CyberSecurity Connect kicked off in Monaco on Wednesday (13 November) evening with an introduction by the organisers, Aurore Domage, business development and sales director at DG Consultants Comexposium, and Martin Smith, chairman and founder of SASIG, who emphasised the nature of the event as users and vendors meeting on an equal, peer-to-peer level to share best practice. This was swiftly followed by a high-level keynote and panel representing government and the public sector, the private sector and law enforcement, promoting the theme of resilience. As the proceedings were held under the Chatham House Rule, the individuals can't be identified, but suffice it to say that they were senior players and hugely authoritative.
The nature of resilience was discussed, with one audience member challenging whether such a thing existed. The panel insisted it most certainly did: what else would you call the ability to withstand a successful attack, keep your staff doing their jobs, and recover to normal operations as quickly as possible?
Responsibility and accountability were tackled with a consensus that they rested primarily with the board, but that each player had to be accountable for their own role, using the analogy of a car. If you are stopped by the police for an unroadworthy car, it is your responsibility to have kept it in good repair, and your choice whether to drive knowing it might break down or to invest in repairs. Likewise, you would hold your garage responsible if it had carried out repair work badly, but that would not absolve you of ultimate responsibility. Failures of compliance, or poor governance, risk and compliance (GRC), would likewise have named individuals responsible.
Delegates were directed to some of the resources provided by the NCSC, such as the Board Toolkit, which sets out the questions a board should put to its CISO together with the answers to expect. Its Active Cyber Defence (ACD) programme, which provides automated protective services, was also described as excellent, and it was suggested that it needs wider deployment. Getting 'notification of a breach' clauses into third-party contracts was also advised, with alarming stories of suppliers simply not informing those they supplied that they had suffered major breaches.
The familiar advice to do the basics was repeated, with the caveat that this does not mean doing the easy stuff: the basics can often be quite difficult, starting with the first step of knowing who all your suppliers are, let alone their suppliers, and the terms of those contracts. Introducing DMARC, so that mail spoofing your domains is rejected or quarantined by recipients, was also advised.
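"Introducing DMARC" in practice means publishing a TXT record at _dmarc.<your-domain> and working it up from monitor-only (p=none, with rua= aggregate reports) through p=quarantine to p=reject with pct=100 and a matching subdomain policy. The following is an added example, not code from the conference or from any of the speakers' organisations: it parses a DMARC record and reports what is still missing before the domain is actually protected. The record strings are constructed for illustration, and the domains in them are placeholders; a real check would fetch the record from DNS first (for instance with dnspython), which is omitted so the example runs offline.

```python
"""Added example: grade a DMARC TXT record for how much protection it gives.

Tag semantics follow RFC 7489: p= is required, sp= defaults to p=, pct=
defaults to 100, and the record MUST begin with v=DMARC1.
"""

# Ordering used to decide whether a subdomain policy is weaker than the
# organisational policy.
_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag -> value."""
    tags = {}
    order = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    # v=DMARC1 must be present, exact, and first; otherwise receivers ignore the record.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy and a list of findings that stop it from
    being an enforcing deployment (p=quarantine/reject applied to 100% of mail)."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in _STRENGTH:
        raise ValueError(f"unknown p= value: {tags['p']!r}")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in _STRENGTH:
        raise ValueError(f"unknown sp= value: {tags['sp']!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct= out of range: {pct}")

    findings = []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if _STRENGTH[sub_policy] < _STRENGTH[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports to see who is sending as you")

    return {
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        "enforcing": policy != "none" and pct == 100,
        "findings": findings,
    }


# Constructed sample records (placeholder domain, not real DNS data).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL_ROLLOUT = "v=DMARC1; p=quarantine; pct=25; sp=none"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com")

if __name__ == "__main__":
    for name, rec in (("monitor-only", MONITOR_ONLY),
                      ("partial rollout", PARTIAL_ROLLOUT),
                      ("enforced", ENFORCED)):
        result = assess_dmarc(rec)
        print(f"{name}: enforcing={result['enforcing']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

The findings list is the useful output: a domain with p=none and an rua= address is a sensible first step, but until the policy is quarantine or reject at pct=100, with a subdomain policy no weaker than the organisational one, recipients will still accept mail forged in your name.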
While that session touched on user training and online courses, this morning's keynote, Why cybercriminals know more about your employees than you do, noted that it is not awareness but behaviour that needs to be altered. Andrew Rose, senior VP and chief security officer at Vocalink, a Mastercard company, used the analogy of smoking: everyone is aware it kills, but people still smoke.
Adenike Cosgrove, cyber-security strategist for EMEA at Proofpoint, emphasised that nearly 100 percent of attacks are now human-focused: attackers concentrated on the computer between 1995 and 2015, but now once again primarily target people via social engineering. Most threats now arrive via email, as most other attack surfaces are well protected, yet only seven percent of security budgets is spent on email while 90 percent of threats come through it. Defenders don't focus on people, but attackers do. We can identify the Very Attacked People in an organisation, who are not necessarily the CEO (in one instance it was the head of PR, because of sensitive project announcements about to be made), and having identified them we can adjust our protective measures to raise their defences, for example by introducing multi-factor authentication for just this group rather than the whole organisation.
Rose pointed out that attackers are now focusing heavily on Office 365 and other cloud apps, and on mobile platforms in particular. He described three factors that need to be addressed to change staff behaviour:
Motivation - think about the consequences, and provide both carrot and stick. If a manager is seen to believe in security, staff are more likely to. And if peers do the right thing, others are more likely to as well, as peer pressure can change behaviour.
Ability - knowledge, practice, simplicity. People need to know how to report, and you must make it easy or they are less likely to do it.
Triggers - these can be hot or cold reminders, but you need hot triggers that are in your face, such as a red banner warning that an email is external and should be treated differently.
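The external-sender banner is the kind of hot trigger meant here: it fires at the moment the user is about to act on the message. Below is an added example, not code from the conference or from any of the speakers' organisations, of what the mail gateway has to do for that banner to appear: decide that the sender is outside the organisation from the address (not the display name, which is the first thing a phisher forges), then prepend a banner to each text body part, prefix the Subject and add a header that mail clients can key on. The internal domain, the banner wording and the two sample messages are constructed for illustration. In production the external/internal decision should come from the gateway's own authentication results rather than a bare From: header check, which is shown here only because it is the simplest self-contained version.

```python
"""Added example: tag inbound external mail with a visible warning banner."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domain(s)
SUBJECT_TAG = "[EXTERNAL]"
# Kept short so it survives any content-transfer-encoding unchanged.
BANNER_TEXT = "*** EXTERNAL EMAIL: treat links and attachments with care ***"


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: address. parseaddr discards the display name, so
    'IT Helpdesk <helpdesk@attacker.example>' is judged on attacker.example."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    """Anything not from a known internal domain, including a missing or
    malformed From: header, is treated as external (fail closed)."""
    domain = sender_domain(msg)
    return domain == "" or domain not in INTERNAL_DOMAINS


def tag_external(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message and, if it is external, insert the banner
    into every text part, prefix the Subject and add X-External-Sender."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg

    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            part.set_content(f"<p style=\"color:red\"><b>{BANNER_TEXT}</b></p>\n{body}",
                             subtype="html")
        else:
            part.set_content(f"{BANNER_TEXT}\n\n{body}")

    subject = str(msg.get("Subject", ""))
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
    msg["X-External-Sender"] = "yes"
    return msg


# Constructed sample messages (placeholder domains, not real traffic).
EXTERNAL_MAIL = """\
From: "IT Helpdesk" <helpdesk@attacker.example>
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it here: http://attacker.example/reset
"""

INTERNAL_MAIL = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Quarterly figures
Content-Type: text/plain; charset="utf-8"

Draft attached for review.
"""

if __name__ == "__main__":
    for raw in (EXTERNAL_MAIL, INTERNAL_MAIL):
        tagged = tag_external(raw)
        print(tagged["Subject"])
        print(tagged.get_body(preferencelist=("plain",)).get_content())
```

The display-name point matters more than it looks: a message from "Andrew Rose <a.rose@attacker.example>" carries a familiar name but an external address, and the banner is what tells the recipient to treat it differently.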