The cyber security landscape is becoming more complex – from new laws, regulations and technologies, to cloud transformations and state-sponsored hacking (to name a few). Add to that the additional challenges brought about by the shift to homeworking in response to the coronavirus pandemic, and it’s clear why cyber security remains a top challenge for organizations and boards.
What trends are we seeing in cyber security?
Five cyber security trends that are shaping the geopolitical, social, and economic environments in which organizations operate are:
- The creativity of organized crime continues to challenge us, with deep fakes, careful selection of targets, and playing on increased fears of public disclosure of sensitive data to encourage the payment of ransoms.
- Speed and scale of exploitation increases, as criminals launch attacks on 5G surfaces and interconnected Internet of Things devices, and use automated tooling to more quickly spot vulnerable systems in poorly configured cloud services, web sites, and content delivery networks.
- The global commons will vanish, as countries increasingly regulate to defend ‘their corner’ of the internet, creating a complex and conflicting network of obligations across countries, which requires firms to pay increasing attention to the origin and nature of the data they process and handle.
- The lawyers are moving in, to argue the true meaning of the legislation and who’s responsible in the case of a breach.
- The death of anonymity is coming as nations mandate stricter sign-up conditions and authentication mechanisms for access to internet resources.
Read more on these five cyber security trends for 2020, as well as five changes on how companies are implementing security.
What new challenges are arising following the coronavirus pandemic?
Organizations are facing new threats associated with the ‘new normal’ of working from home:
- Increasing COVID-themed phishing scams, ransomware, and social engineering attacks, leading to the compromise of personal and corporate emails;
- Ensuring compliance with regulatory requirements across security and privacy;
- Providing secured connectivity for the remote working environment, especially as remote working has led to home networks being compromised, thus leading to corporate networks being compromised;
- Enabling secured access to critical organizational information, especially as popular videoconferencing applications lead to cyber security flaws; and
- Ensuring availability of all critical IT and security services.
2 years of digital transformation in 2 months
How do hackers operate, and what can you do to mitigate your risk?
- Keep your software and systems up to date. If there’s no vulnerability, there’s no hacking.
- Consider outsourcing the responsibility. For example, when thinking about moving to the cloud, large cloud service providers continuously update their systems, quicker than most organizations do.
They obtain privileges to get inside
- 99.7% of successful hacks on cloud solutions are carried out by password spraying on user identities.
- Implementing multi-factor authentication raises the bar for hackers to get in. Remember, hackers do not break in, they log in.
Once inside, they extend their footprint
- Have a security incident response plan; test that plan annually; and know how to react quickly. Hackers rely on an organization’s slow response time to get deeper into its systems.
They extract information and/or disrupt the business.
- Consider giving the management of data back to the business, rather than IT.
- Consider the cost of information security – which data is public, classified, or secret?
- Before buying an IoT device, consider whether it can be updated, and whether it has a security logo. For a full overview of the security certifications that exist for IoT, refer to the list below:
  - Embedded Microprocessor Benchmark Consortium (EEMBC): http://www.eembc.org/index.php
  - GSMA: http://www.gsma.com/
  - International Electrotechnical Commission (IEC): http://www.iec.ch/
  - IoT Security Foundation: www.iotsecurityfoundation.org
  - NIST: https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
What are the most common cyber security mistakes vs. reality?
- Mistake #1: “We have to achieve 100% security.” In reality, this is neither feasible nor the appropriate goal. Consider your cyber security needs as you would any investment – what’s the risk vs. what’s the cost/opportunity – and respond appropriately to meet your risk threshold.
- Mistake #2: “Hackers break in.” In reality, hackers log in because of weak identity protection (see above).
- Mistake #3: “The Cloud is more or less secure.” In reality, a secure cloud transition is not a secure cloud transformation.
  - In a Cloud Transition, companies stay with traditional security measures (VPN tunnel, firewalls, Anti-Virus, etc.).
  - In a Cloud Transformation, organizations will equally focus on security measures that can only be offered via the Cloud (Conditional Access, Data Loss Prevention models, machine learning on hacking patterns, etc.).
- Mistake #4: “Cyber security compliance is all about effective monitoring.” In reality, the ability to learn and be agile is just as important as the ability to monitor.
- Mistake #5: “We need all the best tools the market can offer.” In reality, you need cyber integration – a coherent solution that can be monitored from a single interface.
Here are some key questions for your board and management to consider:
- How frequently is the maturity of the company’s cyber security risk management framework evaluated?
- How is the company keeping up with regulatory changes and new legal requirements?
- Is the company staying abreast of industry practices and connecting with law enforcement?
- Does the company have an incident readiness and response plan that has been reviewed and tested? Have you done an attack simulation?
- Is the board getting the information it needs (e.g. a cyber dashboard) to oversee cyber security efforts?
- Does the company have the talent it needs to keep pace with evolving cyber security threats?
- In considering the new ways of working:
  - Is the company’s endpoint security sufficient, e.g. encryption, passwords, regular updates, etc.?
  - How will the end-user connect? Can the company’s firewall and VPN gateway cope with the increase in remote connections?
  - What type of data is being extracted? Are the company’s SAS-based application reviews properly configured?
  - Does the company need to reconsider the measurements or KPIs for its enterprise network monitoring?
  - Are your policies and processes regarding teleworking properly (re)defined?
The threat landscape is changing and organizations need to respond accordingly. The new normal will drive collaboration and organizations should be rethinking their security models accordingly. It’s important to regularly challenge the robustness of your cyber defense framework and third party ecosystem.
The Board Leadership Center offers non-executive and executive board members and those working closely with them (including CROs and Heads of Internal Audit) a place within a community of board-level peers and access to topical seminars and ‘lunch and learn’ Board Academy sessions, invaluable resources and thought leadership, and lively and engaging networking opportunities.