With Infosec, of course, comes data. NS Tech has trawled through a few of the studies to pull out six trends for businesses to watch over the coming year.
Skills, skills, skills
For me, just so you know, the top thing is skills. There’s an increasing demand for the right people and not enough training for the roles.
That means companies have to rely on specialist vendors and it can sometimes be unclear exactly who’s helping whom.
You need people in-house who understand what services you need and who to buy them from, if you need to buy them.
Jamie Bartlett, author of The Dark Net, told NS Tech that companies should probably look to the digital underworld for their next big hire. “For experts in encryption and privacy, you won’t find a better place than the Dark Net culture to learn from.”
You also need proper buy-in from the C-level (it’s their heads that are starting to roll, after all), and everyone else in your business has to understand that they are the biggest weakness.
As social engineering expert Dr Jessica Barker said on stage: “It’s a mixture of human nature and social norms that makes social engineering scams work. That’s the way we are naturally human being used against us and the way we uphold society being used against us.”
She uses the example of the person struggling with the ‘heavy box’, who you instinctively let into your building.
The ISACA nonprofit found that a quarter of people think cyber security is ‘for geeks’ and a third think it doesn’t pay well.
Personally, I think the ‘man with hoodie and microchip face’ on the cover of the event guide speaks for himself.
Cyber experts are increasingly needed to appear in the media. Attacks are even getting their own brand logos, so someone has to explain what all of this really means for normal people.
Although it is not a huge figure, 3 per cent of workers in a poll of more than 3,000 people across France, Germany and the UK admit to storing company data in the cloud just for whistleblowing.
That, according to cyber security firm Blue Coat, equates to almost 1 million people across the UK alone, presenting an embarrassing or even damaging problem for businesses if they aren’t behaving. Just another reason to stop those dodgy dealings!
A further 7 per cent admitted to nicking off with important stuff just before they head to a new job.
Blue Coat also highlights that, while cloud applications are now used by more than half of the workforce, the GDPR legislation might put a stop to people sharing sales records and customer databases in this way.
Almost one in five CIOs, 19 per cent, admitted that they avoid telling customers when they’ve been hacked even though they have a breach notification policy in place.
The survey of 100 CIOs by security software provider Trend Micro found a further 19 per cent have no breach notification policy in place at all.
This problem was found to be even worse in an on-site Infosec survey conducted by hybrid cloud specialists F5. They spoke to 274 people face-to-face and 36 per cent admitted their company has no cyber attack response plan.
Among those asked, network attacks were the top security concern, followed by malware.
That said, perhaps ill-advisedly, data confidence is growing among UK organisations, with 74 per cent of CIOs telling Trend Micro they feel well-protected against a breach.
Following high-profile breaches like that of TalkTalk, 43 per cent said they have introduced new processes, with staff training top of the list, followed by hashed passwords.
Human skills needed
But that training is still not getting to the right people, as more than half of 2,000 office workers surveyed by ISACA said they’ve as yet received no help.
It comes as no surprise then that 19 per cent have fallen prey to a phishing email and 14 per cent said they use easy-to-guess passwords, because they’re easy to remember, duh.
A full 76 per cent had never heard of ransomware, one of Infosec’s hottest topics, and 62 per cent could not define a data breach.
Despite this, there’s yet more confidence, probably misplaced, with 79 per cent saying they are confident in their ability to protect their own sensitive data.