Computing
Sponsor content: This content has been provided by our sponsors and is a paid advertisement.
  • Strategy

CISOs will use higher budgets to address human error

Three-quarters of CISOs expect their budget to increase this year, and plan to invest in training and visibility after the explosive and uncontrolled growth of IT estates in 2020

Security leaders still consider ransomware to be the biggest threat facing them today, despite a year of social engineering attacks dominating news headlines.

The finding comes from a new report by Proofpoint, drawn from a survey of 150 UK and Ireland CISOs and CSOs. The research also shows that more than half of respondents believe human error is the biggest risk to their business, which raises the question: why ransomware?

It's mostly because the two types of attack are not separate, says Proofpoint Resident CISO Andrew Rose.

"If I want to get into your organisation and commit some really big financial fraud, what I may well do is I would steal some credentials from your organisation, log in as one of your members of staff and then pretend to [be someone] … So, you've stolen an account to start that fraud and you've done that through social engineering … If you want to do a ransomware attack, a good way to do that is to actually steal someone's credentials, log on as them and use their credentials to actually apply malware…

"Social engineering is endemic to both of those attack paths, whether you're trying to steal money or whether you're trying to implement code and put ransomware down there."

Social engineering is widely accepted to be the easiest way into an organisation, which speaks to the success of IT in other areas. Security professionals have done a great job in securing the environments they're responsible for, leaving attackers with one obvious access point.

Still, infrastructure attacks are not unheard of. Criminals were quick to exploit a vulnerability in Pulse VPN last year; but when organisations began to apply patches, they quickly pivoted back to people.

Singling out your VAPs

With the majority of businesses worldwide operating remotely, it has become more important than ever to know who your most at-risk employees are - something more than two in five CISOs struggle with.

Rose advises using a Venn diagram of Vulnerability, Attack and Privilege:

"Who are the staff who are going to constantly click, and who hasn't done their training this year? … You tend to get certain people in certain roles who fit into that, unfortunately: they're the ones who are incentivised to open the things and engage with the emails that come in … So, all that comes into that Vulnerability piece. That's the first piece.

"The Attack piece is quite simply, who gets attacked the most? Because certain people, when you look at the analysis, really do attract the attention of the attackers … That might link back to a very open LinkedIn profile, which says 'I'm head of payroll' or something like that…

"The final piece of the puzzle is the Privilege. So, who has those access rights? Who has access rights to have admin permissions within the system? Who has access rights to the sensitive information? Who's got access to all the financial abilities to pay cheques, pay invoices, etc?"

The people at the centre of the diagram will be the most vulnerable people in your organisation. There is no single way to protect them; one of the 'joys' of security is that the answer to every problem is contextual, and it's up to the CISO to craft a bespoke solution.

Don't call it awareness training

Education is one solution. Only about a third (28 per cent) of CISOs in Proofpoint's survey said they run a comprehensive training programme more than twice a year, although nearly three-quarters (73 per cent) want to improve on the training they offer.

Training is good, but Rose says the language needs to change; referring to it as 'security awareness' is outdated.

"The analogy I constantly use on this one is smoking. Smoking has 100 per cent awareness that it's dangerous for you because it's written on every packet, but still people smoke. So how do you change awareness into behaviour? And how do you change behaviour into culture? That's what these CISOs need to focus on: this isn't about security awareness anymore, it's about behaviour."

Changing behaviour is key to lowering your risk. Social media companies like Facebook and Instagram don't get repeat visitors purely through awareness; they make a concerted effort to change behaviour, to turn visiting a site into part of your day. Awareness is only the first step, and the same applies to security.

"Awareness is the first piece, and it'll give you some return, but don't stop there. So many CISOs do that … You haven't finished, you have to change it and start to call it a culture programme or behavioural programme."

There is good news on this front: three-quarters of CISOs in Proofpoint's survey expect their budgets to rise over the next two years, and half say they'll invest in training as a top priority. Rose also expects a significant investment in consolidation and visibility.

Businesses have undergone dramatic changes since March 2020. Massive cloud adoption, acceleration of digital transformation and - typically - a spike in shadow IT are just a few of the common results. Rose stresses that CISOs cannot and will not rest easily until they're confident that they have control.

"Lots of CISOs have just not got that deeper confidence that everything is done. They've ticked off some of the big risks, but it's like, 'We're not finished here. I need to go back and look at what we did in 2020 and make sure the controls we put in place are still there, they're still working, people haven't bypassed them; that shadow IT hasn't come in and given me a new data feed that I've never seen before, that I've got no control over'.

"If budgets recover in 2021, as we sort of expect them to, I think you'll see CISOs going back and investing in things like data leak prevention and insider threat management, to make sure they've got full visibility of how the organisation's changed in the past 12 months. They'll bring more training back in, and they'll look at compliance issues, as well."

Security is a massively broad area, from the people physically guarding the data centre to the ones building your code base. As the sun begins to peek out and news about the pandemic continues to improve, CISOs and CSOs deserve both time and support to make sure their own reports can be equally uplifting.

  • Topics
  • Strategy
  • Proofpoint
  • Human error
  • CIO Interview
  • Budgets
© Incisive Business Media (IP) Limited, Published by Incisive Business Media Limited, New London House, 172 Drury Lane, London WC2B 5QR, registered in England and Wales with company registration numbers 09177174 & 09178013