Don't assume that your employees cannot help you. They absolutely can. During the various programmes to educate your end users, employees can actually become a source of security input into your knowledge base.
For example, Raytheon Websense has a global programme, 'Catch of the Day', for all our employees, who are encouraged to alert our CISO team about any incident, whether physical or cyber. Every quarter our CEO gives an award to those employees who identified a situation that could have led to risk. I think businesses can adopt a similar practice, as they will be surprised to see the potential gaps, and it also keeps employees engaged.
Today's insider threats do not mean only the company's own employees.
That's right. It includes the supply chain and the contractors (for your business), and these individuals have access to information and systems. And cybercriminals are trying to get access too.
CISOs should look at the information that resides within the organisation and at anything that may be unusual or out of line with what typically happens in the business. It might not be that the individual is stealing data but that their machine has been compromised. We typically recommend establishing a baseline of normal activity and looking for any abnormalities. There might be some controls in place, but one needs to immediately stop that large file of customer addresses being sent out through a peer-to-peer network.
Do look at the supply chain as well, as the risk might be brought in through the email accounts of those you are doing business with. It needs the same level of analysis, assuming that at any point they could be compromised, and that should not impact your business.
In today's hyper-connected world, e-commerce shopping and e-wallets can be a new playground for hackers.
Any new technology introduced could be a potential risk, which can be managed through risk management.
For example, entry of a PIN is not needed for contactless credit cards in the UK. Banks first tested with small amounts of money to gain confidence that fraud did not happen as expected. They understood the situation with the new technology, put controls and alerts in place, and then expanded to give consumers the convenience of using it for transactions of larger amounts. That's the lesson to be learnt with any new technology.
As per the Raytheon | Websense predictions for 2016, hacks targeting mobile devices and new payment methodologies will impact payment security more than EMV. The increase in non-traditional payment methods on mobile devices, or via beacons and smart carts, will open the door to a new wave of retail data breaches.
Another prediction is around generic top-level domains. One could register .co as a top-level domain, but malware authors have already choked on them. The banking sector has now adopted the .bank domain, and some have added technologies like DNS to provide some level of control over individuals registering on .bank domains. It also monitors people's interaction and further grows their confidence in this legitimate domain of the bank.