Sharing information about cyber threats, attacks and attack mitigations is crucial to staying ahead of attackers, according to a panel of information security professionals.
“Setting up a forum for information security professionals in the media industry has been one of the most successful security strategies in my experience,” said Brian Brackenborough, CISO at Channel 4.
“We all have the same risks and threats, and being able to discuss cyber incidents in the industry has been very useful to get the inside story,” he told the London SC Congress 2014.
Security intelligence within a sector or community is a good way of sourcing actionable intelligence, said Daniel Schatz, director of information security and vulnerability management at Thomson Reuters.
“It helps find out about tactics of attackers and put actions around that, such as proactive notification of staff about industry-specific threats,” he said.
“This raises awareness around relevant issues; it tells employees what to look out for, effectively reducing the attack surface.”
Brackenborough said the UK media security forum has “blossomed” and has become international. He challenged all information security professionals to do the same in their industry.
“It is also worth joining the security forum run by the UK Centre for the Protection of National Infrastructure (CPNI).
“The forum provides the opportunity for information security professionals to share useful information in a secure environment, anonymously, if necessary,” he said.
Recognising insider threats is another important strategy for staying ahead of the curve, according to the panel.
“The insider threat is one of the biggest security problems because technical experts are trusted and tend to be overlooked, having no real supervision,” said Frank Florentine, director of consultancy LilyCo.
“I know of a company where a technical employee was able to siphon out more than $1m because there was no way of tracking the person who was responsible for tracking everyone else,” he said.
The panel also highlighted the importance of focusing only on the threats that are relevant in terms of the risk to a particular business and industry, rather than responding to every threat highlighted by the media.
“If you try to defend against everything, you end up defending nothing,” said Schatz. “A better approach is to identify what data is of value to the business and focus on defending that.”
Conducting a proper risk analysis to identify what data would be of value to attackers, and how they are likely to try to access it, breaks the threat down into something more manageable, he said.
“Businesses need to balance the security they strive towards with what they can actually deliver and ensure they use scarce resources to respond only to what is relevant,” said Schatz.
Finally, the panel said that engaging employees about security issues that affect them at home is an effective way of raising awareness of, and responsibility for, security in the work environment.
Brackenborough said Channel 4 runs a programme for teaching employees about things like free anti-virus and encryption.
“If they are thinking about these things at home, they will start to think about them at work, and we have seen an increase in the number of questions about how to do things more securely as a result,” he said.