How can cybersecurity leaders reduce the risk of ransomware? What makes security awareness training effective? And is there really a cybersecurity skills shortage?
These were just some of the topics discussed at Tech Monitor’s latest Tech Leaders Club event, a forum for senior technology decision-makers to share in the insight and experience of their peers. The discussion, which focused on cybersecurity and took place under the Chatham House Rule, is summarised here.
Our next two Tech Leaders Club dinners are now open for registration to qualifying executives. Taking place in London, they will focus on cloud (15 September) and digital innovation (17 November).
Cybersecurity lessons from the pandemic
For many of the security leaders in attendance, the shift to online collaboration tools did not itself introduce new risks, as they had been in place before the pandemic.
But, in some cases, the fact that employees were working at home did have cybersecurity implications. For example, more than one attendee noted that junior staff in shared accommodation presented a new security headache, as they might be discussing sensitive information within earshot of their housemates.
Delegates also discussed the uptick in online fraud that accompanied the pandemic, perhaps because lockdowns closed off other opportunities for criminals. One attendee, from a financial institution, shared how its website had been entirely cloned to trick victims into sharing their bank account details. “They didn’t do a bad job,” he recalled.
Delegates discussed the barrage of ransomware that has plagued businesses and public sector organisations in the last two years. A security risk manager from a large financial institution shared how one of its suppliers, an SME, had been presented with a ransom demand. The institution lent its technical expertise to help the SME neutralise the threat, thereby avoiding disruption to its own operations.
Effective back-ups, delegates agreed, are essential for mitigating the risk of ransomware. Other strategies discussed include ‘devaluing data’, through encryption, so that it is less tempting to criminals, and getting to know ransomware negotiators so they can be contacted when the need arises.
Another is defining the minimum set of IT systems that an organisation would need to get back up and running if entirely disrupted by a ransomware attack, and maintaining that set in ‘air-gapped’ infrastructure.
One delegate was clear in his mind what has caused the ongoing ransomware spree: Bitcoin. The cryptocurrency has given criminals an easy way to receive ransoms without being traced by law enforcement, he argued. “Stop Bitcoin, and you stop ransomware.”
Cybersecurity: the human aspect
The human dimensions of cybersecurity loomed large in the conversation.
The recent uptick in online fraud has required organisations to make sure their cybersecurity awareness training is up to date and effective. For a security executive from a manufacturing company, employee engagement with cybersecurity training improved when the company started to discuss it as a dimension of safety – a crucially important topic in the industry.
“You have to learn the dialect of cybersecurity” within each organisation, he advised.
It has been reported that burn-out is on the rise among cybersecurity professionals, perhaps due to their heightened awareness of ongoing risks. Delegates agreed that this is a danger, but that staff burn-out is a reflection of bad management. “No one person should feel the weight of cybersecurity risk on their shoulders,” said one.
The quality of management in the cybersecurity profession was laid bare in the pandemic, said another attendee. Remote working made clear who had the leadership skills to engage their teams from a distance, he said, and who did not.
Not all cybersecurity professionals should be required to enter management, however, and delegates praised employers that offer non-management career paths for technically proficient staff.
Poor management can also be seen in the so-called skills shortage that afflicts many employers seeking to fill cybersecurity roles, argued the CISO of an international company. There are plenty of candidates with the ability to learn and thrive in cybersecurity roles, she said; one just needs to be able to recognise them.
“I’ve never seen a skills shortage,” she concluded. “I’ve just seen people who don’t know how to hire.”