This past week, the US National Security Agency (NSA) released a rare security advisory urging organisations to patch a list of critical vulnerabilities. The top 25 list detailed the software flaws most frequently being targeted by state-sponsored Chinese operatives. Although most CVEs were published in 2020, a few date back several years.
What does this tell us? That many organisations are still not patching systems promptly enough, even though the result of a major state-sponsored or cybercrime intrusion could be catastrophic. This is where virtual patching can save the day.
Today, open source software powers some of the world’s largest organisations. But that in turn means it is a target for cyber-criminals and nation state actors. As one of the most popular Linux distributions out there, Red Hat Enterprise Linux (RHEL) is well regarded in security circles. Yet when iterations reach end-of-maintenance support, customers must act quickly to protect their servers.
This is where virtual patching capabilities could help to mitigate risk and extend the value of investments in RHEL.
Cloud computing is transforming organisations across the globe, making them more nimble, cost efficient and responsive to market demands. But security remains a perennial barrier. Unfortunately, outdated notions around how security should look in the cloud may be creating a false impression that migration is inherently more risky than keeping data on-premises. In fact, cloud-ready solutions exist to provide an environment as secure if not more so than traditional ones.
Organisations have been forced to adapt rapidly over the past few months as government lockdowns banished most workers to their homes. For many, the changes they’ve made may even become permanent as more distributed working becomes the norm. This has major implications for cybersecurity. Employees are often described as the weakest link in the corporate security chain, so do they become an even greater liability when working from home?
Unfortunately, a major new study from Trend Micro finds that, although many have become more cyber-aware during lockdown, bad habits persist. CISOs looking to ramp up user awareness training may get a better ROI if they try to personalise strategies according to specific user personas.
What we found

We polled 13,200 remote workers across 27 countries to compile the Head in the Clouds study. It reveals that 72% feel more conscious of their organisation’s cybersecurity policies since lockdown began, 85% claim they take IT instructions seriously, and 81% agree that cybersecurity is partly their responsibility. Nearly two-thirds (64%) even admit that using non-work apps on a corporate device is a risk.
Yet in spite of these lockdown learnings, many employees are more preoccupied with productivity. Over half (56%) admit using a non-work app on a corporate device, and 66% have uploaded corporate data to such an app; 39% of respondents “often” or “always” access corporate data from a personal device; and 29% feel they can get away with using a non-work app because they regard IT-backed solutions as “nonsense.”
Fearful employees may benefit from training and simulation tools as well as real-time feedback from security controls and mentoring.
Conscientious staff require very little training but can be used to good effect as exemplars of good behaviour and to team up with “buddies” from the other groups.
Ignorant users need gamification techniques and simulation exercises to keep them engaged in training, and may also require additional interventions to truly understand the consequences of risky behaviour.
Daredevil employees are perhaps the most challenging because their wrongdoing is the result not of ignorance but a perceived superiority to others. Organisations may need to use award schemes to promote compliance, and, in extreme circumstances, step up DLP and security controls to mitigate their risky behaviour.
By understanding that no two employees are the same, security leaders can tailor their approach in a more nuanced way. Splitting staff into four camps should ensure a more personalised approach than the one-size-fits-all training sessions most organisations run today. Employees will benefit from training and simulation platforms like Trend Micro’s Phish Insight, with its diverse library of training content designed to suit the varying cultures of organisations, skill levels and roles of employees.