Tom Martin Ball, Lead Auditor At Alcumus ISOQAR, Speaks Out About The Future Of Cybersecurity

By   ISBuzz Team
Writer , Information Security Buzz | Oct 19, 2020 02:51 am PST

The shift to home working means new distractions, systems and forms of communication. All of which can lead to mistakes, but the average attack takes 18 months to 3 years to be detected. 

So, how do you know if your business has suffered an attack as a result? Organisations need a cybersecurity strategy, and a strong foundation of knowledge will help to shape a coherent plan. The fallacy of a time-bound commitment must be demystified; however, as strategic thinking in the long or short term is less valuable than the depth of that thinking. 

Tom Martin Ball, lead auditor at Alcumus ISOQAR, shares his insights on the future of cybersecurity and how businesses can best protect themselves from emerging threats.

Businesses need to consider two sources of risk

There are three components of Information security; Confidentiality, Integrity and Availability (CIA). Confidentiality is commonly thought of, but the integrity and availability of information represent an equal threat.  Businesses need to consider two sources of risk; deliberate attack and accidental damage in the context of two big trends following COVID-19 – work from home and the cloud. 

Working from home has increased the technological footprint for cybercriminals to target and attack and the workforce is facing new distractions. New distractions can lead to mistakes and the home environment can lower our guard. Employees may download a file and work on the document from home or save files to a personal laptop rather than the company drive. Never mind accessing company files via personal or public Wi-Fi which is less secure. 

We must debunk our perception of the “the cloud” as a “mystical land”

Given face-to-face interactions with other members of staff have decreased, there’s less opportunity to remind the workforce of the right ways to work. The solution might be viewed as “the cloud”. But the problem is the cloud is often viewed as a “mystical land” that we don’t truly understand. As a result, organisations may rush into cloud solutions without thought to latency, security, cost and accessibility. Organisations must take an approach that prioritises more thinking, more procedures and less hast towards new solutions. 

You can’t put a price on reputation, but it will cost you

The majority of serious incidents, however, are rooted in a lack of monitoring. We must break down the perception that a technological solution is a magical solution. A machine may be exceptional, but it cannot do all the work. We need to keep an eye on systems, even if the frequency of checks can be reduced. If we don’t, the costs are often unmeasurable. 

Cyberattacks tend to impact corporate reputation more than finances. Most external “hackers” are foolish amateurs out for fun or status building as a glorified cybercriminal. This means they may not steal anything worth having, but you’ll still have to inform your clients of poor security. You can’t put a price on reputation, but it will cost you.

All technology, down to a single door lock, is open to attack

There is a danger that during this time of distinct and turbulent change, technology will be viewed under an overly simplified lens, ignoring that it represents more than IT, computers and software.  Businesses must be aware that all technology, down to a single door lock, is open to attack because thinking solely about the IT limits the potential range of solutions. 

When it comes to cyber threats, consider ‘defence in depth’; don’t just rely on one level of security or technology. A mix and match of IT and “old fashioned” physical technology is an effective way of having defence in depth. When thinking about solutions, firstly create a strategy based on your understanding of your organisation, what the real threats and vulnerabilities are and how significant the risks are. This will be far more beneficial than merely ‘throwing money’ at a solution.  

Don’t trust the “it takes a thief to catch a thief” adage

An initial first step that organisations can take is the Penetration Test (PEN test). During this test, a bona fide ‘ethical hacker’ attempts to infiltrate your system. There are a variety of PEN tests, including internal assessments, where ethical hacker(s) are given access to your network, and attempt to infiltrate your system without admission being granted. However, don’t trust the “it takes a thief to catch a thief” adage. Security “experts” who flaunt their “black hat” past are probably no better than anyone else. And might still be on the dark side at heart.

Less common PEN tests are those that involve ethical hackers physically attempting to gain access to your organisation by conning their way into getting information. But, beware, not all PEN testers are the same. Some are simply lists of open ports and unpatched software, where they don’t give background and context in terms of what these problems mean in practical terms. It’s often worth paying a little extra for these services to ensure you are given valuable information. 

Watch out for ‘inside jobs’

Cybersecurity is often portrayed as a fortress under attack from outside, creating a false impression of real risks. However, most risks are ‘inside jobs’. It stands to reason that employees within your organisation are a more significant risk. Hackers may be internal aggrieved or gossipy staff members who snoop around where they shouldn’t or download files before they leave – perhaps to get an advantage in their new job. 

These risks are not always a result of malicious actions; however, threats can often be the result of ignorance, inadequate training or poor organisation. Given COVID-19 has elicited unforeseen and rapid changes to the workforce, it’s even more vital that organisations do not overlook its people when assessing risk.  After all, a lack of training can be a more significant security risk than a cyber-attack itself.