Neil That’s a good point Sean. They are given both if that makes sense. The management will say ‘it’s an application what have you, you’re in charge of that, but then fundamentally you are in charge of devices, and you should be in charge of all the facets that go with it’. That’s where the danger starts.
Sean Yes, because what I’ve seen in quite a few organisations is IT guys being aware of a threat, but having no input to the business model. The separation between business roles and IT has been a big problem with ‘we want to enforce this, but we can’t because no-one has given us authority to do it’.
Aviv I absolutely second that. I’ve seen first hand and had multiple conversations with multiple security managers in Australia that they are absolutely sure that there is no shadow of a doubt that their data is being attacked, data is being leaked. But when I asked ‘why aren’t you doing anything about it?’, they didn’t have the authority. They had to prove it to an executive of sorts, and so it was a bit of a chicken and egg problem. How do you prove it without getting the authority, or budgets to implement the bare minimum to actually start probing? A lot of organisations have chosen not to know. ‘I’d rather not know than be responsible’. Going back to education and how we deal with it, in SMB or even large organisations, what I saw as not so effective was having education used as a one-time effort, where you do a massive education and then we go ‘okay we’re educated, we did our workshop’ – and you have to continuously interact with the users. You can actually train users to behave in a smarter way and behave in a secure way by interacting with them a little bit more about the different applications they use or different products they use, interact with them more, and let them know what they’re doing.
For example, we’ve all been trained by the phone companies so that if we pick up the phone and hear a single line, we know the phone is working, because I have a line; if I dial the number and I hear a few short beeps I know the number is busy and I have to call again. It wasn’t written anywhere, the phone companies have trained us all to understand it, and if I take that analogy and bring it to security, I think we can probably create products that interact with users a bit more and train them what to do. Don’t plug in this USB because you don’t know what it is, it’s an unapproved USB. Don’t send that document, because it contains sensitive information, or do you really want to do that? Rather than having just one workshop once a year and saying ‘we’ve covered that’.
Sean I agree entirely. The idea that you cannot be cruel and say ‘we have to block this’, but just alert people can change the behaviour massively. If you can pop up for web browsing, plug in USBs for copying certain types of data to certain places, generate a warning saying that ‘by the way did you know that what you’re trying to do, is this kind of problem?’ People will think ‘well no, no, actually I didn’t’. It’s not insider threats, it’s actually just accidents, but being able to do that continuously trains people.
Sanjay We also need to enhance what we’re educating users about. So if you look at the targeted attacks hitting organisations today, the vast majority are coming from the ‘spear phishermen’; that’s occurring because people are posting too much information on Facebook and LinkedIn. So it doesn’t matter how much we tell people ‘stop picking up USBs in the parking lot and putting them in’. That still happens, which is shocking, but it does. Start saying ‘stop telling people on Facebook that you’re really excited about your trip to New York in two weeks’ and stop telling people that you’re a fan of underwater basket weaving, because those are the things that are getting the emails saying ‘here’s your hot hotel room deal for New York’, and ‘here’s Flo who’s also in the underwater weaving class in your community; wouldn’t you like to connect with her’. That’s the other side of the coin, and that seems completely lost when you talk about user awareness today.
CRN To bring NSA back in again, Keith, I notice in your white paper you cited the organisation’s Debora Plunkett remarking that often security really needs to be approached from the point of view that you can’t really keep yourself totally safe. The really bad guys are going to get in, and you have to mitigate and reduce the damage.
Keith Yes, we have to operate under the assumption that your network is already compromised, and you cannot protect everything. So we now must identify what’s really critical to the business, and I appreciate that that is a daunting task for some businesses to know how to do it.