Changing technologies and markets require adapting an organization's overall cybersecurity strategy, including the scope of our risk management, and then reviewing and adjusting our operational program to deliver the revised vision, said Akm Hasan, head of cybersecurity at Hays PLC.
Shadow APIs are up 900%, and API business logic abuse attacks have come to the forefront and are demanding both discovery and defensive measures from cybersecurity organizations, said James Sherlow, director of solution engineering in EMEA at Cequence Security.
According to Expel's Q1 2023 Quarterly Threat Report, criminals are exploiting 1- to 2-year-old vulnerabilities. This suggests organizations don’t know which vulnerabilities pose the biggest threats to their environments, said Andrew Hoyt, Expel's director of solution architecture.
Employees need technology that is easy to use and free of errors and that directs them to appropriate cybersecurity guidance when they have questions. Basically, they need technology that helps them to help themselves work more securely, said university professor Steve Furnell.
As more organizations undergo resource and cost pressures, 86% of managed security services customers are deciding to consolidate security tools and outsource their security requirements, according to the OpenText Cybersecurity 2023 Global Managed Security Survey.
Human Factor Security expert Robin Lennon Bylenga advised that in building an internal threat management program, it is imperative to not send mixed messages to the broader workforce. It's wise to conduct an assessment of human risk - not just IT risk, she said.
Security is about more than technology, said Paul Watts, a distinguished analyst at the Information Security Forum. It's also about people and process, he said, with the ultimate goal of adding value to what the business is trying to do. Watts discussed how security leaders can achieve this goal.
Today's CISO must have close communication with the C-suite, understand the business needs of the organization as well as its objectives and risks, and to be able to articulately translate those business objectives into technology, said Dion Alexopoulos, head of security at Camelot.
We have moved from cybersecurity strategy to cyber resilience strategy, said Fene Osakwe, a board member of the Forbes Technology Council. As a result, he said, we still start with identifying assets, but we keep going until we achieve recovery.
Practicing incident response procedures is as important as practicing fire drills, said CISO Nick Prescot of Norgine. But beyond regularly testing the plan, security leaders must foster a collaborative environment so their teams maintain a sense of calm in the heat of an incident.
Unintended bias in artificial intelligence tops deliberate misuse when it comes to the privacy concerns around use of facial recognition in public areas, with data handled by AI, according to Harry Boje, data protection and privacy officer at Paydek.
With social engineering attacks escalating, security organizations should embrace better cybersecurity awareness training to protect their organizations against insidious schemes, said Barry Coatsworth, director of risk, compliance and security at Guidehouse.
The rapid adoption of cloud is a double-edged sword. While it offers organizations great opportunities for embracing innovation, it also outpaces security measures, leaving gaps for attackers to exploit. James Campbell, CEO of Cado Security, discussed the risks and vulnerabilities.
General cyber hygiene has gotten worse at small and midsized businesses, according to Simon Newman, CEO of the Cyber Resilience Center for London. "Businesses are less able to spot that they've been a victim than they perhaps have in previous years," he said.
Attackers are increasingly using carefully crafted business logic exploits in which attackers effectively social engineer an API to do something it wasn’t intended to do, according to Stephanie Best, director of product marketing for API security at Salt Security.