While most organizations are happy to put the pandemic-dominated 2020 behind them, 2021 will bring more of the same security challenges.
Steve Durbin, managing director of the Information Security Forum (ISF), offered SC Media insight into the ISF Annual Threat Update and where IT security might find a leadership moment.
Cybercrime seems to be at the top of everyone’s threat list these days. What is it about the pandemic or at least our response to it that has fueled the growth of criminal activities?
Cybercriminals have been taking advantage throughout 2020 and they’re going to continue through 2021, particularly targeting the health care sector and hospitals, which I think is pretty distasteful whichever way you look at it. There is plenty of opportunity there and money to be made and as we know that tends to get things to percolate to the top of their list.
But we’re also going to see the continuing increase of malware, again playing off the fact that people are working from home; playing off the fact that they are not as well-disciplined as when they are in an office environment. We are seeing things like cyber fatigue, mental health issues, people spending so long in front of the screen. Someone extolling as a virtue that he got up at five in the morning and had their first meeting by 5:30, was still going strong at 8 o’clock at night and then going strong even after that. So, people are tired. I think one of the things that people don’t recognize about cybercrime is that cybercriminals are watching all the time. They understand how we’re operating, they understand we get tired; they know when to drop malware on to you.
I think the theft of intellectual property will continue. We saw that recently with the hack by North Korea of Pfizer. That’s going to continue as well, and with anybody related to that industry, of course, because we’re back into that whole chestnut of the third-party supply chain. Your way into an organization is through one of the other organizations that it does business with.
Why do you believe insider threats will become, well, more of a threat?
Against this sort of COVID backdrop, we’re starting to see an increase in layoffs. If you think about the three areas of insider that we always talk about – we talk about the malicious, the negligent and the accidental. We’re going to see an increase in malicious insiders who have been laid off or take exception to a family member or a close friend being laid off and want to do something about it. We’re seeing an increase in accidental, certainly, which is related back to my point about cyber fatigue and stress. And people just pressing the wrong button. And then the negligent, which I think of the three is going to be the least, which is 'I know I shouldn’t be doing something but I’m going to do it anyway because it makes sense.'
How can security organizations counter those threats?
Clearly, we need to introduce more support around security awareness, understand the pressures that employees are under, whether that be self-inflicted or whether that be because of some external factors that are going on. This one is also the real challenge of security folks. We’re still not that good at that kind of emotional intelligence. We love a process, we love a policy. But we’re still not very great at this touchy, feely, fluffy emotional space. There’s a real role here for a human resources professional to get engaged to help deal with this one.
Do you think the isolation we all feel as well as the need to connect might make security leaders more likely to key in on emotional issues, though? Is this a moment in time where there’s more opportunity for CISOs and others to expand their emotional intelligence skills?
There is a real leadership opportunity there to create the right environment that encourages people to talk about some of those issues. We’ve seen some real progress in that space. Let’s face it, we all have good days and bad days. I think encouraging people to talk about that, to share those things, is hugely important, as is encouraging people to take breaks, move away from the screen. We’ve moved into a realm where those kinds of things are really important for us to be picking up on. Some of us are doing it quite naturally, perhaps, but they are not skillsets that are the strong suits for CISOs and security professionals. In a briefing paper we [ISF] wrote on the CISO of the future, we talk about the need for having these softer skills. They’ve got security-based stuff, but need to have softer, emotional intelligence skills to deal with people.
That’s part of the argument for having more women at the CISO level and above.
I would agree. If you look at the proportion of women that are at CISO level and above, it’s still pitiful. The numbers are still way, way too small. So, I think we’re suffering because of that. Because it does bring a different dynamic. I’m in a fortunate position because I have a 50/50 split across our workforce. But the business benefit you get from that is huge. And you wouldn’t know unless you had it. That’s the thing. If you haven’t got it, you don’t know you’re missing it. Hopefully that balance will change, but, unfortunately, we’re quite a ways off.
You’ve marveled at the way younger employees approach data privacy and security. What impact does that have?
Again, related to the insider piece, the third threat I pulled out is around the digital generation. They really are becoming more prevalent in the workplace; they are the first generation that is digitally native, having been brought up with iPads as babies. Their attitudes toward sharing information are still nothing like what corporations expect. We encourage them to share information and they do through social media. Then we take them into the workplace and tell them they can’t do it. Of course, they’re going to carry on that behavior. And so back to my insider threat piece. This is where that negligence is going to come from. Security awareness is something we’ve talked about since time began. We haven’t made a huge amount of progress here; we’ve got a generation whose attention span is about eight seconds because they’re doing a lot of different things simultaneously. If you’re a fairly traditional business, and let’s face it, there are plenty of those out there still, you can have a real challenge dealing with these sorts of people. But, it’s the future. You can’t expect them to change to accommodate you. You have to change to accommodate them. That’s the key learning. That’s where the resistance comes in and that presents somewhat of a threat. But, it’s about really understanding. Those are the sorts of things we should be taking into our training materials for this particular age group in the workforce. And keeping an eye on social media. A lot of stuff has escaped out there via social media. Increasingly, of course, larger organizations are monitoring their feeds just to find out what’s happening.
But not all the threats organizations will face are strictly people-oriented. What are you seeing on the tech side?
Edge computing allows you to disperse your processing to make use of things like cloud. But it also creates various opportunities for attackers, because it creates numerous points of failure that perhaps traditional security solutions don’t cover. You need to be monitoring every single device across your network all the time. And attackers, as we know, are particularly good at exploiting blind spots, targeting devices perhaps on the periphery of the network. As we move increasingly into a 5G-enabled space, a physical component is coming into it.
What I’m seeing is organizations going back to having their CISOs also responsible for physical security. It’s an interesting trend, I’m seeing it quite a lot. And the guys that are moving into those kind of roles are really relishing it because they see it as having total control again.
There’s a lot of work to be done, but will security teams have the money they need to do what they need to do to lock things down in 2021?
Obviously, we’re still going to see budgets under pressure, but that’s not going to stop organizations wanting to undertake digital transformation. Maybe they are going to have people working more from home than in an office environment, and so they need to deploy new systems, new infrastructures to help with that. Because of some of the financial constraints, it could be they’re building new infrastructure on top of the old, creaking structure. And that is going to cause some challenges for organizations. And it’s going to have implications across the old favorites, across the supply chain, not to mention introducing new vulnerabilities and attack vectors simply because of the creaking environment. And, finally, it’s going to be quite difficult to roll out as well as long as we have some of these pandemic-based prescriptions in place. So, you may not have full security across that rollout that you would be expecting.
We’ve talked about these threats individually. But they often work in concert. Why do they together create even more formidable threats?
When you think about these threats, some of them are people-related and some of course are technology-based. Sometimes what you’ll see from the security standpoint is us focusing in on perhaps a narrow element of the threat. If you take digital transformation as an example, we might target how we can protect some of that infrastructure build-out. We might have the finest amount of security around the way we program it and design it, but potentially we’re not paying attention to things like mental health or cyber fatigue, some of the things I mentioned around insiders. I think that’s more what we’re talking about with combining threats. Missing things, because we’re focused arguably too finely in a certain area. That’s quite natural, because let’s not forget, your resources are still going to be stressed in 2021. They’re still going to be widely dispersed around the country. We have to keep security functioning as well in an environment that is still very uncertain. We may have a plan to take everyone back into an office, but that may change, as we’ve seen, very, very quickly. We may have to take them back out again. The volume of work that’s required to do that is not going to help when it comes to managing some of these threats.