Sharing Contos's sentiments, Thompson stressed that there is a huge human factor involved in security.
"I can't emphasise how important it is for people to make good choices. If you look at how most advanced persistent threats are being played out, almost always there is a human element to it," he said. "A human who is an insider in the company who has cooperated with the attacker - not willingly, don't want to cause harm to the company, but they have been tricked, cajoled, or fooled - I think they are one of the key battlegrounds in security."
Future security landscape
When asked about some major security threats that they foresee within the next year, Thompson pointed out that there will be a lot more attacks against embedded devices and systems.
"Most of these systems have been around for a very long time. When they were designed, they were never meant to be connected to a network beyond a trusted user. But now, connectivity has slowly crept in but the problem remains that these systems were never built with security in mind," he said.
"Another one that we've already seen is that it has become so cheap and so accessible to customise malware now. For example, if you are a big bank, you might just get a targeted piece of malware that's concentrated only on you. That has become a reality even for mid-sized businesses today. The tooling exists to modify even commodity malware very easily," he added.
Lastly, Thompson mentioned that we share so much of our lives online voluntarily, but there is also a set of information that we share online involuntarily. Since public records are now becoming digitised and searchable, it becomes easier to find out so much about someone without even meeting them in person. In the business context, this is very beneficial, but from the security perspective, this brings about the shift of "advanced attacks" becoming more social.
He explained that the attacker will log on to social networking platforms, such as LinkedIn, and try to sniff out information posted online, such as who the company administrators are, where they went for lunch, where they went for their recent holiday, et cetera. Having a barrage of information about the victim at hand allows the attacker to craft a targeted attack on that person, be it an email or a phone call.
"The tooling is now available for these cybercriminals to attack at this scale. That's going to be a huge issue and I don't think the industry has dealt very well with that up to this point," he said.