On 11 May, teissTalk host Thom Langford was joined by Andrew Raynes, Chief Information Officer, Royal Papworth Hospital NHS Foundation Trust; Samer Fayssal, Chief Analyst, Cyber Analytics LLC; Mandeep Gosal, Director of Professional Services, ITC Secure.
Views on news
According to the Journal of the American Medical Association, the frequency of cyber-attacks on US hospitals and health systems more than doubled from 2016 to 2021. The healthcare sector is a goldmine of data for attackers, and much of that data is managed on legacy IT systems that are easy to exploit.
According to the World Economic Forum, healthcare organisations need to implement a zero-trust environment to fend off the rising number of attacks. The threat landscape is changing rapidly: the speed of attacks is increasing while response times lag behind. For most businesses, however, Zero Trust is still a big, hairy topic, and the practical way in is to put the necessary foundational controls in place first. At the same time, the public’s trust in health institutions can be broken instantly if people realise that hospitals are mishandling their personal information. One of the leading vectors that perpetrators use to carry out these attacks is leaked credentials.
The question then arises: if big tech is struggling to implement Zero Trust, what are the chances that smaller businesses can manage it with all the legacy architecture they have? The post-authorisation phase, when monitoring for anomalous behaviour takes place, is often forgotten, yet it is becoming key, especially given the use of generative AI by bad actors to deceive users. Even if an organisation has implemented Zero Trust, it may have third parties accessing its network with less mature defences, providing a backdoor into the company via its dependencies. Organisations have to make some compromises to make Zero Trust work.
External threat intelligence and measuring your controls’ success
There are now solutions on the market that will tell you whether there are SaaS apps in use on your network that you are unaware of. Risk assessment is an essential first step that no company should skip. If businesses followed established standards (an acceptable use policy, change management processes, NIST SP 800-53, Zero Trust Architecture), most of the problems that security experts have to face would vanish.
Sometimes even colleagues who work towards similar goals, such as security and compliance, speak different jargon, and the same word can mean different things to each of them. There are some very interesting solutions in the sector for detecting social engineering. Today, businesses run many point solutions that security may or may not have visibility into or collect logs from, each with a different version of a shared responsibility model. When talking to the C-suite, security experts need to make them understand what is at stake when a particular risk materialises.
The panel’s advice
Raise the organisation’s awareness of what Zero Trust is and of what needs to be done once an attack has happened.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543