The world is 'clearly' not prepared for cyberwarfare

One-third of IT and security professionals globally say they are either indifferent or unconcerned about the impact of cyberwarfare on their organizations as a whole, according to a survey of more than 6,000 across 14 countries. Security firm Armis commissioned the study, published today, in an effort to gauge cyberwarfare …

  1. Anonymous Coward

    That one-third who are indifferent are probably the ones who've been banging their heads against the beancounters for years for spend on security, and have now given up.

    1. Mike 137 Silver badge

      "The world is 'clearly' not prepared for cyberwarfare"

      Spend is by far not the whole answer though. Most cyber attacks succeed mainly as a result of management deficiencies -- process failure rather than technology failure is commonly the primary trigger. One of the biggest contributors to this is the general incapacity to assess risks reliably. As a result the organisation's priorities don't accord with the threat landscape so they concentrate on fixing the wrong problems.

      1. ThatOne Silver badge

        Re: "The world is 'clearly' not prepared for cyberwarfare"

        That's true. Spend as much as you want, it won't prevent Joe from accounts opening that interesting-sounding attachment on that unsolicited email he just received...

        (Of course you can ban all attachments, or have an air-gapped machine print emails out, but users tend to not accept things which make their lives even more miserable: They will quickly find means to bypass your barriers, potentially opening even bigger security holes in your perimeter security.)

        1. RegGuy1 Silver badge

          Re: "The world is 'clearly' not prepared for cyberwarfare"

          Agreed. People need to be aware AND accept that security is about making things deliberately more difficult -- putting extra steps in to check, 2FA for instance. When you can just save all your passwords in your browser and click on a website and have the browser simply fill the fields in for you, that's convenient, but it's not secure.

          It can be more awkward and secure, or it can be easy. It can't be both.

        2. DualPolarity

          Re: "The world is 'clearly' not prepared for cyberwarfare"

          The fact that we equate "airgapped" with "miserable" is part of this problem.

          Why does an accountant need internet access? The calculations are done locally.

          1. ThatOne Silver badge
            Devil

            Re: "The world is 'clearly' not prepared for cyberwarfare"

            > Why does an accountant need internet access?

            How will (s)he spend his day if he can't check Facebook and watch cat videos?...

            (Nah, seriously, they will tell you they need to fill in forms online for "stuff".)

          2. Severus

            Re: "The world is 'clearly' not prepared for cyberwarfare"

            Why does an accountant need internet access? Because under the corporate "whatever the question the answer's cloud" policy Joe can't do his job without it!

      2. Anonymous Coward

        Re: "The world is 'clearly' not prepared for cyberwarfare"

        I'm a relatively safe, snivelling miserable coward, because I delete every email that includes a link like "update your expired password" or includes an Urgent_Purchase_Order.pdf.exe "document". It's pretty much like wearing a mask in the office all the time which kept me happy during the COVID "warfare" years too - and now I'm happy to be a coward these days.

        ... "I have a total irreverence for anything connected with internet except that which makes the emails safer, the Windows updates stronger, the phone apps cheaper and the old men and old women receiving less malware in the winter and happier in the summer." (Brendan Behan would probably have said that these days).

    2. DualPolarity

      The answer is not to spend. Spending is what got us here. Spending on "automated" systems that need to be maintained more often than they're used.

      The very existence of our profession, the "IT Professional", is a symptom of the root of the problem. The root of the problem is the general public does not understand how computers work, yet they rely on them for literally everything.

      How do you stop malicious packages from being mailed to your employees? You have a receiving department. Shielding the workers from the outside world.

      Yet when the internet came along everyone said "oh sure everyone in the company gets their own company email".

      Not everyone needs a company computer, or company email, or internet access.

  2. elsergiovolador Silver badge

    Spend is by far not the whole answer though.

    You still need people to even do spot checks in the office. For instance - has someone left the desk without locking their computer? Are there any access passes lying around? Any documents not secured?

    Also to do things like leaving "infected" pendrives or memory cards, so when the worker decides to plug it in, it sends an email to security so you know which employee did this if it was inserted into a company computer etc.

    Sending phishing emails to see which employees follow procedures.

    You also need people trying to breach the perimeter and see if any staff is challenging them for not having a pass etc. (and you need good actors for that)

    Some of these tasks need to be done daily. If you stop, the staff gets relaxed after a while and falls into a false sense of security.

    1. ThatOne Silver badge
      Devil

      > so you know which employee did this if it was inserted into a company computer

      You'd only know who found it, unless of course you empty a whole wheelbarrow of "lost" pendrives in the parking lot... Chances are 99% of those who pick one up will "just have a look", and if they suspect it could be virus-infected they'd rather try it on a company computer first...

      .

      > Sending phishing emails

      Here again what might work for Jim might not work for Joe. You'd have to find some bait interesting/convincing enough to interest all employees, in which case I'm afraid a majority will fall for it. Often phishing emails just don't work because the target can't be bothered to react to them, inertia being a huge part of corporate security ("not my job, let someone else deal with that")...

      1. Gene Cash Silver badge

        Well, if they find it and stick it in a company PC "for a look" they still need a beating. They're still willfully exposing the company to serious risk.

        And if the "majority fall for it" then maybe the majority needs their email attachments privileges suspended for a month.

        Edit: is it really too much to ask for people to have just a little bit of healthy suspicion? There's not much difference from getting a virus from purchase_order.exe than someone doing a $50,000 action on an email that's not actually from the CEO. Maybe they should double check first?

        1. ThatOne Silver badge

          > is it really too much to ask for people to have just a little bit of healthy suspicion?

          I fully agree. My post was pure sarcasm, as (unsuccessfully, apparently) indicated by the icon used...

    2. DualPolarity

      Sounds like internet connected computers are a lot of work.

      Does everyone in the company need an internet connection?

  3. Grunchy Silver badge

    My backup server is offline

    I only turn it on to do a backup, then I turn it off again. I dunno how the cyber-warfare ransomware expert is gonna attack it remotely when it’s off!

    (I guess you could burn the house down to destroy it? You’d have to figure out where my street address is, and you STILL don’t know if I’ve got any worthwhile data at all [nope.] Or offsite servers [nope. MAYBE!])

  4. Black Label1
    Black Helicopters

    F-35s

    The moment one with a few electronics / radio gears and exploits is able to remotely activate the missiles of an F-35 - or crash it, will be really beautiful in cyber warfare.

  5. Anonymous Coward

    "The world is 'clearly' not prepared for cyberwarfare"

    I like to think of the global reliance on IT to maintain our civilization (food, water, power, sanitation, health etc....) as if the world is a small blue glass marble balanced on a knife edge. It seemed a clever trick at the time, nobody is quite sure how we did it, but now we realize that one tiny little slip and we drop the marble which shatters into a million tiny pieces and we're all back in the stone age.......
