For years, information security professionals and analysts have been prescribing the concept of securing the perimeter using a layered defence-in-depth strategy. This has produced a complex and many-sided security strategy, and has also seen organisations pour millions into the effort.
But even into 2020, media and security researchers continue to reveal vulnerability exploits that have spawned breaches, distrust and continuing questions on whether current cybersecurity strategies are relevant for the times.
What is the right approach to securing the enterprise?
In the SANS Institute paper, Defense in Depth: An Impractical Strategy for a Cyber World, author and security specialist Prescott Small writes that the way Defense in Depth is practised today renders the organization more vulnerable. He advocates a shift in attitudes and thinking to address the risks faced more effectively.
FutureCIO spoke to Dmitry Volkov, co-founder, CTO and head of Threat Intelligence, Group-IB, for his take on the state of cybersecurity in 2021.
Is cybersecurity a C-Suite concern?
Dmitry Volkov: Definitely, yes. Without the understanding of relevant cyber risks an organisation is facing and the support at the top level, it is impossible to create and put an effective cybersecurity strategy into practice. Companies that take cybersecurity seriously generally have dedicated cybersecurity committees that involve the C-Suite. Having such committees allows potential cybersecurity issues to be solved quickly. An understanding of relevant cyber threats and risks, including among the C-Suite, is key to developing a proper, strategic cybersecurity plan.
Do we have a strategic view of the risks we face now? And what are the key risks today? What emerging threats should we be most concerned about in our industry?
Dmitry Volkov: The threat landscape and cyber risks vary by region, industry, and other factors. If you are an eCommerce company in Singapore, for example, then buying a solution for protection of Operational Technology (OT) networks wouldn’t be a wise investment. Every company needs to have its own risk map.
In general, dominant worldwide risks – as outlined in our annual Hi-Tech Crime Trends report 20/21 – include a growing number of sabotage attacks on critical infrastructure facilities aimed at disruption and destruction, as well as the greater risk of espionage attacks on government organizations. Financial services and eCommerce companies are increasingly suffering from relatively simple credential stuffing and social engineering attacks.
Furthermore, ransomware has become a concern for all, with neither private sector companies nor government agencies being immune to the ransomware plague. Late 2019 and 2020 have been marked by an unprecedented surge in attacks: over H2 2019-H1 2020, more than 500 successful ransomware attacks in more than 45 countries were reported.
On a technology level, I would say the main ones are the risks associated with the wider deployment of 5G, which will connect a large number of devices to global networks, as well as firmware and hardware vulnerabilities that most of the existing security solutions cannot protect from properly.
Are we spending too much or too little for our online security?
Dmitry Volkov: There are thousands of IT businesses in the world now and competition forces these firms to release their products on the market as soon as possible. Under these circumstances, generally little attention is paid to cybersecurity. The paradox is that, despite the cost of cyberattacks skyrocketing over the past few years, companies of all sizes continue to neglect the very basics of cybersecurity. This leads to serious cyber incidents and sometimes the collapse of businesses.
In 2020, no company can afford to ignore cybersecurity. No one is immune. So this is not about spending too much or too little. It’s about wise investments into protection against threats relevant to your organization, depending on its size, location, and industry.
We are inevitably moving towards a near-ubiquitous software-defined everything future. How should information security practices, frameworks, policies be reviewed (re-assessed) to mitigate against cyber risk, one that is software-native?
Dmitry Volkov: Humans are the weakest link in cybersecurity. So, it’s dangerous to shift responsibility for cybersecurity to people. Using strong passwords, changing them constantly, and staying vigilant is important for sure, but it alone can’t save your company from cyberattacks.
Cybersecurity shouldn’t be in the hands of users but in the hands of those who provide users with various services and process their data. It’s their responsibility to ensure data integrity and safety by putting in place advanced threat hunting and intelligence solutions that allow them to detect targeted attacks and monitor for leaked credentials.
Are telcos, regulators and enterprises missing anything when it comes to 5G and cybersecurity?
Dmitry Volkov: This is what we will see in the near future. 5G networks will connect a large number of devices to global networks, including those belonging to energy and industrial enterprises. As a result, the attack surface will increase dramatically.
Wider 5G integration significantly increases the capabilities of cybercriminals to carry out DDoS attacks, manipulate traffic, spread malware, etc. Hardware and firmware backdoors in 5G infrastructure equipment are other points of concern.
While 5G is being actively implemented, it’s important to discuss associated potential threats and ways to address them.
As CIO/CISOs re-evaluate their cybersecurity strategy for 2021, what questions should they be asking themselves, business leaders, and external security vendors?
Dmitry Volkov: An effective cybersecurity strategy is one that is based on relevant threats and risk to a business, but not only to the company itself. The most recent developments in the cyber threat landscape illustrate that a cybersecurity defence shouldn’t just be limited to the perimeters of a business, as threats can come from multiple sources (your software supplier, for example).
CIOs and CISOs should therefore be asking themselves the following question as they re-evaluate their cybersecurity strategies for 2021: who poses a threat to my company, to my partners and my clients?