CONTENTS ISSUE 119
MAR/APR 2021
MONITOR
05 Up front
Foreword from the editor
06 News
The latest regional and international security news
20 Market
A roundup of the latest security products and solutions
50 Events
Diary dates of forthcoming security exhibitions, conferences and events
FEATURES
13 Systems integration
Chief executive officer of the PSA Security Network, Matt Barnette, tells us what he believes are the necessary criteria for being a great systems integrator in the current climate
16 ISF column
In the first of his regular new information security columns for Security Middle East, Daniel Norman, senior solutions analyst at the Information Security Forum (ISF), looks at how criminals exploit the ‘accidental insider’
28 Recording devices
Timothy Compston assesses the state of play in the current DVR and NVR market and how the continuing rise of big data is forcing end users to re-think how they record and store their information
34 Installation
A high-end multi-use office block in the city of London installs a state-of-the-art access control solution that combines touchless access, integrated turnstiles and surveillance cameras
36 Storage
Another look at data storage, this time from Brian Mallari of storage experts Western Digital, who examines the impact that smart video is having on our data infrastructure
40 Access management
Morey Haber looks at the lessons that can be learnt from the recent security breach of over 150,000 security cameras run by Verkada IoT Camera Services
44 Interview
SME talks to Fahmi Jabri, general manager, Honeywell commercial security, Middle East, Turkey and Africa about how they are putting health & safety at the heart of their security offering
OPINION | ISF
Insider dealings
In the first of his regular new information security columns for Security Middle East, Daniel Norman, senior solutions analyst at the Information Security Forum (ISF), looks at how criminals exploit the ‘accidental insider’
Profiling and understanding key threats posed to an organisation is a core component of security. For too long, organisations have focused on traditional threat actors, such as nation states, organised criminal groups and malicious insiders that are typically well funded or highly motivated to cause harm.
In stark contrast, the most prolific threat to any organisation actually comes from inside the business. It enters the organisation surreptitiously, without any intent to cause harm, in the form of “accidental insiders.” These are employees that either make a mistake in their job or daily life that results in a security incident or provides an attacker with an opportunity to compromise. Organisations across the globe experience thousands of security incidents daily that could have been avoided by individuals that never meant to cause direct harm in the first place.
In 2019 the number of data breaches caused by human error grew from 88% to 90%, highlighting that even with no real motivation to cause harm, employees can have a significant negative impact on organisations.
Interestingly, anyone in the business can be an accidental insider – from C-Suite executives to secretaries, humans all have a range of psychological vulnerabilities that can lead to errors being made and thus triggering a security incident; errors such as sending an email containing sensitive information to the wrong address, not challenging a person if they enter a building without the right credentials, or leaving a company device on public transport, can all cause significant financial, operational or reputational damage to a business. As demonstrated by a number of global attacks, all it takes is one small mistake to grow into a large data breach or incident, so why are so many organisations still struggling to combat this threat?
Currently, many enterprises take a technology-centric approach to security, implementing CCTV, user behaviour analytics, firewalls or perimeter fencing, but these capabilities do little to protect the business against the accidental insider. What is currently missing across many organisations is a human-centred perspective of security, understanding human behaviour and the types of situations or techniques that trigger an individual to make an error.
Human behaviour is complex and can be influenced and manipulated in a range of ways – all humans have fundamental psychological vulnerabilities that can manifest during times of heightened pressure or stress and will impact the decision-making process in real-time.
During these situations, employees tend to make quick, subconscious decisions, without rationally thinking about the consequences of their actions. Individuals will act on impulse, taking mental shortcuts to finish a task in the fastest time possible. For example, subconscious decisions can manifest when given a time constraint to finish a job for your boss, being stuck in traffic or having a personal problem at home. These situations can occur naturally without the influence of criminals and result in a higher likelihood of mistakes being made.
For millennia, attackers have also been using subversive and manipulative techniques to evoke certain responses from their targets. As humans entered the digital era, the attack techniques became more sophisticated, cost-effective and expansive, enabling attackers to target individuals or groups at scale. For example, attackers can perform spear phishing campaigns, which are targeted communication techniques, establishing credibility online with their targets to extract valuable information and persuade them that their requests are legitimate. Using advanced technology, attackers can perform these attacks using email, text messages and social media, meaning that employees can be approached and targeted at any time of the day. The believability of these attacks is frightening and without the right training and tools at their disposal, employees will always be vulnerable.
Knowing the techniques attackers use to manipulate outcomes and the detrimental situations employees may find themselves in should be integrated into security awareness across an organisation; training individuals to better manage their own stress levels is also an imperative. Security awareness, training and education must not be understated and must not have budget reduced in place of more glamorous technical solutions.
It is clear that technical controls and wider investment in preventative controls can only do so much when it comes to preparing individuals to manage the threats posed by their own behaviour. Historically, human behaviour has caused significant damage to organisations, so a more progressive approach to managing these threats is needed. Once security is understood through the lens of psychology and behaviour, organisations will be better positioned to manage and mitigate the risk posed by human vulnerabilities.
The ISF is a leading authority on cyber, information security and risk management. Its members comprise some of the world's leading organisations featured on the Fortune 500 and Forbes 2000 lists. For more information visit www.securityforum.org
16 | SECURITY MIDDLE EAST | MARCH/APRIL 2021