With the increasing use of digital technologies in all areas of business and society and the growing connectivity of everything come greater challenges on the level of security, compliance and data protection.
Whether we like it or not, security in general and digital security or cybersecurity in particular can’t be afterthoughts and can’t be addressed with just traditional ad hoc and limited point solutions. Cybersecurity has become a key strategic priority for digital business and is becoming a topic we need to be open about in the digital transformation economy. Moreover, in order to be able to innovate and realize their digital potential with regard to any given business and customer goal, organizations want security approaches that enable them to focus on their business, a phenomenon which is changing the face of the cybersecurity industry.
Changing security perimeters and cyber risks demand a holistic security approach for digital business
For many years now the security perimeter has been moving and is gradually fading or, at the very least, is showing a more fragmented pattern.
Mobility, growing connectivity of technologies, people and processes, and the expansion of networks and clouds to include ever more data, devices and decentralized ways of working, have made the new security perimeter the “everything”. It ranges from more traditional perimeters that still exist to the user as a perimeter and even the Internet as a perimeter. That’s an enormous difference from how cybersecurity was viewed only a few years ago.
The solution to address all these new cybersecurity risks and realities, which is not just a choice in this age of digital transformation and ubiquitous connectivity, is by definition a holistic one that includes all the mentioned elements. But it’s also one that approaches security in different and more encompassing ways.
Most organizations are aware of this, but very often there is a gap between realizing that cybersecurity is now a key priority that is moving into the boardroom and needs far more attention, and the ability to act on it. There is an overall “digital crime gap”, including between the number and type of attacks organizations face and how they (can) react.
In the meantime, as organizations are putting issues such as security and compliance (with changing regulations), as well as business continuity, high on the agenda, it’s not as if the “bad guys” are sitting still either. Cybercriminals are smart, they know very well how to use new technologies and exploit vulnerabilities.
Waking up to the cybersecurity risks of the world-sized web
We don’t want to create a culture of fear or be scaremongers, but we want to emphasize how crucial it is to make your security approaches evolve and really put security at the center of your business and digital transformation efforts.
Let’s not be blind: state-sponsored hacks, far-reaching breaches and the rise in the number and diversity of attacks are all facts. Moreover, as we are including ever more digital devices and entities into our digital strategies with increasing hyper-connectivity (imagine the impact of the Internet of Things) we need to stay ahead of the curve and not just catch up with smarter cybercriminals and increasing risks.
At RSA 2016, security guru and ‘veteran’ Bruce Schneier, who is known for his strong and sometimes even controversial statements on security, went very far in waking all of us up to the new realities we live in (if you’re really interested in smart thoughts on the future of security and cyber risks, follow his blog).
The Register, which interviewed Schneier on the occasion of the event, had quite the headline: “Bruce Schneier: We’re sleepwalking towards digital disaster and are too dumb to stop”.
Schneier was mainly referring to the nascent so-called world-sized web, a term he deems horrible as you can read in the interview, but which essentially is used for the Internet of Everything, as Cisco calls it: the Internet of Things and its sensors and autonomous data processing units, coming as an expansion of the web and the already hyper-connected reality as we know it today, with mobile, cloud systems, multiple devices, a huge range of possibilities to connect anywhere, anytime and across any type of network, and of course ‘users’ who want ubiquitous access to their apps, data and more.
Cybersecurity challenges and digital risks for the future
Below are a few essential cybersecurity problems and overall risks Schneier sees.
The design of the world-sized web: fragmentation and underestimation
In the interview with The Register he mentions the unknown security impact of that world-sized web, which will change everything and, according to him, gives more power to the powerful and is less designed than created. The Internet of Things, among others, escapes from the traditional building and design of complex systems with a safety-first principle, to quote the interview on The Register. It is a fact that the IoT is not exactly the most standardized and designed phenomenon ever, with a bunch of players, technologies, approaches and – indeed – quite often the lack of a safety-first approach. Moreover, organizations – and people – are not aware enough yet of nascent evolutions in the context of cybersecurity, privacy, compliance and so on, which is clear in the underestimation of these challenges.
Predicting where technology goes doesn’t equal how it will socially affect us
We are relatively good at predicting where technology is heading but aren’t exactly good at predicting how it will impact us socially, Bruce Schneier says on The Register. This isn’t new and not just about the future challenges of this world-sized web, but we can’t say it isn’t true. Just consider: if you look at the current “security” climate and the “data” reality in a world where quite some weird things happen and people seem to be disconnected “mentally” in many ways (yes, we mean political evolutions and human behavior), one wonders what happened to the predictions on how social media would connect us more and – thus – help make the world a better place. Maybe it does for some and for Facebook, but it sure doesn’t in general. Have you seen the hate recently? This is just one example but there are many more, and Schneier mentions some in the interview with The Register.
The complexity of a holistic security approach versus the focus of hackers
Hackers have a huge advantage over “defenders”. They need to exploit one vulnerability and they are done (although we see more and more real cybercriminals operating as digital entrepreneurs). Companies, on the other hand, need to make sure that a myriad of security challenges is addressed and that ever increasing connectivity happens in the most secure and holistic ways. That involves technology but also processes, strategies, various end points, code, devices and certainly people.
The dangers of the ‘computer world’ in the physical world
The collision of the digital and physical world is another topic that is dear to Schneier. In an interview at RSA 2016 by ITProTV, Bruce Schneier reminds us how everything is becoming a 24/7 computer today and how the computer reality or digital reality affects the physical one. He mentions how these physical things affect us differently and are regulated differently. Think about medical devices and cars that are becoming computers instead of having computers on board. Cars can kill, he says. It’s not something to take lightly and, as you know, cars as computers have already killed. This needs debate and regulation, not just explanations in which human errors are sought and we try at all costs to uphold the idea that it’s not the fault of ‘digital’ if something goes wrong, as things will go wrong and have gone wrong. There is a reason why Tesla is looking so hard into the cause of the deadly accidents (with a focus on the human error), which were broadly reported on in recent months.
Raising cybersecurity and risk awareness
For Schneier there are many solutions to the various challenges, such as disconnecting key systems and moving to more distributed systems, putting limits on data storage and a need for governments to regulate technology more, with the involvement of the industry.
Of course there are different views than Schneier’s. There are also other risks and challenges. We’ve been reporting on some of them here and on other sites, with topics such as data and ethics/privacy, compliance as a key driver amidst changing regulations such as the European General Data Protection Regulation, and challenges on the level of technologies and their potential impact, such as big data and artificial intelligence. But there are also positive evolutions and raising awareness is just one of them.
As the risk and attack surface is growing and we step into a world of more big data, algorithms, AI, technology, pervasive computing, the IoT and so on, we need to have an open debate, not run away from it – regulators and industries together indeed.
We also can’t assume something is safe. Recently we saw an interview with someone on blockchain technology, which is rapidly gaining attention. The fact that blockchain has proven to be secure, as the interviewee said, doesn’t mean it truly is and will be when deployed in various contexts. We can’t assume, and we can’t defend any technology whatsoever by shutting the doors on debates about its potential dangers, whether they are related to security, society or anything else.
We have seen warnings similar to Schneier’s before, of course, but, given the accelerating growth and scale of the use of digital technologies across all areas of society, we need people like Schneier to warn us and make us act before things go wrong. In fact, there is an increasing focus on thinking ahead in cybersecurity, among others enabled by… artificial intelligence.
At the same time many organizations still have to close those gaps between their awareness regarding security and their capabilities and realities in the here and now. But that’s for later contributions.