Based on hands-on experience gained from constantly dealing with cyber threats, ISSP’s experts have identified the cybersecurity trends for 2021.
Among all types of organizations, banks have been and remain the leaders in matters of information and cybersecurity, adopting ever newer technologies, systems, and approaches. Therefore, to find out what information security will look like and how it will be managed tomorrow, we need to look closely at banks. Today, we see that banks’ approaches to cybersecurity are changing. The first trend concerns employees, the second is a paradigm shift in the use of technologies and services, and the third is a change in processes.
Trend #1: The significance of cyberhygiene
The first of these trends concerns the fact that in 2020, the issue of cyberhygiene received new life. There is growing awareness that the first firewall in the security system is the human. It is the employee who is the boundary that may or may not let an attacker into the infrastructure. Therefore, cyberhygiene skills are no longer optional, and cyberhygiene has been raised to the level of a key practice in which employees must constantly be trained. It’s no longer a one-time exercise but constant preparation for a marathon.
Whereas previously the director of information security or the risk department or the human resources department may or may not have conducted cyberhygiene training for employees, now banks see the need for this training to be continuous and multidimensional. And it’s not just about transferring specific knowledge but also about constantly reminding employees of and testing their levels of cyberhygiene.
There are several features of cyberhygiene training that will shape companies’ approaches to cyberhygiene in the coming years.
First, people are not interested in such training. Cyberhygiene training is not the sort of professional training that allows employees to strengthen their skills and thus raise their value in the market. But it’s important to understand that better cyberhygiene does increase the professional value of each employee. After all, a high level of cyberhygiene indicates that you care about issues of cybersecurity, which is important for the success of any organization.
The second significant feature of cyberhygiene training is the evaluation of results. After completing a training or course, employees usually take a pass/fail test. Say they need to score 90% or more to pass. What does that mean? Is 90% good or bad? What about 95%? And what should you do with those 10% or 5% of incorrect answers? Will an employee succumb to a phishing attack? Will they pick up a flash drive from the ground and insert it into a work computer? In this respect, what matters is not that the employee passes the test but that the risk areas of each person are assessed so that their weaknesses can be worked on further. As a result, test results should show not only what a person knows about email, social networks, and other technical aspects — not only that they understand what phishing is in theory — but also how prone they are to violating established norms and policies, how disciplined they are in matters of information security, and so on.
The third feature that will affect the approach to cyberhygiene is time efficiency. As this is not vocational training, it should be as short as possible. The best option is 45 to 60 minutes of training on an online platform once a quarter. If we imagine an afternoon or full-day training in which a thousand people take part, then by taking each of them away from daily work we lose a thousand worker-days — and this is only the direct loss. Therefore, time efficiency is what will distinguish tomorrow’s cyberhygiene projects from those we have today.
Trend #2: Paradigm shift in use of technologies and services
The second trend concerns a paradigm shift in the use of technologies and services. Consider the fact that a targeted attack lasts an average of six months. Despite all the available tools and security processes, a security service can still miss an attack because attackers have an unlimited number of attempts to penetrate and they only need one to be successful.
Therefore, in the context of a cybersecurity management system, it’s necessary to proceed from the position that attackers may have already entered the network. If they have, then you need to find out when, where, and how the compromise took place. To do this, there’s a service called a Compromise Assessment. It gives an organization answers to two important questions: 1) How likely is it that our infrastructure is already compromised? That is, which anomalies could attackers disguise so that no system would detect them? 2) Do we have enough information to determine that we’re being attacked right now?
In many years of work, we haven’t met a company that could say, “Yes, we know that we’re being attacked now. That piece of infrastructure has been compromised, but everything is fine, let them dig there.” This doesn’t happen. Usually the attack is unexpected, so you need to look for compromise on the inside. Experts need to be involved in investigating attacks and retrospectively analyzing them, collecting data, and identifying and demonstrating infrastructure anomalies.
The results of such an assessment may show, for example, that you don’t have a division of responsibilities and there are no controls to help you understand that something is wrong. Many banks are now planning, budgeting for, and purchasing compromise assessment services.
Trend #3: Use of third-party services
The third trend is a willingness to use information and cybersecurity services from professional organizations. Tolerance of external managed security services has greatly increased in the past few years. Until three years ago, large banks didn’t think about outsourcing cybersecurity at all, and even smaller banks had ambitions to build their own systems and security services.
But we must understand that this requires technologies, processes, and people. It’s necessary to buy and configure technologies, hire qualified specialists, and establish interactions within the information security unit and with other departments in the company. A lot of time passes from the moment large funds are invested to the moment all this starts to deliver tangible results and benefits for the business.
Many security directors are already aware of this and are beginning to use services from external providers. Obviously, you don’t have to rely on contractors for all your security. That’s wrong. An organization should have a director of information security who should be a member of the board of directors and in close contact with the CEO. But at the level of controls, policies, and operations, you can safely outsource some of the work, such as threat detection or incident management.
A professional cybersecurity company uses time-tested technologies and employs professionals who work with many organizations and see a variety of new threats and methods of combating cybercriminals. Such a team is also tuned to effective internal interaction processes. In this way, a bank or any other organization can significantly strengthen its own team with additional resources. Meanwhile, the guarantees in the service level agreement allow the client to demand and receive a high level of service.