Insights from Tessian Human Layer Security Summit | London 2020

  • 05 March 2020

On March 5, 2020, Tessian hosted the world’s first Human Layer Security Summit where we brought together speakers from Prudential, Lloyd’s of London, Herbert Smith Freehills, Clifford Chance, HFW and Tradecraft to talk about security culture, the Human Element, and the evolving threat landscape.

We had hundreds of people join us in person in London and from around the world via livestream. In case you missed it, a recording of the event is available.

While the focus of the Summit centered around Human Layer Security and why we need to protect people (not just networks and devices), the speakers and panelists offered a diverse range of insights into the challenges cybersecurity professionals are up against and, importantly, how they try to solve them.

It takes a village to secure an organization’s data, devices, and networks

Accountability is required company-wide in order to make policies, procedures, and tech solutions effective. That’s why those in cybersecurity leadership positions are laser-focused on finding new ways to engage with employees through gamification, interactive content, podcasts, and more.

“The biggest investment we make is giving our employees the right knowledge to be able to make the right decisions at the right time.”
Jamie Travis, Head of Information Security, Herbert Smith Freehills

According to Timor Ahmad from Lloyd’s of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, employees are, fortunately, becoming less passive in their roles as they relate to cybersecurity. 

As the Human Element continues to be one of the biggest risk factors in data breaches, individuals have to do their part to supplement their cybersecurity stack.

This is especially important because, by empowering your employees, you lighten the load not only for them but also for your information security team. For smaller teams, this is vital.


Cybersecurity frameworks and strategies can’t be static

There’s a lot that goes into creating an effective cybersecurity framework and strategy. They take months – even years – to create and implement. But, they have to constantly evolve in tandem with both external and internal factors.

Privacy laws, regulations, compliance standards, company size, board members, budgets, individual employees – even the Coronavirus! – all affect and should, therefore, influence strategies. It’s a minefield, but unless all these things are considered and constantly re-evaluated, organizations will put themselves at risk.

It takes a cybersecurity strategy that’s customized, and re-customized, to keep networks and devices secure and to empower and enable employees to make smart security-related decisions.

Breaking in is easier than defending

While spam, phishing scams, and more targeted attacks like spear phishing are relatively easy for attackers to pull off, spotting these nefarious emails is hard, even with training.

Interestingly, though, according to Glyn Wintle, an ethical hacker and penetration tester, employees tend to be incredibly confident in their ability to spot phishing emails, with just 3% of people saying they have a low probability of falling for a phishing scam.

“Training will only get you so far. Some amount of training will improve things, but the big problem is that the training doesn’t interest people. One of the reasons why the training doesn’t interest people is because they [apparently] know what phishing looks like. They think ‘only idiots fall for that’.”
Glyn Wintle, Tradecraft

Unfortunately, confidence doesn’t equate to actual ability, especially when hackers combine bulk email lists, technical acumen, and social engineering. 

By abusing trust, piquing curiosity, and/or creating a sense of urgency, hackers can get whatever it is they’re after – from log-in credentials to a bank transfer – from at least one person out of the tens, hundreds, or thousands they’ve emailed.


There are some fundamental problems with cybersecurity awareness training

Mark Logsdon sees three problems with cybersecurity awareness training: it’s often irrelevant to the audience or user, it’s generally quite boring, and it’s expensive in terms of both investment and lost productivity during the training itself.

Mark said it best: “We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect ‘Johnny’ to be grateful for having spent that time in the training and to have been thoroughly entertained.”

You also hope he’s learned something.

This likely sounds familiar to both cybersecurity professionals who implement awareness training programs and the employees who take part in – or should we say endure – quarterly or annual training sessions.

Of course, Mark isn’t suggesting that organizations do away with cybersecurity awareness training; he’s simply saying it needs to be more tailored to the risk areas in each individual organization in order to be most effective.


Cybersecurity isn’t just a support function, it’s an enablement function

While cybersecurity has historically been a siloed department within organizations, it is becoming not only more integrated into the wider business but also an enablement function.

In short, board members and employees across departments see the value in information security. In fact, more and more, representatives from cybersecurity teams are being called on to promote a business’s value proposition through its security.

It makes sense, though, especially for organizations that handle large amounts of external data for clients or customers. In this case, security becomes a unique selling point in and of itself.

“When I go to the board and say I need more money, it’s not good enough to just say ‘I’m going to empower my people to be more secure’. You have to be aligned with the business. ... You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.”
Mark Parr, Global Director of Information Technology, HFW

For an industry that has historically struggled to communicate its value and the return on investment for strategies, this is huge. 

The insights offered at our first-ever Human Layer Security Summit were invaluable, not only for cybersecurity professionals, but also for employees and consumers. We’ll be announcing the next Human Layer Security Summit soon, so be sure to subscribe to our newsletter for the latest industry and company updates.


#HumanLayerSecuritySummit20