Also co-authored by Luisa Colucci, Lucia Cozzolino, Silvia Peschiera, Emilia Cozzolino and Vita Santa Barletta.
European Cyber Security Month (ECSM), celebrated every year in October, is a European Union (EU) advocacy campaign designed to promote security awareness among citizens.
ECSM has continued to grow since its inception in 2012. The 2018 agenda featured more than 350 events and activities across all EU member countries. ECSM’s schedule also included a rich series of conferences, training sessions, videos, webinars, demonstrations and more, giving eager participants many opportunities to get involved and learn more about security.
The contributors of this article participated in many events and collected many questions about the cybersecurity industry from other attendees. This article gathers those frequent questions, whose answers initially seemed obvious and straightforward, but were very quickly unveiled to more complicated than we previously thought.
Is Cybersecurity a Challenge or an Opportunity?
For people working in the industry, cybersecurity is an opportunity. This may not be the answer people expect, but being direct is important, and the reality is that cybersecurity drives a multibillion-dollar market. Today, the cybersecurity industry is absorbing a lot of talent, and a lot more will be requested in the future. Let’s start with the challenges.
The first challenge organizations face is the need for growth. Enterprises must adopt new technologies or they will be left behind. It is not just about being more profitable. If healthcare devices that are inserted into the body required a medical inquiry for tuning yesterday, today this can be done without a medical inquiry as the medical device can be controlled with WiFi — but it can also be hacked. Therefore, threats impact growth. Compliance also impacts growth. In fact, if compliance is about the execution of security controls necessary to mitigate the possibility of an attack, if there is a penalty associated with the compliance, the penalty has an impact on the financials of an enterprise.
The second element to consider is that enterprises have invested a lot in different technologies and processes, but have not spent enough integrating them. Processes are actually less integrated than products. For example, security information and event management (SIEM) is rarely integrated with vulnerability management or patch management, and misconfiguration actually continues to be one of the major vectors for data breaches.
Another challenge is the ever-growing mass of operational technology (OT) and Internet of Things (IoT) devices connected to network infrastructure. The adoption of IT practices related to these devices is a good thing, but it is not always as straightforward as one might imagine because processes are totally different and vary from one industry to another. For example, if something goes wrong on a train, the train stops. However, if something goes wrong on a plane, you cannot just stop it midflight. In addition, we are exposed to highly sophisticated malware agencies that can develop phishing campaigns and malware, control devices and recycle cryptocurrencies.
Moving to the opportunities, many tend to think that the cybercriminal population is different than the traditional criminal population, but this is not true. Because of the cyberworld, criminals have just been moved into the cyberspace, leaving the overall entropy unchanged with the difference that in the real world, the perfect crime is possible. In the cyber world, threat actors always leave something behind — a trace. We need technologies that can help us find those traces among billions of unstructured records. Artificial Intelligence (AI) can help with such a task. Finally, criminals also use the cyber world. This is a great opportunity to use the same investigation techniques developed in cybersecurity to stop the more old-fashioned and traditional criminals.
Who Are the Bad Guys?
We cannot always claim that those who work on the defensive side are good, and those who work on the attacking side are bad. This would be like saying that those who carry a gun are inherently bad — it is not as simple as one might think. We actually need to consider two elements. The first is that many increasingly think cybersecurity is something that has an intrinsic value, and that someone else can take care of it. For example, if we develop a camera with a traditional operating system where a password is stored on the firmware, we would tend to think that someone else will secure the password.
The second is the belief that what happens in the cyber world is only real when the benefits are perceived. But when things go wrong, then it is bad. In the real world, if a door is open, we do not enter unless we are either invited or authorized to do so. The same should happen in the cyber world. Instead of trying to work out who is bad or who is good, we should increase security awareness and start thinking that what happens in the cyber world is serious and real, and could lead to dramatic situations with serious consequences.
Does Compliance Help?
Compliance helps if it is a continuous process and if we believe in the security controls we have been forced to implement. If it is just a moment to pass the audit, this does not help. Like most security controls, compliance requires a periodic execution of set controls. Systems and applications are administered by humans, and humans make mistakes. Yet new vulnerabilities are discovered every day. What seems secure today may not be secure tomorrow. The only solution to this ever-changing landscape is the periodic execution of a strong set of controls.
How Much Should We Invest in Cybersecurity?
Usually, investment is based on the value of the business and the assets. Today, IoT adoption is creating a definite shift because the IoT provides threat actors with millions of devices — with no substantial revenue/cost impact — that they can use to launch an attack. Therefore, when we introduce a device into our network architecture, we must protect it and protect ourselves from it during the entire life cycle. This is something we should highly consider while building a secure ecosystem. The cybersecurity has an intrinsic value, but we should all work toward keeping a safe environment and improving security awareness, and we cannot assume that someone else will take care of it.
What Happens When You Are Breached?
Beyond the fines and penalties, the loss of customer trust is arguably the greatest damage that will result from a cyberattack. Customers do not really care about the money enterprises spend on security; all they care about is the fact that a company lost their data. The scariest thing is that today’s cybercriminals are real, advanced and persistent, so once they gain a foothold, they have access to your infrastructure and they will take every possible step to ensure they will continue to have access. Therefore, if you stop an attack, do not assume you are in the clear. You should always assume that attackers are inside your network, even if you have not yet discovered what they are after.