The evolving cyberthreat landscape is forcing C-level executives to improve or adapt their defence strategies. Chester Wisniewski, Principal Research Scientist in the Office of the CTO, Sophos, tells us why a proactive approach can contribute to building a positive security culture and defend against attacks.
How can smart technologies like AI and ML contribute to monitoring or preventing cybersecurity attacks?
I think we’re in the really early stages of seeing the benefits from this and the initial thing everybody’s done, including us, is think about how we use it to enhance the protection we’re providing at different places in the attack chain.
But I think where the real value is going to lie in the long term will be focused on augmenting the humans so that we become more efficient at what we do. The challenge for humans is managing the ridiculous quantities of data we have coming in – humans simply cannot deal with it. This is where Machine Learning and AI come in.
Humans are really good at taking a quick look at something and immediately recognising whether it’s good or bad, and machines are terrible at it. When you look at how you measure the effectiveness today of a Machine Learning algorithm blocking for anti-malware, it’s measured on what’s called a ROC curve. That means that you’re measuring it because you have to decide on how aggressive you want to be, because if you move too far one way, you find all kinds of false positives and detect all the bad stuff, and if you move too far the other way, you’re getting very poor detection but you’re never wrong. The challenge lies in how much ‘wrong’ you’re willing to accept to get higher detection.
How can businesses improve their defences against users being tricked into inviting malicious attackers into their network?
You need to structure things so that they’re more personal – use real examples of phishes that were sent to your executives as screenshots in the presentation that you do for your staff. Have someone in one of your departments stand up and tell a story of what happened to them – make it personal if possible. Another approach, which can often be a better solution, is to change a business process rather than trying to do it with technology. A lot of businesses are doing this to try to avoid business email compromise, where people are tricked into changing a wire transfer because someone impersonated the CFO or the Head of Finance. Look at your business processes and see if there’s a way you can train a small number of people on a very specific thing that helps protect them, rather than trying to do a generic thing for 400 people that only applies to a small number of them. At Sophos, for example, our Human Resources department is responsible for opening up documents all day of people’s CVs. Nobody else is responsible for that, so if we can focus training just on the four of them and make it more personal to their way of working by showing them a slightly harder way of doing it, that’s going to provide security and safety. I don’t want to train 500 employees on it – they’re not going to pay attention to it, or if it’s hard it’s going to slow them down. I only really care about the four employees in HR because they’re the ones that are high-risk. I can afford to give them personal training, rather than some kind of broadcast medium.
How can employees contribute to creating a positive culture around data security?
I think it’s really important that it’s positive. An incentive might be to do a drawing for a gift card for £100 to a nice local restaurant once a month and tell them that if they report anything they think might be a phish to a security team, we promise we’ll get back to you in half an hour and anybody that reports something, we’ll put your name in the phish bowl and we’ll draw a card once a month – it’s the best £50 or £100 they’ll spend. It’s saying, please help us – we can’t do security without you and to show you we really mean it, we’re giving you a gift in return. Make it really well-known how to do it.
How can business leaders improve their approach to ensure this happens?
I think it has to be throughout the organisation – it can’t be initiated by the CIO or CISO, it has to be something that’s embraced by all the upper management. Everyone must understand that security isn’t an IT problem, data security is a business problem. IT can’t control what finance does, finance have their own processes, they have to embrace it and it has to be a part of their culture as much as it is IT’s. It may be IT’s job or the CIO group’s job to stop that framework for that positive message or easy processes, but then the leaders of all those groups within the company need to embrace that with their staff and let them know that this is a team thing no different than the physical security of our building, which is obviously a joint responsibility also. Keeping it positive can be tough but any time there is a punitive thing, think about turning it on its head. For example, if you’re doing phishing tests, instead of just reporting that 20% of people failed, also measure how many people reported it to the security team and start measuring that as a positive metric that you want to see increase.
Generally, in IT, we always focus on the negatives and we’ve got to look at it the other way around – how much did we block, how many people did we protect, how many people reported – so that people feel good about participating.
How important is it for business leaders to build and maintain reliable employer relationships to avoid insider threats?
Insiders are tough. If you have an insider attack it’s likely to be a problem that’s going to increase. It’s very difficult to defend against this kind of thing and if I consider it from our own company perspective – we have a lot of loyalty because we treat our people with a lot of respect and while we expect a lot from them, we give a lot back. I think that creates a very positive environment which makes it more difficult to be that malicious insider. If I were to turn tomorrow, I would be so isolated because the people I work with are so loyal, they’d expose me. It would be hard to get away with it because the team I’m on is so invested in the company.