Cyber Security: Giving people the power

It doesn’t matter what security tools you have if your behaviours leave you open to breaches – which is why CommSec puts so much emphasis on training and awareness, writes Quinton O’Reilly

John Killilea, security consultant, CommSec

No matter what kind of service you offer, people will always be at the heart of it. Security tools can only go so far, which is why training and security awareness should always be part of any security programme.

Attackers will always find a way around those tools, which is why companies need a good security culture, said John Killilea, security consultant at CommSec. “You can have all the technology in place that you want, but if the user still clicks on a link in an email or still visits those dodgy websites, you’re going to have problems,” he said. “It’s a constant race between the security industry and the attackers. Once new technology is found and implemented, the attackers are immediately finding ways around it, so you are reliant on your users to be part of that process.

“Security awareness and training is a critical part of that – not just what they should do, but why. They have responsibilities to the company to protect their assets; you wouldn’t leave a laptop lying around the place or a company phone, and the same should apply to company information. Users are part of that and they need to be aware that they should be doing their best to secure the company assets.”

One particular problem within the security industry is the over-reliance on passwords to protect accounts. Since the average person has access to numerous accounts, they tend to use simple, easy-to-remember passwords for each of them. The obvious problem with this is that such passwords are easy for an outside party to guess or crack, and overcoming the weaknesses of passwords is something the industry has been trying to do for a while.

“Nobody has solved it properly, but lots of companies are trying to find ways to address that,” said Killilea. “Biometrics is one way. I know companies that have implemented that so they no longer know the passwords for their actual systems, they’re using fingerprint scanners instead.

“Traditionally, users don’t pick strong passwords. There have been numerous data breaches where user credentials have been stolen and put up on the internet. One of the by-products of that is security analysts analysed those data dumps and found the common, bad passwords people use are ‘12345’ and stuff like that.

“It’s clear that passwords don’t provide a good level of security, but unfortunately at the moment, they’re all that’s available to us. Passwords are here for now, but there’s a general acceptance that they’re not the best way to do it, and I think that will change over time. Eventually, passwords will become a thing of the past.”
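One concrete way to act on the point about weak passwords showing up in leaked credential dumps is to screen new passwords against a denylist built from those dumps, and to do it after normalising away the cheap tricks (capitalisation, leetspeak, a trailing year or symbol) that let a user sneak a known-bad password past a naive check. The example below is added here and is not CommSec’s or the article’s own code; the denylist, the 12-character floor and the substitution table are assumptions standing in for a real dump-derived list and a real house policy.

```python
"""Screen a candidate password against a breach-derived denylist.

Added example, not CommSec's or the article's own code. LEAKED_COMMON_PASSWORDS
is a small constructed sample of the 'common, bad passwords' that analysts pull
out of public credential dumps; a real deployment would load a much larger list
or query a breached-password service instead.
"""
import re

# Constructed stand-in for a dump-derived list (assumption, not real data).
LEAKED_COMMON_PASSWORDS = {
    "123456", "12345", "password", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "football", "monkey",
}

# Leetspeak substitutions users routinely apply to dodge a naive denylist.
_LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

# Trailing digits and punctuation ("Welcome2024!") are stripped before lookup.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*]+$")


def canonical_forms(password: str) -> set[str]:
    """Return the variants of a password that should be looked up in the denylist.

    Collapses case, leetspeak and trailing digits/symbols so that 'P@ssw0rd123!'
    is recognised as 'password'.
    """
    base = password.lower()
    stripped = _TRAILING_JUNK.sub("", base)
    forms = {base, base.translate(_LEET), stripped, stripped.translate(_LEET)}
    return {f for f in forms if f}


def password_is_acceptable(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Apply a length floor (12 is an assumed house policy) and the breach screen.

    Returns (accepted, reason); the reason names the leaked password that was
    matched so the user can be told why the choice was rejected.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    hits = canonical_forms(password) & LEAKED_COMMON_PASSWORDS
    if hits:
        return False, f"matches leaked password {sorted(hits)[0]!r} after normalisation"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "Welcome2024!", "correct horse battery staple"):
        print(candidate, "->", password_is_acceptable(candidate))
```

The normalisation step is the part worth copying: a denylist that only matches exact strings rejects `password` but accepts `P@ssw0rd123!`, which any attacker’s wordlist rules will generate in the first second of a cracking run.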

There’s still some way to go before we reach that point, though. Until then, other measures will have to be taken to ensure an imperfect system doesn’t significantly damage a company, because breaches can and will occur.

Breaches are more common than you would think; GDPR has highlighted the issue by requiring companies to notify the Data Protection Commission (DPC) of personal data breaches, generally within 72 hours of becoming aware of them, unless the breach is unlikely to pose a risk to the people affected. While no company is ever 100 per cent secure, you can take measures to keep both the likelihood of a breach and the damage it does as low as possible.

One area that is easily overlooked is third parties. Every business avails of another company’s services, be it as a supplier, trader, manufacturer or service provider, to name a few. If that third party isn’t following proper security practices and gets hit, a ripple effect can occur and anyone linked to it can be put at risk.

“There have been publicly known data breaches in large, well-known companies as a result of a supplier,” said Killilea. “For a supplier, it might be them having access to the network so the company might have a strong level of security, but the supplier didn’t, so the attackers found a way from there to get into the main company.

“When you’re engaging with a supplier and they have access to your network, it’s important to do a security assessment of them or ask them to provide what security controls they have in place to you as part of your engagement. It opens a level of due diligence on the financial side of it so it’s important you do that from a security side as well.”

That overall diligence is the philosophy that drives CommSec and Killilea in particular. At one point, security companies were product-focused: selling a product such as an antivirus or a firewall was the order of the day. That approach is long gone.

“Selling a security product is almost the end of the path in terms of what we do,” he said. “We always look at the customer and see how we can help them, what we can do in the short term to identify any immediate gaps or risks and then how we can help in the long term to plan out their security strategy.

“That’s probably the difference between the MSP and the traditional approach years back where security was very much a product-driven industry selling products and providing services and support around that. Now it’s a more complicated affair where security companies guide you through the various steps from monitoring to availing of a managed Security Operations Centre (SOC).

“We can provide expertise in specific areas of security and then we can also manage products for them, as well as selling to them, we can help them to manage it on an ongoing basis if that’s what they want, and put together an overall plan, leveraging our threat intelligence. So because we’re working with different customers, we can see activity happening in different places.

“If we see something happening on one network with one customer, we’re immediately looking at that across all of our customers, so we’re leveraging that, and that’s something an individual customer can’t do because they don’t have that level of visibility that we have.”
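The cross-customer visibility Killilea describes comes down to a simple correlation loop: an alert on one customer’s network yields an indicator, and that indicator is immediately searched across every other customer the SOC monitors. The example below is added here and is not CommSec’s code. The log format (one proxy-style line per event: tenant, timestamp, source host, destination host, action), the tenant names and the rule that a proxy BLOCK counts as a local alert are all constructed assumptions for the illustration.

```python
"""Cross-customer indicator sweep.

Added example, not CommSec's code. A local alert at one tenant produces an
indicator (here, a destination hostname) which is then swept across all other
tenants' events. SAMPLE_LOGS and the tenant names are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: "<tenant> <timestamp> <src_host> <dest_host> <action>".
# The BLOCK at acme is the local alert; globex contacted the same destination
# and was allowed through, which is exactly what the sweep should surface.
SAMPLE_LOGS = """\
acme    2024-03-01T09:12:03Z ws-17    updates.example.net            ALLOW
acme    2024-03-01T09:12:41Z ws-17    cdn-static.example-files.top   ALLOW
acme    2024-03-01T09:13:02Z ws-17    cdn-static.example-files.top   BLOCK
globex  2024-03-01T09:40:19Z laptop-3 mail.example.org               ALLOW
globex  2024-03-01T10:02:55Z laptop-3 cdn-static.example-files.top   ALLOW
initech 2024-03-01T10:15:07Z srv-db-1 updates.example.net            ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<tenant>\S+)\s+(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<action>\S+)$"
)


def parse_logs(text: str) -> list[dict]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def local_alerts(events: list[dict]) -> list[dict]:
    """Assumed local detection rule: a destination the proxy blocked is suspicious."""
    return [e for e in events if e["action"] == "BLOCK"]


def sweep_indicator(events: list[dict], indicator: str, origin_tenant: str) -> dict:
    """Find every other tenant whose hosts contacted the indicator.

    Returns {tenant: [source hosts]} excluding the tenant where the alert fired,
    since that tenant already knows.
    """
    hits = defaultdict(set)
    for e in events:
        if e["dst"] == indicator and e["tenant"] != origin_tenant:
            hits[e["tenant"]].add(e["src"])
    return {tenant: sorted(hosts) for tenant, hosts in hits.items()}


def correlate(text: str) -> dict:
    """Run local detection per tenant, then sweep each indicator across all tenants.

    Returns {indicator: {other_tenant: [hosts]}}; an indicator seen nowhere else
    maps to an empty dict, so a caller can distinguish 'swept, clean' from 'not swept'.
    """
    events = parse_logs(text)
    findings = {}
    for alert in local_alerts(events):
        indicator = alert["dst"]
        findings[indicator] = sweep_indicator(events, indicator, alert["tenant"])
    return findings


if __name__ == "__main__":
    for indicator, exposure in correlate(SAMPLE_LOGS).items():
        print(indicator, "->", exposure or "no other tenant affected")
```

The point a single customer cannot replicate is the `sweep_indicator` step: globex never blocked anything and has no alert of its own, yet it is flagged because acme’s block turned the destination into an indicator worth checking everywhere.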