IT Security Guru

New security regulations are fine, but there is no substitute for innovation

by The Gurus
March 29, 2018
in This Week's Gurus

“Everyone is part of our cyber security team,” said the chief information security officer at a private trust company in New York. “It doesn’t matter what myself or my colleagues do from a technical perspective. If I have one user who clicks a bad link or answers a phisher’s question over the phone, it’s all for naught.”

These are sage words from someone on the front line against the onslaught of cyber crime. Such chief information security officers (CISOs) are becoming ever more important to all types of organisation. So much so that their appointment is one of the requirements of last September’s ground-breaking New York State Department of Financial Services regulations covering Wall Street and other financial organisations.

Introducing these data security regulations is a move that no other state has undertaken and marks the seriousness of the threat against the financial sector, in which IBM calculates more than 200 million records were breached in 2016. The new regulation’s stipulations are relatively wide-ranging and include requirements for risk-assessment tests, multi-factor authentication, formal cyber security planning and policies, a duty to notify the authorities of a hack within 72 hours, and, crucially, staff-awareness training.

Emails are still the biggest danger

This is an excellent starting grid, but the point made by the CISO at the head of this article is still the most telling. The biggest danger for financial organisations lies in the single slip by an employee clicking open a malicious attachment or link. That alone is enough to give hackers access to the entire systems of a large organisation, no matter how sophisticated its security. Emails are used in more than 70 per cent of successful hacking attacks, with criminals hiding malware triggers in standard files like Word docs, Excel spreadsheets and PDFs.

The result is that no amount of training will prevent cyber criminals targeting a specific employee with a spoofed email or phishing attack, tricking them into opening an infected attachment that appears to be legitimate. Unless, of course, an organisation has the technology to remove the threats from attachments without affecting the normal conduct of business.

Research confirms how vulnerable organisations are to phishing emails

A survey conducted by Glasswall among 2,000 office workers at medium-to-large businesses in the UK and US revealed just how vulnerable organisations are to human error or ignorance. More than six out of ten employees (62 per cent) admitted they do not usually check the legitimacy of attachments in emails from unknown sources, while a dangerous minority of 15 per cent said they always or usually trust email attachments sent by people they have never even heard of. More than eight in ten staff (83 per cent) always or usually open attachments in emails purporting to be from known contacts.

Among staff who were more alive to the dangers, invoices were seen as the primary document used by criminals to trick them, but only tiny percentages recognised the full scale of threats posed by spreadsheets or simple Word files.

Other findings revealed how too many employees have no sense of responsibility, with more than one in five unwilling to report anything they had done that may have compromised security. There was, however, a consensus among 61 per cent of employees that their organisations should install more technology to protect them.

The steps necessary to ensure security

The truth of cyber security is that employees will always be the weakest point in the chain of defences, whether through ignorance, irresponsibility or pressure of work. While the New York State measures are very welcome, there needs to be more emphasis in every jurisdiction on technology and innovation, because it is quite apparent that neither employees nor current anti-virus defences will protect any major financial business.

Large organisations need to embark on a series of steps to thwart these threats so they can keep sensitive data protected from criminals and malicious agents. Firstly, they must accept that emails are the main gateway for malicious code and ransomware. After analysing the nature of its email traffic, a business must then decide which email-related functions should be retained or dropped. This is a necessity in order to operate safely, because criminals exploit the many functional elements in files (such as macros) as well as hiding code in file structures.

Since almost 98 per cent of files do not conform to the manufacturers’ original designs, the organisation needs to be capable of determining whether an aberration in a file is due to an attack, or something poorly written or configured. Once risks are understood, appropriate security solutions must be applied. Most organisations have all the standard border-controls, including firewall, anti-spam, anti-virus and even a sandbox. Yet they are still by-passed by targeted attacks, using socially-engineered emails.

There is no substitute for technological innovation

This requires a shift in thinking and the adoption of more innovative technology that establishes what should be in an email file, using the manufacturer’s standard as a baseline. Instead of trying to match AV signatures against the “bad” elements in a file, organisations need techniques that look for and validate the “known good”.

The reason is simple. Millions of malware variants are released by criminals every year and the AV industry cannot keep pace in its battle to assign them signatures. File-regeneration technology does not require signatures. It will validate documents against the manufacturers’ specifications down to byte-level and then regenerate “known good” versions that have been stripped of all the code that the business has decided it does not want to risk admitting. A clean and benign file is regenerated in its original format in fractions of a second, which can be sent out again and passed along without any interruption to business.
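To make the "known good" idea concrete, here is an added example (not part of the original article and not any vendor's code) that rebuilds a Word .docx package from an allowlist of parts instead of searching it for known-bad content. The policy list, the size cap and the function names are assumptions made for illustration, and the check works only at the level of package parts, not the byte-level validation the article describes.

```python
import io
import re
import zipfile

# Hypothetical policy: the only part names this business admits in a .docx.
ALLOWED = re.compile("|".join([
    r"\[Content_Types\]\.xml",
    r"_rels/\.rels",
    r"word/document\.xml",
    r"word/_rels/document\.xml\.rels",
    r"word/(?:styles|settings|fontTable|numbering)\.xml",
    r"word/media/[\w-]+\.(?:png|jpe?g)",
    r"docProps/(?:app|core)\.xml",
]))
MAX_PART_SIZE = 10 * 1024 * 1024  # cap on a part's declared size


def regenerate(data: bytes):
    """Rebuild the package from allowlisted parts; return (clean, dropped)."""
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a valid OOXML (zip) container") from exc
    out, dropped = io.BytesIO(), []
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if "[Content_Types].xml" not in src.namelist():
            raise ValueError("missing [Content_Types].xml")
        for info in src.infolist():
            ok = ALLOWED.fullmatch(info.filename) and info.file_size <= MAX_PART_SIZE
            if not ok:
                dropped.append(info.filename)  # unknown part: never copied
                continue
            # Fresh archive entry: original extra fields and comments are lost.
            dst.writestr(info.filename, src.read(info))
    return out.getvalue(), dropped


def build_sample() -> bytes:
    """Constructed sample: skeleton of a macro-enabled document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
        z.writestr("word/embeddings/oleObject1.bin", b"constructed")
    return buf.getvalue()
```

The macro project and the embedded object are dropped because nothing in the policy admits them, not because a signature matched them, so a new variant of either is dropped in the same way.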

Of course, training has its place. Organisations need to reduce the risk of a single employee opening them up to a malware attack, so education will help reduce exposure and raise awareness of data security and best practice.

Businesses need to examine mobile device-usage too, since many smartphones and tablets are not equipped with advanced security solutions, making them capable of transmitting malware in documents.

While well-designed regulation that recognises real-world practice and avoids onerous burdens is to be welcomed, it must be accompanied by insistence on innovative technology that can stop dead the chief threats facing businesses today.
