On 26 September 2024, Teiss Talk host Thom Langford was joined by Paul Holland, Head of Research, Information Security Forum (ISF); and Penny Jackson, Director Strategy, Awareness & Engagement (Human Risk Management), Aristos Partnership.
While physical services have been unaffected, limited access to online services continues to cause headaches, as thousands of customers’ details had been exposed in a hack. It’s not known whether the vulnerability that led to the incident was a legacy or a segregation problem. TfL seems to have to deal with the incident while trying to find out how things are operating in the company, which isn’t an ideal position for incident response. Cyber security and training are important, but operational resilience should carry an equal weight. Large organisations such as TfL and the NHS don’t have metrics for cyber security, although studies, for example, show that there is a link between trust in the organisation and morbidity. So the narrative for cyber professionals should be about how information security can save lives.
The way infosecurity should approach the business is via the CIA (confidentiality, integrity, availability) triad. If you take gambling as an example, they are going to be extremely worried about availability. The problem is that a lot of the national and critical infrastructure has been built by the lowest bidder, which often spoils the user experience and results in vulnerabilities. The overconfidence of people that technology and the tech-savvy will sort out everything can also give employees a false sense of security.
Old OT technology often works in the background until it breaks down and suddenly everyone becomes aware of it. Often it’s old mainframes that cause the problem after having operated for 20-plus years, while manufacturing plants are built for a 40-year lifecycle. Infosec professionals should challenge their organisation about its assumptions regarding OT, not just IT, because even if the two are segregated they still make up one network, having grown organically. Organisations must also be aware of how IT and OT support their business operation.
It’s the responsibility of OT and IT to try and work in a more aligned manner. Large organisations, both public and private, need to fully own risks, which involves mapping out their cyber security risk too. IT, on the other hand, must explain how certain behaviours observed can pose a risk for the business.
Infosecurity’s responsibility is to give support and advice, but they are not the ones to own the risk. To change behaviours, however, you need a multi-layered approach including training and engaging information via text, video, etc. Infosec professionals should convince employees that it’s worth listening to them. Oftentimes, the SOC and the data governance team don’t work well together and fail to share information about risk. Only if they do collaborate can senior leadership have a clear view of what role they must play in cyber security. The information security function would need more human resources to train staff and change their behaviours, and it feels as if these resources are unevenly spread between learning and development and IT, while it’s a no-brainer that cyber security training should primarily be an L&D responsibility.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543