Cyber Security Market Observations - Intuition

Cyber Security Market Observations

The continuous increase in the number of insider-related cyber fraud incidents, especially those caused by inadvertent actors [1], underscores the importance of cyber security awareness in organisations. Since the turn of the year, our research has focused on building up a general knowledge of this market and those likely to be affected by cyber fraud. Our aim has been to identify and validate trends in the awareness of cyber security across industry sectors in both the software developer and end-user groups. Our focus includes, but is not limited to, Financial Services – consistently the sector with the highest volume of security incidents [2] – and we look to answer the following:

  • Where does cyber security rank in the general list of business priorities?
  • Does the level of concern carry through to the human aspect of cyber security?
  • How are organisations currently addressing the human aspect of security?
  • Are current approaches having a positive impact on behaviours?
  • How would organisations like to address this issue in future?

 

IBM X-Force Report: Shellshock Fades, Gozi Rises and Insider Threats Soar, 2018

Key Aspects of Cyber Security

PwC Global State of Information Security Survey, 2018

Business is Built on Trust – Trust is built on security.

Cyber Risk is Acknowledged – The threat is continuously changing.

Security Impacts Everyone – At work and at home, it is our collective responsibility.

The majority of breaches are preventable – they involve human error. According to PwC’s State of Information Security Survey 2018, incidents related to hackers and other outsiders have declined, while those attributed to employees are increasing [3]. However, the consensus is that framing people as ‘the weakest link’ is counterproductive. To have a positive impact, we must consider people as part of the solution. This starts with culture.

The Human Aspect of AppSec

Traditionally, Application Security has focused on the ‘detection & remediation’ of pre-existing vulnerabilities. Today, organisations are starting to move away from relying on security testing alone, adding prevention through education and promoting a culture of ‘security by design’ [4]. This ultimately saves money; the later in the software development life cycle a vulnerability is addressed, the more it costs.

Key points

  • Cyber security is a top priority in most organisations
  • Tick-box training is not working to raise awareness
  • To engage employees and have an impact, training must be frequent and relevant
  • Collecting data to illustrate the progress and impact of security programmes is a challenge
  • The approach to software development security has generally been a reactive one, although the benefits of ‘security by design’ are recognised

What can be improved?

People can be a primary resource in threat mitigation. People are often an underutilised resource when it comes to cyber-defence. From spotting the signs of an attack to knowing how to react, cyber-aware people can be a critical asset in addressing the cyber security threat.

Attitudes and behaviour matter as much as knowledge. Knowledgeable people can still act insecurely. What people know, what they think and how they behave when it comes to cyber security are all key to understanding the role that humans play in reducing cyber risk.

Compliance should not be the only driver. Employee awareness is often seen as a compliance activity rather than a means to change behaviours. Ultimately, it is how people behave that will reduce risk or expose organisations.

Relevance is critical. Cyber security measures that are relevant to day-to-day tasks, the industry and the changing threat facilitate knowledge transfer and behaviour change. This includes both secure software development practices and security-conscious end-user behaviour.

Align personal and work life. Security impacts our employees both at home and in the workplace. Scenario-based challenges, which highlight the risks, help with knowledge transfer and illustrate secure behaviour.

Leverage data. Data analytics can be used to demonstrate improvement, measure risk and identify areas of vulnerability. This allows for better allocation of resources.

 

References

[1] IBM X-Force Report: Shellshock Fades, Gozi Rises and Insider Threats Soar, 2018

[2] IBM X-Force Report: Shellshock Fades, Gozi Rises and Insider Threats Soar, 2018

[3] PwC Global State of Information Security Survey, 2018

[4] Veracode Best Practices for Complying with Emerging Application Security Regulations, 2017