There’s a moment in the first season of Sam Esmail’s Mr Robot in which the main character, Elliot Alderson, answers a question about vulnerabilities at a data storage facility with a smirk by pointing to humans and stating that he sees six vulnerabilities walking around.
This is very much the theme of Mr Robot, despite the best security measures, people are the weakest part of cybersecurity.
So how does one protect your business with roaming vulnerabilities?
Cybersecurity is a complex beast that requires a committed team to police the hallways and borders of your business but this can be costly and as a result we see firms who don’t believe that security is core to their business falling prey to nefarious individuals online.
This week we sat down to speak to security lead at Accenture, Wandile Mcanyana about how best to secure your business with a focus on the human element.
But before we get to training and awareness it is vital to understand your business’ attack surface.
Here Mcanyana advises that security be built from the inside out.
“The simple thing to do is conduct an assessment to determine what your defenses are against adversaries. Understanding your assets and understanding what the value of those assets will help you assess whether your defenses stack up against the adversaries out there,” says Mcanyana.
Traditionally, the security lead tells us, security is built with a view of keeping adversaries out and to prevent folks from getting in but Accenture takes the view of building security from the inside out.
“Many of the issues we see at the moment are because people inside the company are manipulated by an external party. So an assessment to understand how strong your defenses are can help a lot,” adds Mcanyana.
People are as important as software
One of the stumbling blocks we keep seeing as regards cybersecurity is a lack of training of employees.
Nobody within an organisation is immune to phishing attacks and as much as it may pain folks to admit, cybercriminals are crafty.
Take Twitter for instance. Twitter is a business which revolves around being online and one would think that cybersecurity was at the core of its business. While that might be the case on paper, it didn’t stop a social engineering attack in July which saw 130 accounts compromised.
In that instance, a Twitter employee gave an adversary access to Twitter’s backend tools because of a simple phishing scam.
But there is more to preparing your employees than just conducting training exercises.
“Take the view that a breach has already happened, and don’t assume it hasn’t happened. Given that it can take 280 days to detect a breach you must be proactive. We call this a threat hunt,” the security lead tells us.
A threat hunt means hypothesising about attackers’ behaviour, adopting their mindset, and considering what parts of a business might be appealing to them. In addition, you should consider what the easiest way to breach the company would be.
As regards securing your firm beyond the people, here you should be looking at two things namely protection and access to protected assets.
Employing multiple techniques such as encryption, digital rights management and data scrambling can all be used to secure data in transit.
“Remember that whilst it is critical to focus on securing and encrypting data, and keeping it in the safest of systems, you will simply move the point of failure, if you do not apply the same controls to people who have access to the data,” explains Mcanyana.
Here multi-factor authentication (MFA) and micro segmentation can help to mitigate some of the risk of a breach. Where MFA acts as a watchdog of sorts to prevent unauthorised logins, micro segmentation can help to decrease the attack surface should a breach occur.
“Micro-segmentation can show each person what they need to see based on their roles and responsibilities, while obscuring the rest. This also limits damage in the event of a breach, and if any user’s credentials are compromised, only a portion of the data is exposed. To exfiltrate whole objects or larger swaths of data, the adversary’s job becomes much more difficult,” the security lead tells us.
One of the questions we get asked often is what specific threats to be on the lookout for and unfortunately it’s not all that easy to answer this question simply.
We can point to general threats such as phishing or ransomware but these don’t give you the information that your company needs to secure itself. This is where machine learning, artificial intelligence and information sharing comes into play.
“Without information sharing we don’t know what is happening out there. One of your peers can point to a threat and that in turn helps you shore up your own security. At Accenture we take the view that this is an expanded ecosystem,” says Mcanyana.
Attackers don’t operate in a vacuum and neither should businesses. As Mcanyana explains, if your business makes life difficult for an adversary, they will simply move on to the next target and this is where information sharing becomes valuable.
It also helps to identify potential weaknesses in your security plans such as potential threats within a supply chain.
The short of this all is that cybersecurity takes work and requires investment over the long term.
The startup costs can be high but the cost of being taken offline or being made to pay fines following a data breach, not to mention the reputational damage could be far worse.[Image – CC 0 Pixabay]