Are cybersecurity risks increased by our new work culture?
Much has been written recently on the cybersecurity risk of remote working; larger attack surfaces, a more informal environment and increased threats were all contributing factors.
This is an edited version of an article that originally appeared on Robert Demi.
While some people think our work environments are now more vulnerable, others point out that companies are improving at preventing attacks. The truth is probably somewhere in the middle, but it’s clear that the inherent cyber risk has increased.
According to an Interpol study in August 2020, “a further increase in cybercrime is very likely in the near future”. The influential law enforcement body also suggested that remote working vulnerabilities would be exploited by cybercriminals. Businesses are responding quickly to this perceived threat. A recent survey of Robert Demi revealed that 44% of CTOs believe “maintaining IT security” and “protecting company information” will be a priority in the first half of 2021.
This rapidly changing situation presents challenges for everyone. On the one hand, security officials are able to tackle these issues with a growing list of technologies at their disposal, but on the other hand, the threats they face are evolving and changing all the time. This means that it is increasingly difficult for them to understand how well their businesses are protected; filling in the gaps and fighting fires will not get them far.
Facilitate understanding of cybersecurity
The key to helping everyone move forward is to phrase these challenges in language that makes sense to business leaders, not just tech professionals. The industry is very good at talking about cybersecurity in terms of products and solutions, but assessing risk through the eyes of people or, more specifically, ‘threat actor characters’, can help everyone better understand risks in a more human-centered way.
Internally, it is common for well-meaning users to bypass controls in order to be able to do their jobs; for example, if someone wants to send a large document to a client, they will likely find a file transfer service to do the job, but it might not be secure. In addition, opportunistic insiders are sometimes too happy to undermine security, but are not so criminal that they would bypass established controls. In situations where these controls are missing, however, they will see a green light. An opportunistic insider wouldn’t take ten pounds out of someone’s wallet, but he could keep the money if it was lying on the sidewalk.
External threat actors range from the more sophisticated, such as organized crime syndicates, to the unsophisticated, who use well understood but easily detectable methods. Most managers expect to be hit by sophisticated attacks because they are highly coordinated and more difficult to protect against, but lower-level phishing scams and malicious URLs can also create a lot of noise for businesses if they are not processed quickly.
Our experience shows that businessmen, the real owners of risk, engage much better with these personas than with technical concepts like the “kill chain”. Once these players are understood, defining risk scenarios and acting on them becomes much easier.
From understanding to action
At this point, a company’s risk assessment becomes a framework to help it move forward; by discovering and defining the problems, it is possible to develop and provide the right solutions. This could include providing new technology to help remove noise from external threats, but it could also include new controls that also help change the behavior of people within companies.
Once business leaders understand how threat actors work and how they impact real issues like confidentiality, integrity, and availability, it’s easier to think about security differently. When they explore these challenges in different teams, it can be engaging and productive for everyone; it also means that the case for change is made with the whole business in mind.
As businesses navigate the changing cybersecurity landscape, it’s important for them to frame their challenges in language business leaders can understand. Threat actor characters and storylines shatter the perception of security as a specialist subject and build team buy-in. Business leaders can bring in people to help them do this and work with security professionals to help transfer the knowledge and improve the skills of others, creating an opportunity for shared understanding and greater awareness in the future.
In a world where cybersecurity threats evolve rapidly and professionals are in high demand, this people-centered approach is helping more people understand the risks businesses face – and ultimately enables them to move forward together.