The list of cyber threats is growing, but in a technology-led world, it’s easy to get lost trying to solve the problem.
Authors: David Jones, Managing Director of Robert Half Asia Pacific and Roland Carandang, Managing Director in Protiviti UK’s Technology Consulting practice.
Lots has been written recently about the cyber-security risk of remote working: larger attack surfaces, more informal surroundings and the upturn in threats, have all been contributing factors. While some people believe our working environments are more vulnerable now, others point out that companies are getting better at preventing attacks. The truth is probably somewhere in the middle, but it’s clear the volume and inherent cyber-risk has gone up overall, making the management of cyber-security risks an inter-departmental business priority.
According to research from Interpol in August 2020, “a further increase in cybercrime is highly likely in the near future”, suggesting that vulnerabilities related to remote working would be exploited by cybercriminals. In turn, the Australian Cyber Security Centre recorded an average of one cybercrime report every ten minutes in 2020. Companies are responding quickly to this perceived threat. However, as demand grows, there is a shrinking supply of top tech talent equipped to manage the surging threat. A recent survey by Robert Half revealed that 36 per cent of Chief Technology Officers in Australia believed “IT security” would be the most difficult to find specialist skill amongst job candidates coming out of COVID-19.
But this fast-moving situation presents challenges for everyone. On one hand, security leaders are able to tackle these problems with an increasing list of technology at their disposal; but on the other, the threats they face are evolving and changing all the time. This means it’s becoming harder for them to understand how well their businesses are protected.
Plugging the gaps and firefighting will only get them so far.
Making cyber-security easier to understand
The key to helping everyone progress is to frame these challenges in a language that makes sense to business leaders not just technology professionals. The industry is very good at talking about cyber-security in terms of products and solutions. But assessing the risks through the eyes of people, or more specifically, ‘threat actor personas’, can help everyone to better understand the risks in more human-centric way.
Internally, it’s common for well-meaning users to bypass controls so they can do their job, for example: if someone wants to send a large document to a client, they will likely find a file transfer service to get the job done, but it might not be secure. In addition, opportunistic insiders are sometimes all too happy to undermine security but are not so criminal they would bypass established controls. In situations when those controls are missing, however, they’ll see a green light. An opportunistic insider wouldn’t take ten pounds from someone’s wallet, but they might keep the money if it were lying on the pavement.
External threat actors range from sophisticated, such as organised crime syndicates, to unsophisticated, which use well-understood but easily detectible methods. Most managers expect to be breached by sophisticated attacks because they are highly co-ordinated and harder to protect against. But lower-level phishing scams and malicious URLs can also create a lot of noise for companies if they are not dealt with quickly.
Our experience shows that businesspeople, the genuine risk owners, engage far better with these personas than technical frameworks, like the ‘kill chain’. Once these actors are understood, defining risk scenarios and acting on them becomes far simpler.
From understanding to action
At this point, a company’s risk assessment becomes a framework to help them move forward. By discovering and defining the problems, it’s possible to develop and deliver the right solutions. This might include the provision of new technology to help eliminate the noise from external threats. But it could also include new controls that help change the behaviour of people inside the business, too.
Once business leaders understand how threat actors operate, and how they impact real world problems like confidentiality, integrity, availability and privacy, it’s easier to think about security differently. When they explore these challenges across different teams it can be engaging and productive for everyone. It also means the case for change is being made with the whole business in mind.
As companies navigate the changing landscape of cyber-security, it’s important for them to frame their challenges in a language that business leaders can understand. Threat actor personas and scenarios break down the perception of security as a specialist subject and create buy-in across teams. Business leaders can bring in people to help them do this, and work with security professionals to help transfer knowledge and upskill others. This creates an opportunity for shared understanding and greater awareness in the future.
In a world where cyber-security threats are moving fast, and professionals are in high demand, this human-centric approach helps more people to understand the risks that companies face – and ultimately allows them to move forward together.
 Robert Half, Survey of 100 CIOs in Australia, November 2020