While such training is definitely important, the company first has to determine the effectiveness of different training as well as the best methods to educate the employees.
How to mitigate risks linked to connecting to Cloud?
First of all, as a company, you need to ask yourself which risks you care about and what your risk appetite is for each and every risk.
After that part is completed (or at least initially evaluated), you are advised to initiate a threat modelling assessment so that you are able to understand the attack vector(s) and your existing weaknesses, and, by that, your evaluation of potential mitigations would be more effective.
When it comes to the mitigation options themselves, it depends on the results of the two aforementioned assessments. For instance, if as part of the threat modelling you reach the conclusion that your key weakest links are your access control mechanisms or proper logging and monitoring, and your risk appetite assessment states that your risk appetite for unauthorised access is lower than the one related to repudiation – your mitigation plan should reflect that.
Could effective employee training be helpful in predicting an early detection of data breaches? Is such training already in place?
I am happy that this question distinguishes between yet-another-employee-training, those which are commonly performed to “tick the mark”, and those which are practically effective, in a way that the employees can understand which key indicators are worth paying attention to in order to determine, even implicitly, whether there is or was a data breach. In order to make these trainings effective, you should be able to measure the effectiveness level. Since different types of employees have different ways of learning what the signs of a potential data breach are, you are advised to be creative, for instance by providing multiple training methods.
How to put in place protection strategies that deter attacks and ensure the security of information of your customers? How to gain and keep their trust?
For this question I would distinguish between deterring attacks and deterring attackers. The ways to deter attacks are mainly around performing the right threat modelling, understanding the misuse cases and business impact, and addressing them with proper security controls, whereas the ways to deter attackers would be the combination of implementing proper security controls alongside direct deterrence measures, such as non-repudiation controls (mainly effective with regards to the insider threat) or strong enough visible security controls which would “help” the attacker perceive the organisation’s security posture as more resilient.
With the combination of practical security controls alongside proper processes, you would significantly reduce the probability of data loss or data disclosure, and by that retain your customers’ trust.
Nir CHERVONI, Head of Data Security at Booking.com, is a seasoned information security leader with extensive information technology, information security, and strategic security planning skills. He currently heads the data security department at Booking.com; in his previous position Nir acted as the CISO of Credorax Group – a FinTech company providing merchant acquiring services, cross-border payments, and banking services. Nir also acts as a board advisor for a couple of cyber security startups, helping them shape their products and services to achieve optimum business results. Nir brings vast knowledge and experience in the field of information security in large-scale corporations and FinTech companies. As a bonus – Nir is a musician in his spare time.