O2’s cyber security experts: Jay McDonald on the human element of security
With home and remote working now a necessity for most of us, I have been reflecting on the cyber security implications we face and what I’ve seen at recent security conferences.
As we know, conferences are often the go-to places for the latest high-level industry insights and thought-leadership. Security conferences are no different. I’ve been to several since the start of the year and there’s been a lot of talk, especially about problems, solutions and the need to consider the human element of security. But what happens on stage tends to stay on stage.
As I walked the halls of the exhibition centres over the past 12 months, I was confronted with a growing number of security vendors. Each one jostling for attention without really saying anything different. They might offer a novel approach, but the underlying solution offering is often the same. And they rarely talk about what we at O2 would call ‘humanising security’.
So it got me thinking. How do security vendors fit within the bigger picture when it comes to securing your business? If we can step back from the clamour and noise of the exhibition hall for a moment, we can start to think about what businesses really need in order to stay secure. Yes, technology is part of the answer. But it isn’t everything. There are processes you have to consider. And, more importantly, people.
So what does the human element of security actually mean in practice? I think you have to look at the organisation and its people across three levels.
Level 1 – the C-Suite
For this group, the human element of security is all about direction. It is about responding to business drivers – be they growth, compliance or the threat of a massive cyber attack. And the CEO, MD or CTO will have a decision to make about where to invest in security and to what ends.
Level 2 – Directors of IT or Operations
This group may be tasked with securing workflows or customer data. They will need a firm grip on the processes their business uses and the effects of a new security solution on how people work. They need to answer a multitude of questions to find a way of handling the security threats they face.
If we were to look at the threat of ransomware alone, the string of questions that follows might look like this:
- Are our users able to identify a possible phishing attack?
- Do we have cyber training in place to prevent them clicking suspicious links?
- If we can’t easily identify those links, can we use technology to de-weaponise the threat?
- What if the technology fails and the threat detonates? Do we have a way to keep the user or organisation operational?
- Once the breach has occurred, are we able to forensically detail the chain of events to find the root cause?
- Was this user, or group of users, the only one affected?
- If not, where has the attack spread?
- Does this breach affect our customer data?
- If it does, how do we inform the regulator and our customers?
As you can see, this example of a security threat involves people at almost every stage.
Going back to what you or I may have heard on stage at conferences in 2019 and 2020, the buzzword that’s been used a lot over the last year is ‘Zero Trust’.
It’s something that vendors are marketing heavily if evidence from the exhibition floor is anything to go by. In fact, at the RSA Conference 2020, the number of vendors offering Zero Trust solutions grew by 50%, to a total of 91.
Zero Trust is the principle that your organisation should trust nothing and no one. Not people. Not applications. Not systems. In some ways it should already be the principle behind most security architecture. However, it does have an impact on people.
- From the technology perspective, it means a policy of no access to anyone or to any application unless explicitly permitted. It involves the use of multi-factor authentication to verify that a person is who they say they are, or that an application has the right access to the permitted systems and/or data.
- From a process perspective, it requires a review of workflows to prevent manual workarounds.
- And from an individual perspective, it requires buy-in and understanding.
Level 3 – end users
Employees use your IT systems, apps and devices every minute of every day. And they are still – in a general sense – the weakest link in your security chain. Partly because they may accidentally (or even maliciously) allow a data breach or cyber incident. Partly because they are often the targets for hackers. And potentially because they simply may not understand the latest security technologies that they are being asked to use.
It was staggering to see the number of vendors offering endpoint security at the RSA Conference 2020. According to Forbes, endpoint security vendors “dominated the show floor, with over 120 vendors promoting their unique solutions.”
This is not necessarily because vendors are pushing user-friendly solutions. It seems they recognise endpoints are the quickest and easiest places to identify and respond to threats proactively (endpoint detection and response, or EDR). And this fits with a wider trend towards Managed Detection and Response (MDR).
MDR gives IT departments the ability to ingest logs and feeds akin to SIEM solutions. But it also enables smarter protection, automated responses and threat hunting with devices as logging and enforcement points. Being proactive with threats and alerts across any device, appliance or app (whether on-premises or in the cloud) is the ultimate goal. But the endpoint is the place where you can score quick wins. Hence the rise in vendors.
What I have experienced over the past 18 months at security conferences is a lot of talk about the human element of security. But a lot less evidence of it on the exhibition hall floor. Maybe I notice it more because it’s something that we do here at O2 – promise to humanise security for our customers. Yet the fact remains that it’s still the most important element of security right now.
There are already technologies (that we can provide too) that can help us beat the cyber criminals (lots of them in fact). There are plenty of advisors and consulting firms that offer advice on securing your processes. Yet there are very few out there that combine people (first), processes and then technology, to create holistic security strategies.
So, while the world is focused on the current situation, we’ll need to continue to ensure our people working remotely can do so securely and our network security is maintained.