Assume breach in the hybrid working age

Security leaders from across sectors joined a roundtable this month to discuss the new realities of cyber risk in a hybrid working world where breaches must now be assumed

It is now clear the end of the pandemic will not see a return to the working models of the past, as organisations work on designing new hybrid working practices. Exactly how that is defined differs from company to company. For the security experts who participated in this roundtable discussion, it’s the cyber risk implications of this shift that matter most.

The pandemic meant the need to access data at all costs, remotely and via the cloud, was suddenly a matter of business survival. In many companies, it even changed the perception of what data is, as the mindset of security departments evolved from needing to secure all endpoints, servers and devices, to recognising a new reality where the device is merely the place where the data sits. The true value is in the data. And even then, the question is no longer just what data is where, but who’s using it, what for and how much are they trusted?

In terms of core infrastructure, even before the pandemic many enterprise organisations were already treating all employees as remote workers, on the cloud, regardless of where they worked. When the perimeter suddenly extended to people’s bedrooms and lounges, however, it exposed the void between technology and culture. With workers likely to be more relaxed, perhaps even careless, when at home, the Covid-19 crisis has presented an urgent need for more persona-based activity around data access, as well as a strong mindset shift driven by education about threats, behaviours and vulnerabilities.

“The perimeter model has been dead for years and arguably so is the model of locking things down,” says roundtable panellist Joseph Da Silva, CISO at Electrocomponents. “We now must assume breaches will happen. Things will go wrong and our stakeholders need to understand we won’t be able to fix everything because this is a risk game. The key now is how do you respond to it and are you prepared? At the moment most of our security models are built from a technology perspective, how do you prevent X and Y? The user is typically a much lower consideration. Cybersecurity has got to become much more human centric at the design stage.”

Achieving that human centricity means building security around humans, not the other way around, and striking the appropriate balance between a frictionless user experience and keeping a necessary level of security and least privilege. It’s a tricky subject, not least because CISOs are now keen to be seen as enablers, not blockers, to the wider business.

Education can minimise human error but not eliminate it altogether, so security measures must still be robust. Equally, however, if users reject a process, it becomes unusable, and constantly prompting employees to prove who they are can soon cause authentication fatigue. Again, getting the right balance requires a different mindset, adopting the thought processes of attackers to think about their lateral movement once they have gained access.

“Once you assume they’re in, it changes the way you think about how to protect the business, and you end up protecting from the inside out rather than the outside in,” says David Higgins, EMEA technical director, CyberArk. “Meanwhile there are things we can do in terms of striking that balance. A lot of consideration has to be had around identities and how they’re used consistently but also securely whilst maintaining user experience. We have to be more intelligent in how we go through authentication, analysing behavioural patterns and using more data sources than the standard username-password combination.”
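The two points above, that prompting users to re-prove who they are on every action causes authentication fatigue, and that authentication can instead weigh behavioural signals and more data sources than a username and password, are what risk-based (adaptive) authentication does in practice. The following is an added illustration written for this page, not code from CyberArk or any of the organisations quoted. It scores a login against a constructed baseline of a user's normal behaviour (known devices, usual countries and hours, time since the last session) and only steps up to a second factor, or refuses, when the score warrants it. The signals, weights and thresholds are illustrative assumptions; a real deployment would tune them to its own telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Constructed baseline of a single user's normal behaviour (hypothetical data).
@dataclass
class UserBaseline:
    known_device_ids: set        # devices this user has previously enrolled
    usual_countries: set         # countries this user normally logs in from
    usual_hours_utc: range       # hours of day (UTC) in which logins are typical
    last_country: str            # country of the most recent successful session
    last_seen: datetime          # time of the most recent successful session

# Context collected for the login attempt being evaluated.
@dataclass
class LoginContext:
    device_id: str
    country: str
    when: datetime
    password_ok: bool            # result of the first factor

# Assumed weights: how much each anomaly adds to the risk score.
UNKNOWN_DEVICE = 40
UNUSUAL_COUNTRY = 30
OUTSIDE_HOURS = 15
IMPOSSIBLE_TRAVEL = 50

# Assumed thresholds: below STEP_UP the login is silent, above DENY it is refused.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def risk_score(baseline: UserBaseline, ctx: LoginContext):
    """Return (score, reasons) for a login attempt judged against the baseline."""
    score = 0
    reasons = []
    when_utc = ctx.when.astimezone(timezone.utc)

    if ctx.device_id not in baseline.known_device_ids:
        score += UNKNOWN_DEVICE
        reasons.append("unknown device")
    if ctx.country not in baseline.usual_countries:
        score += UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if when_utc.hour not in baseline.usual_hours_utc:
        score += OUTSIDE_HOURS
        reasons.append("outside usual hours")
    # A different country than the last session, less than two hours later,
    # is physically implausible and is the strongest single signal here.
    gap = when_utc - baseline.last_seen.astimezone(timezone.utc)
    if ctx.country != baseline.last_country and gap < timedelta(hours=2):
        score += IMPOSSIBLE_TRAVEL
        reasons.append("impossible travel")
    return score, reasons


def decide(baseline: UserBaseline, ctx: LoginContext):
    """Return (decision, score, reasons); decision is allow, step_up or deny."""
    if not ctx.password_ok:
        # The first factor always has to succeed; risk scoring never replaces it.
        return "deny", 0, ["first factor failed"]
    score, reasons = risk_score(baseline, ctx)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed baseline used by the examples below.
BASELINE = UserBaseline(
    known_device_ids={"laptop-01"},
    usual_countries={"GB"},
    usual_hours_utc=range(7, 20),
    last_country="GB",
    last_seen=datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc),
)


def example_logins():
    """Four constructed attempts showing silent allow, step-up and deny."""
    t = lambda h, m=0: datetime(2021, 6, 1, h, m, tzinfo=timezone.utc)
    return {
        "routine": decide(BASELINE, LoginContext("laptop-01", "GB", t(10), True)),
        "new_device": decide(BASELINE, LoginContext("phone-99", "GB", t(10), True)),
        "late_night": decide(BASELINE, LoginContext("laptop-01", "GB", t(23), True)),
        "travel": decide(BASELINE, LoginContext("laptop-01", "US", t(10, 30), True)),
    }


if __name__ == "__main__":
    for name, (decision, score, reasons) in example_logins().items():
        print(f"{name:10s} -> {decision:8s} score={score:3d} {reasons}")
```

The routine login from a known device, in the usual country and hours, passes with no extra prompt, which is what keeps fatigue down. A mild anomaly such as a late-night login still passes silently because one weak signal on its own stays under the step-up threshold, whereas an unknown device triggers a second factor and the combination of an unusual country with impossible travel is refused outright. The reasons list is what a security operations team would want logged alongside the decision.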

Steve Bond, group head of cybersecurity at William Hill, adds: “We’ve got lots of good technical controls and there are lots of technologies out there, but if we want people to start adopting more secure behaviours and practices, we need to think about how we’re asking them to do that. We need to ensure it’s easy for them to do and that it fits with how they work. That is by far the biggest barrier to the adoption of better security practices and controls in William Hill. User experience is the most important aspect of everything we are doing.”

As well as mastering the balance between security and user experience in this new world of assumed breach, which relies on preparedness rather than prevention, CISOs must also act as a cultural change agent across the business. Departmental silos are a cybercriminal’s best friend, so security leaders must transcend the entire organisation and playbook the scenarios for a real business recovery, not a security recovery, in the event of a cyber attack. The close alignment between the security and business strategy is absolutely fundamental.

“I often hear people ask: how are you going to build a security culture? But the question should be: how are you going to build more security into your business culture?” says Kevin Brown, managing director of security at BT. “The last 18 months have shone a spotlight on the role of the CISO as a business enabler – a transition, almost, from guard dog to guide dog. The business must recognise why security matters. It’s now known that security is seen as a core business differentiator, as consumers want to know how you’re looking after their data. An understanding of this across the business is key to building the right culture.”

The technical recovery, in many instances, will actually be relatively straightforward following an attack. The business recovery is more of a challenge, and that’s where it’s critical that all of the people involved are working collaboratively, with strong alignment between the technology department, the security department and the rest of the business.

“When one team is left to deal with the recovery, they tend to divert their attention to what they know best, which, for a technology team, is the technical recovery,” says Karl Hoods, CDIO at the Department for Business, Energy and Industrial Strategy. “Earlier this year I helped the Harris Federation, a group of 50 schools, with 40,000 students, recover from a ransomware attack and it required a whole organisational approach.

“Nowadays responsibility for security is much more integrated across organisations and it has to be that way or else you end up with a risk appetite and a set of controls which are misaligned. The days of the technical or security team working in isolation should be long gone.”

Ultimately, the CISO must become a diplomat. Security is the glue that drips down between all the cracks of a business and joins all of the departments together. Businesses have seen the hugely damaging impact of supply chain attacks in the last year, and mustn’t let their own departments fall to the same fate. That means permeating across the business to ensure security is thoroughly integrated, and utilising the latest in technologies like identity.

“Identity is where I see the next battlefield,” says Craig McEwen, CISO at Anglo American. “You look at zero trust approaches and the other models of how people access what is now no longer a perimeter-based network – all of these ideas and future ideas are going to coalesce around identity. If you can get identity right, you can enable and facilitate future iterations of development in terms of how people work. Identity is where it ultimately lies.”

For more information please visit cyberark.com

Promoted by CyberArk