Digitization initiatives have continued to be successful in the Middle East, and with the rapid adoption of digital technologies comes added and growing exposure to the risk of cyber-attacks. These attacks are now sophisticated and have the potential to derail the progress and benefits of digitization.
To guarantee that the appropriate strategic methods are put into place to protect digital assets, CISOs of enterprises around the region play a vital role in minimising and navigating these risks.
Cisco’s CISO Advisories experts are sharing key topics to keep in mind when CISOs prepare to reduce threats this year:
Being a CISO has never been more complex. There are more sophisticated attacks, scarcity of resources, the challenges of communicating effectively with the board, and more demanding regulatory drivers being implemented rapidly within the region.
With so much to consider, CISOs must have a clear understanding of the core elements of what they protect. Questions like ‘where is the data?’, ‘who is accessing it?’, ‘what applications is the organization using?’, ‘where and what is in the cloud?’ will continue to be asked, with an overarching need to make management of the security function more flexible and simpler for the user. This visibility will also enable faster decision-making and reduce the operational overhead of regulatory compliance.
In the Middle East, the use of cyber insurance or coverage is becoming more and more important. Cyber insurance, despite being a recent and quickly developing field, offers financial security that encourages innovation and risk-taking in digitalization. Insurers’ demands for more attribution will keep the subject in the spotlight this year. Attribution is the practice of identifying a cybercriminal by matching the data acquired from an attack with evidence gathered from previous assaults that have been linked to known culprits. In the future, CISOs will need to be more prepared and have a clear understanding of what cover has been granted when negotiating contracts.
Zero Trust implementations, while being the most secure approach a firm can take, are long journeys that take multiple years for major enterprises to carry out, so they must start as they mean to go on.
The principles of zero trust fundamentally reverse typical security techniques, shifting from safeguarding from the outside in (covering your company’s perimeter from external threats) to protecting from the inside out (guarding individual assets from all threats, both internal and external). However, in many circumstances, that can be easier said than done. This is particularly difficult for large businesses because there are so many distinct silos, stakeholders, and business divisions to take into account.
The key to success on a zero-trust journey is to set up the right governance model with the relevant stakeholders and communicate all changes.
As with last year, ransomware continues to be the main tactical issue and concern facing CISOs. More specifically, the uncertainty around when and how an attack could be launched against the organization is a constant threat.
CISOs will continue to prioritize basic security measures to prevent or minimize the effects of attacks. They will also closely examine the process and authorization for paying ransom demands in the event of a ransomware attack.
In the past, CISOs have emphasized the importance of raising security awareness through practices such as sending simulated phishing emails. However, there is now growing scepticism about the effectiveness of this approach.
For the most effective security awareness, culture is key. This means that everyone should see themselves as part of the security team, much as safety has been approached in many high-risk industries. This year CISOs will be keen to bring about a change to a security culture by making security inclusive, looking to create security champions within the organization, and finding new methods to communicate the security message.
The finest talent may choose to leave, or never join, a company whose infrastructure is not flexible, as hybrid work is increasingly the rule rather than the exception. This element can be influenced by overly rigorous security procedures, cumbersome security with excessive friction points, and restrictions on the resources and equipment that can be used.
CISOs should not have to worry about causing employee frustration and burnout. Therefore, security efforts should focus on implementing user-friendly methods, such as passwordless or risk-based authentication, to increase flexibility and enhance the overall user experience.
Just when we thought it was safe to go back into the organization with MFA protecting us, along came methods of attack that rely on push-based authentication vulnerabilities including:
• The barrage of push notifications – Multiple successive push notifications sent to wear a user down until they accept a push for a fraudulent login attempt;
• Push Fatigue – Constant MFA prompts mean users pay less attention to the details of their login, causing a user to accept a push login without thinking.
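As an added example (not part of Cisco's advisory), the following Python script flags the push-fatigue pattern described above in constructed authentication log lines: a burst of push prompts to one user within a short window, with denials followed by an approval. The log format, field names, thresholds and sample values are all assumptions.

```python
"""Flag MFA push-fatigue patterns in authentication logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; assumed format: "<timestamp> <user> <event> <source_ip>"
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z alice push_sent 203.0.113.5
2024-03-01T08:00:03Z alice push_denied 203.0.113.5
2024-03-01T08:00:20Z alice push_sent 203.0.113.5
2024-03-01T08:00:22Z alice push_denied 203.0.113.5
2024-03-01T08:00:41Z alice push_sent 203.0.113.5
2024-03-01T08:00:58Z alice push_sent 203.0.113.5
2024-03-01T08:01:10Z alice push_approved 203.0.113.5
2024-03-01T08:05:00Z bob push_sent 198.51.100.7
2024-03-01T08:05:04Z bob push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
PUSH_THRESHOLD = 3              # assumed: this many pushes in WINDOW is suspicious

def parse(lines):
    """Parse log text into (timestamp, user, event, ip) tuples."""
    events = []
    for line in lines.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events

def find_push_fatigue(events, window=WINDOW, threshold=PUSH_THRESHOLD):
    """Return {user: {pushes, denials, approved_after_burst}} for users hit by a push burst."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        sends = [e for e in evs if e[2] == "push_sent"]
        for t0, *_ in sends:                      # slide the window over each send
            burst = [e for e in sends if t0 <= e[0] <= t0 + window]
            if len(burst) >= threshold:
                end = t0 + window
                denials = sum(1 for e in evs if e[2] == "push_denied" and t0 <= e[0] <= end)
                # An approval after repeated prompts is the "gave in" signal worth paging on.
                approved = any(e[2] == "push_approved" and burst[-1][0] < e[0] <= end for e in evs)
                alerts[user] = {"pushes": len(burst), "denials": denials,
                                "approved_after_burst": approved}
                break
    return alerts

if __name__ == "__main__":
    print(find_push_fatigue(parse(SAMPLE_LOGS)))
```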
In the forthcoming year, CISOs will look to update their solutions and introduce new ways to authenticate, along with increased communications to users on the topic.