
FIXING THE WEAKEST LINK

CYBER PSYCHOLOGY IS THE THREAT ACTOR’S DEADLIEST WEAPON; IT’S TIME FOR A ‘PEOPLE PATCH,’ WRITES MOREY HABER, CHIEF SECURITY OFFICER AT BEYONDTRUST

In the modern cyberthreat landscape, psychology reigns supreme. Of late, GCC nations have been clamping down on bad actors and have been recognised for it. Saudi Arabia and the UAE are impressively ranked in the ITU’s Global Cybersecurity Index (GCI), placed second and fifth globally, and first and second regionally, respectively. However, even the most prepared among us can still be fodder for creative social engineering attacks perpetrated by cybercriminals, hacktivists, and state-backed miscreants that seek to do us harm.


When it comes to cyber-risk management, end users get a bad reputation. Our “weakest link”, some would say; the more classically educated might prefer “Achilles’ heel”. And, while I wish I could stand with the people and dispute this, it is an unfortunate fact, backed by reams of post-incident data. Like any other vulnerability, it needs to be addressed. We need a “people patch”, if you will pardon the pun. But while a few hours of troubleshooting and coding may fix a software flaw, our colleagues require more thought and better training than a software update can provide.

There are many errors that lead to compromise, and most of them are avoidable with a simple list of “dos and don’ts”. But social engineering is different. Phishing and smishing attacks go after an employee’s ambition to be valuable to their employer, or even their own self-importance. These attacks often fake communiqués from senior staff members seeking action on something important and time sensitive. The counterfeited identity is often not even a hijacked email account or phone number but a simple spoof, yet the recipient neglects to verify the source because they have fallen prey to an age-old stimulus-response reflex: the need to be useful.

Culture coding

The fact here is that we have missed the point of people as an attack vector. While we hastily label “links” and “heels”, we fail to notice that the underlying behaviour is programmed into the employee by corporate culture. They are doing what they think is expected of them: acting quickly and diligently on an instruction from an authorised source. When software is vulnerable, we blame the vendor. So, shouldn’t the corporate culture likewise assume some responsibility for user error? If the company culture reprograms the reflex behind individuals’ micro-decisions from “do as you’re told” to “always verify”, might we see stronger, nimbler heels and therefore fewer successful social engineering attacks?

This cultural perception of one-way communication extends to the cybersecurity function, which is seen as a detached dictator (albeit a necessary one) of rules. Workforces, especially the digital-native variety of today, do not respond well to in-your-face authority and “just do as you’re told”. And so, we opt for explaining the rules and the role of security policies without sparing a thought for how difficult the controls make it for employees to follow them.

Some of my colleagues have drolly recounted overhearing Security Teams called the “Work Prevention Team”. Chuckling aside, this spells doom for the cybersecurity team’s ability to engage its colleagues. And we now know that all the tools and platforms in the world cannot convert a chain of weak links into a robust legion that can hold the line against a modern threat landscape that targets people.

Flexible and permissive

If we want better engagement, we need more human-friendly cybersecurity controls. And yes, I can almost see you scratching your head. Was I not just arguing against that? I was, but the answer is neither to abandon our controls nor to replace them with tighter ones that are more cumbersome. Technology and processes must empower our people. A more flexible and permissive approach to security can be delivered while simultaneously providing a safer environment.

As an example, organisations should start by removing direct privileged access from all users, establishing a restrictive baseline account. We then add permissions as they are needed (and only as they are needed) to perform specific tasks. This is called the Principle of Least Privilege (PoLP). This way we prevent an out-of-control fog of superuser accounts from roaming the digital landscape and tempting threat actors, who would use them to perform potentially malicious activity.

This new system is easier to manage. Endpoint privilege management tools are designed to implement PoLP, allowing users only the privilege level needed for their roles. We refine these permissions sets over time without impeding user productivity. Automation and policy templates allow users to be shielded from the underlying granular controls that protect them. Once established, such frameworks even allow standard users to install certain software through an allow listing system. The employee experience is enhanced, and the cybersecurity team is now called the “Work Enablement Squad” or some imagined variation. Employees can do what they need to do without the risk of social engineering gaining administrative access.
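To make the allow-listing step concrete, here is an added example of a default-deny elevation broker for a least-privilege desktop. It is illustrative code written for this article, not BeyondTrust’s or any product’s implementation; the request fields, the two rule shapes (exact content hash, or a trusted signer restricted to admin-controlled directories) and the sample “installers” are all assumptions. The point it makes is the one in the text: the user has no standing admin rights, and even a phished user who runs a tampered or mislocated binary gets a deny rather than an elevation.

```python
"""Default-deny elevation broker for a least-privilege desktop (added example).

Not BeyondTrust's or any vendor's code. A standard user asks the broker to run
one binary with elevated rights; the broker grants it only when a policy rule
matches. Everything below (request fields, rule shapes, sample bytes) is assumed.
"""
import hashlib
import posixpath
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ElevationRequest:
    user: str
    path: str                    # location of the binary on disk
    content: bytes               # bytes the broker read itself, never supplied by the user
    publisher: Optional[str]     # signer CN the OS already validated; None if unsigned


@dataclass
class Policy:
    # Exact-content rule: the hash matches wherever the file sits, so a user may
    # run an approved installer from their own Downloads folder.
    allowed_hashes: set = field(default_factory=set)
    # Publisher rule, limited to admin-controlled directories: a user cannot
    # drop a legitimately signed but unwanted tool into their profile and elevate it.
    trusted_publishers: dict = field(default_factory=dict)   # signer CN -> path prefixes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _under(path: str, prefix: str) -> bool:
    """True if path (after collapsing '..' segments) lies inside prefix."""
    norm = posixpath.normpath(path)
    base = prefix.rstrip("/")
    return norm == base or norm.startswith(base + "/")


def decide(policy: Policy, req: ElevationRequest):
    """Return ("allow" | "deny", reason). Anything not explicitly matched is denied."""
    digest = sha256_hex(req.content)
    if digest in policy.allowed_hashes:
        return "allow", f"hash rule sha256:{digest[:12]}"
    prefixes = policy.trusted_publishers.get(req.publisher or "", ())
    if prefixes:
        if any(_under(req.path, p) for p in prefixes):
            return "allow", f"publisher rule {req.publisher} in approved directory"
        return "deny", f"{req.publisher} is trusted but {req.path} is not an approved directory"
    if req.publisher is None:
        return "deny", "unsigned binary with no hash rule"
    return "deny", f"publisher {req.publisher} not trusted and no hash rule"


# Constructed sample "installers" standing in for real binaries.
VPN_INSTALLER = b"\x7fELF constructed-vpn-client-5.2\n"
TAMPERED_VPN_INSTALLER = VPN_INSTALLER + b"# appended payload\n"

POLICY = Policy(
    allowed_hashes={sha256_hex(VPN_INSTALLER)},
    trusted_publishers={"CN=Corp Software Packaging": ("/opt/corp/installers",)},
)


def audit(policy: Policy, requests):
    """Decision log a security team would review: (user, path, verdict, reason)."""
    return [(r.user, r.path) + decide(policy, r) for r in requests]


if __name__ == "__main__":
    sample = [
        ElevationRequest("alice", "/home/alice/Downloads/vpn-setup.run", VPN_INSTALLER, None),
        ElevationRequest("alice", "/home/alice/Downloads/vpn-setup.run", TAMPERED_VPN_INSTALLER, None),
        ElevationRequest("bob", "/opt/corp/installers/office.run", b"office", "CN=Corp Software Packaging"),
        ElevationRequest("bob", "/opt/corp/installers/../../home/bob/tool.run", b"tool", "CN=Corp Software Packaging"),
    ]
    for row in audit(POLICY, sample):
        print(row)
```

Note the order of checks: the hash rule wins because it binds the decision to the exact bytes, while the publisher rule is deliberately weaker and so is fenced to directories only administrators can write to; the path is normalised before the prefix test so a `..` segment cannot escape that fence.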

What about passwords?

There’s more. Shared and default privileged accounts need not be deleted; they can now be secured. They can be managed through privileged-password and session-management solutions that automate the oversight of privileged accounts and their associated passwords and secrets. These solutions can regulate password rotation, greatly mitigating the risk of brute-force and pass-the-hash incursions even if passwords have already been stolen. Additionally, these tools can mandate that all privileged access takes place via secured, brokered sessions. This protects users and systems from our own human weaknesses when they are attacked. And as a benefit, it moves us closer to a zero-trust environment, which is where every cybersecurity leader wants to be to ensure that all communication is appropriate.

It should be made clear that while the eventual setup operates without undue complexity for users, they still need to be part of the change process. Policies will change. IT operations and workflow will change. And users will have to be retrained to use systems and processes differently. Clear communication will be critical. Rather than explaining the need for daily complexity, however, we can now tell users that we are working to enhance their experience while protecting them from themselves.

So, what does this mean for security teams? Control and accountability. An overall lower risk of falling victim to a phishing attack, while becoming an enabler for users and subsequently converting them into allies in the day-to-day battle with threat actors. This means a more relaxed, productive, innovative work environment for everyone, because the people attack vector has been mitigated by removing administrative rights from the attack chain.

Psychology, reimagined

As we head into 2023, business leaders are faced with talent shortages in all roles. An ecosystem like the one described creates better work experiences for cybersecurity, IT, and non-technical staff. Tight security controls but with effective communication and unencumbering workflow is exactly what the psychologist ordered. Make it easy for people to work and if they make a mistake, remove the crack in the pavement that could cause them to stumble.

Can you list some top trends that will have the maximum impact on the tech landscape in 2023?

As technology evolves and complex business problems continue to emerge, IT professionals will face new challenges in 2023 and beyond. Some changes will fuel innovation, while others will spur debate around AI ethics. And others, such as cyber threats, will force companies to mitigate and meet these risks head-on.

The most influential trends that will impact IT decision-making are as follows:

• Cyber resilience will overtake cybersecurity as top security concern

• AI ethics will become imperative

• The cloud will drive innovation

• Companies will embrace distributed cloud

• Cloud networking will grow

• 5G private wireless to move beyond industry 4.0

• Personalized digital employee experiences are must-haves for hybrid work

• Mainframe will solidify its role in hybrid cloud strategies

As business leaders, we must understand that the impact of these trends will vary depending on the industry and application. It is never just the technology but the ways it is integrated and adopted that can lead to an impact and help achieve business objectives.

How are you helping your customers build operational resilience?

For our part, Kyndryl is aligned around the principle of cyber resilience in managing risk. We have thousands of security experts across the world, many of whom specialize in cyber resilience as a service and are ready to work with government, private sector companies and organizations of every kind to ensure a safe and resilient global economy.

Since our launch, we’ve been expanding Kyndryl’s global strategic partnerships to address customers’ specific security and resiliency needs. For example, we have partnered with Veritas to deliver its industry-leading data management portfolio to enterprise customers as a fully managed service, “Protection and Cyber Resiliency, Powered by Veritas.” And in the Middle East, we formed a strategic collaboration with CPX Holding to help improve cyber resilience for customers in the UAE and the region. Through a powerful combination of Kyndryl’s global leadership in IT infrastructure services and CPX’s end-to-end cybersecurity capabilities, we aim to help customers protect their business-critical assets and support their overall digital transformation. We have also announced a Recovery Retainer Service which provides our most at-risk, critical infrastructure customers

Can you list some top trends that will have the maximum impact on the tech landscape in 2023?

The current economic climate means that appetite for risk is extremely low. Despite this, businesses know they need to continue to innovate and digitise if they are to survive, and this involves staying at the forefront of technology. In fact, 95% of businesses surveyed for our Industry Insights Report 2022 told us that right-fit technology will accelerate growth for their business. So, while the global economic outlook remains uncertain, the pace of digital innovation will continue unabated and businesses that prioritise strategic tech investments will increase their chances of success in the year ahead.

Against this backdrop, business planning technology solutions have never been more vital. These include solutions that enable forward planning, financial planning and simulations that give businesses the data they need to make the right decisions in a volatile environment.

What are the biggest challenges facing CIOs this year?

Faced with resource and budget constraints, CIOs will be under pressure to maximise the value of their tech investments, which calls for them to effectively draw insights from the treasure trove of data that these systems generate. However, to effectively do this, organisations need one source of truth for all their data points, with a digital core that runs through their businesses. Other apps which monitor disparate parts of the businesses should be able to integrate with this digital core, so interoperability of all software solutions will be a key selling point. Although there is a lot of hype about the potential of predictive analytics, machine learning (ML) and artificial intelligence (AI), these solutions can’t offer full value to customers if that one source of truth isn’t already in place.

How are you helping your customers build operational resilience?

Through 2022, organisations in key sectors served by Epicor – manufacturing, heavy industry, aerospace and defence, automotive and more – have been plagued by supply chain issues.

The foundation for a resilient supply chain is advanced digital technology, which is what Epicor provides to its customers. Our supply chain management solutions connect systems, and take information out of silos and into a centralised location. This makes every link in our customers’ supply chains completely transparent, in real-time, so decision makers can account for every element that affects operations.

Company headcount will increase in 2023… with bot workers. In 2022, companies took high-efficiency measures, like layoffs, to financially safeguard business. But in 2023 companies will need to replace this headcount because customer expectations remain high. Companies will deploy more bot workers in 2023 to reduce human dependence on mundane tasks. Bonus: it’ll also reduce cost and margin for human error. We’ve started to see this trend with understaffed retailers, but it’ll soon be mainstream.

Automation rewriting automation: 47% of developers don’t have access to the tools they need to build applications fast enough to meet deadlines. Next year we can expect the next wave of automation to automate its own development to fill this gap. Code will be written by AI engines, intelligently generating its own code. As low-code and no-code platforms continue to enable the technology behind these innovations, we’ll see more maturity, more time savings (cutting down development time by 90%), fewer errors and faster development.

What are the biggest challenges facing CIOs this year?

Perhaps the most frustrating challenge for CIOs and innovation leaders is that despite their best efforts, and the significant investments being made into the latest technologies, one of the key outcomes they seek – enhancing employee experiences (EX) and thereby CX – remains elusive. A study we conducted in 2022 showed that despite businesses in the Middle East and Africa (MEA) having doubled down on digital transformation, nearly half (47%) of regional employees report that technology issues at work have since increased their stress levels, causing a negative impact on their mental health. Identifying ways to continue innovating, while ensuring high user acceptance rates, will be a top priority for CIOs in 2023, especially given the pressure they will be under to justify the ROI on every dollar spent.

With sustainability being a priority for many organizations, efficient technologies which use less energy and have a better carbon footprint will be on many boards’ agendas. Today’s businesses are much more environmentally conscious, but volatile energy costs have forced the issue in many countries around the world, and in the next year we will see green and sustainability credentials at the tip of the spear in conversations between vendors, service providers and customers. Many groups within organizations will develop a much greater understanding of sustainability metrics and methodologies and will start applying them when making technology choices.

Containers will be the key to cloud neutral infrastructure designs — beating lock-in

While historically large enterprises have worked with different cloud providers for different use cases, this creates cloud lock-in which customers are sick and tired of. Next year we will see an increase in customers building cloud neutrality into their design to avoid this lock-in even if it’s only to prepare for the future. To do so, companies will rely heavily on containerizing applications, making them portable across private, public and hybrid cloud infrastructure, regardless of the cloud providers at play. There will also be a push to consolidate management of applications through Kubernetes platforms with all the flexibility, speed, cost effectiveness and security needed to ensure success in a cloud neutral environment.

Hiring IT specialists will become harder: organizations will hire more generalists

Every organisation is struggling to find Kubernetes, data analytics and machine learning specialists, as these are some of the most in-demand skills in IT at the moment. However, companies don’t actually want to hire people who are good at only one thing; they are looking for people with a breadth of skills. As a result, organizations will need to hire more generalists and fewer specialists, even in critical roles, and train them in areas where skills need to be developed. This will be far more efficient for the IT organization in the long run, as specialists tend to serve as a bottleneck if they are the only personnel who can solve specific problems.

Can you list some top trends that will have the maximum impact on the tech landscape in 2023?

KARIM BENKIRANE Chief Commercial Officer, du

Demand for today’s emerging technologies continues to increase exponentially, driven by customers and businesses across all industries:

1. Adoption for technologies such as 5G, Metaverse, AI, ML, IoT, and advanced data analytics will continue to rise due to the effectiveness of both full-time remote working
