
3. Employees are the weakest security link inside an organization

Other facets of these attacks rely less on technology and more on the weakest link: the people. For example, Mr. Elisan said that by trolling social networks, attackers can discover family members of target executives and persuade them to visit compromised websites, or to download malware to their systems. Then the malware migrates from the executive’s home network to his or her corporate network.

That, he said, is why RSA looks at the victimology in the attacks it sees. By profiling threats and victims, it can predict future targets and proactively warn them of the risk.

“The reality of the threat landscape should make CIOs nervous,” said James McCloskey, senior research analyst at Info-Tech Research Group. “We’re talking about industrialized criminal activity.”

Because of this, he is seeing a new willingness among companies to work with managed security providers rather than attempting to do everything in-house.

Outside threat intelligence is key, he explained, because no single source of information is a silver bullet. “If you have the right partners, they have their own threat intelligence gathering, and are beginning to talk among themselves,” he said. “To the extent that they can all share, they all benefit.”

“Vendors are no longer promulgating the idea that prevention is possible,” he added.

“As much as the message has to be that you can’t be perfectly secure, can we be adequately secure? We tend as humans to make these determinations about risk and security on a day-to-day basis, but somehow we’ve come to the information security world and set a bar for ourselves which is well beyond what we expect in the meat world. I’m refreshed by the fact that the conversation has shifted towards this, which means that we are having a more realistic conversation about what can be done.”

“Any CIO or board member would like to be told ‘you’re safe’. But it would be inappropriate for a CSO or a lead security manager to be saying ‘you’re safe’, without putting the context in place in terms of ‘you are safe enough in terms of the level of risk we’re willing to tolerate’. I’m seeing a shift in the willingness of audiences to recognize this.”