CIO

A CISO speaks out: Beyond vendor speak and fearmongering, security is about people

Let us take an intelligence-led view, the removal of uninformed fear, and replace this with understanding, writes Kevin Kanji of Transaction Services Group.

Kevin Kanji, Transaction Services Group

We are often led to believe, in our current age of huge data breaches and advanced persistent threats, that we should be primarily concerned for the direct assault by advanced cyber warriors against our information, our customers and our citizens. Others stoke our fears of the dark web, and the multitude of hidden services that exist there. A myriad of technologies are offered to counter these threats and every month there are yet new problems that we are asked to take notice of and solve (usually with blockchain).

The truth is that by exclusively focusing our attention on these stories, we are downplaying what is hurting us here in New Zealand.

Forty-six per cent of all security incidents reported to CERT NZ are related to phishing attacks and credential theft using phishing. It remains the easiest method of executing attacks against targets to obtain further access, privileged credentials, or fraudulent transactions. The common denominator here is our people.

New Zealand feels far away from many of the world’s cyber problems. We believe that it will never happen to us; that no one would take the trouble to attack us. We are a nation of small businesses, so why would criminals target us when we don’t have the sums of money that we see scammed from large US and European corporations? The answer is simple – we are plugged in.

Digitally, we are less than 200 milliseconds away from the furthest countries. New Zealanders reportedly lost over $9 million between April 2017 and May 2018 due to cyberattacks.

The effort required to socially engineer a click, for an aggrieved employee or contractor to abuse trust, or for someone to make a mistake is very low. We are caught up in targeted attacks and are collateral damage in large global scams. The return on investment is high, and the risk to the attackers is low.

But the internet continues to be the catalyst for growth in New Zealand: growth in retail services, growth in government engagement with citizens and growth in the innovation that New Zealanders can be rightly proud of. It is clear that we must continue to leverage the opportunities that the internet presents.

We should examine what is important. For business and government, the education of our people on the security risks inherent in the processing and transmission of information must be the priority. They are the first line of defence and the largest attack surface of our organisations.

The challenge in successfully enabling this defence is the activation of our people as assets. Unfortunately, we have treated this as a compliance exercise for many years. Posters, emails, and senior management hammer home a message of behavioural necessity – think about our profession, think about our customers, think about your job… These are negative enforcers.

You know we use behavioural economics in many fields today – it underpins a lot of digital marketing and social policy. But we haven’t yet fully embraced this in security. We don’t positively incentivise good security behaviours.

The source of inspiration I believe we should look to for a method of integrating security into human behaviour is educational applications. Whether learning to code, comprehending a new language or experiencing an Ivy League university course, gamification has been at the core of these new educational methods.

Rewarding our people for learning valuable skills and exhibiting needed behaviours is a much more positive activation of the security mindset than the traditional approach, which merely encourages people to get through the material as quickly as possible and forget it just as quickly. All we get for this is a tick box of compliance, which contributes nothing to the vigilance we need from our people against the threats of malicious and unintentional cyber damage.

Of course, to successfully increase awareness, and improve people’s behaviours, at home and in the workplace, we need to fully understand the threat. Whether in the public or private sector, the specific threats facing our sector or company are driven by our adversaries – what they want, how they intend to get it, and our individual abilities to respond.

An intelligence-led view is the removal of uninformed fear – replacing this with understanding. We need to know where our risks are – what is important to us, and how to protect it. But we need to do this practically, with the realisation that we cannot apply this protection to everything every time. Therefore, our people are the key. They should be incentivised to be our critical defence, and our primary investment in security.

As we continue to grow our digital capabilities, service offerings and the deeper integration of technology into our lives, we must keep pace with our cyber capability requirements – activating our people, leveraging intelligence and deploying technology to support our risk-based understanding of the threats we face.

We must grow cyber capabilities so that, in turn, we develop the wellbeing of people in the digital age, provide a platform for growth in business and deliver a more customer-centred and resilient government.

Kevin Kanji is the chief information security officer at Transaction Services Group, leading the design and implementation of policies, processes and technologies that support a strategy of safe and secure customers, clients and business growth. He believes that information confidence – which enables the safe sharing and networking of ideas – is a better way to use security and benefit everyone. He has been involved in security since starting his career in financial services, and overall has over 18 years of experience including forays into manufacturing and professional services. He is a self-confessed technology geek with a love for family, travelling and craft beer, which he also brews at home. He also holds a law degree, which enables him to provide ambiguous answers to simple questions upon request. Reach him @kjkanji