Plugging the gap in security - Focus On: Cyber Security (Abstract)

12 March 2017

Ergo Security Consultant Colin Keenan talks to Quinton O'Reilly from the Sunday Business Post about preventing and dealing with threats within a business. 

A recent stat from Microsoft says that 50 per cent of the worst breaches in 2015 “were caused by inadvertent human error”, which suggests education and awareness need to be worked on. Colin Keenan, a security consultant at Ergo, believes this is where there is a gap in security. “It’s one thing to look at technical solutions to a lot of these security challenges, but where we see things being missed are in relation to security awareness campaigns within an organisation,” said Keenan. “Your staff are the number one defence to a lot of the issues you see on a day-to-day basis.”

“A lot of the malware comes in via email, and a lot of them are still being opened by end users, so awareness training and education is absolutely key and it’s often overlooked. It’s a lot cheaper to do this than it is a lot of times to put technical solutions in place to prevent and block malware coming in.”

Keenan mentions how Ergo is seeing email addresses being spoofed so it looks like a colleague or someone from management is mailing you, something that can catch people out. “They’re almost phishing attempts, and people are still falling for them, which highlights the risk of the gap between awareness and education,” said Keenan. “It’s probably one of the easier things to plug but it’s often overlooked.”

Keenan notes that no solution will ever guarantee 100 per cent security and that people will probably make errors because it’s human nature, but you can instil a culture in the company that will help improve security. “It almost goes back to your day one within a company,” he said. “If there’s a culture within your organisation where your security is at the forefront of everything you do and everything you think about . . . there’s always going to be a defence there.”

While employees may use laptops, smartphones and tablets, organisations should ask themselves a number of key questions, such as what services and data should be available. “[For one], absolutely everything should not be available,” said Keenan. “Your entire IT infrastructure should not be available unless there is a very strong business case for it. You have got to ask yourself: ‘What services should be made available?’, ‘What data should be available for certain systems that may be deemed as a higher risk?’ and ‘What data should not be available?’

“[The last one is] a key one. You might have some applications and some systems that you never want to be available outside of your main building or main office . . . it all comes down to your impact analysis and your risk assessments. That’s a huge piece: knowing what should be available and, if you do make it available, what are the risks and what are the controls you need to put in place to keep it safe.”

Thankfully, he has found in his work with clients that they are becoming more open-minded about introducing changes once the risk is made clear. He also makes it clear that being security-minded does not mean harder processes. “Generally, you’re trying to get something that’s going to allow productivity to flourish, while ensuring a sufficient level of control,” said Keenan. “We go in and work with the business to understand what the risks are, and we plan a solution around those risks.”

Overall, it boils down to ensuring that culture is in place and that people know where their responsibilities lie. Once they know where the boundaries are, it makes things easier for both the employees and the business. “You really need to put more emphasis on acceptable use and what the expectations are, the education around security and in general, it’s just asking people to think twice.”
