Security conscious? Watch these three groups

There are many threats to information security. Telstra security specialist Jeremy Requena focuses on the people challenges businesses face.

For many, the term “security threat” conjures up notions of the mysterious workings of a shadowy underworld. But senior managers need to understand that real threats also come from people close to the organisation, including staff, IT specialists and external parties. Security consultant at Telstra Global Enterprise and Services Jeremy Requena says this is a three-pronged dilemma that needs to be identified and addressed.

As a senior manager, you may think you’re not part of the problem, yet Requena suggests senior managers might be contributing to the company’s cyber security dilemma in ways they don’t expect.

“When it comes to cyber security, a lot of people are pointing towards technology as the saviour with too little focus on people,” Requena says.

Here are three groups companies need to keep a close eye on:

End Users

Decisions made by end users are often poor, so user education is important, Requena says. Phishing emails succeed because users may open links or attachments, and people with administrative rights to their desktop can install any kind of software either deliberately or unknowingly.

IT Staff

IT staff are a complex case because their level of access can have a significant impact on whether or not malicious activity is detected. Some system administrators are jacks-of-all-trades with fairly comprehensive access across organisational IT systems. These accounts hold the corporate IT equivalent of the “keys to the kingdom”, and represent a significant threat to the company overall if they are targeted by a malicious third party, who can use this access to move around a corporate network largely undetected.

Many large organisations, however, use a stronger set of partitions and different access rights to make it more difficult for systems admins to move across different networks, making malicious or unusual behaviour easier to spot.

“A key part of it is people being trained well enough to use the technology in an effective way,” explains Requena. “It’s not the technology but how you configure it that matters – you can have the best-of-breed firewall but if it’s not configured right it’s all for nothing.”

Change management is a crucial issue: people need to know why their access is being limited or curtailed, otherwise they may look for ways to circumvent important security processes. Additionally, if processes become too lengthy and cumbersome, staff may look for shortcuts or avoid vital processes.

“When it comes to security, a lot of people are pointing towards technology as the saviour with too little focus on people.”
– Jeremy Requena, Security Consultant, Telstra Global Enterprise and Services

External Parties

Surprisingly, shady underground hackers often find a path into an organisation thanks to well-intentioned insiders. Requena says risks can also be introduced into an organisation by internal staff who are outside the IT team and who may not have a deep understanding of security policies and requirements. In fact, he believes senior executives who have control over technology decisions can unknowingly place an organisation at risk.

“What I’ve found is a lot of C-level folks will go to a conference and come back with a new idea, yet there’s no good business case for doing things,” Requena says.

He cites the IT transition to the cloud and the bring-your-own-device trend as two trends that can unknowingly operate as entry points for malicious activity. In many cases, managers who are loath to be seen falling behind their peers rush to adopt new technology, and unknowingly leave the company vulnerable to attack from outsiders.

Requena sees the same issue with the rise of the Internet of Things. “It’s like we’re being made to react to situations that don’t exist or to change direction to fit the mould or mandate of someone who has heard what someone else is doing,” he says.

Senior security professionals need to focus on three groups:
  • End users – education is crucial, particularly around phishing emails and segregation of duties through user accounts
  • IT staff – find appropriately skilled staff and ensure you know what normal network behaviour looks like so you can spot anomalies
  • External influencers – hacking threats are one thing, but don’t be driven by emerging tech trends that don’t have obvious strategic value

Find out more about our Telstra Cyber Security Report 2016.

