teissTalk: Security assurance – how effective are your security controls?

teissTalk host Jenny Radcliffe was talking to Glen Hymers, Head of Data Privacy and Compliance, The Cabinet Office; Ash Hunt, Group Head of Information Security, Sanne; and Tim Ager, VP of Sales – EMEA, Picus Security

The realities of information security on the ground and the underlying reasons

The news of the CISA (Cybersecurity and Infrastructure Security Agency), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issuing a warning of an increased number of Conti ransomware attacks targeting US organizations is indicative of how vulnerable our information security systems – whether governmental or enterprise – are.

The methods that the hackers used are rather basic exploits including spear-phishing, phone calls, stolen or weak remote laptops not requiring sophisticated cybersecurity tools to protect against. The reasons why sometimes the most fundamental defences are not implemented are numerous, the first one being cost. But even at organisations where sponsoring information security projects is not a problem, system complexity can be challenging with sometimes as many as 40 to 50 security controls being in place.

Moreover, there are huge disparities between industries with more digitally advanced ones such as finance or retail prioritising information security more than others. Similar discrepancies can exist even between the different arms of the same enterprise. Also, sometimes an organisation’s risk tolerance can be higher because they can’t see any secondary risks resulting from a certain type of breach.