Microsoft Europe CSA: AI & Humans Must Evolve Together in Cybersecurity

The digital evolution brought along automation, which enabled the transformation of economies and businesses on a large scale. What does the rise of artificial intelligence tools and machine learning in the digital landscape mean for cybersecurity, and how can humans evolve together alongside these technologies?

We caught up with Sarah Armstrong-Smith, Microsoft’s European Chief Security Advisor, about the impact of AI on cybersecurity and what the future of cybersecurity could look like.

1. Digital Acceleration Brings Evolved Threats

It’s estimated in the next five years that over half of the world’s data will live in the cloud. With that comes huge computational power that is available on demand and at scale, giving us the agility and flexibility to innovate.  

A clear effect of this is the accelerated development and use of smart technology in recent years. For example, more companies are investing in digital twins, which enable them to try different things and run diagnostics without having to do so in a physical environment.

However, this comes with concerns about security, particularly in high-tech areas that deal with intellectual property and other sensitive data.  

Global spending on cybersecurity is estimated to grow to about 1 trillion in just a few years.

What does this mean for security? Multiple factors must be considered to ensure privacy, security, and compliance with regulations. Beyond that, there’s also the defensive side of anticipating and managing evolving threats. Not only do we need to obtain information, but we also need to know how to act on it efficiently in real-time. This is where AI comes into play.

2. Security is in Transformation

The early discourse on AI verged on alarmist with warnings that the technology would eradicate jobs and leave millions of workers out of an income. In fact, the World Economic Forum projected that AI and automation would displace over 5 million jobs by 2020. However, the open market now has about 6 million unfilled cybersecurity jobs alone. In fact, there is a huge demand for talent in robotics, machine learning, IoT, big data, and AI.  

The mass migration of businesses to the cloud at different levels of maturity has shifted expectations on the type of connectivity provided, the devices used, and the trustworthiness of those devices. Most enterprises are running a hybrid business model due to challenges with the legacy estate. This complicates cybersecurity efforts. Security leaders are compelled to understand the integration between the IT, IoT and cloud environments in order to ensure a connected ecosystem that is smart, reliable and safe.

With all that combined, there is an increased attack surface and multiple blind spots. Particularly, organizations are still deeply fragmented when it comes to their approaches. At the same time, cyberattacks are rising exponentially.  

Moreover, attackers are becoming more sophisticated. They can move very quickly and outmaneuver security operations and technologies of even larger organizations because they are not constrained by regulatory requirements. Attackers are also investing heavily in automation and scripting.  

“Every time attackers bring out new malware or new attacks, we learn those, we counteract them, we have detections, we’re automatically blocking the malware and the different attempts that they’re trying. However, we know that resources are at a premium and we can’t just add and throw more money at it.

We have to think of ways in which we can increase the attacker’s cost and reduce our cost with our ability to act and respond as quickly as possible.”

3. What Can CISOs Do?

A. Prevention of threats 

The first imperative is that we need to prevent as many threats as possible with automation. We have to detect, we have to respond quickly and we have to continually learn. As much as the attackers are learning our defenses, they’re learning about the technologies that we have, they’re learning how to counteract that. When they’re counteracting that, the whole cycle starts again. We’re seeing this perpetual cycle of prevention, detection and response.

B. Understand the human attacker decision cycle

With human operator attacks, particularly ransomware operators and nation-state actors, part of their attack profile is really their ability to observe. They have to sit, watch and learn about your environment.  

We know that attackers understand IT infrastructure very well. What they don’t understand is how you specifically deployed technologies in your environment or other technologies you are utilizing. They have to learn and orient across your environment, and potentially keep elevating privilege. They have to get access to different parts of the infrastructure to learn what to do and what attack is going to work best in this environment. 

This is the kind of cycle we’re really looking at when it comes to that human attacker decision cycle. From a security operations perspective, our job is really to understand this cycle. Irrespective of the fact that they probably have been in that network for weeks or months, it’s really at the point where they have triggered some kind of action that we respond. 

We need to get better. We need to be proactive and preempt. We need to understand how the attacker is operating, understand this cycle, and get into the mind of the attacker for us to be able to make some decisions.  

What this comes down to is our ability to defend and act quicker across that entire cycle, meaning we need to maximize the visibility of our network. We need diversity of threat intelligence, and we need it from different sources. Importantly, we need that information in real time.

C. Automation + humans in threat detection and response  

The other thing that we need to do is reduce the number of manual steps or potential errors that may occur. Part of this is about the ability to automate that detection and response. From a security operations perspective, we don’t want to be pivoting across different technologies because that decreases the time that we have to act. It potentially means there are going to be more errors because we’ve got conflicting or duplicated information.

With that, we have to maximize human impact. We’ve got to get this information and intelligence in front of our humans because it’s humans that understand the context, it’s humans that understand the business risk, and it’s humans that understand consequences. 

We’ve got to get the human and automation layer right. This is about continuous learning.

We need automation, we need those evasion techniques. However, we also can’t stop every single attack now because attackers are evolving at pace. Instead, we have to adopt an assume-compromise mindset.

What Does the Future Look Like in AI & Cybersecurity?

In terms of the future, we’re going to see more use of virtual reality and mixed reality. We’ve already talked about how AI and automation are going to really shift our ability to get deep insight. Looking at how attacks are evolving, it’s estimated that we’re going to see an IoT botnet, which is probably going to be able to launch one of the biggest DDoS attacks that we’ve ever seen. We will probably also see a cyber attack of such magnitude that one of the countries will be forced to carry out a physical attack against the nation state that targeted them. 

We will also start to see not just digital buildings but digital cities, which increases the attack surface. We’re going to see the proliferation of cyber-attacks at scale, infiltrating IT, IoT, and OT simultaneously. That’s going to drive the need for regulatory control and human oversight with regard to how these AI and ML machines are working, the decisions that they’re making, and their ability to cause disruption at that scale.

AI & Humans Must Evolve Together

We’ve got to use AI and ML, but we also have to understand the behaviors of those humans and overlay these technologies with human expertise. We then have to increase our speed and quality of detection and response, so that we can react dynamically and in real time to threats as they happen. We have to keep speeding up the response with our orchestration and automation.

As we’re moving farther into that mixed augmented reality, the real value for security operators is to actually visualize that infrastructure. When they can see the attackers coming through the network, they can see them literally moving across the estate, it means they can start to take action at scale.  

Ultimately, we are not going to take any humans out of the equation. In fact, the reality is we’re going to have more augmentation between the AI and the human combined.

What Do You Do If You Fall Victim to a Cyber Attack?


As cyber attacks become a more constant threat, organizations are forced to examine their risk management strategies. Check Point found that there were 50% more attacks per week on corporate networks in 2021 compared to the previous year.

On top of that, more than 55% of large companies are not effective at stopping cyber attacks, identifying and fixing breaches, or containing the impact. Accenture’s State of Cybersecurity Resilience 2021 report also noted that 81% of CISOs said that “staying ahead of attackers is a constant battle and the cost is unsustainable”, compared with 69% in 2020.

We spoke to Nuno Martins da Silveira Teodoro, Cyber Security and Privacy Officer of Huawei Portugal and Tom Hofmann, CISO and DPO of Eniwa AG about whether humans really are the weakest link as well as the role CISOs play in this increasingly risky security landscape. 

Nuno Martins da Silveira Teodoro is a cybersecurity expert with experience in cybersecurity strategies and programs, threat intelligence, cybercrime and warfare, and data privacy. He has worked with regulating bodies and managed international certifications and cyber programs.

Tom Hofmann has over 20 years of experience implementing projects from Finland to Tokyo and an interest in how to leverage human-centered innovation in social and technical systems.

We need more engaging cyber awareness training

When asked why humans are still the weakest link in cybersecurity despite hours of training, Teodoro counters that humans are simply the “most probable link to be exploited” given the sheer number of employees in any given organization.  

He added, “You only need one to execute what criminal actors want.” 

Specifically, he pointed out that bad actors try to exploit people’s need to help and support others. This, combined with a lack of cybersecurity awareness in just one person in an organization, can have devastating effects.

Attackers are becoming savvier by exploiting chinks in the human chain via social engineering. So even the latest technology can leave an organization vulnerable if people lack the right level of cyber awareness. According to the Identity Theft Resource Center’s 2021 Data Breach Report, social engineering attacks such as smishing, phishing, and business email compromise (BEC) were the most common cause of cyber breaches in 2021.  

In fact, the 2022 State of the Phish report found that 78% of organizations experienced email-based ransomware attacks in 2021. Moreover, 79% experienced spear phishing attacks while 87% experienced bulk phishing.

Attackers have all the time in the world to exploit humans in an organization and they’re getting very good at it. In contrast, businesses are simply unable to spend all their time and resources training their employees, which presents a disadvantage.  

As such, Teodoro suggested engaging employees in a pragmatic way when training as opposed to showing slides or running computer-based simulations that they do not identify with.  

He said: “This is where I usually try to target the training courses we do, which is to identify the fine details that can indicate that someone is a victim of an attempted social engineering attack.”

Hofmann agreed that forcing people who are overworked and understaffed to watch boring training videos is ineffective, adding that blaming employees for falling victim to phishing attacks would also be pointless. Instead, he advocated for leaders to try to understand the problems their employees face and what they need to be more secure.

Human-centric approach to cybersecurity

On the question of a human-centric design of cybersecurity, Hofmann explained that it’s about combining technical and business viability. However, this is made difficult when there is a lack of trust between employees and their supervisors.  

Hofmann recalled that in his experience, project managers’ bonuses are tied to certain projects. Under pressure to deliver, they do all they can even if it means coming up with workarounds that may compromise security.  

Teodoro elaborated, “For sure, penalization is something that creates a culture of fear, and it creates a culture of not alerting or reporting anything or hiding things that could otherwise be critical.” 

“I think we should foster a culture of transparency, a culture of openness, and a culture where everyone is at ease to report to the upper management or CIO or to anyone who has the responsibility that they believe something is wrong, even if it started with them,” he added.  

Hofmann, who agreed, stressed that the only way to build this sort of trust is for leaders to go out and meet people, while also refraining from using blame or shame.  

Even so, both speakers conceded that this will be difficult to do. An organization-wide cultural shift requires the cooperation of each department. The challenge is that everyone has their own agenda and way of doing things. Each person also responds differently to engagement and security awareness training. This means CISOs are faced with the mammoth task of figuring out how to best engage employees across the organization and merge them together to create a holistic version of security culture. 

When asked about the greatest contributor to behavioral change in cyber awareness, Teodoro suggested creating ‘Cyber Champions’: employees from different business areas who can spread the message while also serving as a conduit for understanding what each team is concerned with daily in terms of security.

Ransomware: To Pay or Not to Pay

According to the Sophos State of Ransomware 2022 report, there was a 78% increase in the number of organizations hit by ransomware attacks alone in 2021. It is also an expensive breach. On average, the cost of rectifying the impact of ransomware attacks the same year was USD 1.4 million.

On whether organizations should pay the ransom, Teodoro and Hofmann both agreed that it is the absolute last resort.  

Hofmann specifically noted that paying the ransom only serves to fuel the “ransomware pandemic”. The only exception he would consider is if someone’s life is on the line – for example, if a hospital was hit by a ransomware attack and needed to recover access to its life-saving systems. He warned, however, that there’s no guarantee that everything will return to normal once a ransom is paid, because decryption keys do not always work.

Teodoro went on to emphasize that resolving a ransomware attack is a complex process, even if you did decide to pay. Finance leaders should consider whether they know how to negotiate with ransomware attackers and whether they have a team in place with the required expertise to handle such situations.

This is particularly important given that in 2021, 65% of ransomware attacks resulted in data being encrypted, while only 4% of organizations that were breached recovered all their data, according to the Sophos report. Additionally, 90% of organizations that experienced a ransomware attack faced operational issues as a result, while 86% faced a loss of revenue.

As such, the experts recommended setting up a crisis management team for cyber attacks to contain the incident and manage the fallout both internally and externally. After all, when an incident does occur, it has the potential to turn into a crisis.

Teodoro said, “If you have everything on crisis management prepared, you will know that being vocal, transparent, honest, and confront the public facing audience and your customers in a direct and open way are the best possible thing you can do. If you try to hide or conceal it, you will lose all your credibility.” 

Noting that communication is vital, Hofmann expressed his surprise at how leadership in many organizations remains reluctant to openly address breaches on the assumption that it would hurt their brand. He described this as a “biased decision”.

He explained: “I would rather trust a company who is open about it and who is transparent about what they are doing rather than a company that is hiding stuff from me. As a customer, I would ask, do I trust this organization with my data?” 

Challenges and Benefits of Cybersecurity Mesh

The idea of a cybersecurity mesh as the way forward in this evolving digital landscape isn’t new. In fact, several security providers have been offering comprehensive and consolidated security solutions based on the cybersecurity mesh approach over the last few years, including the Fortinet Security Fabric, Check Point Security Infinity, and Arhamsoft.

However, the concept gained traction when Gartner tagged it as a top strategic technology trend in 2022. The firm noted that the rapid evolution and sophistication of cyberattacks in tandem with organizations migrating to hybrid multicloud systems creates a “perfect storm” of security risk that needs to be addressed. 

What is Cybersecurity Mesh Architecture?

As described by the firm, a Cybersecurity Mesh Architecture (CSMA) is a “composable and scalable approach to extending security controls, even to widely distributed assets”. This approach is said to be particularly well suited to modular networks that are consistent with hybrid multi-cloud architectures.

In traditional cybersecurity approaches, security controls are typically implemented at the network perimeter or within specific devices or applications. However, as organizations and their digital ecosystems become more complex and distributed, this perimeter-centric approach becomes less effective.

Cybersecurity mesh takes a more adaptive and dynamic approach. It envisions a security framework where security controls are woven into every aspect of the digital environment, forming a “mesh” of interconnected security services and capabilities. This approach allows for more granular and context-aware security, enabling protection at various layers, from individual devices and endpoints to applications and data.

Key features and principles of cybersecurity mesh architecture include:

  • Distributed and pervasive security: Security controls are distributed across multiple components and devices, extending protection beyond the traditional perimeter.
  • Identity-centric security: The focus is on securing individual identities and devices, rather than just protecting the network as a whole. This approach helps mitigate risks associated with unauthorized access and compromised credentials.
  • Dynamic and adaptive security: The mesh adapts to the changing security landscape and evolving threats, adjusting security controls based on real-time risk assessments and contextual information.
  • Scalability and flexibility: The cybersecurity mesh architecture allows for scalable deployment and integration of various security solutions, accommodating the diverse needs of modern digital environments.
  • Interoperability: Cybersecurity mesh promotes interoperability between different security technologies and services, enabling seamless communication and collaboration between them.

By adopting this cyber mesh architecture, organizations can achieve a more resilient and responsive security posture. It helps address the challenges posed by distributed architectures, cloud services, IoT devices, and the increasing sophistication of cyber threats.

Figure: Cybersecurity Mesh Architecture: Overview (Source: Gartner Top Strategic Security Trends for 2022 – Cybersecurity Mesh)

In essence, each tool in the IT infrastructure within the CSMA operates as a cog in a greater machine. The framework proposed by Gartner is based on four layers: 

  1. Security analysis and intelligence: which analyses past cybersecurity attacks, as well as data and lessons from other tools, to inform future trigger responses and actions 
  2. Distributed identity fabric: a decentralization of identity management, identity proofing and entitlement management, creating an environment of adaptive access 
  3. Consolidated policy and posture management: the ability to translate central policy into native configuration of each individual security tool 
  4. Consolidated dashboards: offering a holistic view of the entire security ecosystem 

The CSMA framework appears to offer significant benefits over the traditional IT security model. 
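To make the third and fourth layers above concrete (consolidated policy and posture management, and consolidated dashboards), here is an added Python illustration written for this page; it is not Gartner’s framework code or any vendor’s product. A central policy is written once and translated into the native configuration of two hypothetical tools (an identity provider with JSON-style settings and a firewall with rule lines), then each tool’s live configuration is read back and compared against the central policy to produce a consolidated drift report. The policy keys, the two tools, their native formats and the sample drift are all constructed assumptions.

```python
"""Added illustration of two CSMA layers: a central policy translated into each
tool's native configuration (consolidated policy and posture management) and a
consolidated dashboard that checks what each tool actually enforces against
that policy. Constructed example; the policy keys, tool formats and names are
assumptions, not Gartner's framework or any vendor's API."""
import json

# The central policy, written once (constructed keys for this example).
CENTRAL_POLICY = {
    "mfa_required": True,
    "max_session_minutes": 60,
    "block_legacy_auth": True,
    "allowed_admin_cidrs": ["10.0.0.0/8"],
}


def to_identity_provider(policy):
    """Render the central policy as a hypothetical IdP's native settings."""
    return {
        "require_mfa": policy["mfa_required"],
        "session_lifetime_sec": policy["max_session_minutes"] * 60,
        "legacy_protocols_enabled": not policy["block_legacy_auth"],
    }


def to_firewall(policy):
    """Render the admin-access part of the policy as hypothetical firewall rule lines."""
    rules = [f"permit tcp {cidr} any eq 22" for cidr in policy["allowed_admin_cidrs"]]
    rules.append("deny tcp any any eq 22")  # default deny for admin SSH
    return rules


def from_identity_provider(native):
    """Read back what the IdP actually enforces, expressed in central-policy terms."""
    return {
        "mfa_required": native["require_mfa"],
        "max_session_minutes": native["session_lifetime_sec"] // 60,
        "block_legacy_auth": not native["legacy_protocols_enabled"],
    }


def from_firewall(rules):
    """Read back which CIDRs the firewall actually permits to port 22."""
    cidrs = [r.split()[2] for r in rules
             if r.startswith("permit tcp ") and r.endswith(" eq 22")]
    return {"allowed_admin_cidrs": cidrs}


def _norm(value):
    # Lists compare order-insensitively: rule order is not part of the policy.
    return sorted(value) if isinstance(value, list) else value


def posture_dashboard(policy, observed):
    """Consolidated view: per tool, is the live configuration compliant, and
    which settings drifted? `observed` maps tool name -> settings in policy terms."""
    report = {}
    for tool, settings in observed.items():
        drift = {}
        for key, actual in settings.items():
            expected = policy[key]
            if _norm(expected) != _norm(actual):
                drift[key] = {"expected": expected, "actual": actual}
        report[tool] = {"compliant": not drift, "drift": drift}
    return report


def demo():
    """Constructed scenario: the IdP matches policy; someone added an extra
    admin CIDR directly on the firewall, bypassing the central policy."""
    idp_live = to_identity_provider(CENTRAL_POLICY)
    fw_live = to_firewall(CENTRAL_POLICY) + ["permit tcp 192.168.0.0/16 any eq 22"]
    observed = {
        "idp": from_identity_provider(idp_live),
        "firewall": from_firewall(fw_live),
    }
    return posture_dashboard(CENTRAL_POLICY, observed)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the only way to express intent is the central policy; each tool gets a one-way renderer to its native format and a reader back into policy terms, so the dashboard never compares raw tool configs against each other, only each tool against the single source of truth. In the constructed scenario the firewall shows up as non-compliant because an out-of-band change permitted a second CIDR, which is exactly the kind of drift the consolidated dashboard layer exists to surface.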

Benefits of Cybersecurity Mesh

Fortinet highlights the benefits of cybersecurity mesh, emphasizing that CSMA is poised to help organizations transition from obsolete legacy security systems to an integrated cybersecurity approach. This integration is vital as it enhances security, promotes operability among different security tools, and fosters agility.

This novel approach offers several crucial benefits, according to cybersecurity providers.

Responsive Security

The intelligent security design of a CSMA increases the agility and resilience of an organization’s security setup. With security tools working together on the same standards of zero trust, this approach ensures that an organization’s network receives the best real-time defense against known and evolving threats.  

A cybersecurity mesh is better able to handle more IAM (identity and access management) requests, allowing for more mobile, adaptive, and unified access management. This means an organization will have a more reliable approach to managing access to and control of its digital assets, which are more spread out now than ever before.

Source: IBM Cost of a Data Breach Report 2021

This is especially significant as IBM reported that companies with a workforce that is more than 50% remote took 58 days longer to identify and contain breaches than those with less than 50% remote employees.

Improved Collaboration

CSMA extends security across the entire organizational network while allowing IT departments to secure all systems and access points with a single set of interoperating tools and technologies.  

With the shift towards hybrid cloud solutions and remote work, organizations are making efforts to not only integrate third-party applications and services but also to ensure that those technologies are appropriately secure. 

This setup also improves the speed and efficacy of threat detection, and consequently response and prevention strategies as well. The information gathered by each security tool can be leveraged within the ecosystem to quickly address each security threat that may crop up.

Flexibility and Scalability

A key feature of CSMA is its distributed nature, creating individual security perimeters around each access point within an entire network and ecosystem. What this allows is deep visibility of the network edges, ensuring that all areas are protected in equal measure.  

The flexibility that this creates in a security system also gives organizations more agility to build new IT infrastructure and introduce new solutions as needed without compromising protection. An IT department is better able to keep up with the evolution of expanding and distributed IT infrastructure within the CSMA.

Redefined Cybersecurity Perimeter

The traditional “walled city” approach to cybersecurity, where a perimeter is set up around the network, may have been effective when it was first introduced. However, now that applications, data, devices, and users are operating outside of the traditional data centers and offices, CSMA becomes vital.

The redefined cybersecurity perimeter that is key in the CSMA reduces the time taken to deploy security measures and responses as it offers a distributed identity fabric that establishes trusted access at each entry point into the network.  

On that note, CSMA is also expected to reduce insider threat incidents according to Gartner. These include credential thefts and attacks by malicious insiders which can cost organizations about $15.38 million per incident.  

Source: 2022 Cost of Insider Threats Global Report

There has been an increase in the frequency of insider threats from 60% in 2020 to 67% in 2022, in part due to the dramatic shift to remote and hybrid working as well as the “Great Resignation”. People are leaving organizations but still have access to critical data, systems, and infrastructure within the organization – this creates more vulnerabilities. 

The CSMA approach of building new perimeters and layered defenses around each device and network access point could make all the difference in mitigating this issue.

Simplified Deployment and Management

The agility of a CSMA also benefits organizations by making it easier and quicker for security teams to deploy and configure new solutions. Gartner’s proposed consolidated dashboard, which makes up one of the layers of CSMA, would enable organizations to better adapt their security structure to meet evolving business and security needs.  

An integrated security architecture would remove the need for security teams to switch between and operate various tools, which takes up precious time. Instead, it frees them up to focus on deploying and configuring solutions and on other critical security tasks, thereby improving efficiency overall.

Challenges of CSMA

While the benefits are many, totally overhauling the approach to security can pose several challenges. 

Some key challenges include:  

Ensuring proper training and support 

This is a relatively new framework and implementing it requires a significant change in the mindset. Organizations that want to build a CSMA will have to make significant investments in ensuring that their IT personnel are prepared and well supported during the transition.  

Ensuring a secure and simple identity-based system

A key aspect of CSMA, as mentioned before, is the newly defined security perimeter. Organizations will have to ensure that users are able to securely and easily access the network without it being a distraction that would lead to reduced productivity.  

Difficult and costly to apply to an existing ecosystem 

The CSMA would be much easier to incorporate during the planning stage of a security ecosystem, conducting discussions and reviews of security procedures with cloud and platform providers. Organizations that are looking to make this shift with an existing ecosystem may find it more challenging to do so. 

Cybersecurity mesh is at the core of the zero trust philosophy. The change in mindset required to make this shift could pose a significant hurdle, not to mention the cost that implementing a system based on this approach might incur.

Though the CSMA seems to bring with it many benefits, the challenges of making such a major shift in the security framework remain. Given that, will CISOs and security leaders make the leap?

What’s Your Cybersecurity Budget?

The damage cyberattacks cause organizations is on the rise, costing them millions. Although cybersecurity spending is projected to increase dramatically, CISOs must structure their cybersecurity budgets based on their organization’s needs, vulnerabilities, and swiftly evolving trends such as the shift towards remote/hybrid work and a growing reliance on cloud services. Read on to discover the key current factors driving cybersecurity budget prioritizations.

The rising cost of cybersecurity breaches

A report by the Identity Theft Resource Center noted that data breaches in 2021 exceeded those in 2020, with an estimated 281.5 million people affected. The cost of this is monumental, especially for businesses. The average cost of cybercrime amounts to $1.79 million per minute for businesses, highlighting the impact that cybersecurity has on an organization’s operations.

It is no surprise, then, that cybersecurity budgets are on the rise each year in line with this evolution. Approximately 44% of IT professionals cited improving cybersecurity as a justification for increased IT investments, according to the ESG research report on its Technology Spending Intentions Survey in 2022.

In fact, cybersecurity spending is growing at a faster rate than overall IT spending, with 44% of security leaders expecting their budgets to increase in the next 12 months, according to CSO’s 2021 Security Priorities Study. This is in line with the findings reported in PwC’s 2022 Global Digital Trust Insights report, which states that 69% of organizations predict a rise in their cyber spending for the year.

Additionally, tech research firm Gartner projected that spending on information security and risk management will top $172 billion in 2022, a $17 billion increase from 2021 and $35 billion more than in 2020.  

In 2021, Microsoft announced a $20 billion cybersecurity budget over the next five years while Google CEO Sundar Pichai announced that the company is investing $10 billion in that same period.

Cybersecurity spending priorities

Though the projections for cybersecurity spending increase each year, it is still limited. As CISOs grapple with increased risk, they are also searching for ways to spend their funds most efficiently.  

One way to do that is to understand the threat landscape and the needs of the organization. Over the last three years, Gartner has predicted that the top five areas for security spending growth are application security, cloud security, data security, identity access management, and infrastructure protection.

Current developments will also affect budget priorities. In the two days following the start of the Russia-Ukraine war, suspected Russian-sourced cyberattacks were observed by US-based cybersecurity agencies, an increase of over 800%.  

In March, the hacker group Anonymous warned that it would attack major corporations that have not pulled out of Russia since the war began. It was later reported that the group had hacked Nestle and leaked over 10GB of important data including client information, emails, and passwords. Other organizations that were targeted include Burger King, Subway, and cloud computing firm Citrix. 

The US Department of Homeland Security, FBI, and others have issued warnings for organizations to be prepared for further threats.

Cloud Security is a key focus

The global pivot to remote work catalyzed by the COVID-19 pandemic has redefined many organizational structures and led to a growing reliance on cloud services and digital tools, leaving them vulnerable to different types of cyberattacks.  

An IDC survey by Ermetic found that 79% of companies experienced at least one cloud data breach in the last 18 months. This is alarming given that 92% of an organization’s IT environment is cloud-based, making cloud security a key concern for CISOs and other C-level professionals.  

Unsurprisingly, CISOs are prioritizing cloud security, which would drive budget priorities. According to ESG, 62% of the IT personnel surveyed said they are planning to increase spending on cloud application security while 56% said they are investing in cloud infrastructure security.  

 
 

We have also found, as shown in our latest Cybersecurity Investments trend report, that 60% of CISOs and their C-level counterparts are focusing on cloud security, specifically third-party management and resilience or Zero Trust Architecture. Many of the organizations interviewed also noted that they are looking to expand their cloud solutions and adopt a hybrid cloud, enabling them to keep sensitive data processing secured on-site.

Employee Awareness can reduce security risks 


Another area of focus for CISOs is employee awareness, with 58% of organizations citing it as a key focus of their cybersecurity strategies. A Ponemon Institute study showed that 68% of organizations have experienced at least one endpoint attack, compromising their IT infrastructure and data.  

Similarly, IBM found that a staggering 95% of cybersecurity breaches were caused by human error.  

As Mika Susi, former Executive Director of the Finnish Information Security Cluster said: “Many times, humans are said to be the weak link in cybersecurity. Recently, we have also seen many attacks using an organization’s supply chain and partners as weak spots to get access to their network.”

Eliminating that factor would mean that 19 out of 20 cybersecurity breaches might not have occurred at all. Though it is impossible to eliminate human error completely, it is crucial to implement strong policies and training programs that equip employees with the right knowledge and tools to avoid potential cyber threats, which would decrease security-related risks by as much as 70%.

One of the challenges with improving employee awareness is that there hasn’t been enough of a focus on building a culture within organizations to identify risks.  

“As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture,” says Magnus Solberg, VP & Head of Security Governance at Storebrand.

Implementing a bottom-up approach to training employees to think in and act in a risk-based manner is one way to mitigate the human factor, says Mr. Solberg. He also suggests arming employees with tools to perform more structured and documented assessments, both mental tools as well as stronger policies, guidelines, and software.


Cybersecurity resilience and readiness 


At the same time, cybersecurity leaders are actively searching for new strategies to quickly detect and respond to cyber breaches.  

In 2021, there was a major surge in cyberattacks compared to previous years. According to SonicWall’s Cyber Threat Report, there was a 105% increase in ransomware attacks that year from the previous year. Narrowing down, government institutions saw a 1,885% increase and the healthcare industry saw a 755% increase in such attacks. According to Sophos’ State of Ransomware 2021 report, retail, education, and business & services sectors were hit with the most ransomware attacks.  


In July 2021, Swedish supermarket chain Coop was forced to shut down over 400 stores due to a major ransomware attack on its point-of-sale systems. This was part of the same ransomware attack which affected over 200 businesses, mainly in the US. More recently, several oil storage and transport companies across Europe were hit with ransomware attacks. Specifically, Oiltanking in Germany, SEA-Invest in Belgium, and Evos in the Netherlands were all forced to operate at limited capacity due to the attack. 

Sophos’ report also revealed that, on average, it costs an organization a total of S$1.85 million to recover from a ransomware attack, up 143% from the previous year. The findings also showed that only 8% of organizations that fell victim to a ransomware attack were able to recover all their data after paying a ransom. Approximately 29% only managed to recover no more than half their data.  

Beyond that, a recent survey found that 66% of respondents suffered a significant loss of revenue following a ransomware attack while 53% reported that their brand images were negatively affected. Alarmingly, 29% said ransomware attacks led to employee layoffs.  

The cost of a ransomware attack or recovering from other forms of cyberattacks could set organizations back a major chunk of their budgets if they are not prepared in advance. In fact, the increased cost of ransomware attacks has also driven up premiums on cyber insurance policies, adding to the need for organizations to be financially prepared.  

CISOs are constantly looking for ways to strengthen their organization’s ability to resist and recover from a multitude of threats, which in turn informs their cybersecurity investment priorities. What other factors should organizations consider when setting their cybersecurity budgets?  

ECSO’s Luigi Rebuffi: Bridging the Gap In Trust and Talents Within Cybersecurity

The impact of COVID-19 on cybersecurity has shown how much work businesses still need to do when dealing with cyber threats. Attacks such as the SolarWinds hack show that CISOs need to build awareness, prevention, and security practices into their organization’s culture.

As the Secretary-General and Founder of the European Cyber Security Organisation (ECSO), Luigi Rebuffi shares with us his insights on the role of Public-Private Partnerships (PPP) in digital security, the challenges that come with it, and how organizations are bridging the talent gap within cybersecurity.


Understanding The Role of Public-Private Partnerships in Digital Security

Public-Private Partnerships (PPP) in cybersecurity continue to be a necessity for both the government and the private sector to overcome the increase in cyber threats. While PPPs can serve as a foundation for effective critical infrastructure security and resilience strategies, there is still a need for clarity from both sides.

Rebuffi highlights how cooperation will be key in setting up an effective relationship between the government and businesses to effectively use PPP in cybersecurity.


How can PPP be used effectively for both the private and public sectors to overcome digital threats?


When looking at a public-private partnership, the traditional relationship in the private sector gives information to the public sector, which will then assess the situation and give guidance on how to solve the crisis.

However, a more dynamic cooperation must be continuously built up in order to be ready and react rapidly in an efficient partnership in case of a crisis. That is what we’re trying to set up with ECSO, since 2016, where there is full cooperation in different elements of the cybersecurity ecosystem.

Cooperation with the public sector on policy and legislation, to give certain advice and standards, certifications, investments, and discussion on the cyber threats, and on what cyber threats the private sector is facing every day, not only during crisis periods.

And the cooperation should not only be about overcoming the crisis but also about how you support the companies, including SMEs and startups through education training in the development of certain innovative technologies and services.

It is a full spectrum of cooperation. Not just a quick fix in the case of a crisis, like the SolarWinds attack. And we need to change that, to have that full public-private cooperation across different ecosystems. It is a bilateral relationship, not just a transfer of information.


Establishing Trust and Overcoming the Challenges In Public-Private Partnerships

The creation of the PPP was meant to improve the collaboration between private stakeholders and the public agency for Information Sharing. However, establishing trust has always been the biggest barrier for many businesses to engage in PPP.

Rebuffi reiterates the point that the key foundation in building a solid bridge between the private and the public sector will be on CISOs to build trust while overcoming the challenges that come with incorporating PPP within their organization.


What can organizations do to foster trust and improve the relationship between the public and private sector and bridge the gap in PPP?


Trust is not easy to build, especially in this period characterized by COVID-19. Establishing trust via remote connection is not an easy task, especially when you are working on sensitive matters such as cyber security. You need a kind of bottom-up approach where you first build up trust in your sector.

For example, if you are in the private sector, it is easier to build up trust with the people that you know, the people who are around you, in your region, in your country, and your sector. So you build trust from the bottom up.

The problem then is to see how you can link with other sectors or from other countries.


What challenges does the CISO face in establishing and nurturing PPP within their organization?


CISOs are still struggling because they are still trying to convince their management of the importance of cybersecurity, IT systems, and the investments needed. It is something that I imagine will be exacerbated by the acceleration of the digital transformation due to COVID-19.

The challenge will be more pushed towards getting the system working to have better control of data so that when we talk about digital sovereignty, we can think about better control of data. Looking ahead to cybersecurity trends in 2024, CISOs will likely encounter evolving challenges in managing these aspects, necessitating even more robust and forward-thinking strategies. They will need to stay abreast of the latest developments and adapt to the rapidly changing cyber landscape. And CISOs who are dealing with security, sensitive applications, and services, would need trusted and reliable supply chains.

So, on one end, they have to overcome the skepticism within their organization while finding resources to “feed” their systems correctly and find trust in reliable solutions. Of course, there’s also the problem of educating employees, as the human factor is also non-negligible.


Fostering Talent to Bridge The Cybersecurity Skill Gap

With cybersecurity becoming an integral part of an organization’s business strategy, the demand for talent has grown significantly as well. However, the number of skilled and qualified workers is still well below the demand, with gender balance still being a major issue.

Rebuffi continues to advocate for more gender balance in cybersecurity through the Women4Cyber Foundation and highlights how CISO and IT leaders can still help nurture an environment for building talents in cybersecurity.


How can IT leaders and CISOs attract, retain, or build cybersecurity talents within their organization?


CISOs, IT leaders, and I would also say human resources, have to show to the talents that they have the opportunity in this cybersecurity domain for a structured and well-paid career.

Some people are interested in working in cybersecurity as it is a career that is evolving continuously. You keep learning and you face challenges in a very dynamic environment while somehow contributing to the growth of the society or organization. But talents want to be properly compensated and want to see a path in their career.

And of course, IT leaders and CISOs have to show their employees that they can give adequate education and training to those who want and are looking to transition from a traditional job to one that is more linked to the digital sector due to the digital transformation.


How have initiatives such as Women4Cyber helped in fostering cybersecurity talents?


We are at the beginning stages with Women4Cyber, which is growing like a strong wave, and now we see the creation of national chapters across Europe. We are starting to see that people want to cooperate with different activities, support inclusion, and increase the participation of women in cybersecurity.

And this is important to us because we cannot exclude 50% of the population from the talent pool simply because they are women, and businesses are slowly learning that and trying to be better.

I will say that we are seeing smaller companies, like IT startups, and larger companies awakening and looking for experts, as well as hiring more women. But as I said, the movement is a strong wave that will come up and businesses have to realize that we desperately need people and they need to support that.

How Banks Stay Competitive in a Digital Landscape with Increased Cyber Threats

Ricardo Ferreira, Field CISO, Fortinet

In banking and finance, the transformation strategy needs to have the customer experience in focus to build trust, which is crucial in today’s digital life with fewer physical customer meetings.

Banks must be agile in their business model to quickly create new applications that are required for an optimized user experience, says Ricardo Ferreira, Field CISO at Fortinet.

With DORA (Digital Operational Resilience Act), European financial institutions get new guidelines aimed at reducing the risk of cyber-attacks. Fortinet helps its customers comply with these regulatory requirements. – We can protect everything that has access to the network and banks should have a security architecture that includes multiple private and public cloud platforms. What makes Fortinet unique is that we can take a holistic approach to security in the financial institutions’ digital transformation journey, says Lars Berggren, Country Manager Fortinet Sweden.


An improved user experience with Bank 4.0

In the Nordics, cash handling has decreased significantly in recent years, while digital payment solutions have increased rapidly. Swedish banks, for example, were early in launching internet banks, but in recent years the focus has shifted to making sure they comply with the regulatory requirements. With new Fintech companies attracting customers, Swedish banks need to put more effort into their digital development to be competitive. Cyberattacks and threats are becoming more and more sophisticated. Fortinet provides support in the digital transformation and has crucial expertise in risks and threats.

– Cloud-based platforms, both private and public cloud, are crucial for banks when developing solutions for a better, high-quality user experience. The transformation that banks need to go through, with new digital platforms and a more agile business model, is what we refer to as Bank 4.0. Today, you need to be fast and flexible to protect yourself and there must be a proactive security platform that supports the business and provides a holistic view, says Lars Berggren.


Secure the brand reputation of your bank

Digitalization brings many opportunities for the banks, such as increased sales, finding new business models and applications as well as refined customer offerings. Fortinet can help improve user-friendliness and at the same time secure the bank’s brand reputation by reducing the risk of cyber-attacks, says Ricardo Ferreira.

Read more about the driving forces in the market that are affecting banks right now, and how an improved infrastructure for cyber security can strengthen your competitiveness, in this e-book.


About Fortinet

According to Gartner, Fortinet is a leading provider of cybersecurity solutions and enables companies to build secure digital infrastructure and be at the forefront of their digitalization journey. The Fortinet Security Fabric platform provides broad, integrated, and automated protection for the entire digital attack surface, by securing critical devices, data, applications, and connections from the data center to the cloud as well as to the home office.

*This article was contributed by Lars Berggren of Fortinet.

The Foundations of a Genuine Zero Trust Security Approach

Digital transformation has fundamentally changed communication and everyday work in modern companies. As employees become more mobile, their own devices are used both for personal communication and for work, so that business applications and data are accessed over public networks. At the same time, sensitive business data has become ever more distributed and now resides outside the corporate perimeter, in SaaS applications such as Microsoft 365 and in private applications on AWS, Azure or Google Cloud platforms.

The digital transformation process increases the agility and information flow of companies, but it also dramatically enlarges the attack surface and exposes companies to new threats. This has led to traditional firewall-based network security being reconsidered in favour of a cloud-based Zero Trust architecture. However, the term Zero Trust has been used so loosely in recent years that companies are confused and hesitant to implement it.

What does Zero Trust mean?

Although the concept of Zero Trust has existed in the cybersecurity industry for more than a decade, the term does not simply stand for a single technology, as in the case of identity management, remote access or network segmentation. Zero Trust is a holistic approach to securing modern organizations. It is based on the principle of least-privileged access and thus on the premise that no user and no application should be considered trustworthy from the outset. Without that advance trust, every access must be established on the basis of user authentication and context. In this model, company policies act as the gatekeeper at every step.

At its core, a Zero Trust security platform is built on three pillars:

  • Connectivity is based on identity, and policies are created based on context
  • Applications are made invisible to attackers
  • A proxy-based architecture is used to connect to applications and to inspect traffic

Identity- and policy-based connectivity

Conventional VPNs and firewalls bring users onto the network in order to give them access to applications. Once a user is on the network, the trust granted increases the risk of lateral movement by malware that has been brought in. Zero Trust, by contrast, uses context- and identity-based authentication and policy checks to connect verified users securely to specific, approved applications, without letting users access the corporate network directly. This prevents lateral movement and so reduces business risk. Because network resources are never exposed to the internet, companies can protect themselves in this way against ransomware, DDoS and targeted attacks.
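The decision logic behind this pillar, as an added example that is not part of the original article and not Zscaler's code: a deny-by-default policy evaluator that brokers a verified user to one specific application only when both identity (group membership) and context (MFA, managed and compliant device, location) satisfy the rule for that application. Anything without a rule is denied, and no decision ever grants "network" access. The application names, groups, policy rules and sample sessions are all constructed for this illustration.

```python
"""Deny-by-default, identity- and context-based access decisions (added example).

All applications, groups, rules and sessions below are constructed; there is
no implicit trust for being 'on the network', only per-application decisions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Context:
    """Identity plus request context evaluated together (constructed fields)."""
    user: str
    groups: frozenset          # groups asserted by the identity provider
    mfa: bool                  # session completed multi-factor authentication
    device_managed: bool       # device is enrolled in management
    device_compliant: bool     # device passes posture checks (patched, encrypted, ...)
    country: str               # ISO country code of the connecting location


@dataclass(frozen=True)
class Rule:
    """One policy rule: who may be brokered to an app, and under what conditions."""
    app: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True
    allowed_countries: Optional[frozenset] = None  # None means any location


# Hypothetical policy: an application is reachable only through its rule.
# Applications without a rule do not exist from the user's point of view.
POLICY = {
    "hr-portal": Rule("hr-portal", frozenset({"hr", "it-admin"})),
    "wiki": Rule("wiki", frozenset({"staff"}), require_compliant_device=False),
    "payments-admin": Rule("payments-admin", frozenset({"finance-admin"}),
                           allowed_countries=frozenset({"DE", "NL"})),
}


def authorize(ctx: Context, app: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every unmet condition denies; the reason is
    what a broker would log for the decision, not what it would tell the user."""
    rule = POLICY.get(app)
    if rule is None:
        return False, f"no policy for {app!r}: default deny"
    if not (ctx.groups & rule.allowed_groups):
        return False, "identity not entitled to application"
    if rule.require_mfa and not ctx.mfa:
        return False, "MFA required"
    if not ctx.device_managed:
        return False, "unmanaged device"
    if rule.require_compliant_device and not ctx.device_compliant:
        return False, "device not compliant"
    if rule.allowed_countries and ctx.country not in rule.allowed_countries:
        return False, f"access from {ctx.country} not permitted"
    # A positive decision connects the user to this one application only.
    return True, f"connect {ctx.user} to {app} only"


def reachable_apps(ctx: Context) -> List[str]:
    """Applications this session may be brokered to; all others stay invisible."""
    return sorted(app for app in POLICY if authorize(ctx, app)[0])


if __name__ == "__main__":
    # Constructed session: HR employee, MFA done, compliant managed laptop, in Germany.
    alice = Context("alice", frozenset({"staff", "hr"}), True, True, True, "DE")
    for app in ("hr-portal", "wiki", "payments-admin", "legacy-fileshare"):
        print(app, authorize(alice, app))
    print("reachable:", reachable_apps(alice))
```

Each denial reason is deliberately specific so that a broker can log and later audit why a request was refused, while the checks are ordered so that entitlement is tested before device and location context; re-ordering them changes which reason is logged but never the outcome.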

Applications become invisible to outsiders

Migrating applications to the cloud considerably enlarges a company's attack surface. Conventional firewalls publish applications on the internet, so that they can be found by users but also by hackers. A Zero Trust approach avoids exposing the corporate network to the internet by hiding source identities and obscuring IP addresses. A company's attack surface can be reduced by making applications invisible to attackers and accessible only to authorized users. This lets companies secure their access to applications on the internet, in SaaS, and in public or private clouds.

Proxy-based architecture for connecting to applications and inspecting traffic

Next-generation firewalls struggle to inspect encrypted traffic comprehensively and without loss of performance. This often forces companies to choose between fast availability and security, and availability often wins. Inspection of encrypted traffic is consequently bypassed, which can lead to a greater risk of cybersecurity threats and data loss. In addition, firewalls use a passthrough approach that allows unknown content to reach its destination before a malware analysis has been completed. Only once a threat has been detected is an alert sent. That may be too late to prevent the malware from executing.

Effective protection against threats and data loss instead requires a proxy architecture that inspects SSL sessions, analyses the content of transactions and makes policy and security decisions in real time before traffic is forwarded to its destination. All of this must also be done at scale and without impairing performance, regardless of where users connect from.

Zero Trust delivers modern security

The successful adoption of Zero Trust begins with the right platform, built on the pillars described above. To implement it, IT decision-makers must move away from traditional ways of thinking. Modern security goes hand in hand with a holistic transformation that fits into the overall concept of the cloud and combines the connectivity ecosystem with security. The Zscaler Zero Trust Exchange provides the necessary foundation for this.

Magnus Solberg: Does Your Organization Have a Robust Security Culture?

Hybrid work models and digital device dependency have greatly increased an organization’s susceptibility to cyber attacks. As these attacks become more intense and complex, cyber resilience and awareness are critical. We speak with Magnus Solberg, VP & Head of Security Governance at Storebrand, on his experience building the company’s security culture, the link between cybersecurity and risk management, and more. 


How are cybersecurity and risk management connected in today’s organizations? 

Cybersecurity and risk management are at this point deeply intertwined. In almost every industry, cyber risk is in the top three categories of both operational and business risks. This is because nearly all critical assets are now digital. Of course, this leads to an enormous number of risks that an organization didn’t have 20 years ago.  

Unfortunately, the sheer speed of this development has caused difficulties for a lot of organizations. This goes down to simple things like definitions of risk, and of static policies and processes. Many governance structures are not rigged for disruptive change, such as “new categories of threats and risks.” I think that anchoring the understanding and competence necessary to include cyber in broader risk management is also a challenge. Beyond tech companies, it’s a fact that the board of directors and to a certain extent, C-suites, do not include technologists, which slows down the adoption of modern risk management. Cybersecurity and risk management are very connected but there is still a long way to go to make them as connected as they should be. 


What makes for a robust risk culture beyond the traditional 3LoD? 

As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture.

You need to really engage the human factor by having a bottom-up approach that enables your employees to think and act in a risk-based approach as a reflex. This can be done by teaching them about threats and potential consequences by training them to perform not only ad hoc, subconscious risk assessments, but also give them the tools to perform more structured and documented assessments – mental tools as well as strong policies and guidelines, and the proper software tools. In my opinion, building a robust security culture is both dependent on and a fundamental ingredient of building a robust risk culture.


What are the most effective digital tools and technologies in risk management? 

Can I answer PowerPoint and Excel? Or even the good old whiteboard? [laughs] Of course, I’m only partly joking because I think the biggest revolution in the last couple of years has been the way home officing has exploded the way we utilize collaboration platforms. At the same time, these platforms were forced to provide more robust solutions for things like proper access control, document or file revision history, classification, and of course, API connectivity to other tools. This means that we can get a lot of what we need in terms of managing risks.  

Workshops, creating assessments, performing audits, and even tracking remediation can be done via these platforms. We can use everything from OneNote to the tired but time-tested spreadsheets without losing control because it’s all protected, indexed, and searchable. That being said, I still see the need for a proper enterprise risk management tool that tracks risks, makes people accountable and responsible and of course, pleases our auditors. Exactly which technological solution or which software that should be, I don’t really have any strong opinions about but there are a lot of good ERM tools out there. 


Do you think employees are the weakest link when it comes to an organization’s level of cybersecurity? 

It’s irrefutable but it’s the wrong way of looking at it. People are not a simple link in a chain, people are at the nexus of it all. The only reason why we have cybersecurity issues is that there are people out there who are after either stealing, changing, or making information unavailable. No company was ever created simply to be secure: We exist to create services or products for people, and there are people out there who want to benefit illegally from that. Some experts like to say that people are the weakest link, but so is technology. People are the ones configuring that technology or using that technology wrong. Some even have the hubris of buying their way into security, which is equally a weak link. I think putting the blame on people for poor security is misunderstanding the issue completely. You can’t have security without people. But then again, because of people, we need security.


What were the biggest challenges during the implementation of Storebrand’s security culture program and how did you overcome them?   

We’ve been at it for six years and we started very much from scratch. When we started, there was nothing in terms of security awareness training, much less a security culture program. There were several challenges that had to do with mid-management buy-in. Although we did have support from the top management, we were also not given an adequate budget or allowed to make the training portion of the program mandatory. The latter made it especially hard to motivate our mid-level managers to introduce this training to their employees. Mid-level management is all about delivering results and eating up their time and resources does not land you on their friend list.  

So, it did take a lot of time and dedication to make them understand that a secure employee is a low-risk employee. As soon as we reached that turning point, it was immensely satisfying, because mid-level managers are key to enhancing the security message to all their employees. But they’re also an important target group, constituting human risks in themselves. As time went on, we could point to concrete results including the avoidance of huge risks due to more risk-aware workers. We finally received an unbroken chain of buy-in all the way from the top and down via the mid-level managers. That ended up landing us a nice budget and made training mandatory. 


How did you develop the program’s framework to ensure it was dynamic enough to handle the evolving threat landscape?  

The framework we developed is in its essence, dynamic, and scalable because it’s all about answering five fundamental questions: Why are we going to do this? Who are we? What do we need to address? How should we go about doing that, and When should we do it?  

In order to answer these questions, we revise and update a number of working documents. For example, we have a program strategy, a target group analysis, and learning objectives based on the current threat and risk landscape. We then test out a lot of different learning platforms and other engagement activities. This is done continuously to allow for emerging risks to be included almost instantly. However, we also do it more formally once every two years, where we do a full audit and revision of the whole program. We’re actually in the middle of doing a full revamp and plan to launch a new version of the program next summer.  


How do you measure the program’s success? 

We use a lot of different metrics to measure success and have KPIs linked to distribution, which measures how many employees we reach and how many complete various parts of the training. We have KPIs linked to knowledge where we can see if an employee received and internalized the message. Finally, there are KPIs related to behavior — this allows us to see if training has actually changed risky behavioral patterns.  

Additionally, we perform a group-wide security culture audit every two years performed by our internal audit, who, among other things, performs a comprehensive self-assessment that is sent to all employees. With this independent report, we get a clear picture of how we fare with security culture and whether the success of the program addresses our current needs.  

Our most recent group-wide security culture audit was completed in January this year, the third one we’ve had in six years. That means we can now begin to accumulate historical data that shows encouraging results. Yes, our employees are more competent, more motivated, and a lot more risk-aware than they were before the program started.  

Finally, another measure of success is a bit more qualitative. It has to do with how the program itself has been received. We do gain a lot of positive attention from both regular employees as well as the high reps. And even externally: My team and I do presentations at various conferences, and for other companies as well, just to share how we have “cracked the human code.” 


Can you share some current highlights of the program?    

Yeah, absolutely. As I mentioned earlier, we are in the middle of our biannual revamp. I think one of the best things about maturing the program is its correspondence with the maturing of the organization. We now have various security tools on the technology side that help us create more individually tailored training programs. For example, every employee is invested with a security score, which is automatically defined by their actions: whether they fall for phishing assessments, whether they report incidents, and so on. This also paves the way for rudimentary gamification, which will be quite fun to see how we can implement.

Secondly, I’ll have to highlight our security month. This is something we’ve been doing for six years, and it’s been one of the most important boosts to communicate risk and security, and by extension, the security culture program itself. Every October, we skip the focus on corporate security and put the focus on each person instead. “Why is security important for you and your loved ones?” We pull in external speakers every week to address some common people security problems, such as social media, digital tracking and manipulation, and fake news. We also have weekly security quizzes that are a bit tongue in cheek as well as having great prizes. We do hackathons, we do cool stunts such as “hack yourself”’ competitions, and we do physical stands with security cupcakes. It’s a lot of work, but very fun. 

One of our goals is to make our employees more secure at home, which means they are going to be more secure at work. But also, it has to do with simply marketing our security efforts by getting out there and meeting people. It makes security, if not fun, then at least interesting, because for a lot of people security is boring, or they think it has nothing to do with them.  

On a personal note, I felt we were getting somewhere a couple of years ago when I was invited to do a three-hour workshop on building our security culture program at the security conference in the EU parliament in Strasbourg. Knowing that we built something that works and helping other organizations do the same makes me very happy and fulfilled.

*The answers have been edited for length and clarity. 

Mika Susi: How Companies Can Remain One Step Ahead of Cybercriminals

With cybercrime, it is now not a question of ‘if’ but ‘when.’ Today’s cybercriminals are more advanced, quickly adapting their tactics with each improvement in an organization’s security system. How can IT leaders ensure that cybersecurity systems are powerful enough to keep even the smartest cybercriminals at bay?  

We had an opportunity to pick the brain of Mika Susi, former Executive Director of the Finnish Information Security Cluster, on how cybercriminals think, the role of cybersecurity in risk management, steps to improve employee cybersecurity programs, and more.  


What weak spots do cybercriminals look out for before carrying out an attack? 

It is true that digitalization tends to expand the attack surface of an organization. Many criminals carry out intelligence gathering on their victims before the attack. There are several weak spots that are commonly utilized. Unpatched vulnerabilities are a common target for criminals. Many times, humans are said to be the weak link in cybersecurity. Recently, we have also seen many attacks using an organization’s supply chain and partners as weak spots to get access to their network. Therefore, you must assess your cyber risk environment through technology, people and partners.

What role does cybersecurity play in an organization’s risk management strategy? 

Nowadays, cybersecurity should definitely be on every organization’s strategic risk management agenda. You just can’t avoid it anymore. Cybersecurity issues are currently a very relevant strategic question for most organizations. Your top-level executives should at least be aware of security issues concerning business continuity, communications, and R&D.

As a whole, a good level of security should not slow down digitalization. A well-planned and executed digitalization process, where security is taken carefully into consideration, enables safe and secure digital operations, better efficiency and resilience for the organization. Therefore, security is not an obstacle — it should be seen as an enabler. 


How can IT leaders ensure that they are making the right IT security investments?

Investments should always be based on a good risk management process. This means that they are efficient and tailored precisely to an organization´s needs. There is no investment rulebook or checklist that can be applied to every environment. An organization must understand its own unique risk environment and through that set out the most urgent and effective investment needs. 


What are the biggest challenges organizations face when building cyber resilience? 

There is of course always the question of the need for funds and investments. Unfortunately, not all organizations are ready to invest heavily in cybersecurity. I think the major challenge for many organizations is to understand cybersecurity as a strategic level question. It is not just some IT guy in the basement using his company’s money to buy fancy security gadgets.

Building a good level of cybersecurity is an all-encompassing mission for an organization. It’s about people, leadership, communications, partners, learning and continuous development. In other words, it’s a process that will never be 100% completed. But if you invest in it, you will eventually see a good return on your investment. 

What immediate measures should organizations take after experiencing a cyber attack? 

Of course, it is necessary to start the containment and recovery process immediately. This means that you have to understand what is happening and what has happened already — in other words, gain the current situational picture. There is no other way to define the measures needed. If you feel uncertain about this, you can always contact professionals to help you. I would like to stress that readiness for both external and internal communications is crucial. 

At the same time, it is important to remember that there are several regulatory reporting requirements concerning data leaks and breaches. Contacting the relevant authorities like the national cybersecurity center or the police is also very advisable as they can offer help and advice.


Do you think employees are the weakest link when it comes to an organization’s level of cybersecurity? How can cybersecurity training programs for employees be improved?

This might be a mantra that everyone is tired of, but in some respects, it is still a valid argument. We are all vulnerable to scams and fraud, and we can be socially engineered to do something harmful in a digital environment. However, well-trained and motivated employees are a great strength for an organization. If they notice risks, they will react, assess and report. In that case, they are definitely not the weakest links.  

I see that basic knowledge of cybersecurity issues is currently a normal part of working life. Therefore, cybersecurity training programs should be very close to everyday working environments and situations. They should form a basis for continuous development for all.

Additionally, they should include some motivational aspects like reward systems. In many successful companies with a good security culture, personnel reward systems have been integrated into security training programs. That is something I would like to see more of.

What are the emerging cybersecurity and cybercrime trends in 2022? 

This is always a good question! Nothing is harder than predicting – especially predicting the future. However, I can say that we are still going to see the constant evolution of cybercrime. Criminals develop their tactics further, and we are going to see a continuous flood of, and changes in, ransomware and other online fraud campaigns.

Secondly, one thing that already affects many organizations is growing regulation. We see this everywhere. Every company should prepare for growing cybersecurity compliance requirements. From a technological side, I think questions concerning cloud security, IoT and the security of wireless networks will be relevant in the next few years. Many organizations have uncertainty about these issues, and it is important for all organizations to experience the benefits from digitalization and developing technologies. I see that security’s role is to enable growth and efficiency, and not to hinder them.

*The answers have been edited for length and clarity. 

The Top Worry In Cloud Security for 2021

The cloud is an environment full of potential. It provides easy access to technologies that simply weren’t available a decade ago. You can now launch the equivalent of an entire data center with a single command.

Scaling to meet the demands of millions of customers can be entirely automated. Advanced machine learning analysis is as simple as one API call. This has allowed teams to speed up innovation and focus almost exclusively on delivering business value.

But it’s not all unicorns and rainbows.

The assumption was that alongside this increased potential, the security challenges we see on-premises would grow as well. Teams should be struggling with zero days, vulnerability chains, and shadow IT.

It turns out they aren’t. At least those issues are nowhere near the top of their list of concerns. The top security challenge for builders in the cloud is very straightforward.

Their biggest challenge is making mistakes in the form of service misconfigurations.


Shared Responsibility

First, let’s look at the evidence around the initial assumption that people make about cloud security. They assume the cloud service providers themselves are a big risk. The data doesn’t support this at all.

The big four cloud service providers, Alibaba Cloud, AWS, Google Cloud, and Microsoft Azure, have had two security breaches in their services over the past five years…combined. Now, before we get into each of these, it’s important to note that each of the big four has had to deal with tons of security vulnerabilities over this timeframe.

A large number of cloud services are simplified managed service offerings of popular commercial or open-source projects. These projects have had various security issues that the providers have had to deal with.

The advantage for us as users, and builders, is how operations work in the cloud. All operational work done in any cloud follows the Shared Responsibility Model. It’s very straightforward.

There are six primary areas where daily operational work is required. Depending on the type of service you are using in the cloud, your responsibilities shift. If you’re using instances or virtual machines, you are responsible for the operating system, the applications running on that OS, and your data. As you move to an entirely managed service, you are only responsible for the data you process and store with the service.

For all types of cloud services, you are responsible for service configuration. Even with this clear line of responsibility, the providers offer many features to help you meet your responsibilities and adjust the services to suit your needs.

Cloud Service Provider Issues

Now, let us take a look at providers’ security issues over the past five years. The first one is from March 2020. In this case, Google Cloud paid out a $100,000 reward through their bug bounty program to a security researcher who found a privilege escalation issue in Google Cloud Shell.

This is a service that provides a browser-based interface to the command line of a virtual machine running in your account. Under the covers, this shell is simply a container running an application to provide the required access. The researcher noticed that they were able to use a socket connection in the container to compromise the host machine and escalate their access.

The root cause? A misconfiguration in the access to that socket.

The second example is from January 2020 and it involved a service offered in Microsoft Azure. Here an issue was reported in the Microsoft App Service offering. This vulnerability allowed an attacker to escape the expected boundaries of the service and access a limited-scope deployment server with elevated privileges.

The reason? A misconfiguration in the open-source tool used to provide this web app hosting service.

In both cases, the vulnerabilities were responsibly disclosed and quickly fixed. Neither issue led to any reported customer impact. Both of these cases were in higher-level cloud services. These are services that the provider’s teams built using other services on the platform. As a result, and in line with the shared responsibility model, they were at risk of a service misconfiguration.

Even hyper-scale providers face this challenge!


3rd Party Validation

There’s more evidence to support the fact that misconfigurations are the biggest issue in cloud security. Security researchers in the community who study cloud issues have all published findings that align with this premise. Whether from other security vendors or industry organizations, the findings agree that 65-70% of all security issues in the cloud start with a misconfiguration.

Making it worse, 45% of organizations believe that privacy and security challenges are a barrier to cloud adoption.

Why is that worse?

When understood, the shared responsibility model makes it easier to maintain a strong security posture. Organizations should be pushing to move faster to the cloud to improve their security!


Direct evidence

However, surveys and targeted research projects only go so far. What does the publicly available evidence say? Here’s a list of some of the most visible cloud security breaches in recent years:

If you filter out all the reports of cloud hacks and breaches to remove incidents that were not cloud-specific—so those where the issue wasn’t related to the cloud, the service just happened to be there—over two billion sensitive records have been exposed through a breach in cloud security.

Let’s take this further and remove every single breach that wasn’t due to a single misconfiguration.

Yes, single. One wrong setting. One incorrect permission. One simple mistake…caused all of these breaches.

That leaves the Capital One breach. This more complicated event was caused by …two misconfigurations and a bug. An in-depth analysis of this breach shows that the bug was inconsequential to the overall impact which was 100 million customer records being exposed.

What’s more, Capital One is a very mature cloud user. They are a reference customer for AWS, they’ve been a huge advocate of the cloud within the community, and they were the incubator for the very popular open-source security, governance, and management tool, Cloud Custodian.

This is a team that knows what they are doing. And yet, they still made a mistake.


Pace of Change

That’s really what misconfigurations are. They are mistakes. Sometimes those mistakes are oversights, and other times they are incorrect choices made due to a lack of awareness.

It all comes back to the power made accessible by the cloud. Reducing these barriers has brought a commensurate increase in the pace of innovation. Teams are moving faster. As these teams mature, they can maintain a high rate of innovation with a low failure rate.

In fact, 43% of teams who have adopted a DevOps philosophy can deploy at least once a week while maintaining a failure rate of under 15%.

Critically, when they do encounter a failure, they can resolve it within the day…more impressively, 46% of those teams resolve those issues within the hour. But, as we know, cybercriminals don’t need a day. Any opening can be enough to gain a foothold, creating an incident.

What about teams that aren’t at this pace? Well, the other 57% of teams, the majority of which are large enterprises, often feel that their lack of pace provides protection. Moving cautiously in the cloud allows them to take a more measured approach and reduce their error rates.

While this may be true—and there’s no evidence to support or disprove this assumption—change is still happening around them. The cloud service providers themselves are moving at a rapid pace.

In 2020, the big four hyper-scale providers released over 5,000 new features for their services. For single cloud users, that means almost 2 new features a day…at a minimum. For the growing set of multi-cloud users, the pace of change only increases. So even if your team is moving slowly, the ground underneath them is shifting rapidly.


Goal of cybersecurity

Now, the goal of cybersecurity is actually quite simple. The goal is to ensure that whatever is built works as intended and only as intended. In a traditional on-premises environment, the standard approach is a strong perimeter and deep visibility across the enterprise.

That doesn’t work in the cloud. The pace of change is too rapid, both internally and with the provider. Smaller teams are building more and more. Quite often, by design, these teams act outside of the central CIO infrastructure.

This requires that security is treated as another aspect of building well. It cannot be treated as a stand-alone activity. This sounds like a monumental task, but it’s not. It starts with two key questions:

  1. What else can this do?
  2. Are you sure?

This container running the code creates the financial reports. What else can it do? Can it access other types of data? Are you even sure it’s the right container?

This is where security controls provide the most value.


Top pain points to address

Most of the time when we talk about security controls, we talk about what they stop. Using an intrusion prevention system can stop worms and other types of network attacks. Anti-malware controls can stop ransomware, crypto miners, and other malicious behaviors.

For every security control, we have a list of things it stops. This is excellent and works well with subject matter experts…a.k.a. the security team.

Builders have a different perspective. Builders want to build. When framed in the proper context, it’s easy to show how security controls can help them build better.

Posture management helps ensure that settings stay set regardless of how many times a team deploys during the week. Network controls assure teams that only valid traffic ever reaches their code. Container admission control makes sure that the right container is deployed at the right time.
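The posture-management idea above, and the two questions from the previous section (“What else can this do?” and “Are you sure?”), as an added example that is not code from the original article: a small drift check that compares a team’s intended settings with the observed state after a deploy and reports every setting that was changed, dropped, or widened. The resource names, setting keys, permission strings and image digests are constructed placeholders.

```python
"""Configuration drift check (added example, not from the original article).
For a constructed set of cloud resources it answers "what else can this do?"
(network and permission scope) and "are you sure?" (is the deployed container
the approved one). All names, keys and digests below are constructed."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    resource: str
    setting: str
    expected: Any
    observed: Any


# Intended state, decided once and expected to stay set across every deploy.
# List-valued settings are upper bounds: anything observed outside the list
# widens what the resource can do and therefore counts as drift.
BASELINE = {
    "bucket/finance-reports": {"public_access_blocked": True,
                               "encryption_at_rest": True},
    "sg/report-worker": {"ingress_cidrs": ["10.0.0.0/8"],
                         "ingress_ports": [443]},
    "role/report-worker": {"actions": ["storage:GetObject", "storage:PutObject"]},
    "container/report-worker": {"image_digest": "sha256:PLACEHOLDER-APPROVED",
                                "run_as_root": False},
}


def check_setting(expected, observed):
    """True when the observed value stays within the baseline."""
    if isinstance(expected, list):
        return isinstance(observed, list) and set(observed) <= set(expected)
    return observed == expected


def find_drift(baseline, observed):
    """Every baseline setting that is missing, changed, or widened."""
    findings = []
    for resource, settings in baseline.items():
        actual = observed.get(resource, {})
        for key, expected in settings.items():
            got = actual.get(key, "<missing>")
            if not check_setting(expected, got):
                findings.append(Finding(resource, key, expected, got))
    return findings


# Observed state after a deploy (constructed): one wrong bucket setting, one
# extra permission on the role, and an image that is not the approved digest.
OBSERVED = {
    "bucket/finance-reports": {"public_access_blocked": False,
                               "encryption_at_rest": True},
    "sg/report-worker": {"ingress_cidrs": ["10.0.0.0/8"], "ingress_ports": [443]},
    "role/report-worker": {"actions": ["storage:GetObject", "storage:PutObject",
                                       "storage:ListAllBuckets"]},
    "container/report-worker": {"image_digest": "sha256:PLACEHOLDER-UNAPPROVED",
                                "run_as_root": False},
}

if __name__ == "__main__":
    for f in find_drift(BASELINE, OBSERVED):
        print(f"DRIFT {f.resource} {f.setting}: expected {f.expected!r}, "
              f"observed {f.observed!r}")
```

Run against the constructed state it reports three findings; the same check run after each deploy is what keeps one wrong setting from quietly surviving until someone else finds it.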

Security controls do so much more than just stop things from happening. They provide answers to critical questions that builders are starting to ask.

“What else can this do?” Very little, thanks to these security controls.

“Are you sure?” Yes. I have these controls in place to make sure.

When built well and deployed intelligently, security controls help teams deliver more dependable, easier-to-observe, and more reliable solutions.

Security helps you build better.