
Five priorities for a cyber security strategy

As cloud security is now highly mature in certain regions around the world, such as in the US, organisations in the GCC can benefit from this body of knowledge to avoid mistakes made by early adopters

Dimitrios Petropoulos is a partner for cyber at KPMG Lower Gulf Limited

According to a global study, CEOs reported cyber security risk as the number one threat to their company’s growth over the next three years. This represents a significant increase from fifth place in 2020, and places it ahead of regulatory, tax and supply chain risks. To combat it, organisations would do well to focus on five priorities for 2022: the cloud, security automation, the supply chain, resilience strategies, and the adoption of a zero-trust policy.

Adapting security for the cloud  

Cyber security and cloud security are gradually becoming synonymous. The cyber security principles of data protection, identity and access management, infrastructure security, vulnerability management, and security monitoring are all applicable to cloud environments. The ‘what’ and the ‘why’ have not changed much, but the ‘where’ and the ‘how’ have. What is different now is the operational environment and the various types of technology available to build security posture.

As cloud security is now highly mature in certain regions around the world, such as in the US, organisations in the GCC can benefit from this body of knowledge to avoid mistakes made by early adopters.

In addition, organisations willing to consume security as a cloud service will also find that the services available can offer credible solutions that align well with today’s hybrid working from home (WFH)/in-office models.

Leveraging security automation

Security automation becomes even more important in the era of hyper-virtualised environments of software-defined networks, storage and cloud. These ecosystems can only be effective with high degrees of automation. Where infrastructure is defined in code, manual orchestration can create bottlenecks, friction and higher risk of misconfiguration due to human error. Automation may help shift the identification and mitigation of vulnerabilities to earlier stages in the system development lifecycle.

As demand for cyber security professionals far outstrips supply, the proliferation of cyber threats is stretching security teams. An organisation’s ability to leverage security automation will enable it to respond faster and also free up talent to focus on higher cognitive tasks.

Securing the supply chain

Becoming a digital-first organisation implies a data-centric approach in which data is shared on a near-constant basis throughout a complex and connected ecosystem of partners and suppliers. This data fluidity between third, fourth and fifth parties can create numerous opportunities for threat actors to compromise systems and data. In 2021, there was an increase in the number of cybercrimes targeting supply chains and networks of organisations and governments.

Encrypted threats of all types globally rose by 167 percent (to 10.4 million attacks) in 2021 compared with the previous year, while ransomware attacks rose by 105 percent to 623.3 million attacks. A chain is only as strong as its weakest link—hence cyber security of the supply chain becomes mission critical for service continuity.

Accelerated digital transformation augments the risks of an ever-expanding third-party ecosystem. Organisations face the challenges of identifying, negotiating, agreeing to and implementing ways of shifting from the traditional periodic compliance-based assessments of their supply chain to new paradigms that revolve around proactive continuous monitoring and assurance of the supply chain’s security posture. 

Reframing cyber resilience

Despite the best efforts of cyber security teams, breaches still happen as the asymmetry between attackers and defenders stacks the odds in the attacker’s favour. Defenders need to mitigate all vulnerabilities, whereas an attacker only needs to find one chink in the armour. This requires a mindset shift from merely focusing on prevention to equally valuing timely detection, containment, eradication and recovery. Organisations should work on sustaining business continuity in the face of cyber adversity lasting multiple weeks, while also managing media, regulatory and public attention.

The chief information security officer (CISO) and their team cannot ensure cyber resilience without the active support of senior management and business stakeholders. It is therefore critical that business leaders participate in the cyber resilience conversation and are trained to act appropriately when cyber incidents occur.

Zero-trust policy

Until relatively recently, security was implemented by stacking controls at the border of the organisational perimeter, treating anything within the perimeter as trustworthy and anything beyond it as untrustworthy. Efforts were focused on stopping outsiders from getting in, while ‘trusted’ insiders were allowed to roam freely on the estate. This paradigm had flaws even then and was aptly called ‘the candy security principle’: hard and crunchy on the outside but soft and chewy on the inside.

This traditional model is clearly not fit for purpose in an era when many organisations are being turned inside out: corporate applications and data are hosted outside the secure perimeter (e.g. in the cloud) and users are highly mobile.

‘Zero trust’ involves taking the zoning model to its logical extreme, with every asset being in a zone by itself, where trust is no longer conveyed or assumed by virtue of location, but validated, verified and continuously assessed.

The security principles underpinning zero trust are borderless design, context awareness, dynamic access controls, active risk analysis and real-time monitoring. The concept of identity has become the de facto new perimeter.
