On April 11th, Duo Security and Global Risk Institute (GRI) co-hosted an executive breakfast in Toronto to provide an update on current security trends and key information that leaders need to know. While board members and company executives have a growing awareness of the risks and potential cost of data breaches, many of the educational resources available are still aimed at security professionals and are most useful for those in technical roles.
GRI is a member-based research group, with 32 members from financial institutions and government agencies across Canada. The group was formed after the financial crisis to promote research and insights into emerging risks.
The presentations began with Brian O’Donnell, Executive-in-Residence at the GRI and retired bank executive, who started by sharing the results of the GRI’s latest annual member survey. Cybersecurity risks topped the list of member concerns, outranking uncertainty in the housing market, consumer debt challenges, and regulatory changes.
This reflects growing awareness of new risks: applications and remote access by employees have converged, and contractors and third-party suppliers have significantly broadened the periphery of corporate networks. At the same time, attackers have increased the speed and sophistication of their attacks, leaving a steady stream of corporate and government institutions reeling from successful breaches.
After reviewing feedback from the survey and an overview of recent notable data breaches, Brian discussed a report published in January by the World Economic Forum called “Advancing Cyber Resilience: Principles and Tools for Boards.” The report sets out ten principles for boards, with practical tools and recommended questions, for a holistic view of security, including:
- Building a culture of executive security responsibility
- Understanding the intersection of cybersecurity and the strategic risk posed by technology (e.g. disruption), and ensuring that board members are sufficiently aware and knowledgeable to govern these risks properly (the report’s definition of Cyber Resilience)
- Accurately modeling which threats pose the greatest risk
- Utilizing an “Enterprise Cyber Risk Management Framework” approach to managing cyber risk, and ensuring that all employees, contractors, third-party suppliers, executives and board members understand the evolving cyber risk faced by the firm, and their role in cyber security
Duo’s presentation focused on the shift to cloud services, the vanishing perimeter, and how organizations can maintain strong security policies whether they are protecting on-site or cloud-hosted resources. Josh Yavor, Duo Security’s Director of Corporate Security and formerly Facebook’s head of corporate information security, gave an overview of the BeyondCorp model and how companies with a traditional perimeter-based security model can make incremental improvements while modernizing their approach to information security.
He then talked through Duo’s approach to Trusted Access, which replaces reliance on a private intranet behind a traditional firewall with checks made at the moment of access:
- At the point of access, Duo checks to make sure the user, their device, and the network they’re on meet the organization’s policy standards.
- The tools available in Duo Access allow organizations to enforce policy, run health checks on every device and network reaching critical systems, and let users self-remediate out-of-date devices and software themselves.
- Duo Beyond gives organizations the ability to enroll and set policy for corporate-managed devices for both internal and external applications, allowing for more nuanced policy settings.
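To make the access model above concrete, here is an added illustration of a BeyondCorp-style access decision. It is example code written for this summary, not Duo’s product code or the tooling Josh described: every request is judged on the user (second factor completed), the device (OS version, disk encryption, screen lock, management status) and the source network, and being on the corporate network grants no trust by itself. The policy constants, application names, version thresholds and the blocked network range (RFC 5737 documentation space) are assumptions chosen for the example; denials carry the remediation hint a user would need to fix their own device.

```python
# Added example (not Duo's code): a minimal BeyondCorp-style access policy
# evaluator. A request is checked on user, device and network at the point of
# access; the corporate network is not a trust boundary. All constants below
# are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class User:
    name: str
    mfa_passed: bool          # second factor completed for this request?


@dataclass
class Device:
    os: str                   # "macos", "windows" or "ios"
    os_version: tuple         # e.g. (12, 6, 1); tuples compare element-wise
    managed: bool             # enrolled in corporate device management?
    disk_encrypted: bool
    screen_lock: bool


@dataclass
class Request:
    user: User
    device: Device
    source_ip: str
    application: str


@dataclass
class Decision:
    allow: bool
    reasons: list             # denial reasons doubling as self-remediation hints


# Assumed policy (hypothetical values for the example).
MIN_OS_VERSION = {"macos": (12, 0, 0), "windows": (10, 0, 19044), "ios": (15, 0, 0)}
MANAGED_ONLY_APPS = {"prod-admin", "hr-payroll"}
# Constructed sample range standing in for a network the organization refuses
# to serve (for instance a known anonymizing proxy).
BLOCKED_NETWORKS = [ip_network("198.51.100.0/24")]


def device_health_problems(dev: Device) -> list:
    """Return one remediation hint for every health check the device fails."""
    problems = []
    minimum = MIN_OS_VERSION.get(dev.os)
    if minimum is None:
        problems.append(f"unsupported OS '{dev.os}'")
    elif dev.os_version < minimum:
        needed = ".".join(str(n) for n in minimum)
        problems.append(f"update {dev.os} to {needed} or later")
    if not dev.disk_encrypted:
        problems.append("enable full-disk encryption")
    if not dev.screen_lock:
        problems.append("enable the screen lock")
    return problems


def evaluate(req: Request) -> Decision:
    """Decide a request by checking user, device and network against policy."""
    reasons = []

    # User: a completed second factor is required for every application.
    if not req.user.mfa_passed:
        reasons.append("complete second-factor authentication")

    # Device: health checks apply on every network, the corporate LAN included,
    # and the most sensitive applications additionally require a managed device.
    reasons.extend(device_health_problems(req.device))
    if req.application in MANAGED_ONLY_APPS and not req.device.managed:
        reasons.append(f"'{req.application}' requires a corporate-managed device")

    # Network: only explicitly blocked ranges matter. An off-site address is not
    # a reason to deny, and an on-site address is not a reason to skip checks.
    src = ip_address(req.source_ip)
    if any(src in net for net in BLOCKED_NETWORKS):
        reasons.append(f"source network {src} is blocked by policy")

    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample requests.
    healthy = Device("macos", (13, 2, 0), managed=True, disk_encrypted=True, screen_lock=True)
    stale = Device("macos", (11, 7, 0), managed=False, disk_encrypted=True, screen_lock=False)
    for r in (
        Request(User("alice", True), healthy, "192.0.2.10", "prod-admin"),   # remote, fine
        Request(User("bob", True), stale, "10.1.2.3", "prod-admin"),         # on LAN, still denied
        Request(User("carol", False), healthy, "10.1.2.3", "wiki"),           # on LAN, no MFA
    ):
        d = evaluate(r)
        print(r.user.name, r.application, "ALLOW" if d.allow else "DENY", d.reasons)
```

The point of the structure is that the network check is the weakest of the three inputs: a request from a corporate address with no second factor or an outdated device is denied with the same remediation hints as one from a coffee shop, which is the incremental step a perimeter-based organization can take first.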
The migration to cloud services and prevalence of users bringing their own devices are forcing businesses to reconsider their approach to effective security. While this poses new business challenges, executive teams willing to evaluate their approach to technology and leadership can leverage these changes for a more resilient, manageable and flexible security program.
Both the GRI and Duo agree on the need for a broader dialogue on these evolving threats if institutions are to become and remain resilient. Addressing them requires a commitment to strong security practices by everyone who connects to critical services, or the institution risks being singled out by attackers as the next “weakest link.”