We have set the bar too low in favour of usability over cybersecurity
The cybersecurity threat is present and growing. If you work in cybersecurity, it’s your job to work with IT to build the necessary moats around systems to protect the enterprise. But I have real concerns that the cyber criminals are winning the battle. There is a lot of focus on training users to enable them to spot phishes. This is time well spent – after all, the Nash Squared Digital Leadership Report found that there has been an 83% rise in phishing attacks – but you have to realise that user training on its own is never going to solve the problem. There is always someone in the business whose job it is to take attachments from people they don’t know, after all. As a cybersecurity consultant, I’ve run many simulated phishing attacks and I’ve been able to get in almost every time. For a sophisticated attacker, it is child’s play in many cases.
Systems are more important than people
The key lies not in relying on your people, but in your systems. There are some clear and simple rules that I always recommend organisations follow. Firstly, you need a robust set of email security validation standards. These come turned on by default in systems such as Microsoft 365 and Gmail – so don’t turn them off. They apply checks such as determining whether an email genuinely came from the sender it claims to be from.
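As an added illustration (not from the original article) of what those default email validation standards give a mail system to act on, this Python snippet reads the SPF, DKIM and DMARC verdicts a receiving server records in the Authentication-Results header and decides whether a message has verifiably come from the domain it claims; the header values and domains are constructed.

```python
"""Evaluate the authentication verdicts (SPF, DKIM, DMARC) that a receiving
mail system records before a message reaches a user's inbox.
Added example, not from the original article; all header values are constructed."""
import email
import re
from email import policy

# Constructed samples in the Authentication-Results format (RFC 8601).
PASSING_MESSAGE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: Alice <alice@partner.example>
Subject: Invoice

body
"""

SPOOFED_MESSAGE = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.test;
 dkim=none; dmarc=fail (p=reject) header.from=partner.example
From: Alice <alice@partner.example>
Subject: Urgent invoice

body
"""


def parse_auth_results(raw_message: bytes) -> dict:
    """Return {method: result} from the first Authentication-Results header."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header = msg.get("Authentication-Results", "")
    results = {}
    # Clauses are ';'-separated; the first clause is the authserv-id, so skip it.
    for clause in header.split(";")[1:]:
        match = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if match:
            results[match.group(1)] = match.group(2)
    return results


def should_deliver(raw_message: bytes) -> bool:
    """Deliver only when the sending domain is verified. DMARC ties the SPF/DKIM
    results to the visible From: domain, so a DMARC fail means the message did
    not come from who it claims to be, however convincing the From: line looks."""
    results = parse_auth_results(raw_message)
    if results.get("dmarc") == "pass":
        return True
    # No DMARC verdict: accept only if both underlying checks passed.
    return results.get("spf") == "pass" and results.get("dkim") == "pass"
```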
Secondly, you need strong controls around the user’s ability to execute attachments. Users should never be able to execute an attachment by clicking on it – clicking should open it in a viewer instead. Yet this is something that few organisations follow. You also need good ‘Generation 3’ software with endpoint detection and response (EDR) or extended detection and response (XDR) capability on the desktop, to minimise the risk of users actually executing malware delivered through an attachment.
It goes without saying that businesses also need top-tier anti-malware and antivirus software in their desktop environments. Unfortunately, many organisations are still using malware protection products that essentially date from the 1990s. Hackers are continually working on and testing their attack tools and can find loopholes in old defences. You really have to ensure that you are using updated and modernised antivirus software.
Then there is control over what users can install. You can’t let users download any application they want from the internet into your corporate environment. So don’t ever give general users administrative privileges – it’s one of the first things hackers look for. Again, this is something that few organisations follow rigorously enough.
Alongside this, you need application controls in place: software running on your systems that allows only approved executables to run. But I’ve seen this not being sufficiently followed even in the biggest corporate organisations. They may have elaborate and sophisticated cybersecurity programmes in place – but still have far too lax a policy around users downloading applications.
Correcting the usability/security balance
It all comes down to the balance between the user experience and cybersecurity. I fear that the bar has fallen too low. The pendulum has swung too far towards the user. CISOs need to exert their influence to get the balance redressed. Of course, every business wants to support a good user environment and not slow down work and productivity by having too many checks and barriers. But the measures I’ve outlined above won’t have a great impact on most users. They will only have a significant effect on people who are downloading applications and software from the internet and outside sources very frequently. For them, practical solutions can be agreed. The measures just make good security sense.
It’s all part of taking a threat-based approach. See the threats and act on them. I always ask my clients – have you done all the things possible to minimise your risk from hacking? The answer has to be yes!
More incursions than we know
Otherwise, organisations are likely to fall foul of the two main threats. The first, and biggest, comes from external attackers. Ransomware attacks have become a big problem; I see a couple of cases every month among my clients. But attackers are also trying to get in so they can exfiltrate data and information and sell it on the dark web. This is where we’re really losing the war, because often the cyber criminals are getting in and organisations aren’t even aware. There are far more attacks going on than we know. Criminals are gaining access, using the user’s privileges to move around inside systems, then exfiltrating data over a path that the company already uses – so they don’t see it. Organisations don’t have good logging to spot or track misuse; where they do have good logging, they may not actually be looking at it. I’ve known instances here in the US where the first a business has known of it is when the FBI have come to them and said: “Is this data yours? It’s for sale on the dark web…”
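An added example, not from the article, of the kind of logging check that would catch the pattern just described: constructed web-proxy log lines for a destination the business legitimately uses, with each user’s daily outbound volume compared against their own median so that a day that stands out is flagged rather than lost in normal traffic.

```python
"""Spot data leaving over a path the business already uses (here, the web proxy)
by comparing each user's outbound volume against their own baseline.
Added example, not part of the original article; the log lines are constructed."""
from collections import defaultdict
from statistics import median

# Constructed proxy log lines: date user destination bytes_sent
# The destination is a sanctioned service, so per-destination blocking would not help.
PROXY_LOG = """\
2022-03-01 bob sharepoint.example.com 1200000
2022-03-02 bob sharepoint.example.com 900000
2022-03-03 bob sharepoint.example.com 1500000
2022-03-04 bob sharepoint.example.com 1100000
2022-03-05 bob sharepoint.example.com 4800000000
2022-03-01 carol sharepoint.example.com 300000
2022-03-02 carol sharepoint.example.com 350000
2022-03-03 carol sharepoint.example.com 280000
2022-03-04 carol sharepoint.example.com 320000
2022-03-05 carol sharepoint.example.com 330000
"""


def daily_outbound(log_text: str) -> dict:
    """Sum bytes_sent per (user, date) across all destinations."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        date, user, _dest, sent = line.split()
        totals[(user, date)] += int(sent)
    return totals


def flag_exfiltration(log_text: str, factor: float = 10.0) -> list:
    """Return (user, date, bytes) for any day whose volume exceeds factor times the
    user's median daily volume. The median is used as the baseline so that one
    huge day does not drag the baseline up and hide itself."""
    totals = daily_outbound(log_text)
    per_user = defaultdict(dict)
    for (user, date), sent in totals.items():
        per_user[user][date] = sent
    alerts = []
    for user, days in per_user.items():
        baseline = median(days.values())
        for date, sent in sorted(days.items()):
            if sent > factor * baseline:
                alerts.append((user, date, sent))
    return alerts
```

Real deployments would keep a rolling baseline over weeks and record which destinations the volume went to, but the principle is the same: the log has to exist, and something has to read it.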
The second threat is your own people. Not so much malicious insider activity (which in my experience is actually relatively rare), but much more frequently human error that leads to people mistakenly sending sensitive or confidential data outside the organisation. That’s why controls over data protection and distribution are so important.
I worked for 30 years at the Central Intelligence Agency (CIA) and was honoured to become the CISO. It was a big responsibility – but in many ways I was onto a good thing. I had a very closed environment to manage, users who were generally willing and accepting of the need for security, and a large (though not unlimited) budget. Commercial CISOs have it tougher: they have a more open environment, less willing and accepting users, and tight budgets to work within.
But they simply have to rise to the challenge. Cybersecurity is an ongoing battle. You can never relax your defences. The CISO has to keep working with the organisation to ensure that bar stays as high as it can be.
Biggest challenge, biggest opportunity
I’m staying with the cyber theme because that is how I view the world after 38 years in security! The biggest challenge facing the tech sector is that if we don’t change the trajectory of the cyber threat, technology will hit a wall because people will simply no longer trust it. I support the introduction of legislation to hold manufacturers of computer software and hardware more accountable and responsible for security. They have to do more to keep security high and the attackers out. I’ve briefed US Congress on this. But I’m not sure legislation will ever happen.
There is a positive I can point to, though – the cloud. If they do it right, organisations that move their systems to the cloud have the opportunity to dramatically increase their security. It can be an opportunity to take a ‘greenfield’ approach and start again. To their credit, I’ve seen a number of organisations that have done a great job moving to the cloud and making themselves significantly more secure.
This article was originally published in The State of Digital 2022 and is part of the Digital Leadership Report series. Other articles in the publication discuss a CIO's remit, talent attraction, diversity, and ESG in IT.