The school of hard knocks posits that the only way some people learn is from bad experiences.
That’s what’s happening, judging by the reaction of infosec pros to recent months of ransomware attacks, says the global lead of Ernst & Young’s cyber security consultancy.
“At this point in time, as a response to the uprise in ransomware attacks, companies are aware of a number of things we have been talking about for years: Vulnerability management, patch management, make your backups, store backups offline, make sure employees are aware of what can happen with phishing email,” Paul van Kessel said in an interview on Wednesday.
“A number of things that were common sense for a number of years but nobody was paying attention to are now on people’s forefront.”
“With WannaCry and Petya they learn the hard way that patch management, vulnerability management and backups, test the restore of backups – all of a sudden these are becoming important things.”
And while he acknowledged enterprises have patching challenges, including the need to test before implementing, his advice to CISOs is clear: Patch as soon as possible.
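Van Kessel’s point about testing the restore of backups can be turned into a routine check. The following Python script is an added example, not code from the article or from EY: it records a SHA-256 manifest when the backup is made, restores the archive into a scratch directory and reports any file that is missing, changed or unexpected. The file names, contents and archive layout are constructed for the demonstration.

```python
"""Added example (not from the article or EY): confirm that a backup can be
restored by comparing the restored tree against the hash manifest recorded
at backup time. All file names and contents below are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Create a tar archive plus the manifest a restore must reproduce.
    The manifest is kept beside the archive rather than inside it, so a
    damaged or swapped archive cannot bring a matching manifest with it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path) -> list:
    """Restore into a scratch directory and return a list of problems:
    files missing from the restore, files whose content differs, and files
    that were never in the manifest. An empty list means the restore is good."""
    manifest = json.loads(archive.with_suffix(".manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch_path, filter="data")  # refuse path escapes
            except TypeError:  # Python without the filter= argument
                tar.extractall(scratch_path)
        restored = build_manifest(scratch_path)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"changed: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: back up two files and verify a clean restore, then
    replace the archive with one that no longer matches its manifest (a stale
    or tampered backup) and show the check reports the difference."""
    with tempfile.TemporaryDirectory() as work:
        base = Path(work)
        src = base / "data"
        (src / "sub").mkdir(parents=True)
        (src / "config.yaml").write_text("listen: 127.0.0.1\n")  # constructed content
        (src / "sub" / "records.csv").write_text("id,name\n1,alice\n")
        archive = base / "backup.tar.gz"
        make_backup(src, archive)
        clean = verify_restore(archive)
        # Rebuild the archive from altered data without updating the manifest.
        (src / "config.yaml").write_text("listen: 0.0.0.0\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        stale = verify_restore(archive)
    return clean, stale


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore problems:", good)
    print("stale archive problems:", bad)
```

The check is deliberately simple: it trusts nothing about the archive beyond what the separately stored manifest says, and it restores the whole archive rather than listing its contents, because a listing proves nothing about whether the data can actually be read back.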
In Toronto for two days this week for corporate leadership meetings, the Amsterdam-based van Kessel talked for almost an hour on the challenges CISOs face, patching, phishing and budgets.
He shied away from describing his thoughts on the state of corporate Canadian cyber security, referring instead to an EY survey released earlier this year that found progress in threat detection. But the report also said the results indicate more improvement is needed.
Originally he trained as an accountant, normally a dry profession. But in blogs he has no problem telling infosec pros to “stop being sloppy” and make sure they’re doing cyber security basics.
Too often cyber security is an afterthought, he has written, and IT pros still erect fences around security instead of sharing threat information with competitors.
“In former days [organizations thought] ‘We are able to protect ourselves,’ so all the investments went to protecting the company. Then at a certain point attacks began to increase and all of sudden organizations began to realize protecting yourself is not enough.”
But, he added, organizations are slowly realizing they have to be proactive and understand who attackers are and what they are doing, using threat management and intelligence.
Still, van Kessel noted, CISOs are allocating 80 per cent of their budgets to protecting the enterprise and only 20 per cent to detection. “Organizations are not investing in being prepared for an after-breach situation,” he complained.
Tight security budgets aren’t necessarily a problem, he also said. “I think a lot of organizations are spending [more] money on cyber security. Everything spent on cyber security is a plus, but is it spent wisely? And I think there is where organizations waste money: There is not enough focus on studying the problem first and spending the money in the right direction.”
For van Kessel, addressing the scourge of phishing is a matter of the right kind of awareness training: Running regular test emails to see who clicks, with those who do getting immediate feedback on what they did wrong. That’s “better than an online course or classroom training for one or two hours,” he said.
He also said it’s vital the C-suite and boards take awareness training to avoid being victims of spear-phishing attacks.
Van Kessel has high hopes for machine learning and artificial intelligence to help ease the burden on stressed security teams. The technology is already helping admins identify “weird things” on networks, he said. While few solutions are using machine learning now, “it is very promising.” So are new approaches, including wrapping transmitted data in security that ensures only the right recipient can open it.
However, his message to infosec pros stands: Don’t hope for new technology; implement what has been around for years.