When protection is built into a program
Today, most means of protection are “mounted”. This means that information systems are designed separately from security systems. Protection is implemented on top of the infrastructure, like a network. But this approach does not always work, especially in post-COVID times, when the number of phishing threats has increased by 600%. Every day, mass media report about leaks, hacks, blackmail, and other cyber incidents. Standard protection is becoming scarce, so organizations have turned to a new and promising trend in cyber resilience – Security by Design (SbD). What is its essence and how does it help businesses?
How has COVID-19 affected cyber resilience?
A cyber-resilient organization can withstand cyber-attacks and recover quickly, without significant damage. Whereas cybersecurity combines tools and technologies that keep attackers away, cyber resilience focuses on addressing the business impact of attacks.
To implement cyber resilience, it is necessary to perform four important operations:
- protection,
- detection,
- response,
- recovery.
Cyber resilience shapes long-term thinking. An organization creates a fault-tolerant system that ensures business continuity.
Even though the number of cyberattacks is growing together with the increasing number of applications, IoT devices, and Internet users, a real cyber boom occurred in 2020. Attackers took advantage of the situation with COVID-19 and began to send out emails everywhere on behalf of the WHO. Alleged representatives of the organization offered to follow a link to get recommendations on combating coronavirus or read statistics for a particular region.
The next situation that created a stir among criminals was the transition of employees to remote work. This is where incidents with organizations that did not prepare VPN servers for possible attacks rained down. Corporate denial-of-service (DoS) attacks became commonplace. The attackers used corporate emails to send purportedly updated workplace policies concerning COVID-19 to remote employees.
For organizations, these risks can cost up to $3.9 million spent to cope with blackmail, $20 million in GDPR fines, financial losses due to downtime, and loss of reputation. That is why organizations should rethink their “cyber defense after incident” approach and move towards an embedded solution – Security by Design.
Infographic 1: https://www.amdhservicesltd.com/wp-content/uploads/2021/12/CyberResiliencyInfographic-scaled.jpg
Source: amdhservicesltd.com
Security by Design: what defines this approach to cyber resilience?
Security by Design refers to how organizations think about cybersecurity at the start of a project. Developers design an application in such a way as to reduce the number of vulnerabilities that can compromise the company’s security.
The security lifecycle is the same as the SDLC of a product: it starts with an idea and ends with delivery and support. During software creation, specialists constantly monitor possible cybersecurity risks and eliminate them.
Security by Design includes the following processes and practices:
- Checkpoints.
Checkpoints are temporary points in the software life cycle. At each point, the security of the system is assessed, and it is decided what to do next: continue the business or terminate the project.
- Actions.
These are the procedures that keep a system secure. For example, the same technical tasks that test the stability of the system are performed alongside software development.
- Plan.
A plan defines the steps that need to be taken when creating software to achieve the goal of Security by Design.
With the Security by Design approach, developers implement security early in the SDLC. System or application security is planned as part of the architecture from the start.
Security specifications are encoded in templates and ensure that the desired configuration is present. At the same time, if the infrastructure changes, it is not necessary to do an audit. An in-depth security assessment is also not required if infrastructure patterns change significantly. With Security by Design, there is less repetitive work to be done and more attention to real problems is paid.
Infographic 2: https://personalinteractor.eu/wp-content/uploads/2015/11/secure-by-design.jpg
Source: personalinteractor.eu
Principles of Security by Design
For Security by Design to function, you need to keep to its three principles.
Principle 1. Minimum attack surface area.
An attack surface includes all external points of entry and communication of the system. The attack surface can be associated with:
- software (OS, libraries, read/write access);
- a network (open ports, active IP address, network flows, protocols);
- a human (phishing, social engineering).
A defense system with a wide attack surface is more vulnerable to cyber threats because it is more difficult to set up. When all entry points are defined, it is worth involving proven monitoring and protection tools. A very complex and vulnerable security system should be constantly assessed for reliability.
To reduce the attack surface, it’s important to strengthen defense and close underused services and ports. This will limit the likelihood of remote interaction with this system.
Principle 2: Least privilege.
The administrator should only have access to certain administrative zones. Tasks, roles, and rights should be distributed between employees who interact with a corporate network. When the environment is partitioned, it is more difficult to compromise it. Even if an attack occurs, it will have limited consequences.
Principle 3. Defense in depth.
Defense in depth means that a combination of security methods or tools is used to prevent hacks. To set up such a defense, you should take the following steps:
- set security goals;
- create a system architecture to define control and evaluation points;
- develop a defense policy;
- regularly monitor the protection against attacks.
Infographic 3: https://blogs.sap.com/wp-content/uploads/2021/11/2sec.jpg
Source: sap.com
Why is Security by Design important for companies?
Security by Design is important for the following reasons:
Security is harder to implement in an evolving system
Moreover, it may take time and additional funds to correct the problems that have arisen in the reliability of a system. In a competitive environment where time to market can make or break a business, leaders are looking to accelerate product development. Therefore, the development and testing of cybersecurity are often ignored, because they consider it unnecessary work.
But such a rush will result in security problems and even greater costs in the future. Experts say that addressing protection issues at an early stage costs 100 times less than at a later stage. Companies that provide cybersecurity resilience services can help you avoid this waste.
Popular IoT devices are not always reliable
Users are buying IoT devices for their homes more often and trust them with personal information. But this trust is not always proven efficient.
Hackers exploit consumer devices’ weak security and 24/7 connectivity (toasters, washing machines, or webcams). Even though IoT devices have limited power and memory, they can be gathered in botnets into a huge army of robots. Compromised devices are used to hack into equipment on the same network, steal personal data, or perform other illegal activities.
The number of cyberattacks is growing
There are at least 20 types of cyber attacks in the world, and this list is regularly updated with new advanced types. Approximately 300,000 items of malware are generated daily by cybercriminals and a hacker attack occurs every 39 seconds. Moreover, both small and large organizations suffer from such incidents.
This statistic suggests that Security by Design will soon be no longer a recommendation but a vital part of the cybersecurity resilience of companies of all levels and sizes.
Conclusion
The pandemic has forced businesses to go online and embrace digital business practices. As business models become dependent on technology, companies should pay more attention to cybersecurity and increase investment in tools for reducing cyber risks.
One-size-fits-all cybersecurity solutions are rarely appropriate for specific organizations with different IT infrastructures. Therefore, it will be better to have a reliable cyber security partner – an IT company that will conduct cyber resilience assessment and create a custom solution to protect company assets.
