News broke today that the U.S. National Counterintelligence and Security Center (NCSC) has started distributing informative materials, ranging from brochures to videos, to privately held companies around the country to raise awareness of the growing cybersecurity threat from nation-state actors.
Sam Curry, Chief Security Officer at Cybereason:
“Today there are two types of businesses, those that have been hacked and those that will be. We live in a world where businesses today have a much harder task of keeping adversaries at bay because of the increasing network attack surface that security teams have to monitor. I welcome the NCSC’s new campaign to educate businesses and it is indeed good news. But the real weak link for any business is its employees, who regularly fall victim to phishing scams, open attachments from unknown parties and visit suspicious websites. And until we change human behavior the hackers will continue to have the upper hand. As an industry we have come a long way, and making cybercrime unprofitable for hackers is achievable if businesses use the right tools and deploy the right strategy.
In the short term, businesses should start fostering a healthy sense of paranoia amongst staff. Look, if the CEO sends an email and it’s sitting in the inbox, people are going to open it. That’s fine and to some extent can’t be avoided without something that makes it look inherently bad or filters it to a special folder. But let’s assume that the bad guys can get past any defence and the employee will open it. The trick now is for the employee to think… 1) would the CEO write to me and not my boss on this? 2) does the CEO do things like this normally? If the answer is yes to both, this is where process saves us. And that process should be out-of-band and depending on thresholds seek the right approval. The same rules to protect against embezzling and money laundering and separation of duty will also protect against this.”
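The out-of-band, threshold-based approval process with separation of duty that the commentary above describes can be expressed as a simple policy check. The following is an added illustrative example, not code from Cybereason, the NCSC, or the original post; the approval tiers, the role names and the set of channels treated as out-of-band are assumptions chosen for the example.

```python
"""Added example: a minimal approval-policy check for an emailed payment
request. It encodes three controls from the commentary: an out-of-band
confirmation, a separation-of-duty rule (the requester may not approve
their own request), and approval thresholds that scale with the amount.
Tiers, roles and channels are assumptions, not any organisation's policy."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed tiers: (upper bound of amount, distinct approvers required beyond
# the requester). Anything above the last bound needs MAX_APPROVERS_NEEDED.
APPROVAL_TIERS = [(1_000, 0), (10_000, 1), (100_000, 2)]
MAX_APPROVERS_NEEDED = 3

# Channels that count as out-of-band relative to the email that carried the
# request. Replying to the same email thread is deliberately not one of them,
# because an attacker who spoofed or hijacked the thread controls that reply.
OUT_OF_BAND_CHANNELS = {"phone", "in_person", "ticketing_system"}


@dataclass
class PaymentRequest:
    requester: str                      # who asked, e.g. the "CEO" in the email
    amount: float
    approvers: List[str] = field(default_factory=list)  # who signed off
    verified_via: Optional[str] = None  # channel used to confirm the request


def approvers_required(amount: float) -> int:
    """Map an amount to the number of distinct approvers the policy demands."""
    for bound, needed in APPROVAL_TIERS:
        if amount <= bound:
            return needed
    return MAX_APPROVERS_NEEDED


def evaluate(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed control is reported, not just
    the first, so the reviewer sees the full picture of what was missing."""
    reasons: List[str] = []
    needed = approvers_required(req.amount)
    if needed > 0:
        # Out-of-band confirmation: call the requester back or confirm through
        # a system the sender of the email does not control.
        if req.verified_via not in OUT_OF_BAND_CHANNELS:
            reasons.append("no out-of-band confirmation")
        # Separation of duty: the person asking cannot also be the approver.
        if req.requester in req.approvers:
            reasons.append("requester is also an approver")
        distinct = {a for a in req.approvers if a != req.requester}
        if len(distinct) < needed:
            reasons.append(f"{len(distinct)} distinct approver(s), {needed} required")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a "CEO" email asking for an urgent 50,000 transfer,
    # confirmed only by replying to the email and signed off by the CEO alone.
    suspicious = PaymentRequest("ceo", 50_000, ["ceo", "cfo"], "email")
    print(evaluate(suspicious))
    # Same amount, confirmed by phone and approved by two other people.
    legitimate = PaymentRequest("ceo", 50_000, ["cfo", "controller"], "phone")
    print(evaluate(legitimate))
```

The point of reporting every failed control rather than stopping at the first is that a request which trips all three at once (confirmed only by email, approved by its own requester, short on approvers) is exactly the pattern of a business email compromise attempt and deserves to be flagged as such.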
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.