Humans are the weakest link when it comes to protecting an organisation, said a collection of the Middle East’s top chief information security officers yesterday.
During an in-depth roundtable discussion prior to the inaugural CISO30 Awards and Forum, hosted by Tahawul Tech and Security Advisor Middle East, security heads from a variety of both public and private entities from across industries gathered to highlight the pressing challenges they’re seeing in the threat landscape today.
“Currently, the major risks that we’re seeing centre around the users themselves,” says Mario Foster, group CIO, Al Naboodah Group. “We’re seeing a lot of phishing attempts, and users not following directions from security professionals, which is ultimately leading to vulnerabilities within the organisation.”
The majority in the room agreed that this was the number one headache for CISOs, and went on to discuss methods for solving this issue in a proactive and efficient manner. Creating a sense of awareness around best practices when opening spam emails, entering company or personal details on suspicious websites, and correctly disposing of company-sensitive information stored on portable devices were pinpointed as many of the attendees’ top priorities.
However, simply rolling out training exercises is not enough, said Piyush Kodape, CISO, Dubai First. “Similarly, if you set assessments that are beyond an employee’s means, it will just encourage people to cheat and attempt to share answers,” he says. “A good awareness programme should involve regular email flyers, assessments, and changing wallpapers and screensavers around the organisation to display basic information security tips.”
Dr. Reem Al-Shammari, team leader, Information Security, Kuwait Oil Company, was in agreement, and highlighted the need to create a cyber aware organisation from the top down.
“Humans are the first line of defence, and therefore we need to invest highly in them,” she says. “Normal training courses, or typical question and answer-type assessments are no longer efficient. Instead, we should be looking to entice the user to want to become cyber aware through gamification and story-telling techniques.”
Biju Hameed, head of Information Security and Compliance, Dubai Airports, put an interesting spin on the discussion, and said that security practitioners often get the education aspect slightly wrong.
“Implementing e-training courses and distributing informative flyers will not make people instantly compliant. We tend to overcomplicate the issue by bombarding these outlets with tech jargon and suddenly expect everyone to become a security expert,” he says.
Instead, Hameed believes, organisations must consider those that are the “least tech sound” to be their biggest concern, and therefore their main audience when targeting these awareness campaigns.
“When you carry out a phishing campaign, you discover people are guessing and pressing,” he says. “Our new motto is to ‘think thrice,’ to encourage users to think before they think, share and use.”