Cybersecurity Awareness is Paramount in Times of COVID-19
Since the outbreak of the Covid-19 crisis, cybercriminals have been constantly looking for ways to exploit the pandemic. In this time of uncertainty, there has been a surge in cyber attacks, phishing scams and malicious activity, making cybersecurity awareness more important than ever. In a recent interaction with CXOToday, Steve Ledzian, Vice President & Chief Technology Officer, APAC, FireEye, shares his insights on how organizations can make their employees aware of cybersecurity, especially as COVID-19 has made cyberspace more vulnerable.
CXOToday: Are organizations in India doing enough to make their employees aware of cybersecurity, especially as COVID-19 has made cyberspace more vulnerable?
Steve Ledzian: Employees need to be aware of how to keep themselves and their computers safe, and security awareness trainings are great for that. But it’s the Board of Directors who have the ultimate responsibility to keep the company safe. The Board has much greater resources and greater power to drive change in order to address the cyber security problem, far beyond what individuals can do. But how is the Board kept aware of how effective those security investments are proving to be? Every Board will ask, “How secure are we?” Often CIOs and CISOs struggle to offer a measured, quantifiable answer. In that case, organizations need a way to measure their own specific security effectiveness.
CXOToday: Is it only the larger companies in regulated industries, or do you see a general awareness in the SMEs too?
Steve Ledzian: The need for cyber security awareness certainly spans to SMEs as well. SMEs often deliver products and services to those large companies in regulated industries. In today’s world suppliers, vendors, and partners are all connected through technology. Threat actors targeting those large companies will often go through smaller connected SMEs in the form of third party or supply chain attacks to get to their ultimate targets. Because SME investment in security may be less than what an Enterprise invests, attackers may see them as low hanging fruit. Unfortunately, when enterprises learn that they were breached through a supplier, which can have serious consequences for the relationship between those two entities, the damage has already been done.
CXOToday: Please throw some light on your recently released Security Effectiveness Report. What are the top 3-4 takeaways from the report for CISOs?
Steve Ledzian: Organizations spend a lot of time, effort, and money on implementing security controls to protect themselves from cyber attacks. Often the amount of effort and investment is so great that they are left with a sense of pride in the multilayered defense they have constructed over the years. Yet in the back of their mind there’s this nagging voice raising doubt. “Other organizations surely must be putting in the same levels of investment, and yet breaches are getting more frequent and more impactful all the time. Are we really secure?” The Mandiant Security Effectiveness report answers this question. What the report shows is that assuming you’re safe because you’ve worked very hard and spent a lot of money on defense in depth is most likely leaving you with a false sense of security. To be certain, you have to move beyond assumptions; you have to measure and test. When we test across multiple organizations we see that 53% of attacks successfully infiltrated environments without detection and only 33% of attacks were prevented by security tools. The good news is that the reasons behind this poor performance are correctable once you know these problems exist. The report shares the measurements of security control efficacy testing and provides guidance on how to better optimize those controls and get more value from them.
CXOToday: What are some of the initiatives you have taken to make organizations cyber-aware in the time of crisis?
Steve Ledzian: FireEye has put together a centralized location of a large collection of resources for organizations that need help Managing through Change and Crisis. Blogs, news, webinars, and briefings related to the crisis are all available here. Examples include ‘Security Tips for Remote Access during Corona Virus’ and ‘With COVID-19 Themed Campaigns on the Rise, Here’s How to Manage Email Phishing Risks’. FireEye is also working with healthcare organizations globally and providing Cyber Threat Intelligence to help inform decision making at a time when they cannot afford to have availability impacted. Lastly, we continue to track and expose how both cyber espionage actors and cyber criminals are exploiting the crisis for their own gains.
CXOToday: What needs to be done now to create more cybersecurity professionals in the cyber space?
Steve Ledzian: We’re going to need to think out of the box to tackle this challenge. Governments can put together initiatives to try to increase the number of cybersecurity professionals, but the shortage of talent is very large and we need to combine those efforts with other approaches as well. An obvious angle is better leveraging automation technologies. Less obvious is pivoting to an intelligence led cyber security approach, where you’re making smarter and more informed decisions about where to invest resources, budget, and talent. An Intelligence led approach can deliver a better outcome than flatly trying to cover the entire space of possible cyber risks with the same prioritization whether those risks are applicable to you specifically or not. Lastly I think we will see more creative and flexible outsourcing models that provide expertise on demand, when and how you need it.