CISO Priorities Q3-Q4
Over the past 90 days 2-SEC has met with many leading CIOs and CISOs to discuss where they see developing trends in cyber security.
Whilst many said they had seen huge improvements across the industry over the last year, there were five trends that over 90% saw as both developing as well as significantly alarming:
A lack of board understanding. Whilst many boards now collectivley appreciate how significant the potential risks are from cyber security, many members still don’t understand the complex nature of cyber security. The reasons for this are varied, however there are several common reasons that 2-SEC has found. Although board members often have less experience in assessing risks of a technical nature, we found that it is usually the weight of other agenda board items that leave cyber security squeezed-out. Where individual CISOs haven’t as much experience engaging the board directly, it can be difficult to educate the board on what they need to know. This is especially important where a board is perhaps too engaged by the technical details, and the education drive is to only discuss the strategic factors around security and not individual defences. Lastly, we have seen a rise in the so-called ‘smoke detector paradox’. This arises where boards of companies in less-regulated industries do not perceive there to be a significant threat posed and may say that if they haven’t had a breach, nor has a competitor, why manage it further?
Upcoming changes to legislation and regulation. Although there has been increasing regulation around cyber security, it has been largely ignored by any company not squarely within the sights of regulators. Many companies have escaped direct pressure because they are either in a non, low or semi regulated sector, or they aren’t processing such vast sums of data to be on the legislative radar.2-SEC believe that is likely to change in 2017 as HM Government turns towards lightly-regulated industries such as media, SMEs of less than 1,000 employees and smaller companies inside larger sectors, such as challenger banks, hedge funds and building societies. Existing frameworks such as CBEST and Cyber Essentials will be broadened to include smaller firms or firms within the supply chain of much larger firms. These are firms that often may not have the same resources as larger firms, and for which this development will be worrisome.
The ‘gold-rush’ taking place for vendors. If you have ever thought about upgrading your IDS or buying a new threat monitoring system you will know there are now thousands of companies offering similar products. However, it can be incredibly to differentiate between firms that all carry doomsday warnings in the event you don’t purchase. Not only is this castrophe-communication style inevitably passed on to your board (exacerbating the first trend in this list) it also makes it much harder to find a company that fixes the ‘magic three’; cost-saving, time-saving and effective protection. In our last competitor analysis 2-SEC found very few vendors will to become trusted advisors to their clients.
Socially engineered SPEAR-PHISHING. Despite companies investing more than ever in technical security protection, cyber attacks are on the rise. One reason for this is that traditional phishing techniques are no longer as effective. Between more sophisticated email filtering software, and an increase in user-awareness against crude ‘click on this link’ emails, most standard phishing emails aren’t successful. However, the worrying trend is now for cyber criminals to research their targets via open source, break into the email server and finally to contact know exactly when and who to approach, with what line of suggested action, such as contacting the CFO’s PA at 5pm on a Friday, explaining how a payment needs to be made in relation to a named internal project. In a recent test 2-SEC found only 30% of users will now click on a standard phishing email, whilst over 80% will action a low-level request for information as the result of a socially engineered spear-phish contact.
Cloud outsourcing. As more and more companies outsource their data to the cloud, one emerging trend is a lack of knowledge on where data is held, and by whom, and to what extent that final custodian is secure. 2-SEC has heard from several large companies who are forced to admit they don’t fully know where their data is held. Whilst most cyber attacks seen in the press are as a result of a smash and grab inside the company’s network, it’s a concerning factor to many CIOs that if your cloud provider is breached, it may lead to several frightening effects, such as a delay in them being notified compared to internal systems, confusion over who is liable and of course the inability to pass on that liability when it comes to effects on brand reputation with customers and the press.
For a FREE copy of the 2-SEC Cyber Security Trends Radar Q3/Q4, upon which this article is based, and which includes further detailed analysis of all upcoming threats and trends, please contact us on 08445 022 066.