CIO Cyber & Risk Network November 2019
The Cyber and Risk Network November gathering focused on the following areas:
1. Phishing. This is a conduit for business email compromise, account takeover, and ransomware. A highly valuable control that a number of the participants recommended was the use of Multi-Factor Authentication (MFA).
- A vendor in this space that was discussed - although none of the participants had deployed it - was Menlo Security.
- Mimecast was also named as a vendor that a number of the participants were using, and it was also viewed favourably.
The roadmap of Microsoft for security was also discussed. This discussion included: licensing implications, vendor management and Microsoft PowerApps, and the impact of these in the enterprise environment.
2. Security awareness training. Various approaches to encouraging better security behaviour were discussed, ranging from supporting senior executives and their families through to finding the balance between awareness training and technical safety rails.
- One participant shared that security awareness training took their organisation from a click rate of 35% down to 15% in simulated phishing attacks.
- The participants also discussed the various approaches to dealing with those individuals who do not seem to respond to training and keep clicking.
3. Trusted insiders. Our guest speaker spoke about the core issues to be aware of when a trusted insider may be turning. A final recommendation from the guest speaker was to ensure that staff know that when they report anything to the organisation ("if you see something, say something"), they are showing the organisation that they can be trusted.