Published on 25/08/2017 | Written by Donovan Jackson
Humans beat sensors when it comes to sniffing malicious links…
Forget about the latest hack for a minute and focus instead on your organisation’s ability not only to deal with a hack, but rather to avoid that sort of unpleasantness altogether. Achieving that depends on having everyone in the business ‘on side’ and alert to the possibility of a compromise, which can come through any one of a dizzying array of attacks.
That’s the message from Peter Booth, ICT Risk and Security Manager at Contact Energy. He’s appearing at the Advance Cyber Security Summit, which takes place in Wellington in October – and Booth said a pervasive ‘security culture’ is fundamental to keeping your organisation safe.
“Hacks happen all the time and quite frankly, unless they hit your company, struggle to be front of mind when balanced against all the other tasks at hand,” Booth told iStart. “Look at the ‘Information is Beautiful’ site, which provides data visualisations. The one which shows hacks as bubbles is now so overpopulated that it is just one big blob of colour.”
It’s an interesting point which demonstrates at least two things. One is that hacks are so prevalent as to be a basic part of doing business. The other is that ‘hack fatigue’ has set in. What was once so interesting that data gurus thought it worth visualising is now so blasé that it doesn’t even produce a cool graph.
But ‘hack exhaustion’, Booth stressed, is a poor excuse to let your guard down. “Despite that huge number of hacks happening all the time, the chances of a compromise can be easily mitigated – but it depends on companywide vigilance. Get that right and you’d have to be quite unlucky for it to happen – so long as you have your technology, processes and culture right.”
He added that ‘getting it right’ also depends on accurately aligning security with business objectives. “It is all very well to have various security measures, but if those measures are not adding value to the business, it will fall into the trap of security for security’s sake. And that’s just not a great message to deliver to the executive suite.”
For most companies, the budget for security isn’t enormous. And nor is the team which is tasked with ensuring enterprise-wide good practice when it comes to keeping attackers out. That’s what makes culture such an essential factor in avoiding the hassle of a compromise. “You need to be able to rely on your people a lot; like any other organisation, we get pounded with phishing, spear phishing and whaling. Things like fake requests from the CFO to the CEO requesting money transfers. When that happens, we rely on our people to let us and others know about it.”
Booth said that while technology does catch most of the potential hacks before they enter the perimeter, it only takes one to get through for there to be a problem; properly trained people, he added, are far more adept at spotting clever compromises than machines are (take that, AI).
“That helps us a huge amount. We just wouldn’t be successful if we didn’t have a culture where everyone is attuned to the possibility of a hack and everyone is doing the basics really well.”
How to instil that culture? Booth said awareness and reinforcement are key. Onboarding includes a security module; the security team takes its cue from the company Health and Safety programme, which carries a message of ‘continuous improvement’; and customer service representatives are trained to recognise various forms of social engineering, so that attacks through the call centre are stopped at the first contact.
“We communicate regularly, looking for a good cadence without overwhelming people, we share what’s happening in terms of attempted hacks, and we make sure that people are attuned to the small things. That really delivers a big advantage,” Booth added.
See the full agenda or book your place for the Advance Cyber Security Summit.