June 28, 2022
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
Implied in the predictions is advice to focus not just on ransomware or any other currently trending type of cyberattack, but to prioritize cybersecurity investments as core to managing risks and see them as investments in the business. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, according to Gartner’s predictions. Doubling down with greater resilience across every threat surface is key. For example, while Gartner mentions zero-trust network access (ZTNA) in just one of the eight predictions, the core concepts of ZTNA and its benefits are reflected in most of the predictions. The predictions also note that investing in preventative controls is not enough, and that there needs to be a much higher priority placed on resilience. This is because threat surfaces grow faster than many organizations can gain visibility into and protect them. By 2025, it is expected that 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s secured service edge (SSE) platform.
"So some of the strategies that I use when I'm working with the C-level teams, the boards of directors, is I don't just give them a summarization or my opinion," continued O'Neill Sr. "I bring in events from insurance -- our insurance broker or our auditors -- and I say, 'Hey, can you give me a few examples of other customers where their cybersecurity insurance didn't get renewed because of some event? Or can you give me an example of an audit that failed because proper levels of protection weren't put in place?' "And I articulate those things to the CEOs and the boards of directors. Not in long-worded descriptions, but basically like, 'Hey, you know, if you look at this year, and our actual insurance broker says that they have processed claims for a billion dollars this year because of security events where malware has been involved.' And then I show them data where I say, 'Okay, of the 100 events ... about 15 percent of those companies never survived. They did not return back to business.' Okay?"
The savviest organizations are taking on the onus of training talent themselves, increasingly hiring people straight out of school, according to Jean-Marc Laouchez, president of the Korn Ferry Institute. These firms are also trying to instill a culture of continuous learning and training. “Constant learning — driven by both workers and organizations — will be central to the future of work, extending far beyond the traditional definition of learning and development,” Laouchez wrote. In that light, coding bootcamps have become talent pools for organizations looking for skills-based applicants over more traditional college graduates. Graduates from coding bootcamps reported a quick ROI, higher salaries, and STEM career opportunities, according to a recent survey of 3,800 US graduates of university coding bootcamps by US education company 2U and Gallup. All graduates reported they saw their salaries increase by a median of $11,000 one year after graduation, with those who moved from non-STEM to STEM jobs after graduation seeing the highest income growth.
If the company has already concluded that it can’t hire a full-time CDO, the next best thing is to look at individuals in the company who have some of the skills or who have backgrounds and talents that would enable them to skill up quickly. The first place to look is in the database group. The database administrator should be charged with oversight of the development of the entire corporate data architecture. When an overall data architecture is in place, you have a structure that ensures all of your various data repositories and processes can interact with each other in enterprise-wide data exchanges and ensures you have the tools, such as APIs (application programming interfaces) and ETL (extract, transform, load), to facilitate integration. This also means eradicating stand-alone data silos that might exist within the company. ... The database group can work hand in hand with the IT security group to make sure all data is properly secured and that it meets corporate governance standards, even if the data is incoming from third-party vendors.
When looking at the security of links between a company and its business partners, BCS volunteer Petra Wenham says: “We must include the company’s IT in that statement and the security of a partner’s IT system.” Junade Ali, a technologist with an interest in software engineering management and computer security, points to the OAuth vulnerability as an example of the risks organisations face across their supply chains when they connect or make use of third-party systems. “In the recent past, I’ve worked on changing practices across the industry when it comes to password security,” he says. “I developed the anonymity models used by Have I Been Pwned, the developer tooling needed to improve password security practices and published scientific studies used to change the industry understanding of the best practice.” What Ali learned was that the reuse of compromised credentials from one low-value website (say, a pizza restaurant) often cascades to compromising someone’s online banking. He adds: “The message here is clear – security isn’t purely within our fiefdom and we depend on others to keep our data safe.”
Due to the low security and visibility of these devices, they are an ideal environment for staging secondary attacks on more valuable targets inside the victim's network. To do this, an attacker will first get into the company's network through traditional approaches like phishing. Attackers can also gain access by targeting an Internet-facing IoT device such as a VoIP phone, smart printer, or camera system, or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve. Once on the network, the attacker will move laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and network devices. Once those devices have been compromised, the attacker just needs to establish a communication tunnel between the compromised device and the attacker's environment at a remote location. In the case of UNC3524, attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to operate on the Linux, Android, or BSD variants that are common on those devices.
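A defender's view of the pattern described above, as an added example that is not from the original article: it reviews flow records for SSH sessions initiated by unmanaged device classes and notes whether the peer is external or internal and whether the client identifies as Dropbear. The device-class labels, internal address ranges, record layout and sample records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed inventory labels for the unmanaged device types the passage names.
UNMANAGED_CLASSES = {"voip-phone", "printer", "camera", "access-control"}

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (source IP, device class from inventory,
# destination IP, SSH identification string sent by the initiating side).
SAMPLE_FLOWS = [
    ("10.20.1.15", "voip-phone", "203.0.113.40", "SSH-2.0-dropbear_2020.81"),
    ("10.20.1.77", "workstation", "198.51.100.9", "SSH-2.0-OpenSSH_8.9"),
    ("10.20.3.8", "camera", "10.20.0.5", "SSH-2.0-OpenSSH_7.4"),
    ("10.20.3.9", "printer", "192.0.2.200", "SSH-2.0-OpenSSH_8.2"),
    ("10.20.4.2", "camera", "10.20.9.9", ""),  # not an SSH session
]


def is_external(ip):
    """True when the address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def review_flows(flows):
    """Return (src, dst, reasons) for SSH sessions started by unmanaged devices.

    Assumption: devices in UNMANAGED_CLASSES have no business reason to
    initiate SSH, so every such session is reported with the reasons it
    stands out.
    """
    findings = []
    for src, dev_class, dst, banner in flows:
        if dev_class not in UNMANAGED_CLASSES or not banner.startswith("SSH-"):
            continue
        # External peer suggests a tunnel out; internal peer suggests lateral use.
        reasons = ["ssh-to-external" if is_external(dst) else "ssh-lateral"]
        if "dropbear" in banner.lower():
            reasons.append("dropbear-client")
        findings.append((src, dst, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Dropbear is also shipped legitimately on many embedded devices, so the `dropbear-client` reason is a prioritization hint to weigh alongside the destination, not proof of compromise.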