News

Spotting cyber weaknesses in organisations

Cybersecurity
Chris Hurst, general manager for the UK and Ireland at Kaspersky, talks to Comms Business about how organisations should approach cybersecurity.

Comms Business Magazine (CBM): What steps should organisations take to protect their data, networks and systems?

Chris Hurst (CH): “The first thing that that all organisations need to do is review their current practices and solutions. It seems obvious, but it needs to be done as it gives them a chance to identify any issues. Security is not a tick box exercise. It’s not okay to just go through what is in place; you also need to check everything has been configured correctly and is up to date.

“It makes sense for many companies to have an independent external assessment of their environments. That helps to spot weaknesses that may not have been identified internally. This can help companies prioritise the things that need to be improved – though it doesn’t necessarily mean money needs to be spent. That’s an assumption people can have, but often it’s just taking simple steps, like making sure password policies are in place, understood and enforced.”

CBM: What are the common weak links in organisations’ cyber defence?

CH: “The common weak link is the well-intentioned member of staff. 80 per cent of even the most sophisticated threats (known as Advanced Persistent Threats) generally involve some form of social engineering. Most people want to do the right thing, but criminals are very canny, and they do a great job at socially engineering situations. That’s why well-intentioned staff are the biggest risk, because they let hackers into a business’ network unintentionally – and once criminals are in, they can wreak havoc.

“Organisations need to educate and enable their staff but also, when there are known vulnerabilities, they need to get patches in place quickly to reduce security risks.”

CBM: How should an organisation approach security training?

CH: “There’s clearly an opportunity in every company to train and upskill their staff to better understand their role and their responsibility. That really needs to start from the top – you need to find ways to engage senior management as well as the rest of the organisation. Gamification can be a more enjoyable way to help employees understand the risks. Then you can start putting measures in place to help your staff become more cyber-aware. Ideally, that would start at the onboarding stage as, once individuals join an organisation and develop bad habits, it becomes quite difficult to change them.

“You also need to create an environment of trust: the organisation needs to trust employees, and vice versa. Part of that is, if an employee makes a genuine mistake, you don’t come down on them like a tonne of bricks. The consequences need to be proportionate. For example, companies can simulate phishing attacks, and you can begin to see what percentage of your staff may be vulnerable. The first time they fail the simulation, you send them a note with an explanation as to why. The second time, you can send them an educational video to watch to help them understand how their actions are creating security risks.

“The third time, you have a conversation with them to explain directly. It’s about encouragement rather than a stick, because these criminals are smart people. You need to find a way to encourage staff to understand the risks, understand their role, and have mutual trust so that they’re confident to do the right thing. And if they do something wrong, they need to not be scared so they don’t keep quiet about it – they need to tell someone so something can be done.”

CBM: Is the talent pool for cyber defenders large enough? What can be done to widen it?

CH: “The reality is no, the pool isn’t big enough. It must be difficult for youngsters who are currently in school because technology is moving quickly. Sometimes it’s difficult to spot the kind of roles that will be available in the future. It’s almost a responsibility on us, as cybersecurity leaders, to evangelise what’s happening in the industry.

“We’ve got the Kaspersky Academy, where we’re educating students and trying to teach them about cybersecurity, and we identify the roles that exist which students can aim to fill once graduated. It’s about outlining a career path for them.

“There are other initiatives that Kaspersky is involved in too: an internal Women’s Network to support female career progression, and ‘Kasper, Sky and the Green Bear’. The Green Bear initiative is aimed at six to nine-year-olds and helps educate them to stay safe when online. But in reality, it’s also familiarising them with the internet, security, the risks around security, and hopefully making them more comfortable online, and of course curious about the cybersecurity industry too.

“There aren’t enough women in our industry, and role models are therefore very important. There’s a responsibility on all of us to spread the word, achieve greater visibility for the industry and its opportunities, and help people become more comfortable with cybersecurity.”