teissTalk: Reviewing the InfoSec legacy of your pandemic response

teissTalk 211111

teissTalk host Geoff White was joined by Enis Sahin, Head of Information Security, Federated Hermes – International, as lead guest; Naina Bhattacharya (www.linkedin.com/in/naina-bhattacharya-0172351/), Chief Information Security Officer, Danone; and David Petty, Cyber Specialist, OpenText.

 

Views on news

 

According to Entrust’s new Securing the New Hybrid Workplace report, only about one-third of companies run ransomware-specific training programmes, despite ransomware being one of the most serious cyberthreat scenarios. Because of its technical nature, ransomware is mostly perceived as the responsibility of IT and InfoSec departments.

 

In teissTalk’s impromptu survey, 57 per cent said they’d like to receive some ransomware-specific training from their companies, versus 43 per cent who don’t feel this would be necessary. It’s best to give staff some generic cybersecurity training as a frame of reference that they can fall back on when dealing with specific threat vectors.


 

What processes introduced during Covid need to get changed or rolled back?

 

During Covid, businesses’ risk tolerance increased, which has provided cybercriminals with a larger attack surface. Post-Covid information security is a bit like waking up from a hangover. VPNs have been one of the bottlenecks that panellists’ businesses experienced. VPNs weren’t intended for achieving scale. Some companies are going down the path of creating a VPN-less environment.

 

Employees who just write emails, attend conference calls or create documents can manage without VPNs, for example. Another problem is that the cybersecurity solutions we use today were designed about 15 years ago for VPNs and for working on site inside a network setting.

 

As for incident response, the 3-4 tools available work off VPNs, but the problem is that they aren’t scalable. The shift to the cloud raises new questions, such as how we should deal with ephemeral data and machines that are up one minute and down the next.

 

The same trend has affected InfoSec’s relationship with the finance department too. The spread of the SaaS model means that the CAPEX previously spent on software now needs to be presented as OPEX (monthly subscriptions). Typically, legacy companies still think in terms of CAPEX, while cloud-based ones prefer OPEX.

 

The panel’s advice

 

Don’t overtrain your staff. Training should serve only as a frame of reference that staff can fall back on when dealing with various threats.

 

Reassess the risk tolerance of your business post-Covid. Leverage the extra support information security is receiving as a result of the pandemic. Inform staff about the threats without unnecessarily alarming anyone.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543