Even Macs aren’t safe, James Lyne tells CBR.
Sophos is one of the biggest players in the web security market, and at last week’s Infosec event in London it unveiled, amongst other things, a new version of its Sophos Cloud service specifically targeted at small and medium-sized businesses (SMBs). CBR sat down with James Lyne, the company’s Global Head of Security Research, to talk cloud, Heartbleed, Mac security, and more.
So what are the main trends that you’re seeing this year at Infosec?
Unsurprisingly, given the amount of media coverage we’ve had over the last 12 months, the major trend is a huge focus on Advanced Persistent Threats (APTs) – there’s been a lot of discussion of how there’s been a significant spike in the number of actors in that space. I think that there’s certainly some truth to that – although a lot of it as well is frankly the delayed marketing hype catching up to what the bad guys have been doing.
There’s also just the continued theme of the fundamental new way that we’re all using technology – and I think this is one of the biggest challenges for the security industry as a whole over the next few years – so lots of focus on the cloud and mobile devices. What’s really different this year is that last year and the year before, everyone was talking about it – this year people are actually doing it. So people are having to find ways to live with the fact that they’ve adopted XYZ cloud application, they’re having to find ways to deal with the fact that they have all these mobile devices on all these different platforms, none of which have the security maturity that Microsoft has with its 20+ years of being compromised.
Big data seems to have died off a little bit, which is interesting, and I wonder if that’s due to a little bit of disillusionment. It was preached as the next big security saviour, the thing that was going to make it easier to deal with the type of threats we’ve discussed, but in reality people have discovered that collecting more data doesn’t solve the right problem – you need the intelligent rules and ways to process that and come up with more meaningful interpretations.
Sophos is revealing its new cloud platform at Infosec, which is really targeting SMEs – why are you focusing on that specific market?
A cloud infrastructure for managing security is going to be a sensible default for the majority of organisations going forward, given the trends we’ve all talked about over the last four or five years – it just makes sense.
But SMEs are a particularly logical use case – A) they don’t tend to have a huge infrastructure in the first place for security, so it’s easier to transition and it’s easier to build up more security capability with someone like Sophos providing that for them, and B) they are generally more open to the idea of a cloud solution providing integrated, simple policies they can roll out; they’re more comfortable handing control to a security provider to do it for them – whereas larger enterprises might see that as a point of conflict, because they have to give up control.
A lot of these smaller companies don’t have a dedicated CIO or CISO – there’s a lovely phrase that came from one of our customers that is the ‘OIO’ – the Only Information Officer – which I love, because it’s true: even in a fairly moderately-sized SME, often it’s one or two people who are IT guys keeping the printers on, keeping the network up, as well as doing security. What I love about what we’ve been able to accomplish with the cloud platform is sensible defaults; you can provision the thing in about 2-3 minutes for a large office – I’ve done it in literally two minutes whilst listening to another conversation – which is how it should be for a small organisation, it should be that simple.
What about the human error factor though? How can companies overcome that?
I would absolutely say that good security is a combination of the people process and technology – and if you don’t have all of these, you’re going to fail. You can’t just deploy endless technology and not educate your staff and be successful – we would never deny that. Equally, only educating your staff and not running the right controls is a recipe for disaster – so we absolutely encourage small businesses, as well as frankly any enterprise, to make sure they have a good security awareness program.
Explore the use of videos, be more creative, awareness mechanisms, social engineering and penetration testing in particular – we’ve produced a lot of free assets on our website such as our ‘top tips’ packages for things like mobile and social media to try and help people build those campaigns, and there are of course a number of commercial packages offered by a variety of partners.