“Data: We have never had so much of it, and it has never been so challenging to protect.”
These are some of the opening words of the ‘Data Security Survey 2022’, a new survey published by ISMG and HelpSystems. The survey explores how COVID-19 has permanently changed how CISOs approach data security.
It is an important study because it recognises that in a world which is in a rush to return to ‘normal’ (whatever normal is now), change has come, and we need to respond to it.
The report states that the amount of Data we create (and consume) is only ever increasing, which I don’t believe should be news to anyone. Consider for a moment the explosion in the use of video conferencing (MSTeams, Zoom etc.) to hold meetings during COVID, and how many of these were recorded? All the webinars and events that suddenly moved online, and all the companies who quickly had to invest in devices so their staff could work remotely.
The amount of data we create was already increasing, and this was before COVID19 forced us all to go online.
Data, Data everywhere.
This point should not be glossed over, and it’s worth again considering the number of new internet users forced online during the Pandemic. From pensioners who were provided mobile devices to stay in contact with loved ones to schools and childcare services who were forced to conduct classes and safeguarding sessions on Zoom. Although these individuals use technology, there are CISOs and DPOs everywhere who manage these organisations and the data that is collected and flowing through their servers and systems.
Old Threats. New Challenges.
The Pandemic brought with it new challenges for CISOs, not least because the networks and users of systems were suddenly distributed to the four corners of the city, country or beyond. What was once a relatively controlled environment quickly spilled beyond those control boundaries and became one whose users were increasingly worried about the world around them.
It is absolutely imperative that we do not lose sight of this very human experience we have all gone through. Remembering that even before the Pandemic, the ‘insider threat’ was often cited as a considerable risk, the Pandemic created a perfect storm concerning people who were either distracted or disgruntled. Either of these could lead to people accidentally clicking a link or deliberately taking confidential data to a competitor.
During the Pandemic, the number of phishing attacks and scams increased dramatically, and according to UK Finance ‘Fraud the Facts’ report of 2021, “2020 was a year of unprecedented challenges, as the Covid-19 pandemic dramatically transformed our everyday lives and lockdown restrictions significantly impacted on the economy.”
As the world attempted to pivot and respond as best possible to the new problems, the cybercriminals and fraudsters capitalised on the confusion and new ‘clients’ presented to them. As stated above, people were clearly and understandably distracted during this period, and cybercriminals were quick to build on previous scams, but this time with an increased likelihood of success. Scams relating to everything from fake PPE products to fraudulent (and costly) health-check kits to tax and credit relief quickly propagated across the world, and understandably they landed on fertile ground.
Disruption to data security initiatives – 19%
Worryingly, the report highlights that the Pandemic disrupted data security initiatives and programmes of some 19% of respondents. This, therefore, leaves us at a disadvantage against an adversary who knew we were struggling to cope with the changing landscape. It would be interesting to know how many of these initiatives have been re-instated or have been forever abandoned due to financial (i.e. business) imperatives.
The report goes on to state that nearly 100% of respondents (97%) expect level or increased funding for 2023. When asked where they will invest resources, they cite:
- Enterprise data loss prevention (56%),
- Data classification (40%), and
- Encryption (35%).
Although this looks encouraging, we can only hope that a large portion of the 56% investment on enterprise data loss prevention is focused on training and awareness.
Conclusion: The Biggest Challenge
For me, the most troubling part of this survey is the response to the following question:
“What are the biggest challenges facing your organisation today when you consider your data security?”
At the top of the leader board is ‘Data visibility’. With the increasing amount of data in circulation, this is no real surprise. After all, as we often say, “You can’t protect what you don’t understand”, and if you don’t understand your data landscape, then you are always at risk.
But at the bottom of the table, below ‘lack of budget’ and ‘Transition to Cloud’, is ‘Lack of training/awareness for employees’.
Thinking positively, this response could indicate that CISOs have done a great job training staff and making them aware of security risks. But unfortunately, I’m not as optimistic.
I believe there may be flawed thinking here, and it must urgently be addressed.
The virus we have experienced affected humans. Not computers.
What we have gone through is a very human experience. The Pandemic affected each and every one of us in ways that many could not have predicted. It turned rational thinkers into irrational reactors.
Training and awareness are often established on the idea that people are thinking rationally. “Think before you click” is the slogan and cliché trotted out on PowerPoint slides the world over.
CISOs need to change their approach to training and awareness, and they need to do it quickly. For the longest time, cybercriminals, scammers and fraudsters have known something that, it would appear, CISOs don’t understand:
People are emotional beings. Training and awareness addresses only one aspect of the human condition, and when emotions can be provoked – anything is possible.
About the author: For over three decades, Lee Scorey has honed his technical skills, working for a multitude of industries and sectors, including financial, commercial and the public sector.
Information Security has always been at the heart of each role he has undertaken, and he is passionate about developing safe and secure operating practices and environments that make life safer for all.
As a consultant Lee now runs his own Information Security Consultancy, helping businesses approach information security in a practical and pragmatic way.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.