Intelligent CIO Europe Issue 56 - Page 39

TALKING

‘‘ business

rResearch seems to suggest human error is the biggest cause of security breaches – can you tell us more about that ?

The Verizon Data Breach Report suggested that 83 % of security breaches had a human cause . The World Economic Forum produced a report earlier in the year which said that 95 % of security breaches had a human cause .
It used to be that the data centre or the head office was at the core of your network and if you wanted to get access to the sensitive data , you ’ d come into the office and badger a way in . Now , everyone works from everywhere , using resources that aren ’ t just their own , like Microsoft , Google and Dropbox , and their data is all over the place . Now , the central core of an organisation is the user who has access to whatever they need , wherever and whenever they want , making the user even more tempting to the criminals . By stealing a user ’ s credentials , suddenly they have access to everything . That ’ s the reason the attackers focus on the human aspect of security , because staff are the central access point and they are capable of making errors .
What level of sophistication is being observed when it comes to social engineering attacks today ?
Attackers are not just sending the classic ‘ inheritance ’ email to us anymore , they are using behavioural science techniques to trigger emotional responses from users . We ’ ve seen some examples of attackers using an email stating that ‘ your partner is seeking divorce and they ’ ve been too embarrassed to speak to you about it . Please click on this link to see the reasons for the divorce ’. You can imagine this would be an incredibly emotional trigger and it would be hard to resist clicking through to see the information . We have also seen attacks on military and governmental organisations using the topical subject of Ukrainian refugees . Attackers will revise and change their content depending on what ’ s current .
How high on the agenda is employee education and awareness for today ’ s CISOs and why ?
Our recent Voice of the CISO Survey went out to 1,400 CISOs globally and asked what they perceive in terms of risks and what their priorities are in terms of controls .
The top significant risk they wanted to prioritise was insider threats , including negligent users , malicious users and compromised users . In terms of control
measures , information protection , security awareness , education and behaviour change are on their list of priorities for the next two years . These results show that CISOs recognise the gravity of the challenge at hand .
However , only 60 % of CISOs think that employees understand their role in protecting the whole organisation . This is likely because awareness is still generally delivered by relatively junior staff within these enterprises and not given sufficient priority or resource . Although human error accounts for the majority of risks , only about 2 % of the budget is given to awareness training . This highlights that although security awareness remains high on CISOs ’ agenda , they still haven ’ t fully committed the right resources to deliver on that topic yet .
What are some of the existing challenges CISOs and their teams experience when it comes to planning and executing an effective security awareness training programme ?
Firstly , a lot of CISOs have grown up through a technical career path , so they ’ re much more comfortable dealing with technology , firewalls and intrusion detection systems , and getting dragged in front of the board or trying to educate people is a bit alien to them . However , it ’ s something they ’ re embracing more and more . The first challenge is their perception of security awareness as a topic , and how it works . Many think ‘ it ’ s called security awareness ; I ’ ll make people aware of security and then they ’ ll do things differently ’ but that ’ s not how it works . You can ’ t simply stack awareness higher and higher , expecting a sudden behavioural change as that ’ s relying on a
Andrew Rose , Resident CISO , EMEA at Proofpoint
www . intelligentcio . com INTELLIGENTCIO EUROPE 39