#TEISS17: Achieve Cyber Resilience With Your People

Cybercrime, regulation, the Internet of Things (IoT) and the people factor are the four most common problem areas for security professionals.

Speaking at The European Information Security Summit in central London, Steve Durbin, managing director of the Information Security Forum, highlighted these four well-covered areas, and in particular the human factor. He stated that we are at a stage where users are accustomed to using their own devices and accessing corporate systems to do online shopping, having internet wherever we go, and using smartphones or tablets that we take into the workplace, take home and put on a TV screen. “But we have not thought to change the password on the router,” he said.

“If we can get that right, we can switch from people being the weakest to strongest link in the chain.”

Referring to the attitude of the business to cybersecurity issues, Durbin said: “If you mention to a business leader a problem from the 1980s, they will ask 'why haven't you fixed it'?” However, he said that a breach has “a very long tail”, and that post-breach investigation, business changes and forensics require time and energy, which concerns boards.

Durbin also mentioned the concept of cyber fatigue, and that boards will ask why basic issues have not been fixed. To address this, he recommended regularly measuring investments so you understand the investments you are making in security, and coming up with a cyber-risk model for your business.

He argued: “This is the real nub of where we are going from a security standpoint. Align risk with the direction the business is moving in, and put in place appropriate guides and engage broadly across the business. Establish something like ISF Cyber Resilience Framework, you also need board level sponsorship and engage with business and people you do not usually associate with the cyber resilience team – PR, legal, HR – as [a breach] has implications on process and your security standpoint as they are experts in their area.

“Assess the ability to respond and assess how to adjust from past, present and future not just for your business, but with other businesses. Cyber is still not perceived as being a competitive advantage; there is a willingness to share information across business, and once you have done that you can put together a cyber-response.”
