As 2015 draws to a close, it is only natural to look back at what has happened over the year. As far as IT security goes, it has been quite a year, with standout cases (so far) including Ashley Madison and TalkTalk.
What is interesting about those two huge breaches is that, although they were probably equally newsworthy, their origins could not have been more different: in one case almost certainly a disgruntled company employee, and in the other (allegedly) a teenager or two in a bedroom.
That alone shows that defending against attacks means looking both inside and outside the organization.
According to Andy Herrington, head of cybersecurity at Fujitsu, the right way to frame this is a 2 x 2 threat matrix whose axes are internal versus external and malicious versus accidental. Herrington believes the IT security industry has traditionally focused on preventing threats from the external malicious quadrant while paying far less attention to the other three. Threat intelligence, he says, needs to be more agile and flexible and to cope 'sensibly' with the diverse nature of attacks.
Although they make fewer headlines than external attackers, the internal vectors can be just as devastating, as Ashley Madison shows. Research published by IBM in mid-November showed how much the insider threat has grown: it ranked alongside careless amateur hackers, ransomware, and C-suite attention as one of the top four cyber-threat trends of the year.
IBM's 2015 Cyber Security Intelligence Index also revealed that 55% of all attacks in 2014 were carried out by insiders, that is, individuals with legitimate access to an organization's systems, acting either knowingly or by accident.
That last vector, the accidental insider, should not be ignored, because it can be the source of enormous damage. Think how often you and your IT and security teams have had to clean up after a colleague clicked on a link or plugged in a USB stick they found, and the inevitable followed.
For IDC research director Duncan Brown, the industry needs to pay more attention to preventing such incidents, primarily by moving away from what he says are far from unusual 'there is no patch for stupid' attitudes. Speaking at an industry trade event with SecureData, he added: "We place too much pressure on the user to do the right thing, but how do they know what the right thing is? They aren't professional. We need to take security from [worrying] that users will do daft things. It's all about education."
Pointedly, Brown also warned about the typical standard of that education. It is usually delivered like sheep-dip, he asserted: "You dip once a year and then that's it." If you really want to change behavior, he said, the more effective alternative is to make education a continuous process.
That will be news to a lot of firms. Herrington's model is correct: you have to look in both directions. But in assessing the insider threat, never forget that people are not just a weak link to be exploited; they are also your first line of defense.
Properly educating non-IT staff about what security actually means, and about the consequences that 'just clicking on a link' can have, could be transformative. Responsibility for, and empowerment in, security is everyone's business, and it is the business itself that benefits most from adopting that attitude.