Episodes
Thursday Feb 02, 2023
Benchmarking, checkboxes and cyber hygiene
It’s often said that the cybersecurity and data privacy worlds rely too much on checkbox compliance exercises – and fail to get to grips with the real issues that put data and systems at risk.
But how true is that? Organisations face both increasing threats and increasing regulatory burdens. And often, CISOs and other business leaders lack a true picture of good practice.
This has prompted security researchers at Panaseer to develop a series of real-world security benchmarks.
The research came up with 18 steps that look more deeply at security standards and controls. The paper also sheds light on why some organisations still fail to carry out basic cyber hygiene measures, and how businesses can improve.
We asked the report’s author, Charlotte Jupp, to explain the ideas behind the research.
Wednesday Jan 18, 2023
Critical infrastructure, cyber threats, and lessons from Ukraine
In this episode we look at the continuing threats to critical national infrastructure, or CNI.
National infrastructure is under attack from both nation state actors, and from ransomware gangs and other crime groups.
And, as the war in Ukraine has shown, energy and power generation is especially vulnerable. Are we set to see more politically motivated cyber attacks, and are we likely to see more use of cyber warfare, alone or in combination with conventional military tactics?
Our guest this week is Jon Moran, a law enforcement veteran and former incident response consultant. He is now technical director at Tufin, where he is a close watcher of CNI and the risks it faces.
Wednesday Jan 04, 2023
Cybersecurity in 2023
In this extended episode, we review the key cybersecurity events of 2022, and analyse likely developments, and priorities, for 2023.
We look at Log4J, ransomware and "wiper" malware; the geopolitical situation and how the war in Ukraine is impacting cyber security, and the ongoing challenge of the industry's skills shortage.
And we review CISOs' priorities for the coming year, changes in both the threat environment and the regulatory landscape, and discuss how security teams will need to handle ever more complex relationships as they look to protect supply chains.
Our guests are Sue Milton, of ISACA, and ISC(2)'s Jon France. Interviews by Stephen Pritchard.
Thursday Dec 22, 2022
Ukraine, geopolitics and cyber risk
Russia's invasion of Ukraine has brought war to the European continent once again.
And the conflict has, inevitably, brought an increase in cyber attacks against both Ukraine and its supporters.
That those attacks have not done more damage, or achieved a higher profile, is largely down to the defensive capabilities both of Ukraine and NATO.
But increasingly Russia is trying to combine cyber with physical attacks on critical infrastructure in Ukraine. How can states defend themselves against these blended attacks, and new vectors such as wiper malware? And what can NATO, and other countries, learn from Ukraine's experience?
Our guest this week is Lauri Almann. He was working at Estonia's Ministry of Defence when his country came under cyber attack in 2007. He is now co-founder and chairman of CybExer, a company that runs cyber attack simulations for NATO and other governments, as well as industry.
Here, he analyses what we have seen so far in Ukraine, and what it means for cybersecurity in the West.
Wednesday Dec 07, 2022
Fake apps and novel phishing attacks
According to cybersecurity researchers, attackers are turning to new and dangerous methods to carry out phishing attacks.
As security teams have improved their defences, especially around email, so the attackers have adapted too. They are using fake web apps, blog posts and even exploiting the way search engines operate, to spread malware.
In this episode we speak to Ray Canzanese, the director of Netskope’s Threat Labs and the organisation behind the research. He explains the new attack vectors, and how we can counter them, to Stephen Pritchard.
Wednesday Nov 23, 2022
5G: Revolution or security risk?
Over the last few years 5G networks have expanded quickly, offering faster speeds and greater capacity than previous wireless networks.
And although take up has been fastest among consumers, businesses and the public sector are looking to 5G as well, as it offers a boost in both performance and flexibility.
Applications include the internet of things, logistics and transportation, as well as telemedicine and public safety.
But 5G could also come with a significant security impact. It offers a greater attack surface, and organisations will need to adapt if they are going to run most, perhaps all, of their business processes outside the conventional perimeter.
This week’s guest — Nathan Howe, VP of emerging technology and 5G at cloud security company Zscaler — sets out some of the risks associated with 5G, and how organisations can put it to use without compromising security.
Wednesday Nov 02, 2022
Neurodiversity, neurodivergence, and cyber
With the skills crisis in cyber now well established, organisations are having to look beyond the conventional methods to fill vacancies.
Expanding the pool of potential talent is a key to this.
Until recently, though, little attention was paid to neurodiversity, and the idea that neurodivergent candidates -- including people with ADHD and autism -- can be highly effective cyber specialists.
But neurodivergent people face challenges entering into the workforce. Often, very bright and talented people face long-term unemployment, as conventional recruitment and career pathways are not adapted to their needs.
In this episode, we hear from two business leaders who are trying to change this. Rob Demain is CEO and founder of e2e-assure, and Emma Philpott is CEO of IASME.
We asked them about the work they have been doing with neurodivergent applicants, and employees, and the results they have seen.
Wednesday Oct 19, 2022
Cyber’s $150bn black hole: operationalising cybersecurity
Cybersecurity spending seems to be on a never-ending upward curve. But this spending, which analysts put at US$150bn annually, doesn't seem to reduce the number of cyber threats.
Could it be that we need a new approach to security?
Our guest this week is Jason Hart, CTO, EMEA at Rapid7. He argues that the problem is that we are spending money, but are not making security part of the culture, or central to how we do business.
In this episode, we look at whether a new approach could both make organisations safer, and produce a return on investment from all that spending.
Wednesday Oct 05, 2022
DDoS’ shifting focus: war, religion and politics
Over the last six to twelve months security researchers have seen a shift in the pattern of cyber attacks, as the impact of the pandemic has largely been replaced by a focus on the Russian invasion of Ukraine.
Security firm NETSCOUT runs one of the largest monitoring projects for DDoS attacks. They have, for example, seen falls globally in DDoS activity, but an increase in the EMEA region.
Deterring and prosecuting those behind the attacks is as hard as ever, argues Richard Hummel, ASERT Threat Intelligence Lead, at NETSCOUT.
But, he says, there are steps organisations can take to counter the threat, and to keep critical online services working.
Wednesday Sep 21, 2022
Why do we love weak passwords?
Passwords are still a cornerstone of web security, especially for consumer-facing sites.
But convincing consumers, and firms, to use stronger passwords remains a struggle.
Steven Furnell is a senior member of the IEEE, and professor of cybersecurity at the University of Nottingham.
For the last 15 years, he has been tracking the password policies of leading web and ecommerce sites. Do they, for example, allow weak or easy to guess passwords?
And how easy do they make it for users to pick stronger passwords, or to use alternatives such as multi-factor authentication?
The answers have implications, not just for security online, but for the way we use passwords in business too.
Interview by Stephen Pritchard