In a recent exclusive roundtable with Cisco, the Head of Advisory CISOs at Cisco, Wendy Nather, unpacked for us one of the major current attack vectors that cybercriminals are using, explained the security poverty line, and revealed one common mistake almost every industry makes with regards to their cybersecurity.

There is an old cliché that the only constant is change itself, and this certainly seems applicable to the cybersecurity landscape. Like the plot in the latest season of Stranger Things, we never quite know what to expect when sitting down with Cisco to talk about cybersecurity. And, like that series, we were not disappointed.  

Nather began by noting that the reason why cybersecurity is such a perennial topic, is precisely because the security landscape is ever changing and evolving. Along with the familiar threats like ransomware, the company has seen cybercriminals use new methods to try trick unsuspecting users into divulging sensitive information.

One such example is by using Multi-Factor Authentication (MFA) fatigue. The way this works is that attackers are taking advantage of push notifications by flooding users’ authentication app with so many notifications that the end user will do anything to make them stop. They then contact the user, pretending to be from the help desk and offer to help them resolve ‘’the issue on their account.’’ All the user has to do is click on link, which unbeknown to them gives the attacker control over their device.

The user isn't always wrong

However, Nather doesn’t believe that calling the user the weakest link in cybersecurity, or tasking them with getting a better grasp of cybersecurity threats, is the way to go. Rather, she puts the ultimate responsibility squarely back on the shoulders of the IT industry and the IT department specifically.

“Users should not have to understand everything about cybersecurity that we as IT professionals do. It is our job to ensure that we have multiple layers of defense so that one compromised user cannot affect an entire organization,” she stressed.

For her, the better solution is creating greater ease of use

‘’I feel as though security should be as easy to use as a spoon. It's really difficult to get a spoon wrong. The design is such that you learn how to use it as a child and you can go anywhere in the world, pick one up and instantly know how to use it. I feel that we should be designing security to be that easy to use. Then you would not have to think about it and you would not have to have ‘spoon awareness training’ once a year that everyone has to sign up for,” she added.

The everpresent problem

Nather stressed that when it comes to cybersecurity, a perennial problem is getting the basics right.

‘’The problem is that these basics are not easy to do - knowing what systems you have; what state they're in; knowing all your users; knowing what's being connected to the network and knowing what applications are in use. These are not trivial and if you look at just every breach that goes on, it ends up coming down to a difficulty executing on the basics,” she continued.

In Part 2, she details the security poverty line, and how the lack of four key components makes it more difficult to keep up with attackers.