Cybersecurity has to be a high priority for businesses of all sizes in 2021. Most of all, they must share knowledge and collaborate to counter the criminals, who are becoming increasingly sophisticated, according to an expert panel
Adrian Asher, CISO and cloud architect, Checkout.com
Darren Guccione, CEO and co-founder, Keeper Security
Emma Smith, Global cybersecurity director, Vodafone
Shubhanga Prasad, Director, strategy, OakNorth Bank
Helen Rabe, Senior director, global cybersecurity, Abcam
What does the cybersecurity landscape look like in 2021?
DG: The coronavirus pandemic has been catalytic in forcing organisations to move to distributed remote work environments. This shift served up a buffet table for cybercriminals to ramp up their attacks, which increased from the dark web up to 600%. Ransomware-as-a-service is a huge issue now. It’s prolific, pervasive, cartel-based organised crime in the worst and darkest way possible. They are attacking everything and no company, regardless of size or industry, is safe. However, 80% of the attacks are targeted to smaller entities, because of a lack of time and budget, they don’t have sophisticated IT architectures or staff.
ES: Between companies, we certainly shouldn’t be competing in security. All of us need the whole ecosystem of companies – no matter how big, or small – to be secure, resilient to cyberattacks, which will require quite a bit of collaboration and support. We see a continuing increase in supply chain compromise to attack maybe more sophisticated companies, so it’s in all of our interests to keep the whole ecosystem as safe and secure as possible. Additionally, smaller companies must understand which services are the most attractive to attackers and which are the most important to protect for their business.
AA: When, as a society, we went to predominantly working at home, it exposed the inefficiencies of the security logon process; two-factor authentication, for instance, is a poor use of a worker’s time. What has become clear is that many firms have cumbersome remote working authentication processes that have impacted productivity. It’s been a risk and an opportunity to get on top of that.
HR: The circumstances meant we had to engage more proactively with our end users during the pandemic. They came to us with more direct questions about managing cybersecurity in both their professional and personal lives, and it’s good that awareness is growing. I have never been a proponent of the statement, ‘the human is the weakest link,’ and I think the phrasing must change. The human is the one of our primary lines of defence. There is a mindset shift needed so that security becomes a lifestyle choice and that people adopt these behaviours with less reluctance.
SP: Ultimately, everyone is responsible for ensuring the cyber defences of the organisation. Great security solutions help put locks in place, but it’s a balance. You don’t want to impose too much on the users or workers, but you need to be secure. There is no correct answer, but companies must keep calibrating their defences because cyber threats constantly evolve.
How has the role of chief information security officer (CISO) evolved over the past 18 months?
ES: Cybersecurity in an organisation should be like a football team; it can’t all be left to the goalkeeper, or CISO. We need the whole team tackling the opposition at every possible line; otherwise, we’ll never win the game. Some basics must underpin the strategy – patching, hardening, vulnerability management, user-access management and passwords. These are all layers that make up a strong security posture. But companies need to be proactive and use detection or threat analysis tools, because prevention is better than the cure. Increasingly, I think the core role of the CISO is to distil a complex topic to something easy for the c-suite to comprehend to drive transparency and reporting on cybersecurity. ‘Watermelon reporting’ – where something looks green but is red when you slice into it – is not good enough.
HR: Traditionally, most CISOs started off technically strong, but now I see many of us as strategic thinkers who can engage and reassure many stakeholders across the business. We’re hybridised in our role; we need to understand the technology at some level, but we’re not in the grassroots of it. I spent a great deal of my time last year with a lot of end user engagement, for example, advising people working in remote locations on the benefits of using the VPN and guiding them on best practice behaviours that protect our assets. As a result, the collaboration between non-technical business teams and the cybersecurity team has become stronger.
SP: CISOs have certainly had to enhance the employees’ knowledge of cybersecurity, sometimes across continents. It is a skill to know how to speak to different people at the right level – including the c-suite – so they understand what you need to tell them. We have found that gamifying training has helped engagement.
AA: If you speak to your board about cybersecurity, you have to do so in a language they understand. As a CISO, you should always make it easier for people to do the right thing. If you are putting up security controls and people are trying to get around them, your controls are wrong. They have to be as seamless as possible. Ideally, they will be very strong, but completely hidden to not impact productivity.
What are the tools businesses need to combat cybercrime?
AA: Passwords should be killed as soon as possible, and that includes PINs. It’s crazy that we rely on humans to try and remember something that a computer is going to find hard to guess. It’s an ineffective use of human computing power. Organisations should be looking to innovate in this area, so there is continuous authentication, zero trust, and session establishment, and it’s all seamlessly going on in the background.
SP: As a bank, we are hyper-obsessed about our customer experience, and we are looking to innovate around passwords and security. We are working with cybersecurity fintechs to use smartphones for behavioural authentication, allowing access if the user is in the expected geolocation and types in a pattern on their device as expected.
DG: Innovation in this space is essential, but for the moment having a password management platform is the first key step to improving cyberhygiene, especially given the proliferation of the cloud and the demand for more strong passwords. It is virtually impossible to create and remember passwords for dozens of different applications from a human perspective. The Keeper Security platform enables the end-user to authenticate into any website app or system in a second without transacting with a password.
HR: Cybersecurity training is a critical element, unfortunately it can be soporific and dry, so it needs to engage your end user. Our culture is young and dynamic, so we have boosted engagement in the last year by using anime videos to raise awareness and gain interest in the wider security education and training programme. These have helped to contextualise security, and we extended the training to friends and family, to improve awareness and cyberhygiene. This approach has made a huge difference.
ES: In addition to challenges, new technologies also create positive opportunities. For example, 5G connectivity brings high reliability, low latency and new security features.
For more information please visit https://keeper.io/protect