October 29, 2019: Magda Chelly works for the cyber security advisory and training company Responsible Cyber. She spends most of her time as “CISO on demand”, supporting organisations with security challenges. At Command Control, the Singapore-based expert will show how companies can get cyber ready and cyber resilient. In the run-up to the summit, we spoke with her about the overall cybersecurity situation.
The central subject of Command Control 2020 will be cyber resilience. What is your understanding of this approach? And why should organisations pursue this strategy?
Chelly: As organizations increasingly deploy new technologies and focus on cloud adoption, artificial intelligence, and blockchain business implementations to enhance their products and services, their risk surface rises with new cyber risks. The current transformation from traditional business models to fully digitalized ones requires businesses to consider security and privacy by design in order to become cyber-ready and build their cyber resilience.
The interconnected ecosystem brought by digitalization and the lack of borders on the Internet carries to the business stakeholders additional significant challenges, going from compliance with local privacy regulations to assurance of efficient security controls to protect their own digital assets. In this shifting landscape, where the interconnections go beyond technology, and impact partners, clients and vendors as well, businesses require a more mature approach to cyber security where the three major pillars (people, process and technology) are implemented efficiently, avoiding a check-the-box exercise.
Building a business cyber resiliency entails the management involvement and willingness to understand the importance of cyber risks nowadays and define them as one of the top enterprise risks. Cyber resilience is – in my opinion – equivalent of a maturity level where the organization itself is fully conscious of the implications of the technology adoption, and understands its risks, accordingly, avoiding a focus ONLY on technology, and ensures an adequate incident management process. It never was IF but is always WHEN the company will be under attack.
As per the current head titles in the news, data breaches are becoming a popular topic, and it does not seem to decrease over the days. Therefore, a layered defence including people, process and technology is the only way to achieve resilience for businesses.
Cybersecurity is sometimes just seen as a pure necessity or annoying duty. How can organizations make more of it? How can they use it proactively as a competitive advantage? Could this be the key to become a winner of digital transformation?
Chelly: Online fraud, scams and identity thefts are growing at an increasing rate, in alignment with the growing number of cyber-attacks and data breaches. According to a survey released by RSA Security and LightSpeed Research already several years ago, consumers were happy to increase their online transactions if the companies ensured them strong authentication. The responders also confirmed that they were willing to switch companies having stronger authentication methods.
Business is all about trust and this trust needs to be provided to customers, in general. Thus, can organizations be trusted in an era where the data is completely digitalized if they do not implement the right controls to ensure confidentiality, integrity and availability of the data? As per a PwC consumer intelligence report, nearly 87% of consumers say they will take their business away if they don’t trust a company is managing their data responsibly. And, only 25% of respondents have confidence in companies handling their sensitive personal data responsibly.
In today's world, building and having a cyber ready and resilient business is a competitive advantage and should be a business priority. If your customers are not able to trust you, they will not be able to continue doing business with you.
From your perspective, what are the biggest security challenges organizations will face during the upcoming 12 months and how can they best master them?
Chelly: As per ENISA’s report, the upcoming cyber threats for the next years are crypto mining, malware including ransomware and phishing. Those are the most popular types of attacks that I have been seeing across industries.
Every day, we have around 350 000 new malware that are released by cyber criminals, and therefore this number proves that this particular threat is definitely not stopping. Ransomware has been popular in Asia, and the polymorphic nature of the malware makes it very hard for technology alone to address the attack in a timely manner.
That said, the security challenges that organizations are facing are in particular due to a lack of understanding of their cyber risks, lack of efficiency of security controls, and new technologies adoptions without analysing the associated risks and risk surface increase.
The forecasts for 2025 include as well additional challenges related to Internet of Things, Artificial Intelligence, Machine Learning, and Quantum Technology.
The implementation of quantum computing capabilities raises important questions about current security controls, including for example cryptographic algorithms and their resilience. It also raises questions about the practical implementation as the technology development might be faster in some geographical areas vs others, creating important disparities between organizations, and countries as well. This accelerates as well ethical, economic and other socio-political concerns including worldwide criminal activities.
The Internet of Things would create an immense network of data flows across the global ecosystem that would require either strict regulation or imposed security framework to enhance the overall security of those new connected devices.
Predictions show that machine learning will have an important impact on the human part, with an increasing automation around processes. This might help efforts in the area of identity theft, fraud and data breaches. However, at the same time the technology might be as well used for bad by the criminal groups.