Combating network breaches is now a consuming task for businesses.
Naturally, focus is initially applied to the very latest protection solutions available. As risk levels have increased and networks have grown more complex, security providers have had to transform their tools and services with technology. The cybersecurity marketplace has never been more competitive than it is today.
There is no doubt that automation and other technological advancements have transformed security provision, but with cyber attacks still regularly hitting the headlines, it’s also clear that this almighty game of cat-and-mouse will run and run. Does industry have the answers?
Among the sector’s thought leaders, it’s recognised that technology can only assist the mission to a certain level. Stringent internal processes are also critical to the fight, while there’s a third area where the most gains can potentially be made: employee engagement.
Human mistakes remain the principle cause of violations, with some studies claiming that as many as 95% of breaches include an element of error from the user. Richard Turner, Senior Vice President, EMEA for CyberArk, is of the view that education around network security will help greatly reduce the likelihood of an organisation being damaged by an attack.
“Without educated people, I think it’s very hard to maintain a vigilant security posture,” he explains to Digital Bulletin.
The average user is not as savvy as you might like them to be. You have to set a baseline that is probably lower than you’d really like
“We are reliant on individuals being knowledgeable enough to exhibit good behaviour; to identify and make the business aware of stuff that looks anomalous and to be cautious about what they click on. Even in the 21st century, there’s still a very high click-rate on suspicious or malicious links in email communication, for example.”
Turner, who has been in the trade for more than 20 years, is well versed on the lines of communication between businesses and their employees around cybersecurity and he insists that leadership teams must place a lot more emphasis on improving even basic knowledge of the subject.
Recent research from CyberArk, involving UK office workers, revealed that only 46% of the study’s participants read and took action on all security updates from their IT department.
“The best security organisations that I’ve seen, and those with the most progressive security strategies, have the security organisation as part of the business and communicating really well,” says Turner. “It tends to share information about risks and vulnerabilities, it uses the incidents that make the news to keep employees vigilant and help them understand that if one company is vulnerable, then their company is vulnerable too.
“I think it starts by recognising, or assuming, that the average user is not as savvy as you might like them to be. You have to set a baseline that is probably lower than you’d really like. A lot of complacency comes in when people just assume that their teams are security-savvy, that they do understand the threats.
“Another big part of it is engaging representatives of the user community in developing the strategy and the project plan, trying to make sure that users understand why these extra steps are now necessary, what it does to the business and why they need to comply.”
Human error from a security perspective comes in a number of forms, whether it means an individual being tricked by a phishing email, responding to a suspicious message through social media or failing to adopt strong passwords – and rotating them frequently enough – on internal systems.
Companies also need to be diligent around the deprovisioning of former employees from their networks. ‘Ghost employees’ are notoriously high-risk, with one in five workers retaining access to their tools or applications following their departure.
Turner continues: “Other areas are where people were given access temporarily; they remain an employee of the company, for example, and they were given access to a resource – a piece of infrastructure or data – in order to conduct a particular task, but then after their need to gain access was removed, it wasn’t necessarily revoked in a full nor timely manner.
“Research leads awareness, so the kind of research that we publish hopefully tries to raise a flag or put a spotlight on an issue. It is a best practice that is unfortunately not well enough adopted.
“The next area is really how the technology itself helps organisations manage, issue, age and revoke privilege across the information system in a much more manageable way than the disparate systems themselves allow.”
CyberArk narrows down on this specific field of security technology; privileged access management. The US-based firm boasts a formidable portfolio of clients that includes 22 of the 25 biggest IT services companies worldwide, 21 of the 25 largest banks and 20 of the top 25 manufacturing businesses.
Instead of concentrating its efforts on stopping breaches at the surface, CyberArk’s remit is to prevent the irreversible network takeovers that have dominated cybersecurity coverage in the mainstream media. By focusing on network policy, hygiene and technology, it aims to ‘minimise the ability of bad guys to move around organisations’ once inside. Its products and solutions stretch across cloud, endpoints and on-prem environments.
Turner says this approach is rare in the industry – between 70 and 90% of security spend is on halting access at the top level – but insists it is crucial to preventing hackers getting to the information they crave. He outlines three areas that ensure the successful adoption of CyberArk’s technology within security teams.
“Firstly, I think there’s very little point in having a system that’s designed to manage privilege that’s not significantly integrated into the broad set of tools and applications that people might use in order to do their daily jobs,” says Turner.
“The next area is using artificial intelligence to try to identify behaviour that looks anomalous, even though it may be appropriate, and raise a red flag to the appropriate parts of the organisation. Then the third area is really the breadth of the solution, from basically vaulting passwords – moving passwords away from the vulnerable infrastructures that contain them – right the way through to the technologies that then allow you to leverage capabilities across the network.”
Turner previously served as president of EMEA at FireEye. Prior, as chief executive at Clearswift Systems, one of the largest security software firms in the UK, Turner drove consecutive years of subscription revenue growth and improved operating margins; led the sale of the company to Lyceum Capital; and earned leadership recognition from SC Magazine. Additionally, he’s held board-level roles at technology and investment businesses, and also spent more than 11 years at RSA, the Security Division of EMC, where he held several senior management positions including vice president EMEA, vice president EMEA and Asia Pacific, and vice president worldwide channels.
This level of integration can place pressure on an organisation’s IT function. As technology has evolved at a rapid pace over recent years, enterprise has had to confront the challenge of filling skilled roles in fields such as cloud, data and networking. The security profession is facing the same issues.
Digitalisation is a strategic priority for a majority of forward-thinking companies, but are their own teams keeping up with the pace of change? Turner is adamant that the role of the traditional IT worker is being flipped on its head, with security high on their checklists along with an approach that actively pinpoints areas of risk.
“The reality is that, in the 21st century IT organisation, all IT people really need to step up a little bit in order to be more relevant to the journeys that businesses are on and they’re adoption of technology,” he states.
“They should be working across the organisation to help them deliver the outcomes they’re looking for, while reducing risk. It’s not about perfect security; it’s about setting a risk profile for your business based on its appetite to risk, the type of industry its in and the sorts of threats it faces.
“Let’s face it; we’ve seen across security applications, we’ve seen across endpoints, we’ve seen across network infrastructure – there will always be vulnerability. That’s interesting, but what we need to think about is what is exploitable, what is realistic and how could that impact us, and where should we invest our time and money as a result. That’s a very different posture to the historical security posture.”
What else does the future holds for those working in security? Turner thinks he can distil the emerging trends into two domains.
“Two areas of security are going to become the cornerstone of successful IT security strategies going forward,” he concludes.
“There’s the big area of identity: who has access, how do you manage that access, what is that access, how do you deal with changes to that access? And then it’s the data itself. Where is that data, who should have access and what data is the most valuable? You need to protect the things that are the most valuable and the most impactful for you.”