Cyber-security is a business necessity
Statistics show that 93% of all large enterprises were targeted by cyber attacks in 2016 alone. “But cyber-security has become a complex issue as business has embraced the internet, cloud, and mobile working,” Nowak told the CyberSec European Cyber Security Forum in Krakow.
In developing a cybersecurity strategy, Nowak said organizations need to understand the most common aims of any cyber attack.
These are to stop the flow of data; disturb the flow of data; modify data; steal data; or discredit the targeted organization, in the public and private sector, including governments.
An important element of cybersecurity, said Nowak, is to ensure that enterprises, governments, and individuals all do their share in terms of keeping cyberspace secure.
“Just like someone who is infected with a virus can pass that on to someone else, any entity not following cybersecurity best practices can create vulnerabilities for others in the cyber community,” he said.
Therefore, Nowak said no individual person, business, organization or government can achieve cyber-security alone. “We need some national and international regulation; telecoms agreements because telcos provide the networks; inter-sectoral co-operation; and for governments, businesses, organizations, and individuals to all take responsibility for securing their part of cyberspace,” he said.
Focusing on the telecoms sector, Nowak said telecoms and service provider agreements are important because they have to have a comparable level of security.
“If one telco is going to react to a particular situation, partner telcos should be able to react at the same time and in the same way so that neither one’s actions undermine the other,” he said.
Customer care at the network level, not just at the device level, is also important, according to Nowak, to isolate customers from potential criminal activity.
In general, he said businesses should have a professional approach to cybersecurity that takes into account other users of cyberspace.
“This includes producing and selling secure products, so a company that produces smart TVs should ensure that their products are engineered in such a way that security is part of the design to ensure that connecting the TV to the internet does not expose users to risk,” said Nowak.
“Businesses need to change their way of thinking and pay more attention to the way they design products rather than creating products that can be manufactured as quickly and cheaply as possible,” he said.
Examining the internal network and external connections
To achieve a high level of cybersecurity in any business that is in compliance with regulations, Nowak said the first step is to examine the architecture of the internal network and external connections.
“Step two is to adopt an OSI model approach, because we should not concentrate only on the application level, or the network level or the data processing level. We must look at all levels because it is not possible to have connections between two computers or use services without going through each level, and so we should be looking at security at each level of the OSI model,” he said.
The third step, said Nowak, is incident management, which requires processes for detection, reaction, recovery, and protection for the people, procedures, and technology at play in any IT environment. “Businesses must pay equal attention to all these components, otherwise the incident response capability will not work properly or effectively,” he said.
With the people component in mind, Nowak said system developers need to have an understanding of security issues, which includes designing systems with security in mind and not only functionality. Staff responsible for cybersecurity must also be well trained, system administrators should be highly qualified and well supervised, and users should be aware of cyber risks.
Systems should be designed so that they will not work if correct procedures are not followed, he said. Finally, when it comes to technology, devices should be Trust-certified, there should be tools to monitor the status of network and services security, software should be resistant to unauthorised modification, and technology development should keep pace with the risks.
“Step four is ensuring security at every step of a system’s lifecycle because a security chain is only as strong as its weakest link,” said Nowak.
“We will have a lot of security problems as long as people are not informed of dangers, children are not educated on how to behave on a network, engineers design systems thinking only about functionality, architects consider only the efficiency and capacity of the network and security managers seek to solve security problems using only technology.”
An article by Warwick Ashford