"Organizations need to train their employees in good operational security" - CIO&Leader

Keith Martin, F-Secure Head Asia Pacific and Japan for Corporate Business shares his perspectives on cybersecurity…

Cybersecurity spending is higher than it’s ever been – an estimated USD 96 billion this year. Where do you think organizations are investing the most?

Companies continue to invest the lion’s share of their cybersecurity spend in the more “traditional” areas, such as antivirus software, firewalls, and monitoring. However, although the overall percentage is still relatively low, some newer categories, such as endpoint detection and response, as well as vulnerability assessment, are growing at a faster rate than the more traditional types of protection, and we will see them consume an even greater percentage of the spend in the future.

Do you finally see organizations turning cybersecurity/security into a strategic asset in the organization?

Unfortunately, I don’t believe this shift in mindset has become very commonplace yet, although it should be. Using the strength of your security as a competitive differentiator can definitely add value to your business and therefore should be seen as contributing to your profit, not simply viewed as a cost to be minimized.

There’s a lot going on around cybersecurity and data protection these days, so it’s a fantastic set of topics. So what are some of the concerns you’re hearing from your APAC customers on GDPR?

There is still a lot of confusion and uncertainty regarding GDPR. Companies really need to clearly understand if this affects their business and, if so, ensure that they have taken the necessary steps to comply with these regulations. GDPR is not only about cybersecurity but also ensuring that the personal information you have on your systems is sufficiently protected. This is something every company should take seriously, regardless of whether they are impacted by GDPR or not.

GDPR will force everyone to raise the bar in terms of security and functionality. How do you think organizations can balance both?

As our chief research officer Mikko Hypponen has said, “Complexity is the enemy of security.” The more complicated we make our systems, the more difficult they are to use and maintain; the more likely they are to be insecure. As an example, one of the data leaks that occurred within the government of Japan happened for exactly this reason. A system that was too cumbersome to use as designed led one user to move data in a spreadsheet to another machine in order to complete their work more efficiently. Unfortunately, that machine was not on the secure network and eventually got compromised. This is a good lesson for ensuring that we don’t forget that sometimes the simple solution is both easier to use and more secure at the same time.

According to your recent ransomware report, WannaCry is the family behind May 2017’s global ransomware pandemic, which is now recognized as the largest ransomware outbreak in history. How can we avoid such attacks from recurring in the future?

The best way to avoid ransomware is to use reputable antivirus software, preferably one that includes heuristic analysis in addition to a standard signature-based detection engine, and to keep all of your PC software up-to-date with the latest patches and updates. The WannaCry outbreak was enabled by the fact that while there was a Windows patch that would have prevented infection, those 200,000 machines that got infected had not taken the care to keep their systems up-to-date. Finally, be sure to have a backup of your data just in case. If your data is backed up, even in the worst-case scenario of a ransomware infection, you can still restore your data from the backup.
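The backup advice above only pays off if the restored data is actually intact, so a defender will want a way to prove a restore matches what was backed up. The following is an added example, not code from the interview or from F-Secure: it records a SHA-256 manifest of a directory tree, restores it, and then reports which files a simulated infection left missing, modified or renamed. All paths and file contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns paths that are missing, whose content changed, or that were not
    in the backup at all (e.g. encrypted copies written next to the originals).
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    modified = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "modified": modified, "extra": extra}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up two files, restore them cleanly, then
    simulate an infection that overwrites one file and renames another."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.txt").write_text("quarterly figures\n")
        (live / "notes.txt").write_text("meeting notes\n")

        manifest = build_manifest(live)          # taken at backup time
        restored = Path(tmp) / "restored"
        shutil.copytree(live, restored)           # a clean restore
        clean = verify_restore(manifest, restored)
        if any(clean.values()):
            raise RuntimeError("clean restore should match the manifest")

        # Simulated damage: one file overwritten in place, one renamed
        (restored / "docs" / "report.txt").write_bytes(b"\x00\x00garbage")
        (restored / "notes.txt").rename(restored / "notes.txt.locked")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Running the manifest check as part of a scheduled restore test turns "we have a backup" into "we have verified that the backup restores", which is the property that matters when recovering from ransomware.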

What were some of the other important insights that came from F-Secure’s Ransomware report?

One interesting trend is the shift by criminals from ransomware to cryptojacking as a way to make money from their victims. Rather than encrypting your files and extorting money from you to have them decrypted, cryptojacking involves installing malicious code on your PC that will steal CPU power and bandwidth with which the criminals will mine cryptocurrencies in the background. This trend has been fueled by the recent bubble we are seeing in the value of various virtual currencies, such as Bitcoin, making the mining of coins by using the victim’s computer resources an attractive alternative to ransomware.
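Because cryptojacking earns its money by burning CPU for as long as it goes unnoticed, the most basic host-side signal is a process that stays near full CPU for many consecutive samples without being something the machine is expected to run. The example below is added here and is not code from the interview or from F-Secure: it applies that heuristic to a constructed series of process snapshots (in practice these would come from a tool such as psutil or an EDR agent) and flags only processes whose high CPU is sustained and not on an allowlist. Threshold, window and allowlist values are illustrative assumptions.

```python
from collections import defaultdict

# Constructed snapshots, one per sampling interval (say every 30 seconds).
# Each entry is the CPU percentage a process used during that interval.
SAMPLES = [
    [{"pid": 412, "name": "chrome.exe", "cpu": 12.0},
     {"pid": 900, "name": "svchost.exe", "cpu": 3.0},
     {"pid": 2311, "name": "updater.exe", "cpu": 97.0},
     {"pid": 3050, "name": "cc1", "cpu": 95.0}],
    [{"pid": 412, "name": "chrome.exe", "cpu": 90.0},   # one-off spike
     {"pid": 900, "name": "svchost.exe", "cpu": 2.0},
     {"pid": 2311, "name": "updater.exe", "cpu": 95.0},
     {"pid": 3050, "name": "cc1", "cpu": 96.0}],
    [{"pid": 412, "name": "chrome.exe", "cpu": 8.0},
     {"pid": 900, "name": "svchost.exe", "cpu": 4.0},
     {"pid": 2311, "name": "updater.exe", "cpu": 99.0},
     {"pid": 3050, "name": "cc1", "cpu": 97.0}],
    [{"pid": 412, "name": "chrome.exe", "cpu": 10.0},
     {"pid": 900, "name": "svchost.exe", "cpu": 3.0},
     {"pid": 2311, "name": "updater.exe", "cpu": 96.0},
     {"pid": 3050, "name": "cc1", "cpu": 94.0}],
]

# Assumed allowlist: workloads expected to peg the CPU (here, a C compiler).
ALLOWLIST = frozenset({"cc1"})


def sustained_cpu(samples, threshold=80.0, window=4, allowlist=ALLOWLIST):
    """Flag processes above `threshold` CPU in `window` consecutive samples.

    A streak resets whenever a process drops below the threshold or is absent
    from a snapshot, so short bursts (a page render, a build step) do not
    trigger while a background miner that never stops does.
    Returns a sorted list of (pid, name, streak_length).
    """
    streak = defaultdict(int)
    names = {}
    for snapshot in samples:
        seen = set()
        for proc in snapshot:
            pid = proc["pid"]
            seen.add(pid)
            names[pid] = proc["name"]
            streak[pid] = streak[pid] + 1 if proc["cpu"] >= threshold else 0
        for pid in list(streak):
            if pid not in seen:
                streak[pid] = 0
    return sorted(
        (pid, names[pid], length)
        for pid, length in streak.items()
        if length >= window and names[pid] not in allowlist
    )


if __name__ == "__main__":
    for pid, name, length in sustained_cpu(SAMPLES):
        print(f"pid {pid} ({name}) above threshold for {length} consecutive samples")
```

On the constructed data only `updater.exe` is reported: Chrome's single spike does not build a streak, and the compiler is allowlisted. A real deployment would pair this with the bandwidth side of the picture the answer mentions, such as the same process holding a long-lived outbound connection, before raising an alert.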

Just about everybody gets endpoint security wrong in one way or another. What best practices do you recommend for CISOs/organizations to ensure that their loose ends are protected?

Apart from the standard recommendations of ensuring that all systems are fully patched and up-to-date, and for using reputable antivirus software on your endpoints, I think it is critical that you train your people in good operational security. Most targeted attacks these days start with a phishing email, which is alarmingly effective at getting an employee to voluntarily divulge their login credentials. F-Secure’s own white hat hackers, who regularly do red teaming security assessments, frequently gain a foothold inside the target organization by devising a phishing attack that can easily trick the employees into giving up their login credentials. Using a training solution to provide employees with a greater understanding of the dangers, as well as giving meaningful practice in spotting such attacks, goes a long way towards making your company’s infrastructure safer.
