As the threat landscape becomes ever more varied and innovative, human error and ignorance among the workforce are leaving enormous gaps in organisations' defences, a conference of UK senior IT security staff has heard.
Setting the scene at the Directors’ Cybersecurity Masterclass, held at BT's London HQ, Phil Swindle, VP of security architecture at BT, said that the threat landscape had changed significantly over the last year, with the telco experiencing a spike in attempts to cause P1 (the most serious category of) incidents. BT, he said, was under attack from three main sources: hacktivists, cyber-criminals and state actors. This had led the company to make a commensurate and ‘significant’ investment in its own security capabilities, an investment in excess of those currently being made by the companies who rely on BT to defend them from the same or similar threats.
Martin Smith, founder and chairman of The Security Awareness Special Interest Group (SASIG) and organiser of the event, urged delegates to shift gear in how they protect their businesses, especially in the wake of the successful attack on TalkTalk in the UK. Yet he warned that firms should not simply rush out and buy more technology in order to gain added protection.
Instead he argued that human error and ignorance among the workforce were leaving enormous gaps in those defences. “Cybercrime is not a tech issue; it’s a business issue,” he said. “There is too much focus on technology and too much reliance on IT departments. Cybercriminals’ greatest strength is that we all believe what we are told. The vast majority of breaches and events occur at the most basic level of defences and most attacks succeed by subverting physical security.”
For Smith, the key was to shift the focus to personnel-related issues; he described dealing with insider threats as “the final frontier in cybersecurity.” He added: “There is a lack of focus on people issues at the heart of our problems with security; your security department should be your entire workforce. Often it is the breach of trust that we must fear, not the breach of security. Security should influence every stage of the employment lifecycle.”
Taking up these issues in a panel of senior security managers from the UK and North America, Richard Starnes, CISO of Kentucky Health Cooperative, told delegates that security had to be ‘the way we do things round here’. Yet he cautioned delegates about where they went looking for solutions. “One of the problems with security is that everyone wants a silver bullet: there is no such thing,” he remarked.
Starnes also advised delegates to be wary of being reassured by compliance. “The US federal government is no good at information security, yet they are writing frameworks,” he stated. “If you take a look at all of the companies recently breached, almost all were compliant. Compliance is like nailing jelly to a wall.”