Security Think Tank: Understanding attack paths is a question of training

Modern organisations are investing more and more in tools to increase agility, support teams and capitalise on increased flexibility that tech affords them. However, not enough of them are investing in the security and education that is required if they are to get the most from these technologies without risking their organisational information assets or those of their supply chain partners – up and downstream.

It has always been a disappointment to me that, whenever I have talked about the risk posed by technology to business, the assumption has been made I am therefore by definition opposed to technology – nothing could be further from the truth. I do believe, however, that there is no way to abdicate the organisation’s responsibility when it comes to security assurance or data protection matters to technology.

Experience has taught me that when organisations head for technology to solve a range of issues, as well they should, they do not funnel anywhere near enough resource into protecting themselves from unintended consequences, or from the poorly informed users of this technology, in many cases not even training the users on the basic usage of it, let alone the safe and secure usage of it.

Now that we have built more and more tech to enable us to connect more easily and simply, the threats I am talking about have rapidly adapted and taken advantage of it. There is too often a reactive response that is then required, with organisations reverse engineering risk mitigation in once the risks became apparent, and often after data breaches have occurred.

If we look at the latest available data from the Information Commissioner’s Office (ICO), we can see that almost three-quarters of breaches in the third quarter of 2021 were caused by non-cyber incidents, such as sending an email to the wrong person. Of the remining 25%, the top five causes include phishing (no surprises), ransomware (again not a shock) and misconfiguration of software or hardware. This speaks to hasty roll-outs, blanket policies and changes in work environments and tools. In short, a lack of robust risk management.

We know that third-party breach has been grabbing headlines for the past few years. Not only does this show no signs of changing but, as we continue to work in remote and hybrid styles, the results of poor technology implementation and poor security risk management potentially place more organisations at risk from each other. And we know only too well how fast links between supply chain partners get exploited these days.

In other words, there is far more at stake than one’s own organisation now when it comes to poor security. Some 51% of organisations have been breached due to a third party in the past 12 months and 75% of that was due to those third parties having too much privileged access.

Organisations need to be much more joined up and their risk management needs to be far better informed. Too few risk assessments start with a detailed, well-informed threat assessment, which means that risk treatment is often flawed.

Assuming that an effective and well-informed risk assessment has been carried out for each business area where a new platform or technology is being considered, then the way each team or area needs to use this tool should be identified, defined by the business and once agreed and facilitated by security.

“Too few risk assessments start with a detailed, well-informed threat assessment, which means that risk treatment is often flawed”

Ensuring the users’ experience and capability is balanced against the need for security and then tied to the security level means there will be no need for users to work around overly tight security measures that prevent them from using it as they need to for their role. It will be appropriate and proportionate to their role and not a blanket security level for all. 

Ensuring that IT security teams are consulted as part of any procurement and subsequent roll-out is vital. They should also be a part of the education and training that should occur as part of user orientation.

People – their behaviours, attitudes and beliefs – are fundamental to getting good security right. As such, technology education is only a part of the solution, and organisations should be mobilising their real experts to aid with wider education, awareness and training – communications, marketing and PR people tend to have a much better understanding of what motivates people and what is likely to be successful in behavioural change, so use them.

Where appropriate and achievable, are networks with differing security needs or varying levels of sensitivity segregated? If the worst should happen and a bad actor finds their way into your network, are they able to move easily and quickly through it? Making sure that areas are segregated means this will be more difficult and you can layer your security more appropriately in the sensitive areas and around those who have privileged access to assets.

Nothing makes an organisation better prepared than good intelligence. As most of our breaches come from within, or at least are facilitated from within, then why is so much of our horizon scanning and intelligence gathering focused on without?

Good quality, no blame, near-miss reporting is invaluable as an intelligence tool. It will enable you to identify early warnings and indicators of subtle changes of behaviours, deviations from policy, or lax security practices slipping back in, and enable education to be targeted to nip it in the bud.

At the end of the day, you can call it information security, information assurance or cyber security. Whatever floats your boat. But whatever you call it, never, ever forget about the people, people.