The Sunday Times special report on Cybersecurity-2 - Flipbook - Page 5
RACONTEUR.NET
GEN Z IS THE GENERATION LEAST LIKELY TO PRIORITISE CYBERSECURITY
Internet users’ level of agreement that staying secure online is a priority, by generation

Generation          Agree   Neither agree nor disagree   Disagree
Gen Z               64%     27%                          9%
Millennials         74%     18%                          7%
Gen X               79%     17%                          4%
Baby boomers        85%     10%                          5%
Silent generation   87%     11%                          2%

Source: National Cybersecurity Alliance, CybSafe, 2022

CONFIDENCE CORRELATES WITH YOUR ODDS OF HAVING SUFFERED AN ATTACK
Cybersecurity professionals’ confidence about defending their organisation in future, by whether or not they have suffered an attack in the past two years

                     Attacked   Not attacked   Don’t know
Very confident       76%        22%            2%
Somewhat confident   61%        33%            6%
Not confident        33%        59%            8%

TECH FRAGMENTATION SEEN AS ONE BARRIER TO IMPROVING RESILIENCE; CONSOLIDATION A POSSIBLE SOLUTION
% of cybersecurity professionals who agree that the complexity of the market is holding back progress: Yes 61%, No 39%
% of cybersecurity professionals who plan to consolidate or have already consolidated their security systems: 80% have consolidated or are planning to consolidate, 20% have no plans to consolidate

Source: Adarma research, cited in the commercial feature below
Uncle Sam’s change of stance on cybersecurity

In March, Joe Biden’s government published a national cybersecurity strategy stating in no uncertain terms that self-regulation had failed. The document argued that “continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience”. It added that businesses would need to take a more proactive approach in this area, which could include hiring ethical hackers to test their defences.

But does this change of onus risk further undermining people’s sense of individual responsibility, especially when many feel that they lack agency as it is?

The BSI’s Mark Brown doesn’t think so. In fact, he says, this measure has been “a long time coming. While the US is seen as a forerunner in the advancement of technological progress, the legislative leaders have probably been the EU and the UK. If we go back to 2007-08, when the General Data Protection Regulation became an idea, it was for exactly the same reasons. There had been several massive data breaches across the continent. Market forces and voluntary conditions were seen not to be working. The fines in place for breaches of data privacy and cybersecurity meant little to nearly all organisations, so it was recognised that something had to be done.”

The US national cybersecurity strategy actually “emphasises the need for those best suited to mitigate security risks to do so”, says Zeki Turedi, field CTO, Europe, at cybersecurity specialist CrowdStrike.
He observes that the mandate for agencies to use modern cybersecurity technologies and best practices such as zero-trust architecture, threat hunting and log management is a step that other countries could adopt in tandem. This would help to set a new standard for what reasonable security looks like.

But governments and big tech are at odds here, which could present unintended ramifications for the rest of us. The UK’s online safety bill aimed to blunt the powers of big tech, or at least force the sector to take more responsibility, notes Konstantinos Mersinas at Royal Holloway.

“But where this story goes is that the bill is going to undermine the individual’s privacy at the end of the day,” he says. “The government seems to be fine with that, although it’s not stated like this in public.”

Ultimately, people will still need to play a key role in keeping themselves safe online. After all, while organisations would rightly be fined for leaking credit card data, it’s also up to the individual not to do something as foolish as publishing such information themselves.

“I don’t think security can be forced. It doesn’t work like that,” says Mersinas, who adds that organisations will need to start considering a range of measures. “I think you have to take several strategic approaches to enhance your overall security culture. For most organisations, that will include a positive framing, so that people realise the risks and individually embrace actions that expand to their colleagues, their department and then the wider company. But it’s not an easy answer.”

drnadig via iStock

At the same time, zoomers may have developed a sense of complacency that they are less likely than older people to become cybercrime victims simply because they’ve grown up with digital tech.

“On top of such overconfidence, there’s been a lack of understanding about the consequences,” says Watling’s colleague, Dr Konstantinos Mersinas, director of Royal Holloway’s distance-learning programme in information security. “They might say: ‘OK, maybe my phone is hacked, but I’ll survive.’ Such an attitude is related to risk-seeking behaviour. If you have an individual who doesn’t care much about their own data, what attention are they going to pay to their organisation’s data?”

Yet apathy is not the predominant attitude that Lisa Plaggemier, executive director of the National Cybersecurity Alliance, has detected in her conversations with zoomers. Rather, it’s a prevailing sense of nihilism tied to their perceived lack of agency. Contrary to what many people might think, gen Z is mistrustful of the tech sector, according to research by marketing agency FleishmanHillard in 2020, yet many feel powerless against the might of big tech. Having grown up with the internet and learnt of many high-profile data breaches, they feel that “the horse is out of the barn and there’s not a lot they can do”, Plaggemier says.

That’s not actually true, she adds, but cybersecurity has such an image problem that the effective safeguards that zoomers could apply are often ignored.

If this situation persists, the cyber literacy gap could become a chasm, prompting criminals to subject their always-online young quarry to a constant bombardment.

A big problem here is the perception that effective cyber hygiene is an onerous chore. This misapprehension needs to be tackled socially, starting at school, according to Mark Brown, MD for digital trust at the British Standards Institution (BSI).

“We often talk about cybersecurity from a deep technical perspective, but what we haven’t discussed is its societal impact in a non-technical way,” he says. “When we use solely technical terms, that puts people off. Our messaging has to change: we must cover the reality of personal outcomes and use real-life examples.”
Carmi suggests that one way to prepare young people better could be for schools to focus more on teaching critical thinking skills. She notes that, while data literacy is mentioned in the continuing saga that is the UK’s online safety bill, regulators are understandably reluctant to take ownership of such a project.

“It’s not something you can do really quickly, but governments prefer to think about the moment rather than the future,” Carmi says. “We need a future thinking programme for different demographic groups who haven’t learnt this in schools and universities. It needs to provide ongoing support, because things learnt five years ago may not be relevant today. But some factors are never going to change – teaching people how to cross-check sources will still be relevant in 10 years’ time, for instance. And core skills such as assessing whether websites (or people) are legitimate or not are important.”

There are signs that some of tech’s biggest players are starting to position factors such as data privacy as a competitive differentiator. Apple’s recent advert featuring US comedian Jane Lynch, for instance, may go some way towards addressing cybersecurity’s image problem.

More could be done, though. Plaggemier says that, if she could be granted one wish, it would be for businesses to use multifactor authentication as the default, providing a huge security boost at a stroke.

But finding a solution to the problem won’t be simple. It will require a concerted effort from government and the tech sector to communicate in clear terms why security is important. They must collaborate to explain the benefits of good cyber hygiene and provide ongoing support for users of all ages, taking into account not only the technology but also the psychology involved.

This issue cannot be attributed to some inherent generational difference. There’s strong evidence to suggest that the rest of us have let a generational cyber literacy gap widen too far. Where governments have run awareness campaigns, these have changed people’s views and habits. Take the UAE, for example: one of the world’s most digitally advanced economies has used a targeted public education programme to make cybersecurity a key concern among younger people.

Traditional training will not work in this context and neither will sanctions, according to Watling and Mersinas.

“If it’s too disruptive to people’s work, they often seek alternative ways to do what they want to do,” Watling argues. “We think it’s crucial to consider cybersecurity culture, how we explain things to people and how we support their own buy-in. Training is important, but we need to think more generally about what kind of cybersecurity culture we have.”
Commercial feature

Is cybersecurity overconfidence causing complacency?

Cybersecurity is moving up the boardroom agenda, but implementing solutions too quickly can result in a confusing mix of tools across your infrastructure, leading to a sense of being more protected than you are

Cybersecurity is a key topic for discussion in boardrooms everywhere – with its critical importance to daily operations, growth and revenue rapidly moving it up the CEO and C-suite agenda.

Making sure your organisation is resilient to ever-changing threats must remain a top priority, with CISOs given the directive to protect the business and its strategic objectives. A successful breach could cause costly downtime, reputational damage, the loss of sensitive information and, ultimately, huge financial loss.
John Maynard is CEO of Adarma, one of the largest independent cybersecurity services companies in the UK, which runs security operations for many of the FTSE 350. He warns that there is no room for complacency in developing and implementing a successful cybersecurity strategy.

“Our recent research found 53% of the 500 senior cybersecurity professionals it questioned were ‘very confident’ they did not have gaps in their controls’ coverage, with 42% ‘somewhat confident’.

“However, three-quarters of those who were ‘very confident’ had been breached in the past two years, while a third of those who were ‘not confident’ had suffered a breach,” he says.

All respondents to the Adarma survey were from organisations with 2,000+ employees, and Maynard adds: “We found the more confident security teams are, the more likely they are to have suffered a breach in the past two years. The danger is that this misplaced confidence will lead to complacency, putting the organisation at greater risk of attack.”
A fragmented market of tools

Another finding from the research was how many believe the cybersecurity market is fragmented, complex and cluttered when it comes to the solutions offered. Six in 10 suggested this is now a barrier to improving their capability and performance in security.

This is exemplified by the UK government’s cybersecurity sectoral analysis from 2022, which shows 1,838 firms are active within the market, providing cybersecurity products and services.

Additionally, says Maynard, a wide range of acronyms is adding to the confusion, leading companies to potentially misunderstand or overestimate the capabilities of their security technology.

“Our IT environments have become hugely complex and expansive over recent years. As organisations have moved to the cloud, many have enabled a largely remote workforce and so the attack surface has grown,” he explains. “Security teams have generally been acquiring technology to try to keep pace with this change and the threat posed by adversaries, but they find themselves in a very complicated place with a patchwork of tools either overlapping in capability or presenting gaps.”

With organisations having now acquired a large number of security tools, Dan Baker, chief delivery officer at Adarma, points out the risk. “As the security technology landscape has matured and expanded, this has become one pitfall to be wary of,” he says. “Unless an organisation has the capability and resource to feed, water and integrate these tools, they can provide an unrealistic safety blanket.”

Scott McElney, global chief information security officer at the Weir Group, agrees and warns: “Having more tools doesn’t mean you’re more secure. It could add more risk if you don’t have the expertise to fine-tune and harmonise them across your digital ecosystem.”
Piling the pressure on CISOs

With CISOs under considerable strain, it’s no wonder that security teams can be tempted to adopt the newest cutting-edge tools that claim to be the next cybersecurity silver bullet, says Maynard. It’s a problem that chimes with Adarma’s research.

“We can’t rely solely on technology to solve our cybersecurity problems,” he explains. “Organisations need to take a holistic approach that combines people, process and technology, but this can be challenging in a market where cyber talent is in short supply and many businesses have conflicting priorities.”

He suggests effective cybersecurity planning is a “marathon not a sprint”, explaining how security teams should not mark their own homework. Instead, the better option, says Maynard, is to engage an independent party to challenge security posture and enable “the ongoing development of resilience”.

Adarma’s findings also showed how eight in 10 security teams have, or plan to, consolidate their security tooling; Maynard suggests it is vital that people “run the technology, rather than the technology running itself”.

He adds: “It’s critical you have the right engineering and analyst resources working to configure and optimise your tools, so you are defending against the threats that matter to your business.”

Baker also explains how many of Adarma’s customers are looking to consolidate and simplify their technology stack. But he suggests that, to do so, they must first gain a better understanding of what to consolidate and the value it presents. However, while the bottom line is often a driver for such a move, Baker warns: “Security teams must ensure they don’t jeopardise their cyber resilience in the process.”
Taking a people-first approach

According to the Weir Group’s McElney, a skilled security architect should lead this sort of project, sponsored by the CISO. “When you look at changing your security tooling, there are lots of interested parties who are motivated by different needs, so a consolidation project needs to be led by someone independent, like an architect,” he says.

Maynard adds: “If you can consolidate your tools and get greater visibility over your application estate, you will be able to resource more effectively, reduce digital fragmentation and create more centralised competencies. That will enable your security team to focus on getting the best out of the products you have.”

There is another challenge to be overcome: the state of vendor lock-in or fears over losing functionality and flexibility. A technology-agnostic and hybrid approach to security can help reduce the risk of becoming too dependent on a single provider, while working with a trusted security partner that prioritises interoperability and takes a holistic view of security can help avoid a state of dependency.

“We can’t rely solely on technology to make our organisations resilient. Security teams need a set of tools that they have the expertise to manage, configure and optimise. Hoping the technology will do its job without this attention is a dangerous position to be in,” Maynard warns.

“A threat-led approach to architecting your technology stack and the people and process involved in running that technology is what is important. We take a people-first approach.

“Without the expertise to leverage the technology and configure it in a way that is optimal for the threats faced by a specific organisation, you cannot realise the full value of the technology.” After all, Maynard adds, “a Formula One car is only as good as the driver behind the wheel”.

For more information please visit adarma.com