Cyber security is one of the biggest challenges facing technology professionals today, and it is driving technology recruitment in many businesses.
With the upcoming implementation of the GDPR regulations, together with recent high-profile security breaches, businesses and consumers are looking to technology professionals and specialists to better understand cyber security, how it can affect them and how they can combat it.
Robert Walters hosted an exclusive panel discussion on the topic, bringing together industry leaders and cyber security specialists, to discuss this important and rapidly changing area of technology.
Current state of affairs?
We’ve been hearing about the importance of cyber security for the last five to ten years. It is a common buzzword and everyone knows they should be interested in it, but to fully understand cyber security we need to consider the current state of play. What are the biggest threats?
At the panel seminar, Haroon Malik, Principal Consultant at NCC Group, gave an overview of the current cyber security industry.
- Cyber security is gaining board-level visibility but we still have a long way to go
- Larger firms are still top targets but smaller firms are hit hardest
- A large proportion of security spend goes on technical solutions even though 60% of breaches can be attributed to a lack of cyber awareness
- Cyber initiatives are not strategy driven
- Most organisations do not have a formal cyber security training programme
- Cyber security spend is set to increase over the next 12 months
You can download the full presentation here.
The human factor is important
Although cyber security is gaining more attention at a macro level, one of the biggest threats is human error, which comes into play on a micro level.
“Over half of cyber security breaches can be contributed to human error or human behaviour, yet a large portion of budgets are spent on technical solutions,” Haroon continues.
Many companies have anti-virus software in place as their prime defence against cyber threats, but fail to consider the human element in stopping a cyber attack. Cyber hackers are changing their programmes so quickly that many of these technical solutions fall behind the curve, and are null and void by the time they are installed.
By shifting focus from fixing potential problems, to promoting cultural change where employees understand the risks of cyber attacks and the key ways they
Haroon advises, “Focus on instilling the right knowledge and behaviours - training shouldn’t be a tick-box exercise.”
Monitoring employee activity
With the realisation that many security breaches can be stopped if employees understand cyber security risks better, companies may wonder how much of an employee’s activity should then be monitored?
The key is striking a balance between monitoring for problems and avoiding so many rules and regulations that you make your employees’ jobs harder.
Alban Tramard, Head of Information Security at The Hut Group stated, “If you force too many rules and restrictions, and strict monitoring, on employees they will find a way around the rules.”
Andy Hague, an independent cyber security expert and consultant, expands on this, “Like with access rights, you need to find a balance of usability in how you set up access rights, if you make it too hard for [professionals] to do their jobs they will leave or ignore the rules.”
Understand your security priorities
One way you can ensure you are not wasting resources monitoring employees’ activity is to fully understand what your security concerns are and spend the bulk of your cyber security budget there.
Evaluate your organisation and ask important questions including:
- What are you worried about and what are your main priorities for security?
- What data do you need to protect?
- Who has access to this data?
By understanding your fundamental security concerns you can target what and who you need to better monitor. You can’t monitor everything, so you need to better understand what you are looking for to better use your budget and assets.
Alban added, “[Along with better understanding your key security concerns] you do need to watch employees who are a flight risk. If you know an employee is unhappy or looking to move, you should monitor their activity to stop them from leaving with data.”
By fully understanding the current cyber security outlook, focusing on minimising human error, promoting an organisational culture that understands cyber security, and directing your budget towards your security priorities, you can greatly reduce your security risk as a company.
Ensuring security within Cloud services
Two issues commonly crop up in conversations around cloud security: multi-tenancy and data sovereignty. Both are underpinned by a concern about making sure that the cloud providers are delivering the secure services that they claim.
Lee Newcombe, Senior Manager at KPMG, said, “The major cloud providers are aware of the importance of keeping data within defined geographical regions and Microsoft and Amazon both have UK-based data centres that organisations can use if they do not want their data transferring overseas. Google will launch their UK data centre later this year. Of course, if you’re really risk-averse and don’t trust US-owned cloud providers due to concerns about US extra-territorial judicial reach then there are plenty of UK-owned and UK-based cloud service providers you could choose from instead.”
To address that underlying concern, making sure you’re getting what you think you’re getting from cloud suppliers, Lee recommended asking to see the assurance documentation that cloud providers make available.
“The likes of Microsoft and Amazon offer access to ISO27001 and SOC2 auditor reports alongside Cloud Security Alliance STAR (Security, Trust and Assurance Registry) entries that can provide independent assurance that the providers operate as claimed. Of course, it is necessary to make sure that the scope of those assurance reports includes the services that you intend to use,” he continued.
The Robert Walters' Cyber Security Breakfast Seminar brought together technology professionals from multiple disciplines to discuss key sector issues. The event featured a panel including Alban Tramard - Head of Information Security at The Hut Group, Andy Hague - Independent Cyber Security Consultant, Haroon Malik - Principal Consultant at NCC Group, Lee Newcombe - Senior Manager of Cyber Security at KPMG and Rhiannon Jones - Associate Director at Deloitte LLP.