On May 13, 2021, Noord hosted a virtual boardroom in association with Qualys. The event comprised an introduction by Matt Middleton-Leal, Managing Director, EMEA North & South Africa, and Paul Baird, UK Chief Technical Security Officer, followed by a discussion among senior IT professionals on visibility as the cornerstone of any cybersecurity strategy.
Reasons for attending and key challenges
Following a brief introduction by Matt Middleton-Leal and Paul Baird, participants were asked to state their reason for attending and the key challenge faced by their organisation.
Attendees came with a broad range of experience, including in cloud security, data protection, fraud investigation, human risk and compliance. Many were keen to learn how other organisations deal with vulnerabilities on their network and ensure visibility for all devices.
In terms of key challenges, there was concern about the increased vulnerabilities presented by remote working, particularly in roles where employees have to process sensitive personal or financial data. Similarly, there was concern that as companies had accelerated their digital transformation programmes during the pandemic, organisations were now having to retrospectively consider the potential security implications of this.
Keeping an up-to-date asset inventory across a biodiverse landscape
One participant working in the military sector noted that visibility was critical to enable their organisation to secure government contracts. As cyber-attacks against the organisation tended to come from nation-states, the organisation had to control all endpoints very tightly and, as a result, a ‘bring your own device’ (BYOD) policy was not permitted.
Another attendee representing a bank noted that their organisation operated a policy of corporately owned, personally enabled (COPE) for devices. Fortunately, the organisation had been well prepared for the disruption caused by the pandemic, owing to a laptop-first policy implemented in response to a severe weather incident several years ago.
In terms of deciding on a tool to ensure visibility, one participant noted that they had various tools to enable them to capture and address risks, but no ‘silver bullet’ that could provide an overview of the whole landscape.
Another attendee described their organisation as ‘serial abandoners’ of visibility tools, hinting at the difficulty of finding an adequate solution or knowing where to start. During the pandemic, employees at the company had been using personal devices, but this had not been well policed. The company, therefore, needed insight into the number and location of the devices on the network, and the version of protection installed on them. This lack of transparency presented concerns in terms of endpoints but also critical points of egress and made it difficult to create a risk register.
While a couple of organisations had implemented an automated asset inventory, it was noted that having a utopian view of an estate is meaningless if an organisation cannot patch any of the vulnerabilities detected. However, the point was made that providing proof of vulnerability enables organisations to develop action plans and offer assurances to senior management.
Participants discussed the challenges of securing endpoints. For example, one attendee noted the pushback from employees when applications are installed on their devices. This linked into a wider discussion about employee expectations, with one attendee stating that IT departments – cognizant of the risks of data leakage – must be able to educate users on why changes need to be made to their devices, and if these changes are rejected, IT departments must reserve the right to prevent employees from using their own devices.
While it was felt that basic levels of awareness about security were improving, there were still issues around accountability – including a reluctance from employees to self-report mistakes that could result in security breaches. However, one solution raised was containerizing corporate and personal uses. This way, employees can be offered conditions of entry (which they either accept or reject), and containerization can be sold as added protection for employees in that they can keep their personal lives separate from work.
Linked to this, another broadly well-received solution was having a code of conduct based around compliance control rather than technical control, which puts the onus on individual employees to act with integrity, both remotely and in an office setting. Spanning compliance and governance, this kind of code was seen as a powerful tool as it presents a clear set of expectations. In other words, employees must learn to take the least bad decisions and adhere as closely as possible to the model behaviours set out in the code.
This idea of educating users was picked up by another participant, who felt that it can be more difficult for workers who don’t have desk-based roles to understand what they are doing wrong – perhaps because there is less opportunity to emulate the behaviours of the person sitting next to them. ‘Naming and shaming’ was suggested as a potential solution, though others felt that a policy of ‘praise in public, punish in private’ was more effective, with a cut-off period where employees are let go if they have not taken steps to improve.
Knowing the unknowable
There was consensus that organisations were powerless against employees exfiltrating data, such as by taking photos of their computer screens with their devices. The only measures suggested were to educate senior management on the potential mitigation measures and to carefully monitor behaviour changes for signs of unusual activity.
However, it was noted that it is particularly difficult to instil an ethos of accountability when people are working at home, and that employees, especially contractors, may be laxer about security precautions.
This is coupled with the added risk that, when employees are working remotely, third parties may gain unlawful access to data (whether the employee enables this inadvertently or deliberately), which has implications for organisations’ data protection policies.
Again, the point was made that individuals need to be made to feel accountable. They also need to be given sufficient time to read the relevant documents and provide their informed consent.
The changing value of assets
It was noted that while some organisations held onto data out of tradition, many already had one-year or six-month retention rules in place. One organisation had a legal discovery system that holds all email data for seven years, thus ensuring that the data is auditable.
When rolling out retention policies, it was felt that users need to be informed of the benefits, such as reduced risk and faster systems. Moreover, it is important to gain buy-in from the top down and make the C-suite aware of their accountability when it comes to data breaches. A further suggestion was to involve other parties in the conversation when trying to win top-down buy-in, as management can sometimes tire of listening to the same individual detailing the same problems.
Fostering a collaborative approach
Summing up, Paul noted the importance of embedding mutual support and collaboration within the ethos of the IT sector to strengthen cyber resilience and prevent malicious cyber-attacks.