Cybersecurity for your business: Where’s your head at right now?
At a large cybersecurity conference and exhibition like RSA’s in Singapore, where there are solutions after solutions and a myriad of showcases, it can be very challenging to know where to start.
Enterprise IT News sat down with Sophos’ Chester Wisniewski and what followed was a list of possibly entrenched notions about cybersecurity that went through some well-deserved and timely fine-tuning.
Wisniewski lists a few notions; some well-known already, others not so; which EITN dives into, below:
Businesses have yet to make the transition to actually being in driving seat of security in an organisation.
RSA’s vision for business-intent security, proposes that the overall security posture of an organisation, is determined by the business outcomes it wants to achieve.
That in turn requires security teams, which in most cases is also the IT team, to work closely with the business. In the whole history of doing business on this planet Earth, has that ever happened?
Maybe, in small pockets, maybe there are a few isolated cases.
And yet, in RSA’s view, this collaboration and business-driven security has to start to happen, because of limited resources; instead of trying to tackle all the threats towards the whole of the business, why not tackle only the threats towards valuable assets and data in the business?
This drives home the point, that security has to be business-led.
Businesses have to shed their thinking that security is an IT-department problem, and start to seriously think about what data breaches could mean to their bottom line.
IT risk as a process
Businesses understand business-speak, even risk, because everything is a risk and business must manage it so that it does not get out of control and impact productivity, reputation, and revenue too much.
However, when they look at IT risk, they see it as a tool to take quantitative measurements, instead of a process.
Wisniewski opined, “Risk assessment in IT security is qualitative … it shouldn’t be about measuring what has happened ie. damage loss in numbers, but rather it should be trying to measure where we need to be because that’s where the risks are.”
If we don’t know it already, people, process and technology have to be in lockstep together, for any solution deployment to succeed. Wisniewski added, “The budget conversation (however), needs to be around training.”
Cyberinsurance? Nobody ever gets paid
That statement is true, unless you, “… do not accept the blanket policy they sell you because they will try to get out of it, and will always have a way out.”
Wisniewski also said, “Tailor that policy to your needs, and focus it on important areas of your business.”
You may think you are safe, but…
Chester Wisniewski, Sophos’ Principal Research Scientist in the Office of the CTO, had earlier presented to RSA participants, how he could put together a ransomware campaign with just USD200 and 30 minutes.
“Actually, I could do it in five minutes,” he said highlighting how easy it is to obtain tools for nefarious purposes, from the Internet.
Places like the Dark Web have lists upon lists of resources and how-tos. It’s also the place bad guys go to, to sell stolen credit cards, among other things.
“Tens of thousands of cards are stolen every week, either physically or via scanners. There are forums to sell these cards.”
What can be done with these cards, you may ask.
It depends on if the cards are sold, with or without their PIN numbers.
He said, if there is no accompanying PIN, the cards are only good for online transactions.
Or the bad guys may try to reset the PIN.
Hence the reason why, there are attempts in the real world or online, to try obtain your personal information, any sliver of data that the bad guys can use to fool your banks into thinking that they are talking to you.
On the plus side, Wisniewski observed that there are proactive banks, that will buy up all their credit cards that are in circulation on the Dark Web.
Dark Web = Regular Web
As with the regular Internet, the Dark Web has discernible ‘zeitgeists’, if you can call it that, that alerts security professionals about possible security events in the pipeline.
He reminisces about ransomware’s first origins in 1989. Cyberhackers would lock the screens of their victims, but “…too many were getting their files back after the screen lock, so one guy decided to stop just locking screens and to encrypt files instead.”
What does this mean for businesses?
The security scientist said, “Enterprises look for if anyone is talking about their brand. It is well-worth keeping an eye on it, because if you are big there is probably activity happening around your brand,” and he added that it is possible to spot mass market trends, that are not talked about it ‘open areas’ enough.