Mark Brown, Global Managing Director at BSI Cybersecurity and Information Resilience, discusses cybersecurity awareness, challenges in the industry and the development of a comprehensive programme to alleviate cyber-attacks.
As cyber-attacks cost the global economy hundreds of billions of dollars each year, BSI Consulting Services are committed to countering the threat. The company has invested heavily to expand its global expertise and deliver services that enable its clients to respond better to cyber threats and build greater resilience, through cybersecurity awareness, training courses, consultancy, and related services.
The cybersecurity industry and its challenges
What cybersecurity challenges are currently being faced by businesses and households?
The lack of understanding about cybersecurity is still a major current challenge. A great example is the Internet of Things (IoT) devices; we went from 10 smart devices per house in 2020 to 50 in 2021. It is clear that people love their smart technology, but do they know how dangerous these devices are from a cybersecurity perspective?
The same holds true for businesses: more and more smart technology is being added to various industries, but again there is a lack of understanding of the nature of IoT, which is not secure by design. The blind trust comes from the nature of the device; it is “smart,” therefore leading to the belief that it has to be “secure.” Businesses and households will see a rise in cyber-attacks and need to understand these attack vectors and mitigate IoT risks. It starts with passwords, strong Wi-Fi security, and the fundamental question, “Do I need this device?”
How has the field of cybersecurity developed in the last few years and how do you anticipate it changing in the future?
The most significant change has been in higher education; you can earn various degrees in the field of cybersecurity. There is a whole new generation coming into the cybersecurity field with a textbook start where many of us had to learn on the job, react and grow organically. These professionals already have a working knowledge of policies, standards, and regulations, creating common ground as they step into their cybersecurity careers. Combining both those knowledge sets and perceptions will help create a more secure world.
Is it necessary for the government to implement policies to tackle cyber-attacks and educate the public on cybersecurity?
Governments should implement policies and put regulations in place as this would introduce a common rhetoric for people and businesses to speak about cybersecurity. The public needs to be aware of the dangers of cyber-attacks as people will protect things they care about. The issue thus becomes how to incentivise a population to care about cybersecurity when it still feels like science fiction. At the core of this challenge is creating a common framework and language that drives understanding and, ultimately, action.
BSI’s role in cybersecurity and awareness
What is BSI offering in the field of cybersecurity and cybersecurity awareness?
October was Cybersecurity Awareness month and BSI considers cybersecurity awareness to be a key pillar of any organisation’s security programme. Research shows that the human element is a factor in the majority of successful breaches, and it is estimated that by 2025, 99% of cloud security failures will be the customers’ fault. From misconfigured devices and incorrect access settings to inadvertent clicking on links and attachments within emails, organisations have a duty of care to their stakeholders to ensure their team members have the appropriate training provided, as well as a programme of continuous learning and improvement in place.
We are a Proofpoint accredited partner and can assist organisations in creating custom security awareness programmes, continuous assessments, and detailed reporting to ensure those team members being targeted have the knowledge and tools available to deal with attacks and that management have the information they need to make informed risk management decisions.
Do you believe there is more for companies like BSI to do in terms of cybersecurity awareness? How do you see the company moving forward in the future?
We are actively working to get the message across that irrespective of how good an organisation’s technologies, processes, policies, or procedures are, without the required level of staff awareness and sense of responsibility, incidents will occur. We are seeing a constant evolution of threat intelligence and integration between our technology partners that allow for informed, automated, and orchestrated decisions to be made and enacted. For example, where your email security and security awareness platforms are linked as Proofpoint’s are, then as email threats increase on specific targeted staff members their security awareness posture is automatically modified to a higher state to ensure they receive the right training and assessments to meet those threats.
Reducing the risk of cyber-attacks
What is Payment Card Industry Data Security Standard?
PCI Security Standards are developed specifically to protect payment account data throughout the payment lifecycle and to enable technology solutions that devalue this data and remove the incentive for criminals to steal it. They include standards for merchants, service providers, and financial institutions on security practices, technologies, and processes, as well as standards for developers and vendors for creating secure payment products and solutions.
Why is it important for organisations to implement PCI DSS?
Organisations should implement PCI DSS in order to reduce the risk of a credit card breach by reducing the risk of successful cyber-attacks, reduce associated fines, retain lower transaction fees, and reduce the likelihood of being cut off from card processing networks.
How can BSI assist with the implementation of PCI DSS?
BSI Group has a global Payment Card Industry Data Security Standard (PCI DSS) presence and our PCI Qualified Security Assessors (QSAs) verify that the standard is being adhered to and ensure that organisations truly realise the return on security investment the standard provides. As PCI DSS consultants we understand the desire for low friction and continuous secure delivery. We work collaboratively ensuring organisations meet their PCI DSS compliance objectives by leading you through the PCI journey from initial review to full alignment with the standard in the most efficient and least intrusive manner possible.
What are the core principles of Zero Trust Network Access?
Effectively, Zero Trust Network Access (ZTNA) is where inherent trust in any network component is removed and thus an assumption is made that the network is compromised.
There are a number of core principles which can be summed up as “Trust nothing, verify everything” and are summarised as follows:
- Ensure you have detailed knowledge of your users, devices, and services
- Authenticate and authorise everywhere
- Focus on and monitor all identity management components including users, services, and devices
- Ensure a comprehensive policy management platform is in place, ensuring all requests are authorised by policies that can be locally managed with global distribution
It should be borne in mind that zero trust is a journey, not a destination, and that this journey should be undertaken in phases to maximise protection whilst minimising implementation risks.
How can ZTNA assist with the digital transformation of an organisation?
ZTNA provides organisations that have completed or are executing a digital transformation strategy with the security coverage they need to complete their investment with peace of mind. Moving from a fixed perimeter security architecture to a perimeter defined by users, applications, and devices, ZTNA protects any user connecting from any device at any time from any location by employing adaptive, contextual, and identity-aware access to applications with reduced implementation times and attack surfaces.
What can ZTNA offer that cannot be delivered by VPN?
A virtual private network (VPN) allows, once authenticated, unrestricted access to an internal network, i.e., the network is trusted. This allows potentially compromised users, or indeed malware, to move laterally across the internal network to look to gain escalated privileges, identify sensitive data, and ultimately make their way to the domain controllers. In addition, as well as improving security, the user experience is improved: users no longer need to log on and establish VPN credentials to create the secure tunnel on a daily or more frequent basis, and they also see an improvement in network performance, as they can avail of their local internet breakout point as against a backhaul to the organisation’s VPN infrastructure.
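The contrast drawn above between a VPN (trusted once authenticated) and ZTNA (every request authorised against identity, device posture and service policy, as the core principles listed earlier require) can be illustrated with a small policy evaluator. This is an added example written for this page, not code from the interview or from BSI; the users, devices, services and policies are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    service: str
    mfa: bool  # whether the session presented a second factor (constructed context)

# Constructed inventory: the "detailed knowledge of users, devices and services"
# that the first ZTNA principle calls for.
USERS = {"alice": {"role": "finance"}, "bob": {"role": "engineer"}}
DEVICES = {"lap-01": {"managed": True, "patched": True},
           "byod-07": {"managed": False, "patched": True},
           "lap-02": {"managed": True, "patched": False}}
SERVICES = {
    "erp":  {"roles": {"finance"}, "managed_only": True, "mfa": True},
    "wiki": {"roles": {"finance", "engineer"}, "managed_only": False, "mfa": False},
    # Constructed domain controller: no ordinary role is ever authorised.
    "dc01": {"roles": set(), "managed_only": True, "mfa": True},
}

def vpn_access(request, authenticated_users):
    """VPN model: a user who has authenticated once can reach every internal service."""
    return request.user in authenticated_users

def ztna_access(request):
    """ZTNA model: each request is authorised on identity, device posture and service policy.
    Returns (allowed, reason) so a log line can record why a decision was made."""
    user = USERS.get(request.user)
    device = DEVICES.get(request.device)
    service = SERVICES.get(request.service)
    if user is None or device is None or service is None:
        return False, "unknown identity, device or service"
    if not device["patched"]:
        return False, "device posture check failed"
    if service["managed_only"] and not device["managed"]:
        return False, "service requires a managed device"
    if user["role"] not in service["roles"]:
        return False, "role not authorised for service"
    if service["mfa"] and not request.mfa:
        return False, "service requires MFA"
    return True, "allowed"

def lateral_move_comparison():
    """Same authenticated user trying to reach the domain controller under both models."""
    attempt = Request("alice", "byod-07", "dc01", mfa=True)
    return {"vpn": vpn_access(attempt, {"alice"}), "ztna": ztna_access(attempt)[0]}
```

Under the VPN model the authenticated user reaches the domain controller; under the per-request model the same attempt is refused, and the reason string gives the monitoring team something to alert on.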