Security within organisations needs to be a collaborative process, says Sophos
By Tan Jee Yee December 24, 2019
- Less than one-third of APJ organisations consider their security as “optimised”
- Build a security lifestyle by taking security awareness home, educate family, friends
The first thing I asked John Shier, Senior Security Expert at cybersecurity company Sophos, is the same first question I’ve always asked cybersecurity experts: What is the state of cybersecurity today?
I suspect it’s the sort of first question every cybersecurity expert gets asked, much like people asking fiction writers where they get their ideas. In my defence this time, though, I met up with Shier to talk about Sophos’ recent study on the maturity and readiness of Asia Pacific and Japan (APJ) organisations when it comes to dealing with cyber threats.
His answer: “Overall, if you look at APJ as a whole, the picture is okay, but not great.”
This is mainly in reference to one of the study’s findings: less than a third of organisations in APJ consider themselves “optimised” when it comes to security. “Optimised” here means that an organisation has a security plan in place that is repeatedly tested to make sure it actually performs.
“A lot of people [organisations] find themselves in the middle, which is not uncommon,” Shier says. As far as Malaysian organisations go, though, the study found that more than half of the respondents don’t think they have the basics right.
Three things contribute to that: 72% of organisations have trouble finding talent, 60% say they have insufficient budget for security, and 83% find it challenging to stay up to date with security.
The top frustrations cybersecurity professionals have with their organisations are that executives assume the organisation will never get hacked, and that they assume security is “easy”. Adding to that, 92% of Malaysian organisations believe the biggest challenge in the next two years will be improving cybersecurity awareness and education among employees and leadership.
Shier says it’s not uncommon for executives to be less aware of the importance of cybersecurity. When it comes to allocating funds and attention, security is rarely the priority.
“For a long time, cybersecurity has not been at the forefront of that,” Shier says, noting that certain organisations in industries like healthcare and manufacturing, for instance, didn’t consider the importance of security because they believe that they’re not an IT company. “But the harsh reality of today is that every company is an IT company. They all have computers, business partners that are connected. They connect to customers.
“And if you’re an IT company, you need to have security. CISOs (Chief Information Security Officers) of organisations need to go to their peers and say, what if we get ransomware, and the business can’t start because of that? So, security has to be an overlay on everything you do. If you think security first, with an eye to enabling the business, then I think you’re doing it right,” he says.
Improving awareness among execs and employees is important because it helps tackle two of the top issues that Malaysian decision makers think will affect their organisations’ security in the next two years. According to Sophos’ study, the top three concerns are AI or machine learning-based attacks, malware and phishing attacks. Awareness can help combat the latter two.
Shier says that automated systems are certainly in use for both cyber-attacks and defence. Sophos itself uses automated systems to cut the volume of samples down to manageable numbers, which is vital considering that the company discovers 450,000 new malware samples daily. No, that is not a typo. Yet the use of AI for attacks may not be quite as concerning as malware or phishing.
Data scientists and experts Shier has spoken to say that the effort needed to breach organisations using AI is not worth it when cheaper and faster methods like phishing are more effective.
One can look at the Emotet malware as an example. This banking Trojan is spread using spam or phishing emails and extracts information and credentials from the computers it infects. Once it has done that, it downloads a secondary payload belonging to one of its customers (yes, Emotet has customers) that steals further banking information. After that, it may download other customer payloads, such as ransomware. It’s like 3-in-1 coffee.
A security culture
He advocates building a “security lifestyle”. Rather than practising security only as company policy dictates, such as avoiding suspicious links and email attachments, Shier says the practice should be carried on at home. “Take that awareness, take it home and share that with your family, friends and everyone you interact with. Help them understand. What that does is build a security culture,” he says.
Ultimately, though, organisations ought to have a culture that includes cybersecurity people at every level, from top to bottom. “In a lot of businesses, the problem that exists is that security is not brought to the table for all tech discussions,” Shier explains.
For instance, a company’s human resources department may have worked with the IT department to come up with a way to speed up processes, but if security is not brought into this, there may be gaps that become the weak links that cybercriminals end up exploiting.
“Not every IT person is a security person. Some may understand networking well, but they may not necessarily think of the security implications of the stuff they do. They might think that one way is great, but security may be able to think of a better way that covers up the security gaps,” he opines.
As companies increasingly transform themselves digitally and move their processes to the cloud, Shier says technology will be able to help. Sophos, for instance, has a product called Cloud Optix, which gives organisations more visibility into their assets, software and other important aspects of their cloud environments. “It’s our way to help people be more secure, to do the basics right.”
But organisations are complex things. Technology can help alleviate such issues, yes, but companies are made up of several pieces – IT, finance, HR, sales – and each of them has its own security needs.
Blanket security policies may be a good idea, but security is also about making processes as frictionless as possible. Overly restrictive policies push employees toward more convenient methods, such as sharing company data over public cloud services, unaware of the repercussions.
“You need to take a step back, break your organisation down and look at the assets and people that need to be secured the most,” Shier suggests.
Shier says that security needs to shift from being seen as “no people” who only implement roadblocks and restrictions into “yes people”.
“We need to go to each department and ask, ‘What’s your priority? What do you need? Let’s see how we can help you with that.’ Security has to sit with them, architect something that is secure from the beginning.
“It has to be a collaborative process.”