by Bharat Mistry
We all know the job of the under-pressure IT boss is getting harder by the day. And as recent revelations from WikiLeaks have shown us, it’s not being made any easier by those institutions nominally designed to keep us safe. With the likes of the CIA allegedly actively developing exploits, the threat landscape is certainly broader and more complex than it has ever been, and that makes mitigating information security risk all the more challenging. That’s why Trend Micro runs events like yesterday’s TECHDAY. They offer a great opportunity for IT practitioners to learn from some of the leading figures in the industry, as well as network with their peers.
Interestingly, one of the key take-aways for Trend Micro after the event was the number of attendees who ranked user education as their top challenge for the year ahead.
A learning experience
Now in its second year, TECHDAY has proven a firm favourite with our UK Premium Support customers. These are some of the largest organisations in the country, running many of the systems that power our critical national infrastructure. That’s why we made sure the line-up of speakers had some serious big hitters on board.
Microsoft’s National Security Officer, Stuart Aston, told attendees how security could be turned into an enabler of digital transformation if handled right. Channel 4 News Producer Geoff White described the new reality of reputational damage as it now impacts breached firms. He then joined our own European Cyber Security Architect, Simon Edwards, to discuss some mitigation strategies for ransomware. There was also plenty of advice from other Trend Micro experts on our XGen layered security approach and what firms should be doing ahead of the EU’s GDPR and NIS Directive.
These events provide Trend Micro with a great opportunity to find out what really keeps CISOs and CIO customers awake at night. A straw poll at the show had some surprising results. Although there were certainly some attendees grappling with perennials like ransomware and cloud security, the top two biggest challenges were given as: attributing responsibility internally in the event of a breach; and user education.
The former is not an area on which much has been written, but it remains an important one. It all comes down to your incident response plan. Such plans are designed to ensure an organisation bounces back as quickly as possible from an attack with the minimum impact. A big part of this is ensuring everyone is aware of the role they play: not only IT and security teams but legal, HR, PR and others may need to be involved at the planning stage. Crucially, a named individual or department will also need to take the lead in the event of an attack, and someone will probably need to appear in front of the press. The key is to plan early, so that when the attack inevitably hits, you’re ready.
User education is a more widely reported topic, but no less important to get right. Every organisation is different of course, but with the right strategy you can turn your company’s weakest link into your first line of defence.
Think about quick wins such as:
- Teach staff to be suspicious at all times, especially of unsolicited email. They should never open an attachment or click on a link before verifying the sender
- Educate employees about the repercussions of their actions online. Just one wrong click could lead to major financial losses and brand damage if a serious breach or ransomware outage ensues
- Teach staff never to divulge any personal or corporate details over email or phone
- Tell them about social engineering: how it works and how to spot it, online and over the phone
- Don’t forget temp staff, and ensure all employees get a refresher course every year
- Combine education with the right tools (layered security, 2FA, etc.), an incident response plan, and the right culture – one which encourages scepticism and reaching out if something looks suspicious