CeBIT devoted a great deal to IT security and internal threat management
The CeBIT 2016 rebranded itself as “innovation fair”, but it is no surprise that IT security and human behaviour in the digital world have been major concerns at the former computer trade show. IT security interests have escalated in the past few years and numerous astonishing security breach examples have surfaced.
A security researcher taking virtual control of a United Airlines plane in 2015 is just one of these many stories, but all of these incidents illustrate the vulnerability of smart, interactive and connected devices, and give an insight into the extent of the damage a cyber attack can cause. IT security threats are no longer confined to show rooms; they are part of our daily lives.
Measures against cyber attacks are not enforced
Recently, a ransomware attack occurred against a city hall near Würzburg, in Unterfranken. Against the recommendation of the police and the Federal Office for Information Security (BSI), the local administration decided to pay the ransom, claiming there was no other option to get the systems online again. However, investigators criticized this decision, as they believe it will further encourage cyber criminals to perpetrate more attacks.
This example reveals that the policies set to respond to cyber attacks are not well respected, even inside governmental institutions. Indeed, they can be ignored if there is no mechanism to enforce them.
Assume the breach
However, times have changed: organisations now have to “Assume the Breach”. The BSI and several research institutions argue that hardening systems and threat intelligence alone are no longer enough to protect assets against cyber threats. The focus should be on the assumption that mistakes and misbehaviour will happen.
In a recent report, the BSI confirms that ransomware attacks in Germany have multiplied tenfold from October 2015 to February 2016, emphasizing the role of privileged user accounts and employee education in these metrics. Policy enforcements and user access management are seen as crucial issues. Awareness and user compliance in the network are also recommended as preventive measures to avoid attacks.
The human factor cannot be neglected
This means that the human factor needs to be considered inside risk calculations. The auditor PWC argues in a recent survey that 48 % of all breaches are caused by human error, implying that these errors can easily bypass threat intelligence solutions.
Security vendors are focusing on devices and network segmentation, but with more employees changing positions and organisations, new threats have to be assumed. KuppingerCole sees a lack of life-cycle management for privileged users, as well as the danger of password leaks when people leave an organisation or when contract periods end. Most organisations cannot establish the accountability of sessions for each user, not even for those with privileged access rights.
Management of privileged access rights becomes even more important when IT tasks are outsourced. This exact trend was discussed at CeBIT. Any company should think about how much control it has over the individual accounts in its networks. With more devices and more users, organisations need tools to manage access rights; otherwise they have no chance of controlling their networks.
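The two gaps named above (no life-cycle management for privileged users, and no per-user accountability for sessions) are the kind of thing a periodic audit can surface. The following script is an added example, not code from the article or from any vendor mentioned in it: it joins a constructed HR roster against a constructed export of privileged accounts and flags accounts whose holder has left or whose contract has ended, accounts with no HR record at all, shared accounts that defeat session accountability, and privileged credentials that have not been rotated within a policy window. All names, dates and the 90-day threshold are assumptions chosen for the illustration.

```python
from datetime import date

# Constructed sample data: an HR roster keyed by account name.
# "end_date" is the last working day for leavers and contractors.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "left", "end_date": date(2016, 1, 31)},
    "carol": {"status": "contractor", "end_date": date(2016, 2, 29)},
    "dave": {"status": "active", "end_date": None},
}

# Constructed sample data: an export of accounts holding privileged roles.
# "shared" marks a credential used by more than one person.
PRIVILEGED_ACCOUNTS = [
    {"user": "alice", "role": "domain-admin",
     "last_password_change": date(2015, 12, 1), "shared": False},
    {"user": "bob", "role": "backup-operator",
     "last_password_change": date(2015, 6, 1), "shared": False},
    {"user": "carol", "role": "db-admin",
     "last_password_change": date(2016, 1, 15), "shared": False},
    {"user": "svc-backup", "role": "backup-operator",
     "last_password_change": date(2014, 3, 1), "shared": True},
    {"user": "dave", "role": "domain-admin",
     "last_password_change": date(2016, 3, 1), "shared": False},
]


def audit_privileged_accounts(roster, accounts, today, max_password_age_days=90):
    """Return a list of (user, category, detail) findings.

    Categories:
      shared          - credential used by several people, so sessions cannot
                        be attributed to an individual
      orphaned        - privileged account with no matching HR record
      departed        - holder has left or their contract end date has passed
      stale-password  - credential not rotated within the policy window
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)

        if acct["shared"]:
            findings.append((user, "shared",
                             "no individual accountability for sessions"))
        elif person is None:
            findings.append((user, "orphaned",
                             f"holds {acct['role']} but has no HR record"))
        elif person["status"] == "left" or (
                person["end_date"] is not None and person["end_date"] < today):
            findings.append((user, "departed",
                             f"left on {person['end_date']} but still holds "
                             f"{acct['role']}"))

        # Rotation check applies to every privileged credential, shared or not.
        age_days = (today - acct["last_password_change"]).days
        if age_days > max_password_age_days:
            findings.append((user, "stale-password",
                             f"password unchanged for {age_days} days"))
    return findings


if __name__ == "__main__":
    # Constructed audit date for the sample data above.
    for user, category, detail in audit_privileged_accounts(
            HR_ROSTER, PRIVILEGED_ACCOUNTS, date(2016, 3, 15)):
        print(f"{user:12} {category:15} {detail}")
```

In practice the roster would come from the HR system and the account export from the directory or PAM tool, but the joining logic is the same: every privileged credential must map to exactly one current person, and the audit date must be compared against contract end dates, not only against a "left" flag, so that expired contractor access is caught as well.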
For more information, click below to download this white paper.