Cybersecurity by Design

17 September 2022

We are living in a continuously digitising world in which ever more aspects of our lives are governed by IT processes. The rapid adoption of IT means that cybersecurity incidents are on the rise (ENISA, 2022). Governments and organisations alike are investing in efforts to raise cybersecurity awareness. For example, people are being trained to treat emails carefully, especially if they contain a link or a file. This increased cybersecurity awareness is expected to reduce the risk of cyber incidents. However, research calls the effectiveness of these awareness strategies into question: studies show that the long-term changes in individuals' digital behaviour brought about by such campaigns are small (Bada et al., 2019). Given that awareness alone does not stop the users of IT systems from compromising cybersecurity, another approach is required.

The cybersecurity by design (CSD) model changes the assumption on which the awareness model operates. Instead of assuming that awareness will prevent people from making mistakes, the CSD model assumes that individuals will make mistakes regardless. The question for software developers then becomes: how can I develop my software so that the risk of compromised cybersecurity is mitigated even when careless users operate it? Major software companies such as Microsoft and Google have already designed their software with this question in mind. In Outlook, emails from unverified senders are displayed in a protected mode in which links, images, and files are disabled. This prevents users from mindlessly opening a link or downloading a file, either of which could be harmful. Naturally, the user has the option to mark the sender as verified, thereby enabling the content. Another implementation of the CSD model can be found in Google Chrome. Google maintains a list of websites that might expose users to malware or phishing. When users try to navigate to a potentially harmful website, a warning message is displayed and they are prevented from entering. Here too, users have the option of navigating to the website despite the warning.
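The two behaviours described above (protected mode for unverified senders, and a warning interstitial for risky URLs) can be expressed as a small secure-by-default policy. The following Python is an added illustration written for this page; it is not Microsoft's or Google's code, and the sender list, the risky-host list and the sample message are all constructed for the example. Real browser feeds match hashed URL prefixes rather than plain hostnames, which is a simplification assumed here.

```python
"""Secure-by-default rendering of untrusted email content (added illustration).

Models the two 'cybersecurity by design' behaviours the post describes:
  * Outlook-style protected mode: for senders the user has not verified,
    links, images and attachments are disabled until the user opts in.
  * Chrome-style warning: navigation to a URL on a known-bad list is blocked
    unless the user explicitly proceeds.
All data (sender list, risky-host list, sample message) is constructed.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass
class Message:
    sender: str
    html_body: str
    attachments: list = field(default_factory=list)


class ProtectedModeRenderer(HTMLParser):
    """Rewrites HTML so that active content is inert when protected=True."""

    def __init__(self, protected: bool):
        super().__init__(convert_charrefs=True)
        self.protected = protected
        self.out = []
        self.disabled = {"links": 0, "images": 0}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.protected and tag == "a" and "href" in attrs:
            self.disabled["links"] += 1          # keep the text, drop the target
            self.out.append('<span class="disabled-link">')
            return
        if self.protected and tag == "img":
            self.disabled["images"] += 1         # no remote fetch, no tracking pixel
            self.out.append("[image blocked]")
            return
        rendered = " ".join(k if v is None else f'{k}="{v}"' for k, v in attrs.items())
        self.out.append(f"<{tag} {rendered}>" if rendered else f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)        # void elements such as <img .../>

    def handle_endtag(self, tag):
        if self.protected and tag == "a":
            self.out.append("</span>")
            return
        if self.protected and tag == "img":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def render_email(msg: Message, verified_senders: set) -> dict:
    """Render a message; protected mode is the default for unknown senders."""
    protected = msg.sender.lower() not in verified_senders
    parser = ProtectedModeRenderer(protected)
    parser.feed(msg.html_body)
    parser.close()
    return {
        "protected": protected,
        "html": "".join(parser.out),
        "attachments": [] if protected else list(msg.attachments),
        "disabled": dict(parser.disabled),
    }


# Constructed stand-in for a Safe Browsing style feed (hostnames, not hashed prefixes).
RISKY_HOSTS = {"login-verify.example.net", "free-prizes.example.org"}


def navigate(url: str, user_proceeds: bool = False) -> str:
    """Chrome-style interstitial: block risky hosts unless the user overrides."""
    host = (urlsplit(url).hostname or "").lower()
    if host in RISKY_HOSTS and not user_proceeds:
        return "blocked"
    if host in RISKY_HOSTS:
        return "proceeded-despite-warning"
    return "allowed"


# Constructed sample message from a sender the user has never verified.
SAMPLE = Message(
    sender="accounts@login-verify.example.net",
    html_body='<p>Hi, <a href="https://login-verify.example.net/x">confirm</a> '
              '<img src="https://login-verify.example.net/pixel.gif"></p>',
    attachments=["invoice.pdf.exe"],
)

if __name__ == "__main__":
    print(render_email(SAMPLE, verified_senders={"colleague@example.com"}))
    print(render_email(SAMPLE, verified_senders={SAMPLE.sender}))
    print(navigate("https://login-verify.example.net/x"))
```

The design point is that the safe state is the default and the user action (verifying a sender, proceeding past the warning) is the explicit exception, so a lapse in attention leaves the user in the protected state rather than the exposed one.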

Both examples show how software developers can help their users navigate the digital world more safely. The CSD model therefore shows great promise for making the digital world a safer place. However, it cannot do so all by itself. Despite the criticism that the awareness model has faced, I am convinced that it can work well together with the CSD model. Being made aware of risks can always add value, especially in a CSD-proof environment. A CSD-proof environment can shield users from potentially dangerous content, but it is up to the users themselves to make the final risk assessment, and awareness campaigns can help them do so. Ultimately, it is the right balance of CSD-proof software and user awareness that adds up to safe navigation of the digital world.

Sources:

Bada et al., 2019, 'Cyber Security Awareness Campaigns: Why do they fail to change behaviour?', International Conference on Cyber Security for Sustainable Society, accessed 10 September 2022, https://arxiv.org/abs/1901.02672

ENISA, 2021, 'ENISA Threat Landscape 2021', accessed 10 September 2022, https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021

Criminals working from home

9 October 2020

During the COVID-19 pandemic, the time we spend on our screens has increased drastically. Everything became remote, and most of our human interaction consisted of online contact. Instead of being able to speak with our colleagues, most of our face-to-face conversations turned into emails and Zoom calls. People who started a position while working from home may not even be able to recognise their colleagues if cameras were off during virtual meetings. Working from home became the new normal, but is this transition safe? Will the threat to our cybersecurity grow as we spend more time, and share more, online?

The need to keep our data safe online has become increasingly important during the pandemic, as we spend more time interacting online, share more information, and work from home. Remote working has already had an impact on the average cost of a data breach, increasing it by $137,000. Employees working on private home networks rather than secured company networks are left more vulnerable. The pandemic has also limited the number of activities we can enjoy outside our homes and left us with more spare time. For hackers, this time was not wasted: pandemic-related fraud reported in the US had cost around $114.4 million by mid-August 2020. Even when it comes to Zoom, our data has not been safe. In April, more than 500,000 users were victims of a breach, and the accounts were sold on the dark web. It is increasingly important for people to be aware of online threats, and for companies to ensure that their cybersecurity strategies sufficiently protect our data, both as consumers and as employees.

It has become increasingly attractive for cyber-criminals to attack as the value of data increases and we become more vulnerable. Individuals are not the only ones at risk; companies and other institutions have also felt the increase in cyber-crime. A laboratory at the University of California had its systems frozen and ended up paying 116.4 bitcoins ($1.14m) to the hackers. The system was worth the money to the laboratory, since it contained research relating to the search for a COVID-19 cure.

As more companies find ways to monetise data, there will be more money and value for cybercriminals to extort. There are many ways to protect ourselves, such as checking our emails for phishing, using an anti-virus, using a VPN, choosing strong passwords, enabling two-factor verification, and so on. However, even if we take the necessary steps to protect ourselves, we may still become victims. Facebook is constantly involved in data breaches and third-party misuse of users' information. In 2019, 267 million Facebook user accounts were compromised, with phone numbers and names obtained and then offered for sale on the dark web. Do you trust companies to protect our data? I believe cybercrime will become an increasingly important issue as we transition to hybrid ways of working in the post-pandemic life (hopefully). Are you concerned about cybercrime and the safety of your data?

Sources:

https://www.pandasecurity.com/mediacenter/news/covid-cybersecurity-statistics/

https://www.ibm.com/security/data-breach

https://mitsloan.mit.edu/ideas-made-to-matter/how-to-think-about-cybersecurity-era-covid-19

https://www.forbes.com/sites/zakdoffman/2020/04/20/facebook-users-beware-hackers-just-sold-267-million-of-your-profiles-for-540/

https://www.ft.com/content/935a9004-0aa5-47a2-897a-2fe173116cc9

https://www.telegraph.co.uk/news/2019/12/20/facebook-personal-details-267-million-users-exposed-online/

Cybersecurity budget increases, option or need?

10 October 2017

Just yesterday, the Dutch coalition negotiators reached an agreement on governing the country. One of the most interesting items in the agreement is the increase in the budget for cybersecurity. An increase to 95 million euros in the coming years seems necessary, but is it really?

With the growth of the digital economy, digital risks have grown too. Examples such as the WannaCry ransomware and the Cloudbleed leak come to mind. Both had a direct impact on businesses and private citizens alike. When these risks materialise they imply large costs for companies, far surpassing the cost of prevention. But there are large government risks too. In the US, 198 million voter records going back more than 10 years were publicly accessible, exposing a large cybersecurity risk. Closer to our borders we can point to the Macron campaign hack, in which attackers dumped 9 GB of emails from Macron's party to undermine his run for the presidency. While these risks may not imply large costs in euros, they put large social value at stake.

Cybersecurity has been increasingly in the news in recent years, and large companies seem increasingly aware of the threats. Average corporate security budgets are growing: where many companies in 2014 spent an average of 4-6% of their IT budget on security, by 2016 this had grown to an average of 8-10% of a (meanwhile) increased IT budget. The share varies by industry, with financial services leading at 12%, IT services at 7%, and education at a mere 1-3% (SANS, 2016).

What about governments? Do they follow the trend of spending on cybersecurity? According to the SANS Institute, governments on average also spend 7% of their digital budget on cybersecurity. Looking at the increase in the upcoming Dutch cybersecurity budget, the table below shows what spending by the leading countries in cybersecurity may look like as a percentage of GDP. The Netherlands will rise to 5th place internationally, just behind the UK, France, Denmark and Australia. The US leads the cybersecurity market by a large margin, driven mostly by its high military spending (HCSS, 2016).

[Table: "Spending on" (title truncated in the original); the table itself is not reproduced here]

Cybersecurity risks will keep growing as the digital economy takes a bigger share of the total economy each year. For governments, elections and citizens' private information are issues that demand more attention. As the Internet of Things grows, so do the risks that go hand in hand with it. With this new agreement the Netherlands seems to recognise these risks, showing Europe and the world that they should too.

Sources:

https://www.nu.nl/internet/4957952/tientallen-miljoenen-extra-cybersecurity-nieuwe-regering.html

HCSS, 2016: HCSS-Dutch-Investments-in-ICT.pdf (PDF linked from the original post)

https://financieel-management.nl/artikel/wereldwijde-uitgaven-cybersecurity-72-miljard-euro

https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697

[Figure: Top 3 Leading Cybersecurity Countries; image not reproduced here]

An On-Going Battle: Artificial Intelligence in Cybersecurity

14 September 2017

Whether we are aware of it or not, cyber-attacks are increasingly part of our daily lives, with the global, headline-grabbing ransomware attacks 'WannaCry' (May 2017) and 'Petya' (June 2017) being only the tip of the iceberg. For last month alone, Symantec reported the highest global spam rate (55.3 percent) since March 2015, alongside elevated web-attack activity and an increased email malware rate. In this situation, turning to artificial intelligence seems like a rational next step for enhancing cybersecurity, but it is actually far from a perfect solution.

The heart of the problem lies in the fact that artificial intelligence (AI) can be wielded both by cyber attackers and by everyone on the other side. Hence, while IT professionals use AI to automate and augment manual tasks (e.g. screening security incident logs), analyse data and look for anomalies that may hint at a threat, hackers could apply the same technology to process stolen consumer big data, enabling them to quickly identify and target the next victims. Without doubt, cyber criminals are turning machine learning (ML) to their advantage, whereas security experts wrestle with the drawbacks of current solutions (e.g. ML algorithms may struggle with data containing many overlapping points, or with abstract and unclear data points).

Another aspect of the situation is that most AI systems require human expertise, at the very least to manage exceptions, which leads us to the next obstacle: the global shortage of cybersecurity professionals. Frost & Sullivan forecast more than 1.5 million unfilled positions in the field by 2020, despite rising salaries, increased budgets, high job satisfaction rates and low rates of job change. Clearly, organisations must reconsider their workforce strategy, review their talent management practices and adjust their recruiting and hiring efforts accordingly.

Nonetheless, the outlook for AI in cybersecurity is bright, considering the advances in unsupervised learning and continuous retraining. Additionally, smart technologies such as biometric authentication and user behaviour analysis promise to cover a broad set of attack vectors, further enhancing AI-powered threat detection and mitigation.

Sources:

Symantec Security Response: Monthly Threat Report, https://www.symantec.com/security_response/publications/monthlythreatreport.jsp (Accessed: 2017/09/13)

Juliette Rizkallah: Is Cybersecurity A Second Coming For AI? https://www.forbes.com/sites/forbestechcouncil/2017/05/23/is-cybersecurity-a-second-coming-for-ai/#617606b7c400 (Accessed: 2017/09/13)

Simon Crosby: Separating Fact From Fiction: The Role Of Artificial Intelligence In Cybersecurity, https://www.forbes.com/sites/forbestechcouncil/2017/08/21/separating-fact-from-fiction-the-role-of-artificial-intelligence-in-cybersecurity/3/#572c3c392516 (Accessed: 2017/09/13)

Julie Peeler: Study: Workforce Shortfall Due To Hiring Difficulties Despite Rising Salaries, Increased Budgets And High Job Satisfaction Rate, http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html (Accessed: 2017/09/13)