Blink and it seems a new ransomware group has taken an enterprise hostage. With ransomware and other cyber threats evolving and the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimize risk across people, processes, and technology. Trend Micro’s Jon Clay, VP of threat intelligence and Ed Cabrera, chief cybersecurity officer, discuss the importance of addressing the people element of security to minimize cyber risk.
Top infrastructure risk: people
It’s common knowledge that it’s not if but when your organization will be the target of a cyberattack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (2H’2021), 76% of 3,400 respondents across four global regions said its very likely they will experience a cyberattack in the next 12 months.
It’s important to note that while ideal, avoiding a cyberattack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimizing cyber risk.
It's commonly assumed that security efforts should be largely focused on protecting critical servers and infrastructure, and while this is certainly important, the human attack vector shouldn’t be so quickly forgotten.
The Cyber Risk Index (2H’2021) also found that CISOs, IT practitioners, and managers identified “mobile/remote employees” as the top infrastructure risk; “cloud computing infrastructure and providers” came second.
In a recent discussion, Trend Micro’s Jon Clay, VP of threat intelligence, and Ed Cabrera, chief cybersecurity officer, dig into the report’s findings and discuss strategies to better manage people to minimize cyber risk.
Managing people to manage cyber risk
Security leaders have good reason to be concerned about the risk mobile/remote employees pose to their infrastructure.
“The people part of the equation is overlooked so much,” Cabrera said, “You can look at any breach out there…and you see people and the breakdown possibly of someone either being exposed to a social engineering attack, be it phishing or smishing.”
With remote/hybrid employees accessing applications, networks, and servers via the cloud, oftentimes from multiple devices sharing an unsecure home network, enterprises are rightfully concerned with risk exposure. Factor in the dramatic 65% increase in business email compromise (BEC) scams since 2019, it’s paramount to secure the human attack vector to prevent malicious actors from accessing critical infrastructure.
Cabrera also noted that people are involved from a vulnerability standpoint as well. Even if an employee doesn’t physically click a malicious URL, there is a people component when it comes to proper vulnerability management. For example, are security personnel staying informed of the latest tactics, techniques, and procedures (TTPs) of prominent threat actors? Are they trained to optimize the security stack for investigation, detection, and response?
Evidently, managing people should go beyond user awareness training regarding business email compromise (BEC) scams, phishing, smishing, etc. CISOs and security leaders must also ensure they have the right teams within their cybersecurity program with the right skill sets and that those skills are properly maintained as threats evolve.
However, hiring the right staff can be challenging due a growing cybersecurity workforce gap and the fact that some enterprises may not have the resources to recruit a large team. Choosing a vendor that offers managed services is an effective way to augment teams while maximizing security posture.
Beyond general cyber hygiene, skills training, or leveraging managed services, Cabrera suggests drilling down into processes since it’s “people that actually create and manage these processes.”
Enhancing cybersecurity processes
After establishing a strong security team, the focus should shift to cementing processes that keep people in check. This is especially crucial with remote/hybrid workforces; with users more widespread and left to their own devices (pun intended), it can be challenging to know who you need to secure. As the adage goes: “you can’t stop what you can’t see.”
To identify the users within your network, you’re essentially identifying the attack surface according to Cabrera. After security teams have achieved comprehensive visibility across the attack surface, they can establish processes to manage and monitor users’ identities by deploying a zero trust model.
Leveraging a zero trust approach ensures that access is validated and continuously monitored for suspicious activity to prevent cybercriminals from using legitimate credentials to move undetected across the network.
Cabrera suggests taking a risk-based approach to security is more effective than a compliance-based approach.
“Compliance is the starting line,” Cabrera said, “In other words, you’re not just thinking about ‘hey, what are we doing about compliance?’ We need to identify that risk…what are the basic elements of that risk. So, we can actually mitigate it before it gets out of control or to make it more manageable.”
Now that we’ve covered how to effectively manage people and processes, CISOs and security leaders need to consider that even the best and well-intended teams can come up short if the right security technology isn’t in place.
Look for a unified cybersecurity platform like Trend Micro One that is designed to help security teams better understand, communicate, and mitigate cyber risk across the enterprise. Its capabilities and features, like automation, third-party integrations, customizable APIs, detailed reports and risk insights, were purposefully created to simplify security for users while maximizing protection.
To learn more about managing and minimizing cyber risk as well as the benefits of leveraging a unified cybersecurity platform, check out these resources: