Intelligent CISO Issue 30 | Page 53

COVER STORY

have things like COVID happening and all of the social anxiety that comes with that, such as financial pressures and job insecurity. This gives the attacker the great advantage right now of being able to create emotional situations where people will switch off logic and immediately click and open an attachment, because they're worried.

However, the cloud intensifies this. When you move to the cloud, the data moves outside of your perimeter. So, you have to visualise that all these great data assets you have are currently within your organisational perimeter. If you make a mistake, the worst thing that can happen is you've left this database unsecured; however, it's not so bad because everybody within your perimeter is a trusted individual. When you start to move data into the cloud, suddenly that same misconfiguration leaves that data open to everybody on the Internet and that's a very different proposition. So, you have to be really careful with databases, with file sharing and all those aspects of human collaboration, because it's now outside your perimeter.

If attackers can steal your credentials and steal your identity, they'll sail right past your encryption and right past access permissions. This is why we talk about staff becoming the new enterprise perimeter. The problem now is that using social engineering to steal identities gives attackers straight access to the data – they can then monetise that and use it for their own profit, or use it against you as an organisation.

How would you define people-centric security?

Fundamentally, it's recognising that people are the new enterprise perimeter.

Commonly, a security manager would look at their organisation and understand that they have controls in place, such as firewalls, intrusion detection, anti-malware and backup. These take a lot of feeding and watering, a lot of configuration to make sure they're secure and working properly. However, the attacker realises there's no point bashing their head against these controls, or pulling up zero-day exploits to try and get in. They look at the people who use this technology and do their research – rather than trying to scan all your firewalls, they will try and identify the people in your organisation who perhaps have access to critical data and start to use social engineering attacks against them, because if they can steal the identity, they can access the data.

Defenders also need to think about people-centric security and how they defend the identities of their organisation and staff. That's what the people-centric story is about – ensuring that the defenders start to consider protecting the people because that's the new perimeter.

How would you advise that CISOs take a people-centric security approach?

More than 99% of attacks now require human interaction – attackers need someone to click on a link or open an attachment. Therefore, there's a huge part that your staff can play in defending your organisation. For an organisation to focus on people-centric security is to start initially thinking about email, because that's where the vast majority (94%) of these threats come from. Step one is to stop all attacks coming in via email.

Step two is to educate your staff. And this is not just about security awareness.

The example I commonly use is smoking – a pack of cigarettes has 'smoking kills' written on the side, so everybody buying cigarettes knows the dangers involved. They have 100% awareness and yet still, people smoke. It's not just about awareness, it's about behaviour. It's about going beyond just having a security awareness campaign.

The final step of that journey is about protecting the data wherever it may be, on premise or in the cloud.

How can CISOs instil a security culture in their organisation?

It begins with buy-in from the top. If your CEO isn't representing good security behaviour, nobody else will. And then it's about communicating all the right things to do. It's about why it's important and what can happen if you don't follow it, and about reinforcing communication with continual drip-feed, with triggers to remind people to do the right thing.

People want to do the right thing, but they often focus on just doing the job, which can deviate from security best practice. So, you need to keep reminding them to do the right thing and remembering the messages you've instilled in them by triggering them. Continual reinforcement of the message is the way to slowly turn that ship around and build that strong security culture.
www.intelligentciso.com | Issue 30