Companies need to accept that, in combatting advanced persistent threat (APT) attacks, staff - not technology - are their biggest risk and that, with data breaches so prevalent, how well you manage a breach is just as important as trying to prevent it.
That was the advice given to the almost 300-strong audience at the opening session of Tuesday's SC Congress event in London.
High-level speakers such as (ISC)² EMEA managing director John Colley, and Becky Pinkard, director of the security operations centre at Pearson, agreed that educating staff can make companies safer from APT attacks than spending on traditional security technology.
Colley said: “The bad guys have realised there are two big vulnerabilities in every system - the code and the people. We're finding computer code is full of bugs; and on the people front we're seeing lots of attacks now require things like spear phishing, which is an attack on the person.”
Colley said that people are probably the biggest vulnerability within any organisation but with the right threat education, that vulnerability can be turned into an asset.
Pinkard agreed that in the face of APTs, “We have an issue where we need to continue to train people.” But she acknowledged: “Nobody likes security awareness, security awareness is boring.”
So, Pinkard said, companies need to build the mindset that such classes have to be entertaining and “less painful to sit through, because we've got to educate our people”.
The SC Congress audience also heard that while many APT attacks are not particularly ‘advanced' nor ‘persistent' - but opportunistic - their continuing success means companies should focus as much on dealing with the aftermath of breaches as preventing them.
Jeremy King, European director of the PCI Security Standards Council, said it is vital for companies to have a good incident response plan ready.
King quoted the example of US retailer Neiman Marcus, whose head of security at the time it suffered a high-profile data breach realised that “I don't even know what's happened here and you're telling me to inform all my customers that their bank account details have been compromised.”
King said: “After that, they realised the importance of a good incident response plan.” Neiman Marcus even put its board directors through ‘war games' exercises, including a mock TV interview quizzing them about data security.
“The impact of what your CEO says can affect the company - whether it survives,” King told the audience. “They can either say the wrong thing and cost you a lot of money, or say the right thing and people will have confidence that actually this is a company that want to try and sort this out.”
He added: “Everyone accepts you're going to be breached,” and pointed out that after Heartland Payment Systems was breached, it stock rose because it pledged to take the right remedial action.
However, when it comes to finding the technology to protect you from APT attacks, Pinkard said it is still difficult to find a security vendor that covers every need.
Suppliers have not kept pace with the emergence of cloud-based and virtualised environments, she said.
“Last year I struggled to find a vendor that could operate in the physical infrastructure and cross into the virtualised, cloud-based infrastructure that I was working with,” Pinkard said. “And even the vendor that we finally selected, their product wasn't ready for us until about six weeks ago.”