Corporate cybersecurity strategy
In terms of cybersecurity, all indicators show that threats are increasing with the “all digital, all connected” transformation. WannaCry ransomware contaminated hundreds of thousands of workstations in roughly 150 countries in May 2017, and NotPetya, a wiper disguised as ransomware, followed about six weeks later.
This should alert businesses to their vulnerabilities and to the threats they face. Every company must assume it is a potential target, and must know its risk areas and their impact, because the repercussions are serious: loss of information assets, identity theft, financial loss, reputational damage and more.
Traditionally, cybersecurity has relied on strong perimeter defences, like a medieval castle. In an open, cloud-based, mobile and connected environment, that paradigm no longer holds. Businesses need to manage and mitigate a complex threat landscape, focusing first on their critical business processes and the assets that support them. To do this, companies must adopt a holistic, risk-based approach to security: first secure top-management commitment, then define a corporate cybersecurity strategy aligned with business strategy and objectives.
People, Process and Technology
Cybersecurity revolves around people, process and technology: from process identification and data classification to solid governance and risk management, in line with regulations and the imperatives of digital transformation; and on to the adoption of tools in a multi-layered (defence-in-depth) approach that hinders an attacker's progress at each layer, from the network gateways to the end-user desktop. Finally, the most important factor is human behaviour, which is why user education and awareness matter: one careless action can jeopardize the entire organization, so training is key. Stopping an email-borne malware attachment from infecting a single device may seem a small act, but it denies the attacker the foothold needed to penetrate the network.
Beyond the tooling, it is essential to note the cultural change implied by this approach: rather than confining cybersecurity to an infrastructure issue, it must be included in all business activities, down to every single connected object.
A connected object, whether a CCTV camera, a printer, a cold-room thermometer or any other device that is supposed to do something and report information back, is as exposed as a PC. But because it is not a PC, nobody thinks to protect it. The uranium-enrichment centrifuges controlled by Siemens systems were the victims of Stuxnet, discovered in 2010; consumer connected devices were enrolled in the Mirai botnet in 2016; Romanian attackers compromised most of the police surveillance cameras in Washington, D.C. in the days before Donald Trump's inauguration in January 2017. We can also mention the TRISIS malware, which in 2017 compromised Schneider Electric Triconex safety controllers, and the self-described Anonymous member who recently spoke to realtor Andy Gregg through the security camera he had just bought.
As companies adopt Bring Your Own Device (BYOD) and connected objects become a major component of daily life, ensuring their security is more important than ever. With the rise of cloud, mobility and IoT, robust cybersecurity controls and frameworks can massively reduce this risk.
General Data Protection Regulation
On the other hand, regulations are now tighter, pushing business decision makers to invest more in cybersecurity and to allocate a dedicated budget to protect their information systems and reduce the attack surface, and hence the business impact of any security incident that might occur. In particular, most companies feared the deadline of May 25, 2018, the date from which the GDPR, the General Data Protection Regulation, applied. They asked themselves many questions: How to comply? What actions to put in place, and where to start? GDPR is not only a legal subject; it is also organizational and affects all of a business's processing activities. The aim is to put in place a clear roadmap for organizing the use of personal data, which can sometimes be “sensitive”, and to tackle specific areas such as privacy governance, identity and access management, data quality, security measures and policies, and so on.
Today, data is at the heart of our daily activities and must be protected as well as possible. The cloud, APIs, network or storage virtualization and even mobile are areas that increase the attack surface of infrastructures, because they multiply points of contact or introduce intermediaries that must be monitored. Security has become a key issue for companies aware of the need for a comprehensive approach to threats. Even international bodies and organizations are tackling the subject, focusing not just on cybersecurity, which is essentially technical, but also on cyber-resilience, which sits at the heart of strategic priorities.
The Cyber Warfare Race
Cybersecurity is a trend that shows no signs of slowing down. As predicted, this new year will accelerate the pace of the cyber warfare race. Although conventional malware such as worms and trojans remain a threat, several newer methods of software infiltration will become much more commonplace. The rise of cryptojacking was observed in 2018, as cryptocurrencies gained popularity and some companies even began to accept digital currencies as payment. In 2019, both personal and business PC users should be wary of cryptojacking, that is, the hijacking of another person's processor to mine cryptocurrency. Cryptojacking not only slows down computers; it is also a sign that your system is vulnerable and that you need to strengthen your network protections.
It is also suggested that artificial intelligence will be used more and more by attackers. 2019 will be the year of AI in many ways, and it will be applied across several industries for both its positive and negative effects. Unfortunately, AI has no moral compass of its own and will therefore be used by unscrupulous individuals to find new ways to break through and defeat defences.
In order to stay ahead of attackers, security professionals and non-professional users alike need to focus on continuing education. If you can get ahead of the threats, you can protect your data.
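Cryptojacking leaves two observable traces that a defender can look for: the miner talks to a pool using the Stratum JSON-RPC protocol (method names such as `mining.subscribe` and `mining.authorize`), and the miner process itself burns CPU with a recognisable command line. The following detector is an added example written for this article, not code from Potech Consulting or from any product; the sample connection records and process table are constructed inline, and the command-line markers (`stratum+tcp://`, `--donate-level`, `--algo`, `--coin`) are an illustrative set of miner flags, not an exhaustive signature.

```python
"""Toy cryptojacking detector (added example, not from the original page).

Two heuristics: (1) outbound TCP payloads that are Stratum mining JSON-RPC
calls, (2) processes whose command line looks like a pool miner. Both are
run over constructed sample data so the script works offline."""
import json
import re
from dataclasses import dataclass

# Method names from the Stratum mining protocol (JSON-RPC over raw TCP).
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

# Command-line markers of common open-source miners. Illustrative assumption
# for this example; a real deployment would maintain its own signature list.
MINER_CMDLINE_RE = re.compile(r"stratum\+(tcp|ssl)://|--donate-level|--algo\b|--coin\b")


@dataclass
class Alert:
    host: str
    reason: str
    evidence: str


def stratum_method(payload: str):
    """Return the Stratum method name if payload is a mining JSON-RPC call, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    return method if method in STRATUM_METHODS else None


def scan_connections(records):
    """records: dicts with host, dst_port and the decoded first bytes of the stream.
    Port alone is not enough (3333 is also used by legitimate services), so the
    decision rests on the protocol content."""
    alerts = []
    for r in records:
        method = stratum_method(r["payload"])
        if method:
            alerts.append(Alert(r["host"],
                                f"Stratum call {method} to port {r['dst_port']}",
                                r["payload"][:80]))
    return alerts


def scan_processes(procs):
    """procs: dicts with host, pid, cpu_pct, cmdline. CPU use is reported for
    triage but a matching command line is flagged even when the miner is idle."""
    alerts = []
    for p in procs:
        if MINER_CMDLINE_RE.search(p["cmdline"]):
            alerts.append(Alert(p["host"],
                                f"miner-like process pid {p['pid']} at {p['cpu_pct']}% CPU",
                                p["cmdline"]))
    return alerts


# Constructed sample data for this example; hostnames and pool address are fictional.
SAMPLE_CONNECTIONS = [
    {"host": "ws-042", "dst_port": 443,
     "payload": "GET / HTTP/1.1\r\nHost: intranet.example"},
    {"host": "ws-042", "dst_port": 3333,
     "payload": json.dumps({"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5"]})},
    {"host": "ws-017", "dst_port": 3333,  # same port, but not a mining call
     "payload": json.dumps({"id": 2, "method": "ping", "params": []})},
]
SAMPLE_PROCESSES = [
    {"host": "ws-042", "pid": 4711, "cpu_pct": 97.5,
     "cmdline": "/tmp/.x/kworker -o stratum+tcp://pool.example:3333 -u wallet_placeholder --donate-level 1"},
    {"host": "ws-017", "pid": 2201, "cpu_pct": 95.0,
     "cmdline": "ffmpeg -i in.mkv out.mp4"},  # legitimately busy, no alert
    {"host": "ws-099", "pid": 880, "cpu_pct": 3.0,
     "cmdline": "xmrig --donate-level 1"},  # idle miner, still flagged by cmdline
]


def suspicious_hosts():
    """Sorted list of hosts with at least one alert from either heuristic."""
    alerts = scan_connections(SAMPLE_CONNECTIONS) + scan_processes(SAMPLE_PROCESSES)
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    for a in scan_connections(SAMPLE_CONNECTIONS) + scan_processes(SAMPLE_PROCESSES):
        print(f"[{a.host}] {a.reason}: {a.evidence}")
    print("suspicious hosts:", suspicious_hosts())
```

The connection check deliberately keys on the JSON-RPC method rather than the destination port, so the `ping` call to port 3333 from ws-017 is not flagged, while ws-099 is flagged from its command line alone even though its CPU use is negligible at capture time.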
About the author
Potech Consulting provides world-class, professional IT services. Our consultants are not only well-recognized experts in the IT field but are also capable of understanding business needs, aligning the business strategy with the IT strategy. Today's IT projects bring more than just functional challenges. Issues such as security, scalability, redundancy, information architecture and performance are just a few of the criteria that must be evaluated in the early stages of planning an information technology project. Our experienced team of IT consultants can handle projects large and small, from needs assessment through to implementation. To serve its customers efficiently, Potech Consulting offers the following services: Cybersecurity Services; Business Resiliency Services; Outsourcing; Training; Information Security Audits; and Information Technology Audits.