Original Dutch article: http://my.socialtoaster.com/splash/cjbRT/ written by Annelies Heuvelmans
The year 2020 has just begun, and Security Management already spoke with several cybersecurity experts about the threats, but also the innovations that will turn the tide, that we must take into account in 2020. One of the essential points you have to keep in mind is the employee, as they have a crucial role. If it does not recognize the importance of proper security, then even the best security policy will fall like a house of cards.
“In recent years, cybercriminals have discovered the world of operational technology (OT),” says Bastiaan Bakker, director of Business Development at Motiv. For example, the Operational Security Trends Report from Fortinet shows that as many as 77 per cents of all OT managers have been dealing with malware in the past 12 months.
Bakker explains: “One of the reasons for this is the far-reaching professionalization of the criminal circuit. Cybercriminals are forming teams with specialists who make clever use of vulnerabilities within companies. Government-driven hacking groups are also active in carrying out attack and damage techniques within OT. We, therefore, see that the demand for specialist security of operational technology is quickly increasing. Given the high degree of dependence on operational systems, which, for example, regulate our electricity and drinking water supply, security plays a crucial role. However, the environments differ significantly from traditional IT environments. OT environments are often less easy to replace because of usually old legacy and the high complexity of the domain.
“Employee awareness is an important part.”Bastiaan Bakker, Director of Business Development at Motive
The first step is to map your OT environment. Where do you see links between your IT and OT environments? And who has access to what? The management, as well as the authorization, must be set up well and mature. Employee awareness is an essential part of this. You can equip your environment with the best security solutions. Still, if your staff is insufficiently aware of the crucial role they play as gatekeepers of the company, this investment is of little use.”
Mats Ros, managing security and privacy consultant at IT service provider Ilionx, agrees with this statement. “Apart from the technical enforcement of good security, we always come back to one point in the IT world: people are the weakest link. After all, people make mistakes. Of course, there are already enough solutions and tooling to instruct people and lift them to a higher level of consciousness, but taking your employees with them is more complicated. What I notice is that only fifty percent of employees get started with this tooling. That is, of course, way too low. The other half does not see the importance of it and is therefore much quicker susceptible to a phishing email.
“By using gamification, the support base will grow, and it makes the tooling more fun.”Mats Ros, Managing security and privacy consultant at IT Service Provider Ilionx
By using gamification – a game component that employees challenge to measure up with their colleagues on a scoreboard – the support base will grow, and it makes the tooling more fun. For example, we developed a solution for our own ISO 27001 certification that precisely ensures this.
The SaaS solution, including point counting, looks at how many questions you have answered and how often you give the correct answer. Employees can compare their results with colleagues, but this can also be disabled. Achievements and certificates make this even more fun. For example, someone who completes a quiz at night earns the ‘night owl’ achievement. In this way, you playfully raise the support base and make your employees aware of the much-needed contribution they make to keeping the organization safe.
Dirk Geeraerts, regional director for cloud protection and licensing activity at Thales, sees a future without passwords: “The time when the use of passwords only offers sufficient protection is far behind us. Seventy percent of employees reuse passwords from work and personal accounts. Unsurprisingly, 81 percent of hack-related data breaches start with a user’s identity, such as a weak or stolen password. In 2020, a world without passwords will become more and more reality. “
Geeraerts continues: “Until now, multi-factor authentication has been the most apparent solution for tackling the password challenge. Access is granted to a user based on his identity, something he owns, and something he knows. Although this method is more secure than the traditional password, it is less user-friendly due to the time-consuming operations. Access Management solutions with password-free security offer a solution.
There is never a one size fits all solution.Dirk Geeraerts, regional director for cloud protection and licensing activity at Thales
PKI or a one-time password via a token or device that is used to give users access, in combination with biometric data or a PIN. It offers a solution to the vulnerability of traditional passwords. Also, organizations can thereby increase the ease of login and user-friendliness. However, it would be best if you did not forget: even with this form of authentication, there is never one size fits all. It is always important to match the authentication method to the security needs to ensure the highest level of security.”
Organizations see the necessity and have the financial room to invest in security, but they lack the people to make security solutions profitable. “We also see an increase in the demand for managed security services, with which organizations are entirely relieved. This trend will intensify in the coming years. We also see the rise of automation of security. Simple incidents can be automatically handled so that engineers can focus on complex incidents. This also compensates for the shortage of security engineers, “said Twan van Ravestein, Cyber Security Expert at Telindus.
In 2020, more and more organizations will embrace the zero trust principle and view the network without a perimeter.Twan van Ravestein, Cyber Security Expert at Telindus
“Automation takes place along different axes in 2020. With artificial intelligence and machine learning solutions, you can set up the analysis of network traffic in such a way that deviations and strange behavior can be detected quickly within the business context of the customer.
You are then able to automatically take the right measures to, for example, repair leaks. Systems for User Behavior Analytics (UBA) and Security Orchestration, Automation, and Response (SOAR) are becoming increasingly sophisticated. Finally, in 2020, more and more organizations will embrace the zero trust principle and view the network without a perimeter. In the cloud age, you can certainly no longer speak in terms of a secure internal network and the insecure outside world. This awareness will penetrate many boardrooms,” concludes Van Ravestein.