This article was written by Roger Camrass, Director of Research for CIONET International, and is based on conversations during a virtual event on how to manage the escalating cyber risk. The event was sponsored by Zscaler
The move to hybrid working and multi-cloud services has expanded cyber threat vectors dramatically. Recent developments around the globe such as war in the Ukraine have further exacerbated this situation. As a result, state actors and cyber-criminals have intensified their efforts to disrupt corporations and damage critical infrastructure. As attacks become more frequent, legacy approaches such as firewalls may fail to meet the current challenges. It is time to re-evaluate cyber defences.
According to Christoph Heidler, head of transformation strategy at Zscaler, organisations need to introduce a new approach based on Zero Trust to protect themselves from a growing number of state actors and criminals.
Christoph made an interesting comparison between modern public telephone switching networks where anyone can connect to a chosen third party without encountering controls, and the earlier days of telephony where calls could only be made by operators who set up connections and often listened into calls. This guaranteed tight security over all person-to-person communications. The latter scenario mirrors what Zscaler is advancing with Zero-Trust as today’s best practice.
State actors such as Russia, Iran, North Korea and China have always been in the attack front line. Being state funded they use the most sophisticated tools and innovate at rapid pace. Global uncertainties have fuelled higher levels of attack in recent months, especially from Russia and China. The situation can only get worse. Inflation and recession will encourage more criminal activity at home as well as abroad.
Meanwhile the cyber defence sector is learning fast. Companies such as Zscaler are building powerful capabilities such as Zero Trust platforms with careful attention to ID management. We can expect that Quantum Computing will be deployed by state actors within a few years, breaking every conceivable defence. Innovation is needed in both the supply and customer segments to stay ahead of such aggressors.
Several delegates spoke about their experiences dealing with boards. The feeling was that cyber itself does not resonate well with non-technical peers, only the broader aspects of risk mitigation appear to be relevant for discussion. Some delegates spoke about the need to include IT and Cyber in the corporate risk register. This requires quantification of risk and detailed risk mitigation procedures. Not all organisations or sectors have achieved this today.
Budgets for cyber defences vary widely between sector, for example financial services spends up to 20% of IT budget on security.
Boards do recognise that the world has become extremely volatile, and that business resilience is a key imperative. Attacks will occur so organisations must be prepared to respond quickly to reduce their impact on operations. Ukraine and global supply chain disruption are damaging business confidence. Tighter governance measures are required, especially in defending against cyber-attack.
One delegate suggested that CISOs should train to become story tellers rather than technical analysts. Boards respond well to stories even though they may touch on technicalities.
Many examples were given of transformational changes taking place within IT itself that opens the door for higher attack levels:
Many of these additional risk factors can be addressed by tighter governance. At the design stage, procedures such as DevSecOps can build security into new applications and reduce both design costs and chances of attack. The move by some organisations to integrated (or more centralised) governance of IT can also help reduce vulnerabilities by imposing standard frameworks. Government seemed to be well placed here through a combination of support from NCSC, GCHQ and frameworks that are being promoted by cabinet office.
All delegates accepted that attacks cannot be reduced to zero however strong defences may be. Organisations must seek to understand and quantify the risk of cyber attacks and take advice from regulators to stay within acceptable guidelines. One delegate stressed the need to build detailed inventories of IT assets such as software, hardware and data. By knowing what you have, risk mitigation becomes more of a science than an art.
Both Zscaler and delegates offered much practical advice on how to deal with cyber attacks and reduce business risk:
Did you enjoy this report so far? Join the CIONET Community to continue reading this report alongside five key take-aways. A leading European, peer-to-peer networking. We currently welcome more than 10,000 members from across the globe.