Strategies CISOs need to put in place to deal with a rising volume of attacks were discussed by a panel of security leaders during a webinar. Set up by cybersecurity firm F-Secure, the session was built upon the latest findings from its CISOs’ New Dawn report, which surveyed 28 senior information security leaders across the US, UK and Europe about how their roles have changed as a result of the COVID-19 pandemic.
The discussion began by highlighting how cyber-criminals have ramped up the targeting of employees since the shift to remote working during COVID-19. Indeed, the report found employees were the most popular attack vector in the past year. Marc Ashworth, CISO at First Bank, explained that a lot of these attacks were based around phishing, and therefore investing in email security and stepping up training exercises for staff is critical. At First Bank, he said controls have been introduced recently “to help signify an external email versus an internal email,” alongside other help for staff in detecting potentially malicious messages.
Michael Greaves, security advisor, managed detection and response at F-Secure, noted that while these kinds of preventive steps are important, even with the best will in the world, organizations have to accept there is a high likelihood of mistakes being made when it comes to phishing. “Things are going to get past those controls and you want to have something in place to stop the consequences of that leading to a mass incident across your environment,” he outlined.
Focusing on staff and the security culture within an organization is the most important aspect, according to Chani Simms, SHe CISO founder & CEO. “Often I see the problem lies with people, right from the leadership level to employee level where there’s a lack of awareness,” she noted. To address this, awareness training has to be conducted regularly to engender the right security culture. “You can’t just have one security awareness session a year and then think your security is going to be better,” she stated.
The technological investments needed to protect organizations in the current threat environment were also highlighted by the panel. Simms emphasized the importance of opting for a secure-by-design strategy, which means that when building an IT infrastructure, “you have to think of security in every layer.” She added: “if you don’t build your IT infrastructures securely, problems can happen.” It is also about creating platforms that ensure when a breach occurs, there are other controls that stop it getting worse.
In the view of Erka Koivunen, CISO at F-Secure, managed detection and response (MDR) technology is a vital component of security by design. “It nicely completes the security control framework because it provides me with visibility to those dark spots,” he said, adding it enables the “same visibility a potential attacker has to my estate.”
Ultimately, when deciding upon the right security technologies to invest in, Ashworth emphasized the importance of CISOs assessing a range of factors relating to the individual circumstances of their organization. “It’s about measuring the risk and the cost benefit,” establishing “where are those gaps that you might have in your organization that can cause the risk and weighing that from a budget standpoint to determine where you need to allocate those limited funds,” he explained.