On November 1, CompTIA Chief Technology Evangelist James Stanger hosted an IT Pro Webinar titled, “Risky Business: Essential Skills for Pivoting Security Resources.” CompTIA Senior Director, Technology Analysis, Seth Robinson and Zscaler Senior Director of Information Security for EMEA Chris Hodson weighed in on topics including risk management, mitigation and control; understanding today’s cyberattacks; and how to formulate an effective management strategy.
“The mindset of security has to shift from prevention to protection, because it’s no longer the case that you are going to be highly confident that you’ve kept the bad stuff out,” Robinson said. “You have to start assuming that something has gotten in.”
The Changing Threat Landscape
Hodson began by explaining what is meant by the common phrase, “the threat landscape has changed.” The attacks seen today differ from those seen 5 to 10 years ago and the techniques have become more sophisticated. But it’s not just the technology – it’s the social engineering as well.
“I think our obsession with social media and online presence has some fantastic benefits for businesses, but also, footprinting activity for the bad guys has become more easy,” he said. “It’s almost trivial to find a full profile for a senior leader and use that as a form of targeted attack.”
He added that the two main vectors of attack are still email and the web, but whereas in the past web attacks came from unsavory sites, now they can come from anywhere. Any site that you go to on a regular basis could have been infected, putting you at risk.
“We have to come from a position of being suspicious of everything,” Hodson said. “Applying a level of scanning or traffic and assuming all traffic is malicious until we’ve been proving otherwise.”
An Increase in Cyberattacks
The number of attacks has also increased exponentially. Stanger cited CompTIA research that found in the first half of 2017, 1.9 billion accounts were exposed – a 164 percent increase since 2016.
“These attackers are very very capable, much more than they have been in the past,” Robinson said. “They’re motivated by different things, and no one is safe.”
He added that small businesses often believe they are safe because they feel their data is not as important as that of “the big fish.” But Robinson countered by saying that there have been almost the same number of attacks on small organizations as large ones. Attackers can get the same type of personally identifiable data from a small or large business and then they use that in a phishing scam to get bank account information. And unfortunately, many small businesses don’t have the same ability as large ones to recover quickly.
“If you’re a small business and don’t have the capabilities of a large business, it’s not just the cost of recovering data, but how long that will take and the cost of business you might lose to downtime and reputation damage,” Robinson said.
Accepting Versus Ignoring Risk
When it comes to risk management, Hodson emphasized that we can’t protect against and mitigate all risks at the same level – it comes down to prioritizing what risks are acceptable to the business and what ones are not. He said that an acceptable risk is one where the stakeholder is aware of the facts related to the risks and agrees that it’s worth being vulnerable to.
“There’s a huge difference between risk acceptance and ignoring risk, and that’s something we need to take on board,” he said. “If someone’s accepting risk, they have a balanced, qualified view of the impact and the likelihood of that risk manifesting itself in the environment.”
Watch the on-demand webinar to learn more about risk management and earn 1 continuing education unit (CEU) toward the renewal of CompTIA A+, CompTIA Network+, CompTIA Security+, CompTIA Cloud+, CompTIA Cybersecurity Analyst (CySA+) and CompTIA Advanced Security Practitioner (CASP).