What’s keeping Australian CISOs up at night?
It’s a wonder CISOs sleep a wink. If they’re not working to protect their organisation from malware, phishing or email breaches, they might be monitoring unauthorised downloads of information, guarding against system violations, safeguarding patch management and securing browsers. There are employees to train, skilled specialists to hire and executive leadership to brief.
Chief Security Officers face more threats to their environments than ever and they know all too well the potential costs of not managing risk effectively. Lost time, productivity, information (client and proprietary), trust, money, clients and jobs, to name a few.
Our team meets often with CISOs across APAC. Here are some issues we’re hearing are keeping them from getting a quality eight hours a night.
Email threats from phishing, malware and ransomware
Many employees are unsuspecting of emails containing links to malicious sites. Innocent or ill-informed clicking can make an organisation vulnerable to identity theft, data breaches and scams. Unfortunately for employees, and the CISOs working to protect them, there is much research over the last 18 months showing that email is the most prevalent delivery mechanism for malware.
Symantec’s 2017 Internet Security Threat Report highlights email as the number one mechanism for delivering malware in 2016. In 2016, an average of 1 in 131 emails contained a malicious attachment, the highest malware delivery rate in five years.
IBM’s 2017 X-Force Threat Intelligence Index also reported a rapid rise in the number of spam emails being sent, along with the number of spam emails containing malicious attachments. Its data shows that more than half of all emails received are spam. This trend highlights that spam is a major delivery vehicle for malware.
Verizon’s 2017 Data Breach Investigations Report estimates that 90% of all security breaches involve some form of phishing element.
There’s also growing concern around ransomware attacks. Ransomware made global headlines in 2017 with Petya, WannaCry and NotPetya impacting businesses of all kinds all around the globe, including Australia. WannaCry alone was estimated to have impacted more than 200,000 machines in over 150 countries.
Browsers draw hackers because so much information passes through them. From social media updates to transacting payments and working with company-confidential information, employees spend a large part of every day working through browsers. A few areas causing sleepless nights include:
- Employee plug-ins and extensions. These are well known for ‘drive-by download’ attacks that download programs with no obvious signals and run native code on a system.
- Advanced persistent threats. This type of attack installs malicious code on an endpoint to steal data, monitor activity or, sometimes, modify what employees see in their browser.
- Man-in-the-middle attacks. This kind of attack lets hackers watch and modify traffic that passes between browsers and web services.
There have been some high-profile data breaches over the last two to three years. Yahoo has been in the news again this month, following its announcement at the end of 2016 that more than one billion accounts had been compromised three years earlier. This was only one high-profile instance of a growing trend in data breaches. The Breach Level Index is a global database tracking the volume and severity of data breaches, published by Gemalto, a digital security consultancy. Its research shows nearly 1.4 billion records of data were compromised in 2016. That’s an alarming figure, but what is even more alarming is that it represented an 86% increase in breaches since 2015. Most breaches are being seen in North America, followed by Europe, then APAC.
Cyber security and hacker skills are evolving so quickly that it’s difficult to find the right specialist skills to counter evolving risks. Cyber security skills need to become part of everyday conversation, a more familiar concept across society, similar to the way ‘STEM’ has become a known acronym. We also need to attract talent by reinforcing that this is a career that’s interesting, varied, personally rewarding and well paid.
In the face of so many potential challenges, our CISO colleagues are focusing on:
- Training employees to better manage security and threats, starting with password hygiene and going beyond it. This includes tips on how to recognise phishing attempts and malware, and on avoiding links to malicious sites. Some firms we know send dummy phishing emails to test employee knowledge and show them what ‘bad’ emails look like.
- Requiring employees to use two-factor authentication. This helps protect accounts even when a password has already been compromised.
- Recruiting specialist staff to focus on security and risk management and bring best practices into the organisation.
- Exploring innovation and technology to be able to detect and respond faster to threats, in the most cost effective manner possible.
- Applying the latest security patches as they become available.
It might be a while before our CISO friends get a good night’s sleep, but we’re glad they’re out there working to keep our client businesses safe.
If you’re looking to hire your new CISO or security expert, please contact us for an introductory conversation.
Verizon, 2017 Data Breach Investigations Report. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/