Avoiding the Whac-a-Mole security response

This year’s Infosecurity Europe was awash with all and sundry from the security sector. Away from the bright lights of the conference floor, the speaker programme covered some fascinating areas. From embracing security by design, to the skills shortage, to future-proofing a business; there was a lot to get your head around. But one session from Mimecast that particularly caught my attention – and also dominated conversations I had with exhibitors at the show – was ‘Cyber Resilience in the Face of Human Error’.

Ultimately, technology can only get you so far. Whether it’s lack of time, skills, resources or simply errors being made … the major hurdle for the information security industry is people. Featuring commentators from Mimecast and Domino’s Pizza, the panel explored the idea of managing increasingly sophisticated security attacks in light of the insider threat posed by human error.

The panel discussion revealed that the challenge for companies isn’t necessarily how to approach new threats, but rather the methods of delivery of these attacks, which are extending beyond the traditional to areas such as cloud computing – particularly when multiple servers are set up beyond the CISO’s knowledge. To the untrained eye, that form to complete in your inbox sent seemingly by someone in the finance department is actually a cleverly designed phishing attack. Cyber-attacks are becoming a lot more intuitive, targeting specific employees, and are much more sophisticated in how they look. As a result, employees are under a lot more pressure to recognise a potential security threat. Knowledge is therefore power.

On the other hand, the CISO is worried about how to eliminate or mitigate security threats entirely, rather than taking a ‘whac-a-mole’ panic fixing approach. CISOs need to work out what the threat is, who it’s targeting, where the anomalies are and, most importantly, what the longer-term approach is, particularly from an employee education perspective. Are the same people being targeted? If so, why? How can we re-educate the workforce on the changing threat landscape? Does training need to be more personalised?

My experience at InfoSec Europe showed me that it’s all very well and good making the investment in the latest and greatest in security technology. But if you aren’t constantly evaluating and nurturing your security investment and taking a good hard look at your staff education, it won’t do the right job for you.

We work with lots of security companies to get their voices heard above the noise of the industry. Find out more about our cybersecurity PR expertise here and do get in touch for a chat.