Cyber-security means empowering staff — right down to the caretaker
THE castle wall — the ultimate in safety and protection. And not just as a medieval fortress. For many years now, the castle has been used as a metaphor to teach the basic concepts of cyber-safety and security. But such a simplistic approach to cyber-security is no longer appropriate, now that cyber-attacks are not just happening more frequently but are also becoming more sophisticated.
“The method of getting into the castle is different, it’s no longer the front door,” said Joseph Carson, cyber-security strategist at Thycotic, which is a provider of privileged account management (PAM) solutions.
“The new cyber-security perimeter must incorporate an identity firewall built around employees and data using Identity and Access Management technology controls, which emphasise the protection of privileged account credentials and enhancing user passwords across the enterprise with multi-factor authentication.”
Once hackers are in, though — whatever the route — it would seem that they go for some of the fastest and easiest targets.
Recent research from Thycotic shows that these targets are often privileged accounts.
According to the firm’s 2017 Black Hat survey of 250 hackers, carried out to get their perspective on what works and what doesn’t when it comes to protecting critical data, one third of them choose privileged accounts, while 27pc said that getting access to email accounts was the easiest way to unlock sensitive information.
“Privileged accounts are the keys to the kingdom, whether it’s a business or personal. We’re talking about key information, the Coca Cola secret sauce.
“Depending on the type of company, it could be customer lists, IP, credit card information.
“Whatever it is, it’s the core information that enables an organisation to keep running.”
In addition, the same survey showed that 73pc of hackers found that traditional perimeter security, like firewalls and antivirus, were now irrelevant or obsolete.
According to Carson, the traditional view that cyber-security was the responsibility of the IT department is no longer true; nor is it fair.
“From the boardroom down to the front office and/or janitor, anyone who has access to technology is responsible,” he said.
“And the most sensitive information needs the most aggressive form of protection.
“We look at setting boundaries but the approach is wrong. It should be twofold — both data-centric and people-centric.
“While many companies have taken some security steps, we need to stop making software like it’s 1999.”
According to Carson, data-centric means understanding what data is of value to the company and understanding that value. What is the core?
But the approach must also address the key role that employees can play in the detection and awareness of cyber-security, he explained.
While the same Black Hat survey showed that 80pc of hackers blamed humans for security breaches, Carson added that employers have to take responsibility and support their staff.
It is, he said, incumbent on employers to remember that staff are also victims when hackers hit and organisations have to empower and enable their workers, rather than punish them.
“We must increase our cyber-security awareness to help us protect and secure both our personal assets and our company assets.
“The time for a people-centric cyber-security approach is now, which means that cyber-security is everyone’s responsibility,” he said.
“The protection and security of employees’ work and personal lives are no longer separate. They have been intertwined with evolving trends of social networks, the internet of things and unlimited connectivity.”
Carson is just one of the speakers at Dublin Information Sec 2017 cyber-security conference, which takes place on November 1 at the RDS.
He will address The Anatomy of a Privileged Account Hack, detailing the process hackers use to breach the traditional cyber-security perimeters of organisations, from SMBS to the enterprise.
Other speakers include: Jeanette Manfra, the US assistant secretary for cyber-security; Brian Honan, chief executive at BH Consulting; and Bradley C Birkenfeld, banker and whistleblower. Dublin Information Sec 2017, Ireland’s cyber-security conference, addresses the critically important issues that threaten businesses in the information age. For more on INM’S Dublin Infosec 2017 conference, go to: independent.ie/infosec2017