Print.IT - October 2015 - page 22

DATA SECURITY
Q. Are data breaches always
caused by human error and flawed
security practices or are many of
today’s security solutions not fit
for purpose?
TK Keanini,
CTO (chief technology
officer),
Lancope
“All of the above. The defender is
not playing against a static and
predictable attacker, and so we need
to think about this as a game that
is actively being played. Security
solutions are like going to buy a
car and only being able to buy car
parts – you, the defender, must put
together the whole solution, and this
is challenging for the mid market.”
Simon Crosby,
CTO and co-founder,
Bromium
“The 2014 Verizon DBIR shows that
about 90% of breaches begin with
a human error – typically clicking
on malicious links or attachments,
but also losing devices and
misconfiguring them.”
Joanna Brace,
VP of Product
Marketing and Marketing,
AVG Business
“Even the most secure system is
only as strong as its weakest link
– typically the end user. This is
compounded as businesses try to
implement flexible ways of working
to ensure talent is attracted to the
organisation and stays over the
long term. How this manifests itself
is through letting employees use
their own devices and apps to carry
on working outside the walls of the
office. In the absence of any controls,
many small firms have had no option
but to trust employees to behave
responsibly and hope they do not
leave themselves open to a hack
or breach. However, with reports of
hacking and cyber-attacks on small
firms continuing to hit the headlines,
doing nothing is scarcely sustainable.
Hackers are becoming increasingly
sophisticated in their approach,
using social engineering to trick
employees into opening realistic-looking
but fraudulent emails, or
using fake or re-directed websites.”
Andy Heather,
VP EMEA, enterprise
data security,
HP Data Security
“The answer is yes, or all three! The
human error is not necessarily that
someone forgot to throw a switch or
left a door unlocked; it starts with the
decision (or lack of) to leave sensitive
data unprotected. Sometimes
the decision about data security
is based on an older model of a
secure perimeter. Traditional security
technologies like firewalls establish
a security perimeter that is designed
to keep hackers out. A security
perimeter is not necessarily a bad
thing (if it can keep hackers out), it
is just that with today’s technologies,
your data is being moved in and out
of that perimeter on a routine basis by
people who need to use it. Choosing
to leave sensitive data unencrypted
as it flows in and out of your system
is flawed security, and relying on
perimeter security only is not a fit
solution. Instead, businesses should
be protecting the data rather than the
network where the data lives. This is
typically done with encryption.”
Graeme King,
Senior Tech PI
Underwriter, Financial Lines,
Allianz
Global Corporate & Specialty
“Available security solutions are
mostly fit for purpose. But they
are limited. Malware injected into
computers will bypass anti-virus if it
is a new type that does not contain
the ‘signature’ of known viruses.
One of the greatest challenges is
ensuring that employees do not
fall for phishing emails and the
sophistication with which these
attacks are done is increasing all
the time. The majority of successful
attacks start with an email where
employees are tricked into disclosing
login and password details. Once
the door to the computer system
is open, the damage is often done
and the company is at the mercy of
the hackers. They will usually move
slowly and carefully through the
system, monitoring, recording and
learning what they need to know to
commit their intended crime. You can
build layer upon layer of protection,
but employees frequently let them
through the front door.”
Richard Cassidy,
technical director
EMEA,
Alert Logic
“The reality we face in today’s
threat minefield is that human
error is the highest contributing
factor to why threats exist and why
attackers succeed in exploiting their
targets. Bad actors (hackers) have
increasingly turned their focus to the
tried and tested method of social
engineering, ranging from brute
force attacks against systems and
servers protected by weak passwords
to phishing campaigns that far
too many users still fall victim to,
allowing malware to bypass almost all
security tools in place. If we flip the
same view to the developers of the
software used in today’s production
environments, it’s bugs or poorly
understood security practices in
coding that often lead to the major
exploits we have seen in the last
decade. However, we’re starting to
see a shift, through better education
of end-users on the pitfalls of online
activities and how to identify potential
attacks. This remains the most
critical part of security best practice.”
Mark Noctor,
General Manager,
Europe at app security specialist
Arxan Technologies
“It’s a mistake to try and pin security
breaches on a single cause, as there
are often a number of factors at play.
Human error does still account for
a large number of breaches, but in
certain situations, security solutions
are also not advanced enough to
deal with more sophisticated attack
methods. With this in mind, best
practice for a company is to adopt
security technology that includes
Q&A
With major data breaches now almost a daily occurrence,
PrintIT
asks leading lights in the data security industry where businesses are
going wrong and what small and medium-sized businesses can do to
protect themselves from attack
Continued...