PREDICTIVE INTELLIGENCE
“My mandate was to do everything
necessary to protect the university
community,” the Head of Information
Security reported. “We invested in
technological solutions, but with 30
years of IT experience, I know that
you need to invest in people, not just
processes and technology. You need to
make them human firewalls.”
He added: “Look at it this way. You can
put five locks on your door, but if you
leave the keys under the doormat, the
locks don’t do much good. Fortifying the
human firewall is my utmost priority. The
human element is the most important
part of your defence.”
“Hey, is this the right payment?”
The cyber-programme director of
a multinational utility echoed these
remarks. “My CISO often states that if
he had to cut all of his budget, down to
the bare bones, all that he would choose
to spend on would be awareness and
response,” he said.
“We had a scenario where, all the way
up to the CEO, they were ready to make
a treasury payment until somebody
finally picked up the phone and said,
‘hey, is this the right payment to be
made?’ And it was blocked.”
Referring to constant changes in attack
techniques and the need for defensive
adjustments, he added, “I’m reminded
of a quote from Alice in Wonderland,
when the White Queen was saying, ‘In
order to keep up, you have to run as
fast as you can.’”
Removing phishing emails
‘sometimes in five or 10 minutes’
An operational risk consultant with a
global financial company shared with us
an example of employees helping the
SOC stop phishing threats in minutes.
Kamel Tamimi, Principal Security
Consultant, Cofense Inc
“I don’t think security is going to be
improved by the next best technology we
put in place, whether it’s an appliance or
a firewall or something that blocks at the
proxy,” she said. “For example, we had a
Word document with macros slip through
our filters, so we just need to teach the
humans that own our email addresses to
be extra-vigilant.”
She continued: “We see some
departments reporting as high as 60%
in phishing simulations, but they also
report [real] malicious emails that go to
our cyberdefence teams – and they get
them out of the network sometimes in
five or 10 minutes.”
“That’s a return on investment.”
Noting the futility of investing in
technology while users remain untrained,
a cybersecurity awareness evangelist
at one of California’s largest companies
said: “In one corner you’ve got US$10
million in defence perimeter equipment
and on the other side, of course, you’ve
got ‘Dave.’ A machine cannot apply a
non-linear approach to a problem. A
machine is just conditioned to do one
thing. But a human being with instinct
can make decisions that are a lot more
intricate.”
His company too relies on employees
to report actual phishing threats. “Last
month, we saw 33 reported threats
come into our IR inbox,” he said.
“When you consider that a breach
could cost six million dollars, that’s a
return on investment.”
“What did you do to prevent this?”
The last word comes from another global
financial company: “To not focus on
phishing would be pretty negligent on
any company’s part,” said the company’s
Issue 10 | www.intelligentciso.com