Lots has been written recently about the cyber-security risk of remote working: larger attack surfaces, more informal surroundings and the upturn in threats, have all been contributing factors. While some people believe our working environments are more vulnerable now, others point out that companies are getting better at preventing attacks. The truth is probably somewhere in the middle, but it’s clear the inherent cyber-risk has gone up.
According to research from Interpol in August 2020, “a further increase in cybercrime is highly likely in the near future”. The influential policing body also suggested that vulnerabilities related to remote working would be exploited by cybercriminals. Companies are responding quickly to this perceived threat. A recent survey by Robert Half revealed that 44 per cent of Chief Technology Officers believed “maintaining IT security” and “safeguarding company information” would be a priority during the first half of 2021.
But this fast-moving situation presents challenges for everyone. On one hand, security leaders are able to tackle these problems with an increasing list of technology at their disposal; but on the other, the threats they face are evolving and changing all the time. This means it’s becoming harder for them to understand how well their businesses are protected.
Plugging the gaps and firefighting will only get them so far.
Making cyber-security easier to understand
The key to helping everyone progress is to frame these challenges in a language that makes sense to business leaders not just technology professionals. The industry is very good at talking about cyber-security in terms of products and solutions. But assessing the risks through the eyes of people, or more specifically, ‘threat actor personas’, can help everyone to better understand the risks in more human-centric way.
Internally, it’s common for well-meaning users to bypass controls so they can do their job, for example: if someone wants to send a large document to a client, they will likely find a file transfer service to get the job done, but it might not be secure. In addition, opportunistic insiders are sometimes all too happy to undermine security but are not so criminal they would bypass established controls. In situations when those controls are missing, however, they’ll see a green light. An opportunistic insider wouldn’t take ten pounds from someone’s wallet, but they might keep the money if it were lying on the pavement.
External threat actors range from sophisticated, such as organised crime syndicates, to unsophisticated, which use well-understood but easily detectible methods. Most managers expect to be breached by sophisticated attacks because they are highly co-ordinated and harder to protect against. But lower-level phishing scams and malicious URLs can also create a lot of noise for companies if they are not dealt with quickly.
Our experience shows that businesspeople, the genuine risk owners, engage far better with these personas than technical frameworks, like the ‘kill chain’. Once these actors are understood, defining risk scenarios and acting on them becomes far simpler.
From understanding to action
At this point, a company’s risk assessment becomes a framework to help them move forward. By discovering and defining the problems, it’s possible to develop and deliver the right solutions. This might include the provision of new technology to help eliminate the noise from external threats. But it could also include new controls that help change the behaviour of people inside the business, too.
Once business leaders understand how threat actors operate, and how they impact real world problems like confidentiality, integrity, availability and privacy, it’s easier to think about security differently. When they explore these challenges across different teams it can be engaging and productive for everyone. It also means the case for change is being made with the whole business in mind.
As companies navigate the changing landscape of cyber-security, it’s important for them to frame their challenges in a language that business leaders can understand. Threat actor personas and scenarios break down the perception of security as a specialist subject and create buy-in across teams. Business leaders can bring in people to help them do this, and work with security professionals to help transfer knowledge and upskill others. This creates an opportunity for shared understanding and greater awareness in the future.
In a world where cyber-security threats are moving fast, and professionals are in high demand, this human-centric approach helps more people to understand the risks that companies face – and ultimately allows them to move forward together.
Robert Half and Protiviti continue to help many clients with sourcing high-quality IT talent. We have access to a strong network of interim and permanent technology professionals. They are ready to help your organisation meet its rapidly changing IT and cyber-security needs. Contact us today.