If you stumbled upon this article and have started reading it, it's because, somehow, cybersecurity concerns you.
See, you're doing the right thing. The armed conflicts happening now may be geographically far from you, but cyber warfare is happening all around us, every single day. And you're likely holding the weapon that could harm either you or the organisation you work for.
A tablet, a smartphone, a nice, slick laptop: all of these can be the harakiri or jigai swords of the 21st century. The difference is that the blades are replaced by passwords, the ones that unlock information so valuable that you're willing to pay for its safekeeping.
No, the previous sentence isn't tabloid copy, nor is it meant to alarm. We're at war and need to become human firewalls ourselves.
Technology won't save us. We'll save ourselves (if we want to). There is a techno-optimistic mindset, around for some decades now, that creates narratives and generates expectations about what technology can do for us. Bear in mind that every single step we've taken to advance humankind has brought risks and inherent weaknesses as well. That's alright, as long as we're prepared to mitigate those risks and find a way to turn those weaknesses into opportunities.
Technology has been an enabler of a better quality of life and has brought us here. Until a few decades ago, developments stayed within the boundaries of our common understanding. But now, the digital add-on, the "intelligence" variable and the fact that today's interconnected devices collect and process amounts of data that no human being could possibly handle mean that risk and challenge management is taken to a whole new level. Computers are not self-conscious, but they are faster than people. That's a fact.
The latest edition of the Cybersecurity and Privacy Days 2021 was full of reflections like the ones above. In fact, so many that fitting them all into a 2,000-word blog article has been a challenge. This article lists six food-for-discussion ideas and summarises the top issues that made the 6th edition of the event so special.
Cybersecurity and Privacy Days 2021: the food-for-discussion ideas
Taken together, the topics presented and discussed during the event revolved around the anarchic, almost chaotic present we face (a mix of still-in-pandemic times, growing geopolitical, economic and technology-driven conflicts between the world's superpowers, the worrying first effects of climate change and, yes, accelerating technological development) and the role cybersecurity plays in it.
The six food-for-discussion ideas listed below elicited heated exchanges:
- The cybersecurity world is too complex, too complicated and too integrated into the business itself (operations, processes, tactics) for its governance to be handed to a single function in the organisation. That is ultimately detrimental to what today's cybersecurity needs in order to be effective. What if DPOs and CISOs got no budget at all, and the departments dealing with everyday business, the ones that have to guarantee operations, got it instead?
- The promise and excitement of new technologies often dulls the security variable, or makes it seem secondary. Yet the attackers of tomorrow rely on the same technologies as the defenders of tomorrow: the Internet of Things (IoT), artificial intelligence (AI) and its siblings machine learning and deep learning, and cloud computing.
- Knowledge (about us, about businesses) is a weapon used to reach our data, especially sensitive data. Today's cyber crimes are perpetrated by appealing to our psychology: our ego, our inner feelings, our secret desires and personal needs.
- Compliance is not security. Security legislation keeps emerging and, although it is needed to protect the legitimate interests of businesses and society, it increases pressure on organisations and citizens. More worrying, though, is that it gives a false impression of security: passing an audit does not mean the controls actually stop an attacker. Compliance does not equal effective security measures.
- Data protection has absorbed some of the challenges posed by catchy, optimistic agendas about "smart", notably smart cities. At least for the moment, governments aren't truly ready to develop smart cities because they are unable to process gigantic amounts of data efficiently.
- Businesses are pushed to put digital sovereignty on their agendas, because, and this is an undeniable fact, data handling is governed by national legislation. They have to think carefully about who they do business with and where their data will be stored.
The cybersecurity of oneself
Social engineering in the context of cybersecurity has nothing to do with the term as used in the social sciences. Rather, it is weaponised psychology that targets individuals and workers to undermine information security efforts.
What would lead you to share a password? What is the triggering factor or situation that takes you to the point where you're willing to share confidential data, personal or not? Slowly, in a well-orchestrated and dangerously intimate way, a social engineer manipulates people's will and surreptitiously collects their data. Behind every effective social engineering attack there is an element of trust.
Then there is open-source intelligence (OSINT). With it, attackers collect the publicly available information we share on social media and other digital channels to understand how we behave, to obtain material that helps them guess our passwords and recovery questions, or to craft a well-thought-out strategy that leads us to trust them. What happens next is well known: we willingly hand over our data, like children, transparently.
Some businesses are putting in place comprehensive cybersecurity education, teaching employees how to recognise an attack. But do employees also know how to respond to one? Security awareness is only the first layer of cybersecurity education. Businesses want to go further, developing skills and running vulnerability assessments at the human level too (simulated phishing campaigns are a common example).
Part of the work done to fight social-engineering-based attacks includes identifying and working with the most vulnerable business departments. Security audits and reports shouldn't focus only on technical aspects; they should cover the human level as well.
The cybersecurity of everyone
Effective cybersecurity poses a technical challenge, the obvious and well-acknowledged part of the equation, but also a behavioural one. As long as managers and employees can grant access to systems and high-value information, they are targets, and cybersecurity depends on them too.
The cybersecurity of everyone, the one that turns each and every one of us into a firewall, requires a change of culture at every organisational level.
Dealing with the security and data protection needed in times of war by creating and empowering a security department is (obviously) necessary, but it falls far short. Attackers are inclusive, although not for the right reasons: if they care about our political leanings or our favourite football club, it is because both can open the doors to our private lives. Security and data protection must be included within all other departments too, to the point that they become part of the DNA of the organisation.
Because of these anarchic times and the urge for digital transformation, take the time to thoroughly understand your business ecosystem and operating model, and identify your competencies, assets and potential risks before adding new digital technology to your stack.
Take, for instance, the case of partnering with third parties. Outsourcing some functions is advantageous because businesses can improve efficiency and focus on value-adding tasks, but cyber incidents that occur in providers' or collaborators' infrastructure are more common than you may think. This highlights the importance of owning one's risks and closely monitoring what existing business partners do on your behalf.
The hermit's strategy doesn't help much in the cybersecurity war. Engaging actively with peers to share cybersecurity ideas, news in the field, trends and best practices on ways to protect against, respond to and recover from cyber incidents is always a good idea.
And get rid of the still common belief that prevention is the cornerstone of cyberdefence. It is not. Prevention will fail at some point; when it does, detection and an adequate, timely response are the only options left to survive.
The cybersecurity of Europe (or digital sovereignty)
Some months ago, four European female leaders, including former German Chancellor Angela Merkel, spoke up on digital sovereignty, stating clearly: "Now is the time for Europe to be digitally sovereign". But why?
92% of data from the West is hosted in the US. Think about what this number means in terms of information security and cybersecurity: most European countries rely on data centres on the other side of the Atlantic pond to store European citizens' information. The phrase "data in foreign clouds" may sound charming, but it isn't: we are depending on a foreign jurisdiction regardless.
If we cannot control our own digital destiny (the data, the hardware and the software) at all levels, especially at the country level, we aren't digitally sovereign. However, pursuing digital sovereignty nowadays is anything but an easy endeavour. How can we stop virtual ships from crossing borders?
In wartime, everything is allowed, or so they say. Bear in mind that data handling is governed by national legislation, and some countries offer safe harbours in which cyber attackers thrive.
Businesses should think carefully about who they do business with and where their data will be stored.
The cybersecurity of everything
IoT is a synonym for the internet of everything (or at least we like to call it that). On the other side of the coin, then, there must be the cybersecurity that guarantees that people and businesses using interconnected new technologies can operate safely.
The level of what's connected is unprecedented, bringing risks we don't yet know. An interesting example is the need for solid cybersecurity in electric mobility infrastructure, for instance charging stations.
It might be the newness of the technology, or the excitement around it, but while the need for cybersecurity in industrial control systems, for power plants for example, isn't questioned, few people think about the security of charging stations. Yet a charging station is a networked device that handles payments and customer identities and controls high-power equipment. Demand and interest in having more charging stations for electric vehicles is growing, but hacking and security aren't yet treated as important concerns.
The case of charging stations is only one of dozens of examples, and counting.
The world seems to look at new technology through an innovation lens but not (yet) through a cybersecurity lens. The cybersecurity of everything needs cybersecurity by design to mitigate risks in the long term.
A note on why the CEO, CISO and DPO need to work closer together
The bottom line is that, in business, successful cybersecurity needs governance, resources and commitment. Today's main cybersecurity challenge is for the business, its managers and leaders, to realise that the "hot potato" is really on their plate. Given the complexity and the impact on the business, they should no longer leave security and data protection to one person or one sole department within the organisation. Convincing them of that is, for most CSOs, CISOs and DPOs, the biggest challenge at this time. They know they can't fight cyber warfare alone.
Indeed, businesses must take on cybersecurity, which until now has been considered a CISO-only responsibility. But this isn't a one-sided task because, on the other side of the coin, CISOs have to talk more business language and actively look for responsible innovation.
The cybersecurity of today is the one of everyone, involving all departments in the organisation. Nevertheless, some CISOs seem to be reluctant to let it be so. In this podcast, Paul Oor, the interviewee, gives an explanation: “It’s because it’s a fun job; you have some power, not too much but you have some power… and it’s always difficult to share that power […] It can be perceived by business leaders as a weakness.”
There has never been a moment when CISOs, DPOs and CEOs needed to work together more than now.
Technology won't save us, but if we conceive it responsibly and with a human and humanistic mindset, it will help us keep safe. But from whom, you may wonder. It would be easier and less bitter if there were an alien or an outer-space force to blame, but you know that, at least for now, that is only part of our childhood fantasies. The truth is that we've been fighting battles against ourselves, against our peers, since the beginning of our common history. The cybersecurity battle is just one more of them: sophisticated, shapeless, ubiquitous.
Be a firewall. That's what's needed for now.
What we think
This year, the Cybersecurity and Privacy Days' theme focused on chaos and changing times. We're living in a world of constant change, and COVID has been a further catalyst, especially concerning data. There is a duality we are all up against: the rising demand for digital information, which has become the lifeblood of the interconnected business ecosystem, and the rising need for companies to guard this increasingly valuable asset against skilled threat actors. How businesses can navigate this chaotic situation was at the very heart of our event.