Faced with daily threats, it is perhaps understandable that many businesses think that cyber security is a technology problem, and thus one with a technical answer.
The problem is, it’s not necessarily so: security consists of both technical issues and people. John Killilea, technical director of managed security provider CommSec, said that both matter, but that it cannot be viewed simply as an IT issue.
“It’s the people side more than anything. Anyone can buy the tools we use, but they need to do it properly. You maybe have an IT team that is doing a lot of different things, but only monitoring for an hour a day. What we offer is a dedicated team.”
Killilea is not dismissing the need for keeping up to date with technology; simply stating that they need to be properly deployed and used in an effective manner with the tools aiding the security professionals.
“Definitely you need tools to be able to do it. There’s too much information to look at yourself,” he said.
The tools produce output, especially as artificial intelligence (AI), has begun to be applied to cyber security, but they need to have a person at the helm.
“There’s definitely a large human element: tools will categorise threats as low, medium or high, but it requires a human to check it, to verify it,” he said.
The right service for the client
Ask anyone in the sector today and they will tell you that the days of traditional anti-virus (AV) software being sufficient protection are long behind us.
The question then is, what comes next?
Killilea said that the only reasonable answer is to use the software, which is improving incrementally, in a strategic manner and to take the question of security seriously.
“I can’t see a breakthrough in terms of someone coming up with a new kind of software solution that just gets rid of the threat. It will be a case of the security companies coming out with better tools as well as greater awareness in companies of the threats, senior level recognition of the threats,” he said.
Many businesses today have a chief information officer at board level, and this has helped bring the security issue to the top table, but many organisations still need to do more to think about business risk.
“PCI compliance and GDPR help, but you also have to understand the business risk. It’s more than an IT problem,” he said.
CommSec’s typical customers are businesses with around 100 to 500 users. This, said Killilea, is because of the nature of how different business sectors approach security in today’s environment: an environment of feast and famine. It’s a feast for the criminals, and a famine for anyone wanting to hire in-house cybersecurity staff.
“We do have customers that are smaller, but from a managed services point of view it would typically be aimed at that size [of business].
“If you go to the very top end, the big international banks, they would have their own people and can compete with the likes of us to get the right people. Smaller businesses can’t,” he said.
Killilea said that one emerging area that is important for CommSec is “threat hunting”.
“A piece of malware could sit there for months gathering information. With threat hunting, we’d try to stop the attacking from happening,” he said.
This more active approach to security is intended to make sure that malware doesn’t sit undetected.
“If you look at data breaches in the past, the time between the attack starting and being deleted could be weeks or months. In the case of the Sony breach, it was nearly a year. There’s a definite need of better monitoring. We’re trying to find things before something happens.”