[Cyber criminals] are not a mythical thing. These are real people; they have real families; they studied somewhere; they live somewhere; they have their apartment; and they probably have to pay their bills," he said. "These are real people who make this their day job. They spend eight hours or 10 hours a day trying to work out how to make you click a link."

Reed said the security industry in general "just places the bar too high" by blaming the end user, and that it shouldn't expect people to "run a marathon in one hour".

"As an industry we're in bad shape when it comes to antivirus protection spending," he said. "But it will get much better. Look at spam: it was a gigantic problem back in 2000. Now spam is largely a solved problem. I see current challenges like phishing being worked on, and eventually AI/machine learning will develop to be mature and useful for end users."

For CIOs and CISOs, Reed believes it's important to start rethinking cyber security policies.

"[Take] passwords for [example], I have spent the past 20 years using password protection. It is now at 22 or 24 word/characters," he said. "At Acronis we migrated from the idea of using passwords to using passphrases instead. Instead of telling people that they must use a random password that they cannot remember, I now go out and tell our employees: don't do that; use a passphrase — choose four words or five words. It's much easier to remember and is equally secure."
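To put numbers behind the "four or five words is equally secure" claim, here is an added example (not code from the article or from Acronis) that compares the entropy of a word-based passphrase with a random character password. It assumes a 7776-word list, the size of a standard diceware list, and 94 printable ASCII characters for the random password; the short word list inside the block is constructed for illustration only.

```python
import math
import secrets

# Constructed sample word list; a real diceware-style list has 7776 entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "granite", "ocean", "lantern", "velvet"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of `symbols` independent, uniform picks from `choices_per_symbol` options."""
    if choices_per_symbol < 2 or symbols < 1:
        raise ValueError("need at least two choices and one symbol")
    return symbols * math.log2(choices_per_symbol)


def random_chars_needed(bits: float, alphabet_size: int = 94) -> int:
    """Shortest random password over `alphabet_size` characters that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words uniformly with a CSPRNG; repeats are allowed so the entropy maths stays exact."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare(word_count: int, wordlist_size: int = 7776) -> dict:
    """Entropy of a passphrase and the random-character length that matches it."""
    bits = entropy_bits(wordlist_size, word_count)
    return {
        "words": word_count,
        "bits": round(bits, 1),
        "equivalent_random_chars": random_chars_needed(bits),
    }


if __name__ == "__main__":
    # Four words from a 7776-word list match an 8-character random password;
    # five words match a 10-character one, and are far easier to remember.
    for n in (4, 5):
        print(compare(n))
    print(generate_passphrase(5))
```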

Reed said the security industry made a few "silly decisions back in the 70's" and, 50 years later, it is still using those same methods.

"We will need to concede at some point we are past best practices," he said. "We now know more about attackers. We also now know how to protect ourselves from them. My problem is CIOs and CISOs make decisions based on their company's compliance framework. These were designed in the 90's, but the whole industry has shifted. The cloud as a term did not exist; back then it literally meant a cloud in the sky."


Back then, and even up until recently, the big thing was protecting the perimeter, which meant having the best firewalls and putting in intrusion detection systems, said Reed.

Then COVID-19 came and everyone is working remotely, a concept that existed before but only on occasion.

"[The] fancy firewall that you spent thousands or hundreds of thousands of dollars on is no longer of use. Now you need to protect your endpoint," he said. "This doesn't have to be inside of your perimeter because no-one works in the office."

According to Reed, an Acronis survey found 50 per cent of all global businesses admitted they weren't ready to switch to remote work and had their IT security affected.

"I feel like [remote working] [lock-downs] is going to be the pattern until 2021, or at least until we get a vaccine and 70 per cent herd immunity," he said. "We as CIOs/CISOs need to adapt our organisations to this new reality. That means providing home protection for the end user and teaching them about cyber security. We should be responsible for that as well."

Reed recommends CIOs/CISOs address all Five Vectors of Cyber Protection – safety, accessibility, privacy, authenticity, and security of data – something all cyber security vendors are starting to lean towards.
