Cyber-security means empowering staff — right down to the caretaker

Sunday Independent (Ireland) - Business & Appointments - FRONT PAGE - Ailish O'Hora

The castle wall — the ultimate in safety and protection. And not just as a medieval fortress. For many years now, the castle has been used as a metaphor to teach the basic concepts of cyber-safety and security. But such a simplistic approach to cyber-security is no longer adequate, now that cyber-attacks are not only happening more frequently but are also becoming more sophisticated.

“The method of getting into the castle is different, it’s no longer the front door,” said Joseph Carson, cyber-security strategist at Thycotic, a provider of privileged account management (PAM) solutions.

“The new cyber-security perimeter must incorporate an identity firewall built around employees and data using Identity and Access Management technology controls, which emphasise the protection of privileged account credentials and enhancing user passwords across the enterprise with multi-factor authentication.”

Once hackers are in, though, whatever the route, they appear to go for the fastest and easiest targets.

Recent research from Thycotic shows that these targets are often privileged accounts.

According to the firm’s 2017 Black Hat survey of 250 hackers, carried out to get their perspective on what works and what doesn’t when it comes to protecting critical data, one third named privileged accounts as their preferred target, while 27pc said that getting access to email accounts was the easiest way to unlock sensitive information.

“Privileged accounts are the keys to the kingdom, whether it’s a business or personal. We’re talking about key information, the Coca Cola secret sauce.

“Depending on the type of company, it could be customer lists, IP, credit card information.

“Whatever it is, it’s the core information that enables an organisation to keep running.”

In addition, the same survey showed that 73pc of hackers regarded traditional perimeter security, such as firewalls and antivirus, as irrelevant or obsolete.

According to Carson, the traditional view that cyber-security is the responsibility of the IT department alone is no longer true; nor is it fair.

“From the boardroom down to the front office and/or janitor, anyone who has access to technology is responsible,” he said.

“And the most sensitive information needs the most aggressive form of protection.

“We look at setting boundaries but the approach is wrong. It should be twofold — both data-centric and people-centric.

“While many companies have taken some security steps, we need to stop making software like it’s 1999.”

According to Carson, data-centric means understanding what data is of value to the company and what that value is. What is the core?

But the approach must also address the key role that employees can play in detecting and raising awareness of cyber-security threats, he explained.

While the same Black Hat survey showed that 80pc of hackers blamed humans for security breaches, Carson added that employers have to take responsibility and support their staff.

It is, he said, incumbent on employers to remember that staff are also victims when hackers strike, and that organisations have to empower and enable their workers rather than punish them.

“We must increase our cyber-security awareness to help us protect and secure both our personal assets and our company assets.

“The time for a people-centric cyber-security approach is now, which means that cyber-security is everyone’s responsibility,” he said.

“The protection and security of employees’ work and personal lives are no longer separate. They have been intertwined with evolving trends of social networks, the internet of things and unlimited connectivity.”

Carson is one of the speakers at the Dublin Information Sec 2017 cyber-security conference, which takes place on November 1 at the RDS.

He will address The Anatomy of a Privileged Account Hack, detailing the process hackers use to breach the traditional cyber-security perimeters of organisations, from SMBs to the enterprise.

Other speakers include: Jeanette Manfra, the US assistant secretary for cyber-security; Brian Honan, chief executive at BH Consulting; and Bradley C Birkenfeld, banker and whistleblower. Dublin Information Sec 2017, Ireland’s cyber-security conference, addresses the critically important issues that threaten businesses in the information age. For more on INM’s Dublin Infosec 2017 conference, go to: independent.ie/infosec2017
