The dust is still settling on another Infosecurity Europe — the trade show billed as the region’s number one event for all things cybersecurity. It has long been an important place for the neutral observer: a bellwether of what’s keeping CISOs awake at night and what the security industry is doing about it. So what have we learned from another jam-packed three days at London’s Olympia conference centre?
The central theme of the show for me was complexity: everything from rapidly advancing IT systems, to regulatory frameworks, and the various types of malware and threat actors doing their best to disrupt organisations. This complexity is only going to increase as the world becomes more connected, expanding the corporate attack surface as it goes.
Here are my top three takeaways from observations on the exhibition floor and the keynote arenas:
Awareness programmes are key
The weakest link in the security chain is your employees — we’ve known that for a while. After all, around a third of breaches are caused by phishing attacks, according to Verizon. But what to do about it is another matter. Awareness training programmes are crucial, and should include phishing awareness simulations — although not exclusively so, experts claimed.
HSBC’s Europe and UK CISO, Paula Kershaw, explained some of the practical steps required to build effective programmes:
- Set a target – be realistic about your aims
- Know your audience – who will you be targeting?
- Aims and objectives – what do you want to achieve and how will you measure success?
- Deliverables – what needs to be developed to support the program?
- Engagement – how will you keep staff engaged throughout the programme?
- Communication – keep content relevant, aligned and relatable
- Competitions – have fun with these to engage teams and individuals
- Rewards – these will help keep staff motivated
- Measurement – consider how this will be achieved
- Consider getting a senior sponsor on board
Most important, Kershaw argued, is having a clear message. “It’s about engagement and getting people excited about security,” she added. “The easiest way to do this is to make it personal and make it matter to them.”
AI is still everywhere
Artificial intelligence (AI) and machine learning are still being placed front-and-centre of many vendors’ marketing efforts. Among the long tail of VC-backed smaller vendors who have become increasingly visible at these events of late, they’re even pitched as a silver bullet solution. This is somewhat worrying: although there are certainly highly effective uses for the tech, putting out a message as distorting as this will only undermine the reputation of the security industry as a whole.
In fact, some experts at the show questioned whether AI should be used at all in some contexts. Titania CSO Nicole Whiting argued that bias inherent in training data can create challenges, as can the use of probabilistic rather than deterministic data in such systems. It must be said, however, that AI tools from trusted vendors can add a useful extra layer of defence to existing security strategies — for example in spotting phishing techniques or attack patterns that human eyes might miss. But only as part of a defence-in-depth approach, not as a replacement.
Security needs automation
What AI starts to do well is automating the process of accurately detecting and blocking serious security threats. This will become increasingly important over the next decade or so, as the black hats develop their own tools and techniques to improve the ROI of attacks. Best-selling author Jamie Bartlett described the impact of tools like AutoSploit — which scans for publicly exposed IP addresses, finds any linked software, scans it and cross-references it with an exploit list. He claimed that, in a few years’ time, every single vulnerability out there will be found and exploited.
That makes automation in security increasingly important, to free up your most expensive and important resource: IT security staff. Although the industry is suffering from severe skills shortages, the role of the information security professional has never been more important, argued Bartlett. If people stop trusting technology, society could face an uncertain and dangerous future, one that emerging issues such as targeted political advertising are only just beginning to shine a light on.
Yet with a huge and growing to-do list, what should security leaders prioritise? According to National Cyber Security Centre (NCSC) boss, Ciaran Martin, getting the simple things right is still the most important thing organisations can do. Stronger access controls, anti-malware, automated patch management, continuous network monitoring, user education, and secure configuration are all on the NCSC’s 10 Steps to Cyber Security list.
Getting the basics right won’t necessarily insulate you from a determined attacker. But it will filter out most of the malicious commodity attacks that ping around the web on a daily basis, and make the organisation more resilient overall. If everyone did the same, then we’d finally be challenging the black hats to up their game. In too many cases at present it’s just too easy for them.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.