When conversations about technology come up between the IT security pros working on the ground and company executives, there's often a massive disconnect – neither party knows how to fluently speak the other's language.
The IT administrator will talk about the benefits of a particular technology – its features and requirements – but all the C-suite really wants to know is how that technology stops bad things happening and affects the management of risk that could impact the business.
This has been a problem for years. Gartner VP and Fellow Ken McGee, who interviewed thousands of C-suite executives as part of a study, concluded that IT pros and executives aren’t on the same page. He compared the disconnect to carbon dioxide, in that it's "odorless, colorless and killing [his] clients." It’s a problem that many organizations don’t know exists. What's really striking is that the stakes for collaboration between the two parties have never been higher, yet the problem still goes unseen.
It’s been pointed out that as soon as Target CEO Gregg Steinhafel resigned following the company’s historic data breach, the relationship between all CEOs and IT, particularly CIOs, forever changed. It showed that CEOs and CIOs are now jointly responsible for devising an IT strategy, and both will endure backlash if something goes wrong. As one executive recruiter told the Wall Street Journal, "Boards expect that CEOs will no longer keep CIOs at arm’s length and say ‘I’ve got somebody who does that'."
With that in mind, here is some advice to help IT pros on the ground and the C-suite start to speak the same language, specifically as it relates to email security:
To the IT Team: Avoid 'Bottom-Up' Warnings
Gartner's Chief of Research, Risk and Security Paul Proctor says that many IT security pros get into trouble when they're so focused on the granular elements of security – what upgrades may need to be made, what security failures they need to avoid – that they fail to see the big picture and the actual impact on the business as a whole.
As Proctor describes it, this "bottom-up" form of communication might start with a security officer telling a CEO something like, "If we don't patch vulnerabilities, then that's going to be bad for business." From the CEO’s perspective, what this statement doesn't do is frame the importance of patching within the larger context of the business. It fails to connect that best practice and its actual impact on the bottom line.
When it comes to email security specifically, perhaps instead of just urging a CEO to adopt Targeted Threat Protection and multi-layered malware protection, an IT security pro may want to explain that, by one widely cited estimate, 91 percent of all hacks begin with email-based phishing, and then mention the specific consequences of a breach – the costs associated with detection and clean-up, further breach mitigation, notification of customers and clients, reimbursements for damages, and the long-term reputation damage.
That’s the type of big-picture language that will be better understood by the CEO and C-suite.
To the CEO and Board Members: Look Beyond IT and Build a Culture of Security
Whenever there's a security failure, it's natural for the CEO to assign blame to the IT team, the staff members closest to the breach. The problem is that successful attacks can originate from plenty of other sources outside of the IT department.
It's up to senior management to ensure that security becomes entrenched in the culture of the company and isn’t solely the responsibility of IT. The IT team may operate the email security tools, but the burden of prevention ought to be shared by all.
Cyber-criminals are more sophisticated than ever – they look for, and are often able to exploit, any weakness. If IT and the executive aren’t speaking a common language, it makes cyber-criminals’ efforts to detect vulnerabilities that much easier. By presenting a united front, businesses are better able to keep the organization safe.
To learn more about email security, please view our on-demand webinar, “The Human Firewall: Strengthening Human Security.”
Question: what’s happened between this year’s IP EXPO Europe and last year’s? Answer: the security arms race has gone into overdrive.
Twelve months seems a short time, but in that period attack techniques have matured markedly – hackers now regularly employ sophisticated social engineering techniques in email and instant messages to trick staff. The payload is also becoming more varied, with a renewed focus on weaponized attachments used to infiltrate organizations.
So, what’s the next step to protect your organization?
Neutralizing these relentless and sophisticated attacks demands a deep commitment to security. It means investing in the right technology of course but I believe that it's employees who could be the strongest allies of IT managers in fighting back against these threats.
We have seen this before. The security and intelligence services rely on sophisticated surveillance technology but the vigilance and support of the general public is a key line of defense in the battle against terrorists and criminals.
Comprehensive and regular employee awareness programs are an important line of defense in an organization. Building this human firewall will be one of the themes I’ll be addressing in my presentations at IP EXPO this year.
I’ll also be focusing on how migrating to Office 365 presents an opportunity but also significant risks that need to be considered.
Details of my two presentations are below:
- ‘Office 365: Risk or Reward? Or Both?’ at 1:00 pm on Wednesday the 7th of October in the Network & Cloud Infrastructure Theatre
- ‘What's Stopping You Being the next Big Data Breach?’ at 1:40 pm on Thursday the 8th of October in the Cyber Threat Protection Theatre
If you'd like to find out more, drop in to see us (Stand #CC19, in the Cyber Security Europe section) to talk about the risks surrounding on-premises and Office 365 email infrastructure. You can register here for free (a saving of £35) if you enter your details before 7.00 pm, UK time, on Tuesday the 6th of October.
When it comes to enterprises finding innovative ways to neutralize widespread email-based attacks, I’ve made the case before that it's employees – the same “weak links” who unknowingly click on malicious email URLs and attachments – who could actually be the strongest allies of IT managers in fighting back against these threats.
There’s one caveat, though. The “human firewall” will not be as successful if employees are merely aware that email-based threats exist. Attackers know employees either don't care about cybersecurity or don't know enough to ward off threats, which is why spear-phishing and social engineering attacks continue to be so effective.
To explore the problem further, last week I hosted a webinar, "The Human Firewall: Strengthening Email Security," where I was joined by Mimecast Product Manager Steve Malone and Forrester Research Analyst Nick Hayes.
Here are three takeaways from the webinar:
1. Shore Up Your First Line of Defense
Picture your cybersecurity infrastructure. At the core is all the sensitive data you're trying to protect. The first line of defense should be your cybersecurity technology. This is critical. Technology is not a security guarantee, but if you have the right controls in place, like Targeted Threat Protection, then fewer threats will actually break through.
This is important because your next line of defense comprises your employees – the “human firewall.” If your technology is working correctly, employees won’t be overwhelmed by a wave of continuous threats; they'll be less likely to fall victim to the few that may enter your infrastructure.
2. Appeal to Employees' Ability and Motivation
So, what happens when a threat actually does reach your “human firewall”? Whether your employees recognize it and react correctly depends on how well they were trained.
To illustrate how to educate employees, Nick gave the hypothetical example of a mobile phone ringing and explained there were two reasons why someone wouldn't answer it – either they didn't have the ability to do so (too busy) or didn't have the motivation (just didn't feel like talking).
Applying the example to cybersecurity training, "ability" refers to whether employees have learned how to recognize and respond to threats, while "motivation" refers to whether they understand the consequences of whatever action they take, right or wrong.
The best training stresses both, and does so in compelling language that employees will remember.
3. Link Desired Behaviors to Necessary Knowledge
Once employees understand the threats they face, the next step is to teach them new behaviors. To get to that point, employees need context. You first have to identify the current behaviors putting your organization at risk. This could be, for example, clicking on malicious links or attachments.
Once those behaviors are clear, determine the desired alternatives. So, instead of clicking on a malicious link, you'd want your employees to recognize a link or attachment as suspicious and flag it to the IT department. By working backwards from that point, you would know exactly what knowledge about email-based threats you need to impart to your employees.
The Writing is on the Firewall
While it may seem farfetched that IT departments can build a savvy, well-trained army of cyber defenders from the same employees who previously snuck shadow IT into the workplace and jeopardized enterprise security, the process works. We've seen the technology and the “human firewall” go hand-in-hand to protect organizations that were previously vulnerable. And it can work for your company too.
To learn more, please play our on-demand webinar, "The Human Firewall: Strengthening Email Security."
It’s long been said that when botnets first appeared, they were the first usable forms of cloud computing. Now with hindsight they fit the NIST definition of cloud computing very well and have become rapidly scalable and on-demand.
More recently criminal malware has taken a turn towards being more akin to enterprise-grade software through its entire lifecycle. It’s not unusual to find your rental of a botnet now comes with 24x7 support and channel reseller margins. Buying exploit kits, renting botnets, and using enterprise-grade cloud technology, Crime-as-a-Service (CaaS) has become part of the latest breed of XaaS, offering the same benefits of cost and complexity reduction as well as lower barriers to entry. Using CaaS gives anyone an instant criminal business model in the cloud.
CaaS has been given much publicity since the 2014 Internet Organized Crime Threat Assessment (iOCTA) report from Europol described the commercialization and availability of the technology and how it’s impacting legitimate enterprises in real time.
The rise of CaaS is another step on the roadmap of the crimeware that has been instrumental in many of the most recent attacks, where Zeus and its variants like Citadel and Gameover have led to significant loss of data. What we know today is that CaaS is starting to have its own marketplace, run by well-organized criminal mega-gangs; support contracts for purchasers are not uncommon, nor are healthcare and pension plans for employees.
This threat takes how we think about our own protection to a new level. The high-profile breaches of the last twelve months all managed to evade well-known or best-of-breed corporate defenses, so it’s no surprise that enterprise IT managers and CIOs are starting to lose sleep over their next big breach. In many cases, this fear is born of a realization that platforms like CaaS have advanced more rapidly than the protections they have within their own environments.
Targeted Threat Protection is once again at the top of the agenda for C-level managers, as well as for those who deploy and run the technology. The sophistication of the attacks means we can no longer sit back and wait for our protection to do its job. We all need to become much more actively defensive – not offensive, but active in our defenses.