6th July 2022
In spite of the railway and tube strikes, cybersecurity architects,
awareness specialists and HR professionals alike came from far and wide to visit
the London-based event that we all know as InfoSec. After two years of relative
silence, the event came back with a vengeance: manifesting a hub of impetuous
activity and multicoloured swag once more.
It is common to overlook how the technology landscape is changing. It is nonetheless staggering to comprehend just how much has changed in just a few short years, a shift that was obscured by the sheer noise that you'd expect from a global pandemic and the subsequent lockdowns. Now that the dust has settled, businesses are picking up where they left off, people are returning to the office, and a host of new cyber threats have shown up in full force, leaving many struggling to understand how to guard against an increasingly dangerous digital world.
Seeing all the various stalls and chatting to some of the
attendees really highlighted some of these changes. This blog details some of
our key takeaways from the event.
Instant Messaging has been overlooked as a potential security vulnerability
As our stand was visited by the various CISOs, chief
architects and cyber-awareness trainers, one thing that was clear was that utilising
simulated phishing emails in order to raise security awareness has become quite
common. That’s very encouraging to see, but what about instant messaging? Most,
if not all, businesses use Microsoft Teams, Slack or some other app; can they
not be used to gain sensitive information? Many visitors seemed not to have
considered this vulnerability.
This issue can be compounded by the possibility that your employees may not
use multi-factor authentication, or may reuse the same weak password across all
apps, platforms and websites. This opens the way for hackers to hijack a
legitimate IM user's account, and the problem can only get worse from there.
Insight: 23% of our clients' employees download malicious files sent via IM before
using CultureAI.
The focus is on managing integrations
Another commonality among those who visited us was that
each individual lamented the mish-mash of disparate apps, tools and devices
that make up the modern office software suite these days. For each app, there
is a different data set, a different level of security features and different
connections for syncing them together, each providing another security
gap for a hacker to exploit. When you consider how many gaps there are between
Office 365, Google Drive, Slack, Dropbox, Monday, Basecamp, etc. and also
factor in the sheer number of employees now working remotely vs in-office, it’s
no wonder that businesses struggle to patch up every vulnerability.
We felt the sense of increasing anxiety in each visitor as
he or she explained the uphill battle of keeping such a technology landscape
secure; maintaining constant vigilance over the disparate apps, devices and
employees alike. This is where an automated
platform that can monitor and correct employee behaviour across a range of
programs and devices can be a huge boon to anybody’s cyber-defence.
Does security awareness management even work?
Many who visited our stand would read the words ‘human risk
intelligence’ and ‘go beyond security awareness’, before approaching us and
stating that security awareness doesn’t work. Upon questioning each visitor who
shared this opinion, we usually found that it didn’t work for them. Why?
It came down to a combination of:
· Initiating security awareness training on an annual basis, as opposed to continuously
· Running specific awareness activities (such as simulated phishing attacks) as part of a time-specific campaign, as opposed to running continuously
· Relying on training content that is not engaging
· Focusing more on naming and shaming rather than correcting behaviours through gamification.
This is why the endeavour to empower employees to guard
against common attacks should be seen as a more continual effort; something to
work into one’s 9-5 lifestyle, as opposed to a set of abstract training
materials.
The cyber security landscape has changed
While it was good to meet so many people face-to-face once
more, it became obvious to us at CultureAI that office practices have evolved
in leaps and bounds since 2020, and yet each business’ cyber security has
struggled to keep up. This emphasises the need for an all-encompassing platform
that allows for an optimal level of visibility, automation and coaching in
order to render one’s business as close to impenetrable as one can make it. In
this new age of cyber theft, geopolitical saber-rattling and corporate
espionage, the need to protect one’s digital assets has never been greater.
CultureAI is a platform for cyber security and awareness professionals that want to help their entire workforce stop security incidents.
Get continuous visibility of human cyber risks & security behaviours across your workforce.
Instantly mitigate risks by automatically interacting with employees & orchestrating technical responses.
Traditional security awareness training doesn't prevent security incidents. Use data to automatically coach employees instead.