FEED Autumn 2021 Newsletter

Ben Kepes, Diversity Limited, Technology industry analyst

What are the biggest cybersecurity threats now?

Widespread attacks from nation states seeking to gain political and economic leverage. Whereas previous key risks related more to bad actors looking to make financial gains through cyberattacks, these players have multiple drivers – and hence their attack targets have grown wider.

How well-informed are your customers on cybersecurity issues?

Every boardroom I sit in is deeply aware of cybersecurity as one of the key risks. The issue is, with significant investment in cybersecurity products and services, people are still generally the weakest link. Therefore, organisations need to spend as much time as possible developing robust policies, and training staff across the entire organisation about good practices to decrease cybersecurity risks.

Who is in charge of cybersecurity in your organisation?

For my own consulting firm, I take care of these things. Wearing my governance hat, however, I am fortunate enough to sit on a number of boards. The larger organisations have the benefit of a CISO or CIO to take charge. Smaller organisations either outsource these roles, or have a senior member of the team take care of it. But to reiterate, cybersecurity should be seen as the responsibility of every person within the organisation.

What best practices do you have in place to defend yourself?

Obviously, ensuring computers are patched, antivirus software is used and installed, firewalls and network access are robust and controlled. But also less obvious things, like ongoing training of staff, regular updates of what is happening in the broader cyber area, and a ‘watching brief’ on this rapidly changing issue.

Have you had any personal experience of a cyberattack?

I think everyone has received phishing emails. These are, of course, one of the most common vectors of attack. Organisations I am involved with have sustained DDoS and other attacks.

What is the scariest cybersecurity story you’ve ever heard?

Recently, an entire health district in New Zealand sustained a prolonged attack. Multiple hospitals were forced to resort to paper systems, surgeries were cancelled and patients had to be sent elsewhere to receive life-saving treatment. Recovery involved starting entirely from scratch and essentially destroying an entire infected IT system.

Ian Hamilton, Signiant, Chief technology officer

What are the biggest cybersecurity threats now?

Mismanaged deployment of on-premises or corporate IT cloud software is a big threat to most organisations. Attackers can take advantage of loose update policies and poorly configured software. Most corporate IT-deployed software is not secure by default, and requires hardening as part of configuration. A key value of SaaS is that this is done for you.

How well-informed are your customers on cybersecurity issues?

We make sure that any commercial partners conform to our security policies before we engage with them. A chain is only as strong as its weakest link. We design our SaaS so our customers only need minimal knowledge of cybersecurity issues, but quite a few of our large-enterprise customers have significant cybersecurity expertise.

What best practices do you have in place to defend yourself?

We consider information security in everything we do, and design controls in compliance with guidance from ISO, AICPA, MPAA, DPP and TPN. We engage with independent third-party security evaluators, who review our designs, implementation and controls. And we make extensive use of SaaS in our business systems, ensuring all vendors have controls in place. Today, every system is in a constant state of attack. A static, perimeter-based approach to cybersecurity is insufficient to address the evolving threat landscape. Security must be managed proactively to understand evolving attack vectors, and potential attack surfaces in your enterprise. SaaS is valuable, since much is done by a SaaS vendor with a deep understanding of their application and the infrastructure that powers it. A key question for small- to medium-sized SaaS vendors is whether they have ongoing engagement with third-party security evaluators. Big organisations often have in-house teams, but third-party auditing plays an important role.

Have you had any personal experience of a cyberattack?

Who is in charge of cybersecurity in your organisation?

While I lead the strategy, security isn’t a one-person job. It’s part of the culture of our engineering, product management, SRE and operations teams.

feedmagazine.tv
