04.12.2019
Security by design: the new cyber security paradigm
We are living in remarkable times as ongoing digitalization transforms the world in which we live. It is estimated that by 2025, an average person will interact with connected devices around 4,800 times per day – that’s one interaction every 18 seconds. This speed of innovation is, however, also expanding the ‘attack surface’ and creating opportunities for threat actors to reach what is one of organizations’ most valuable assets: their data. Cyber security must therefore be integrated into the fabric of organizations: in other words, organizations must be secure by design. Security by design introduces agile security controls that can adapt to changing digital environments and is based on the following four elements: an understanding of the threat landscape; people; scalability; and speed. In addition, security by design must be underpinned by a robust ethics framework.
Understanding the threat landscape
Cyber criminals and state-sponsored actors are using innovative techniques to steal data, commit fraud, extort money and paralyze critical national infrastructures.
2017 was the year of ransomware. 2018 was the year of cryptojacking, as well as hardware flaws such as Spectre and Meltdown. In 2019, these cyber threats are still going strong: malware used to process cryptocurrency transactions using other people’s computing power remains popular and variants in ransomware have increased nearly 50% since 2018. In addition, we are still facing vulnerabilities that are ‘wormable’, which means, for example, that patches issued for existing vulnerabilities may still be leveraged by cyber criminals to create the next Wannacry or NotPetya. Hardware flaws spawned more attacks and 2019 brought new cyber threats into the spotlight, such as Domain Name Service hijacking campaigns (to steal data by diverting traffic to spoof websites), inter-cloud attacks and cross-platform malware that moves from IT environments to industrial platforms, or vice versa.
In future, we will see more threat actors harnessing AI to launch ever more sophisticated attacks. It is, therefore, undeniable that traditional cyber security methods will not be a match for attacks perpetrated by smart machines: the need for cyber security by design is urgent.
People
Security by design should focus on people as much as technologies, and organizations need to ensure that all their employees are cyber aware and cyber vigilant.
Organizations lacking the necessary human as well as technological cyber security resources struggle to keep their security teams updated on the latest threats and technologies. Organizations should therefore identify expert partners who can walk this journey with them.
With an undeniable shortage of cyber security skills, it is predicted that by 2022, around 1.8 million cyber security jobs will be unfilled. As Europe’s number one cyber security provider, Atos is active in addressing this challenge. With over 5,000 cyber security professionals and 14 security centers, we operate dedicated cyber security skills recruitment and development programs – including our Cyber Academy and Digital Growth Network in Cyber Security.
Scalability
With the move to cloud and the arrival of a hyper-connected world, organizations need flexible and scalable cyber security solutions and services. For example, the adoption of edge computing (whereby vast computing power is transferred out into the network) is accelerating; swarm computing will be yet another major transformation, bringing together edge, multi-cloud and Internet of Things devices into highly distributed, hyper-connected computing environments.
New cyber security solutions will be orientated towards data-centric security, whereby the data itself is secured. Even today, advances in the use of strong encryption to protect data is in turn used to encrypt malware to avoid detection. In advanced prescriptive security environments, security controls will self-adapt to the changing threat landscape, all interconnected by prescriptive Security Operations Centre and security analytics either at the edge or in the cloud.
Cyber security specialists are also preparing for the quantum revolution by adopting quantum-safe encryption and leveraging the vast power of quantum computing to improve cyber security analytics for detection and response.
Speed
Cyber security should never slow down or block digital transformation, with security by design empowering organizations on their digital journey.
At the same time, the speed of cyber security innovation is so fast that organizations sometimes find themselves investing in a technology only to soon discover another that is more effective or efficient. Moving to procuring cyber security ‘as a service’– instead of having to maintain their own cyber security infrastructures – will better enable organizations to adapt to changing challenges and threats and optimize the cost-efficiency of cyber security.
Instinct and intelligence
Security by design must be underpinned by a robust and evolving ethics framework. Data privacy and ethics are shaped by the changing regulatory landscape, with clear warnings from governments and others about the need for auditability and transparency in AI algorithms. Directing the power of AI is as much about what AI should do, as what it can do.
Organizations must therefore adopt an ethical framework that will guarantee that ethics and privacy controls are implemented throughout the data lifecycle, including the programming and adoption of AI and automation.
Given the pervasiveness and power of AI, the future of cyber security itself will be AI-powered, thwarting complex attacks and leveraging the best defense mechanisms to win the battle. Success will be thanks to the careful balance between instinct and intelligence and between human and machine – working together to protect people and infrastructures.