Top 17 takeaways from Human Layer Security Global (Spring 2021)

Industry news

Business leaders are looking ahead to a post-pandemic workplace, and one thing is clear: insider risk is the most prevalent threat to organizations today and one of the most complex problems to solve. So, what can you do to keep sensitive data secure now and in the future?

On 22nd April 2021, we hosted Human Layer Security Global to find out. It was tough to choose but we’ve managed to pick out our top 17 takeaways from industry thought leaders and expert speakers from leading brands for you to enjoy below.

1. Non-malicious insiders are one of the biggest risks businesses face

Jessica Barker, Co-founder and Co-CEO, Cygenta – Threats of the future: Predicting and mitigating the next wave of insider risk

Non-malicious insiders are far more common than malicious insiders, and one of the biggest risks organizations face. The mistakes that lead to breaches are normally made by people who are stressed, under pressure, not trained properly, or unfamiliar with best practice.

According to Club CISO data, it’s highly unlikely organizations will have a material incident caused by a malicious insider. Social engineering was the most common vector for material cybersecurity incidents. Even though these threats are external, they still need to take advantage of a non-malicious insider to cause harm.

2. Security leaders need to put controls in place to empower people to do their jobs

Rachel Wilson, Head of Cybersecurity, Morgan Stanley – Panel: The impacts of insider data breaches

The onus is on security leaders to give people the right tools to do their jobs and prevent them from causing breaches. It’s not in anyone’s best interest to make it difficult for people within an organization to report a breach.

Having said that, we don’t want to create a culture of fear when employees report themselves or colleagues. A good, positive culture helps to ensure failsafes are in place for good security – but there is of course a fine line when people make the same mistake several times over.

3. Organizations don't know the scale of outbound email data breach incidents

Neil Larkins, COO, Egress – Data-driven security: Using machine learning in the battle against breaches

Organizations tend to have a certain level of awareness of email data breaches. However, we recently launched a new version of our Egress Analytics platform that has uncovered a lot of incidents they weren’t aware of and given them insight into the true scale of the problem within their business. Usually, it’s nine to 10 times worse than they realized.

We’re surfacing these metrics so businesses can put the right protections and systems in place to keep their data secure. This is especially important given the changes in working environments over the last 12-14 months and subsequent rise in accidental breaches.

4. Security can't be all about compliance and not about behaviors

Matt Finn, Head of Information Security and Resilience, DLA Piper LLP – Why organizations are putting people first in 2021

Security is often seen as the “police or business blockers” – but that’s not the philosophy of DLA Piper LLP. When security only focuses on compliance, it leads to security fatigue and people taking short cuts. So DLA Piper chose to engage people with a different approach.

They added an element of gamification with a phishing competition for their lawyers, which ultimately changed behavior and led to increased reporting. In doing so, they managed to make security more human – and have seen a marked increase in people contacting the security team to report incidents and talk about security.

5. Your clients' #1 priority is their data security

Rachel Wilson, Head of Cybersecurity, Morgan Stanley – Panel: The impacts of insider data breaches

Clients care deeply about data security as a whole, although not necessarily about the specific source. Polls among Morgan Stanley Wealth Management’s customers for the last four/five years have shown that their main concern is risk to their personal data.

Morgan Stanley’s clients have high expectations for the firm and a low tolerance for data breaches – regardless of whether a breach is caused by an accident or through malicious intent. However, that does mean data security can be a competitive advantage when done right!

6. Deep fakes will be the next big cause of insider breach risk

Jessica Barker, Co-founder and Co-CEO, Cygenta – Threats of the future: Predicting and mitigating the next wave of insider risk

Cybercriminals follow the numbers – the more we communicate in a certain way, the more they’ll try to exploit it. Video communication has increased throughout the pandemic and cybercriminals will have taken notice.

We’re already seeing a rise in deep fake technology that’s highly convincing, and now we need to consider how social engineers will use this to take advantage of non-malicious insiders. For example, a deep fake using a CEO’s voice to create a voice message asking for a transfer of funds.

7. Trust is at the centre of insider risk

Geoff Brown, CISO, City of New York – Anatomy of insider risk in 2021

Who do you trust? It’s a calculation we make every day. We choose our friends, doctors, lawyers, social media platforms, and news sources. Trust underpins our society – but when it’s misplaced it can have devastating consequences.

Just like in other areas of our lives, we need to use our judgement to minimise exposure to insiders who could cause us risk. To combat insider risk, it’s important to create a culture in an organization where people can trust each other. They should also believe it’s in their best interest to protect their organization.

8. Email is mission critical – and security shouldn’t affect that

Matt Finn, Head of Information Security and Resilience, DLA Piper LLP – Why organizations are putting people first in 2021

We’re sharing more digital content than ever and email remains a mission critical channel, so anything that slows it down is a concern. People now expect technology to dynamically respond to their behavior and have security automate in the background.

Businesses can no longer afford to have a trade-off between security and productivity. We need to build trust in technology, demonstrate its risk reduction, and keep productivity high.

9. We can't lock down communication channels – we have to make them secure

Stephen Williamson, Head of Internal Audit Information and Information Security & Data Privacy, GSK – Panel: The impacts of insider data breaches

We operate collaboratively and have so many channels of communication available to us, such as email, Microsoft Teams, social media – and organizations need every one of them to be effective. They simply wouldn’t survive by locking channels down or locking users out.

Getting the balance between productivity and keeping things secure is the crucial aspect, as every channel provides an opportunity for data to be breached. We can monitor channels but we also have to rely on our people, trusting their good behavior and awareness of doing the right thing.

10. Email DLP needs both unsupervised AND supervised machine learning to be successful

Neil Larkins, COO, Egress – Data-driven security: Using machine learning in the battle against breaches

Machine learning brings many opportunities for organizations when used appropriately. It can detect context-driven incidents that traditional solutions can’t – such as failure to use Bcc, mistyped email addresses, or domain name impersonation.

At Egress, we use supervised machine learning to help provide insight at an organizational and industry level, as well as unsupervised machine learning that parses user data to deeply understand their behaviours. A lot of the patents we’ve been recently granted have been around how we can make our technology smarter to remove the admin burden of traditional DLP solutions.
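To make the "context-driven" signals above concrete, here is an added example (not Egress's code or its patented models) that scores one outbound message with plain rules: a missed Bcc when too many external domains are visible in To/Cc, a recipient domain that is a close edit-distance match to a known correspondent (a typo or a lookalike), and a domain the sender has never written to before. The known-domain list, the per-sender history standing in for a learned behavioural baseline, and every address are constructed sample data.

```python
"""Context-driven outbound email checks.

Added example, not Egress's code: illustrates the misdirected-email signals
named in the talk (missed Bcc, mistyped address, lookalike domain) with simple
rules, plus a per-sender recipient history that stands in for a behavioural
baseline. All domains, addresses and history below are constructed sample data.
"""

# Constructed: domains this organisation regularly corresponds with.
KNOWN_DOMAINS = {"example.com", "partner-bank.com", "law-firm.co.uk"}

# Constructed: recipient domains each sender has used before (a stand-in
# for the baseline an unsupervised model would learn from real traffic).
SENDER_HISTORY = {
    "alice@example.com": {"example.com", "partner-bank.com"},
}

# More than this many distinct external domains visible in To/Cc suggests
# the sender meant to use Bcc.
BCC_THRESHOLD = 3


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domains suggests a typo or lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return the known domain this one closely resembles, or None if exact or unrelated."""
    if domain in known:
        return None
    for k in known:
        if levenshtein(domain, k) <= max_distance:
            return k
    return None


def check_outbound(sender: str, to, cc=(), bcc=(), history=SENDER_HISTORY) -> list:
    """Return a list of (signal, detail) findings for one outbound message."""
    findings = []
    sender_domain = domain_of(sender)
    visible = list(to) + list(cc)
    external_visible = {domain_of(r) for r in visible if domain_of(r) != sender_domain}

    # Signal 1: many external domains exposed to each other in To/Cc.
    if len(external_visible) > BCC_THRESHOLD:
        findings.append(("missed_bcc", f"{len(external_visible)} external domains visible in To/Cc"))

    seen = history.get(sender, set())
    for rcpt in visible + list(bcc):
        d = domain_of(rcpt)
        target = lookalike_of(d)
        # Signal 2: domain is one or two edits away from a known correspondent.
        if target:
            findings.append(("lookalike_domain", f"{rcpt} resembles {target}"))
        # Signal 3: sender has never written to this external domain before.
        elif d != sender_domain and d not in seen:
            findings.append(("new_domain", f"{rcpt}: first time {sender} has written to {d}"))
    return findings


if __name__ == "__main__":
    for finding in check_outbound("alice@example.com",
                                  ["bob@partner-bank.com", "carol@partner-bamk.com"]):
        print(finding)
```

Each finding is a prompt for the sender, not a block: the point in the talk is to catch the misdirected message before it leaves while keeping email fast. In a real deployment the known-domain set and per-sender history would be derived from mail logs rather than hard-coded, and the thresholds tuned per organisation to keep false positives low.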

11. We need to be more "Spock" and less "Homer"

Jessica Barker, Co-founder and Co-CEO, Cygenta – Threats of the future: Predicting and mitigating the next wave of insider risk

Even well-trained, educated and experienced individuals can make mistakes. This is because people process information in two ways. The first is to be calm, considered and logical, which we can call the “Spock” way of thinking. In this state, people are hard to manipulate.

Phishing emails are designed to push us into the “Homer” (Simpson) way of thinking, to trigger quick thinking and emotion-based responses. These phishing emails will come from figures of authority and create a sense of urgency. When people calm down into their “Spock” state, they realise they’ve been scammed.

12. COVID-19 has accelerated insider risk

Tony Pepper, CEO, Egress – Why organizations are putting people first in 2021

The requirement for remote and hybrid working throughout the pandemic has led to an acceleration in information being shared digitally. Unfortunately, this has also led to employees working longer hours, being more distracted, and feeling more stressed than they have before.

If we weren’t prone to making mistakes, breaking the rules or being susceptible to targeted attacks, human-activated threats to security wouldn’t happen. However, none of us are perfect, and we need a change in mindset and a fundamental shift in technical approaches to mitigate insider risk.

13. If you can be hacked, you are hacked!

Geoff Brown, CISO, City of New York – Anatomy of insider risk in 2021

All organizations need to continually hunt for indicators of threats and adversaries within their data and systems. For this to work, everyone across the organization must know and agree that they’re accountable to be part of the defence – that they’re part of human layer security.

Executive sponsorship is the key to making this happen. Employees should know the exact channels for honest accountability, so that they can quickly mitigate the impacts of unwitting insider threats caused by honest mistakes.

14. Criminals don’t break in; they log in

Matt Finn, Head of Information Security and Resilience, DLA Piper LLP – Why organizations are putting people first in 2021

Because most organizations now have robust perimeter security, cybercriminals instead focus on logging in, rather than breaking in. Their primary goal is to use social engineering (phishing) to get people to hand over their credentials without even realising.

This has been an even greater risk to organizations in 2020/21 due to remote working. For example, during the pandemic DLA Piper went from 65 offices to 7,000 home offices overnight. Most organizations had a similar experience – and in this dispersed working environment, it’s more important than ever that individuals are secure.

15. Intentional insider breaches need a different approach

Stephen Williamson, Head of Internal Audit Information and Information Security & Data Privacy, GSK – Panel: The impacts of insider data breaches

Breaches can be particularly damaging when they’re intentional and pre-planned. In these incidents, individuals work out the rules and the ways around them to do maximum damage to the organization. Training and controls are good for accidental breaches, but malicious breaches need a different approach.

Anything can be circumvented over time – so while the impacts of malicious breaches might be the same as an accidental one, they need different approaches to proactive management. The key is getting employees onboard and relying more on people-based reporting.

16. Email data breaches take ~60 hours to remediate

Sudeep Venkatesh, CPO, Egress – Data-driven security: Using machine learning in the battle against breaches

Email data breaches can be costly to deal with in a number of ways. One significant cost is the resource time involved in dealing with them. Working with one of our customers, we found that each email data breach took them 60 working hours to fix on average.

This included all remediation efforts, including security, HR, and the time spent by other teams. If you multiply this by the average number of incidents a year, you can see it’s a significant risk to valuable resource time.

17. Egress continues to innovate to help organizations improve security and efficiency

Tayana Bellis, Director of Product Management, Egress – Egress in action

We’re continually improving our machine learning to understand how behaviors change, which is particularly important now as the pandemic has changed working habits. For example, working hours have changed, so we recognise our product now needs to work harder to distinguish between legitimate and abnormal behaviors.

Everyone makes mistakes – but distracted, stressed out people working on mobile devices make far more. So we also plan to leverage neuro-linguistic programming (NLP) and create data models for sentiment and emotional language to get a better understanding of compromise within a business.


Want to see more? Check out the full recording of HLS Global or choose an individual session to watch here.
