
Do You Need to Reboot Your Cyber Strategy, or Just Get Everyone to Play Together? 

Lloyd Evans, February 09, 2022
Lloyd Evans, LastPass Identity Lead, APAC, gathered a panel of top security executives together last October to talk about whether or not corporate cyber security strategies need a reboot (watch the full session here). Here are his takeaways from that conversation.

We all know that organisations have been getting progressively more sophisticated in the way they authenticate staff and encourage best-practice behaviour. The COVID-19 pandemic lockdowns, however, suddenly forced organisations to implement a new way of working in a very short time. It is now worth asking whether we have landed on the right setup for a permanently hybrid workforce.

Charles Gonzalez, Head of IT Security & Risk at HammondCare, explained that, in terms of ensuring staff follow the right security processes, it was important for the executives in charge to model the right behaviour. “I think it's super important that we practice what we preach, and I have been using password managers for well over a decade myself,” he said. “We've rolled out password management across a subset of businesses within our business, and are actually planning to roll that across the entire fleet as well.”

Gonzalez added that a crucial part of his strategy would be based around education, to try to get past the natural resistance many users have to changing the way they have worked for years.

This is something that Fadi Jafari, Cyber Security and Risk Director at Deakin University, said was a particular challenge with his user base. He has people on his network from all walks of life, ranging from veteran academics to first-year university students, and cyber security needs to be put into context for all of them. “We have different messages targeting different people based on the roles and the risk profile they present to the organisation,” he said.

“But at the same time we make good tools available to everyone, and we were surprised that when we told students that they could use Password Vault, not many of them knew there was such a thing.”

“I think we are guilty in the technology space of assuming that people know things and that it is trivial, but educating people and making sure the message has come across, and just being ‘in your face’ all the time, is essential to the success of these initiatives that we are all working on,” Jafari explained.

Organisation-wide conversations

The shift to working from home during the COVID-19 pandemic lockdowns gave organisations a prime opportunity to talk to staff about cyber security processes at a time when they could clearly see how technology was helping them keep doing their jobs.

Ashley Deuble, Chief Information Security Officer at Heritage Bank, said that some organisations left aspects of cyber best practice to one side in the rush to keep staff productive in the early stages of the pandemic lockdowns last year. But this has since proven to be a good opportunity to explain why new measures were being imposed, such as stricter authentication and password manager tools.

The challenge facing organisations now is setting out the principles for the new normal, where a large proportion of organisations look set to retain some of the flexibility of working from home even when people can return to the office.

Gonzalez admitted that his organisation had needed to strike a balance between mobilising quickly when COVID hit and retaining the strongest possible security posture. The time has now come to reassess what they were doing. “It is really important to go back and have a retrospective look at what that balance should look like. This is not about a ‘set and forget’ situation; it is necessary to go and honestly test what is working and what isn’t,” Gonzalez said.

Asya Ivanov, Chief Technology Officer at Generate KiwiSaver Scheme, pointed out that for organisations’ security policies to be effective, they rely on staff trusting management not to go overboard with recriminations if things go wrong.

The COVID era has coincided with a sharp rise in publicised cases of ransomware. With phishing emails, poor basic password hygiene and compromised credentials responsible for the majority of breaches, Ivanov pointed out that organisations are reliant on staff admitting when they have inadvertently done the wrong thing and clicked on something they should have left alone. “I found it personally quite tricky to find a balance where we communicate that this is a serious matter that can bring the whole business down, but at the same time make people feel comfortable enough to step up and say that they think they may have messed up,” she said.

It is a valid point, and a big part of a more progressive cyber strategy is normalising the topic. This means having people at all levels of the organisation, from the board down, accept that dealing with threats is a regular part of operations, rather than something left for the tech specialists to “fix.”

Planning and processes

Gonzalez related that “if you haven’t lived through a real-life security incident, you haven’t lived at all.” He said he had personally been through four ransomware situations at various points in his career, and that the biggest lesson learned was to make sure there is a plan in place beforehand in the event of being compromised. Of course, no one can completely simulate and foresee all the problems that will arise in the event of a successful attack, but having a clear plan covering backup, restoration, emergency interim processes and tech partner buy-in can greatly reduce the damage.

“Have your playbooks ready and don't do the same simulations all the time, change them around,” Gonzalez said. “No scenario planning is going to prepare you for real life to be honest with you, but if you have good processes and understand them well, then a lot of it becomes like muscle memory. It will get you working quickly and will be the difference between getting up to speed and getting contained at a much faster rate, and struggling for a long time.”

Deuble had a varied career prior to joining Heritage Bank as its CISO, and he said he too has been through numerous ransomware and APT attacks, including one perpetrated by an aggressive nation state. He said that during each attack the organisation was first alerted to the problem by a member of staff, highlighting just how important cyber awareness is across all disciplines in an organisation.

“When you're doing those playbook rehearsals and going through them, whether it be a tabletop exercise or a full-blown rehearsal, one of the things that I've learned throughout my career is that you really need to do it with the third parties that are going to be working with you throughout that process,” he said. “Often you’ll find that if you call up a vendor in a crisis you will get the standard response of ‘please log a ticket and we’ll get back to you within four hours,’ which is just an eternity in times like that, so they need to be with you and prepared for how you need them to respond.”

The often elusive notion of collaboration between different companies and organisations as part of a cyber strategy was also discussed. Sharing real-time problems, as well as lessons learned, is the best way any organisation can hope to be prepared, but the standard of sharing varies wildly by sector. Whereas some industries, like financial services and airlines, have seemingly adopted a strong approach to intelligence sharing, others, such as aged care, still have a very long way to go.

The message from all our panellists was that the best form of risk mitigation is preparation and communication. Making people feel responsible and empowered to make sure they are operating securely, and setting up lines of open and honest communication before the intensity of a live threat takes hold, can make all the difference.

LastPass is the leading password manager that provides companies of every size with the tools necessary to secure and centralise control of employee passwords and apps. Get a free trial here or request a demo to learn more.