At a recent roundtable event, a panel of experts discussed the evolving cybersecurity landscape and how organisations can ensure their data is protected when using cloud service providers.
Paul O’Donnell, strategic account director at data protection platform OwnBackup, says businesses cannot assume their data is being protected by the cloud provider if their software is delivered by a third party.
He says organisations need a shared responsibility model, where cloud service providers are responsible for the security of the cloud and customers are responsible for the data stored in the cloud. “There can be worrying security gaps if there are no controls and audits in place to understand where data is going and who has access to it,” he adds.
Mark Harrison, director of cybersecurity at Ricoh Europe, agrees that it is important that businesses do their own due diligence to understand where data resides.
“A company could sign up to a SaaS provider and assume the provider hosts the data, but that provider will usually sign up to another larger cloud provider who ultimately hosts the data; potentially in a different region or country to where the SaaS provider is located,” he says. “Due diligence should always ensure the final location of the data is understood along with what type of risk the organisation is willing to accept. There’s always some kind of trade-off when outsourcing data hosting in this way.”
Many organisations are currently debating whether to buy in or build their security platforms. Bernie Wright, CISO at Clearbank, says businesses must ask vendors important questions about how data will be stored and backed up, and who will have access to it.
“In the early stages of the business, we tended to build platforms ourselves, but today we look at what we can buy in best of breed. We always do our own due diligence of the third parties we have arrangements with,” he says. “As a finance company, we have to educate some clients about security in the cloud because there is still the assumption that everything is on-premise.”
Since the end of the Covid pandemic, there has arguably been an acceleration in outsourcing of SaaS security because many organisations do not have the resources or talent to sustain things in-house.
Director of security advisory services at BT Group, Tristan Morgan, says whatever route is chosen, security policies and processes must align with what people are doing at work.
“BT has a digital unit with a range of teams who are working to write code and develop apps. Without the right framework and training, it’s easy to lose control of data very quickly,” he says. “A business’s backup systems must also recognise that there is a lot of obsolete and legacy data in things such as CRM systems, which still represents a risk even if you’re no longer actively using it.”
Businesses are also being urged to look closely at their operational security. Paul Hingley, head of cybersecurity at Siemens GB & Ireland, says that when his company audits its customers, it finds that around 95% have not qualified their data, let alone considered an on-premise or cloud security solution. He says cloud technology is preferable for data analysis and business intelligence, but if organisations haven’t qualified their data, they will not be in a position to determine and validate their choice of data management from a security perspective
Cybersecurity’s image problem
There was a view that organisations need to do more to cultivate a security culture so employees take the risks more seriously and any perceived fear doesn’t hinder business innovation.
Ian Usher, deputy global head of threat intelligence at NCC Group, says security cannot be solved by technology alone, and businesses must not underestimate the human element.
“Individuals need to appreciate they have a level of responsibility and understand what could go wrong. This has to be balanced with avoiding a blame culture,” he says. “It can be hard to measure whether things are working. Is it by the number of people who report a phishing email or by how many people diligently update their passwords?”
At defence company BAE Systems, the workforce understands the concept of security but, when it comes to cybersecurity, employees need more than a corporate rule book, says its CISO Mary Haigh. She agrees that organisations must avoid creating a culture where people hide security problems.
“If organisations spend all of their time being compliance-driven, they do not have the energy or time to be innovative and to think about how to secure new technologies that could help the business,” she says. “Compliance is a licence to operate and vital, but so too is agility so they can adapt as the threats change. Everyone needs to understand the sheer pace of change and not be frightened by it.”
Unfortunately, companies often do not consider the importance of having a cybersecurity culture until they have a serious incident.
“Once they have a breach, a board often realises that cybersecurity deserves equal weight as cost management and revenue forecasting on board meeting agendas as they contribute equally to the success of the company,” says Ricoh Europe’s Harrison.
One way to create a positive culture is to find creative ways to educate employees about security. Naveena Balam, VP risk and compliance at Onfido, says training should be engaging and that her company uses gamification and short videos to convey important messages.
“The information security training includes showcasing different relatable everyday scenarios, for example, around a phishing email where people are taught to look out for easy/various spelling mistakes or a suspicious email reply address,” she says.
Ultimately cybersecurity must demystify itself internally to shake off its image problem. This includes using more accessible language and being able to explain clearly why it’s important.
Clearbank’s Wright says his team holds regular company-wide meetings where employees learn about recent real-life security examples and the impact they have had.
If the industry becomes better at communicating, it might help solve some of the skills shortages. BT’s Morgan is convinced that many people within BT have transferrable skills. Those working in its call centres, for example, are used to dealing with clients and looking at data on a daily basis.
Haigh from BAE Systems agrees and says there is still a widespread opinion that people need a STEM (science, technology, engineering and maths) background to work in cyber.
“Of course, that is valuable, but so too are other skills. We recently hired an operations lead for our team who has a healthcare background. She managed care homes through the Covid pandemic and the supply of PPE, so she has skills in crisis management when under pressure,” says Haigh.
Siemens GB & Ireland’s Hingley recruits cyber engineers from various sectors including universities but finds that the recruits with engineering experience have the most relevant skills. He also pointed out that everyone’s skills need to be kept up-to-date and relevant to technology advancements. Siemens employees attend regular refresher security courses. “We also audit every business unit three times a year,” he says. “This demonstrates to us how our businesses are managing their product and solution security and ensures everyone is attending their mandatory training.”
The future of cybersecurity
So where do the experts see the cybersecurity debate moving and how are the criminals’ tactics evolving?
The panel expects some of the biggest security challenges for individual businesses to come from their own supply chain. Meanwhile, the growth of AI, and in particular ChatGPT, could provide opportunities as well as threats.
Balam at Onfido, a global identity verification provider, says new technology will continue to play a major role in identifying and preventing fraud.
Ricoh Europe’s Harrison expects cybercriminals to increase destructive attacks on more public institutions such as hospitals and other national infrastructure providers, instead of focusing solely on stealing or ransoming data.
What we have seen, says NCC Group’s Usher, is criminals investing more time recruiting people within an organisation to provide passwords or circumvent security measures.
Ultimately businesses need security systems that are agile so they can evolve as security threats develop. “They must become better at understanding what data they have, where it is and where the threats will come from, internally and externally,” says O’Donnell.
Indeed, criminals will always hunt out the weakest link.