In 2017, ransomware, phishing, and IoT attacks pummeled businesses. What security trends will emerge in the coming years? Malgorzata Zabieglinska-Lupa, ICT product manager, Comarch ICT, recently had the chance to speak to Paulina Swiatek, business solution manager, and Maciej Rosolek, IT risk & security department manager, about trends in the security technology market and what companies can do to protect themselves.
Malgorzata Zabieglinska-Lupa: Security is one of the fastest growing sectors in the IT market. The hot areas for security growth are security analytics, SIEM tools, threat intelligence, mobile and cloud security. Why is security always a catch-up game?
Maciej Rosolek: I’ll try to answer this question as illustratively as possible. Protective measures taken by security departments throughout the world can be compared to a dam on a river, with the river standing for malicious people’s activities. We build a dam to resist pressure from the river – applying best practices, available knowledge and experience.
Now having a dam, we feel safe, protected against a potential flood. After some time, the water will erode our dam. When the breaches are tiny, we can easily fix them, but as time passes there are more and more leaks, as water doesn’t give up easily and finds new cracks to go through. The situation arises in which it is impossible or uneconomical to fix our dam further. On the basis of the experience gained during fixing the first dam, we build another one which is stronger, tighter, and therefore safer. However, the river is relentless, it becomes more and more rapid, and after some time our dam starts to leak again. This is more or less how our work looks (by ‘our’ I mean security teams around the world).
According to best practices, knowledge and experience, we develop protection which is then penetrated by people who want to get to the other side. As a result of technological advances and the high computing power accessible to everyone, there are more and more tools which make it possible for hackers and crackers (malicious people) to drill tunnels in our dam, which must be fixed immediately.
Paulina Swiatek: The world of IT is rapidly changing; the quickest changes can be seen in the development of intrusions and attack methods. Sometimes it seems that hackers are the fastest learning IT sub-group. Hence, security could be seen as a catch-up game. To anticipate an attack, we must be a step ahead of the hackers. Of course, it is difficult to achieve this without the appropriate expenditure on employee training and investment in IT infrastructure. This is why it might be said that, in this game, the success of a hacking attack may be related directly to the time and money that will be spent on this purpose.
Malgorzata Zabieglinska-Lupa: Have you seen any major change in organizations’ attitudes to security in the past few years? Is it a strategic business consideration, or is it still considered something separate?
Paulina Swiatek: Security has always been seen as a cost, and therefore the question arises… is it really necessary? Hopefully, this perspective is changing, partly because hacking attacks, of different kinds, are more and more common. It is really hard to avoid hearing about them, for example when UK hospitals were hit with massive ransomware attacks, when sensitive documents possessed by Edward Snowden were leaked, or when intimate photographs of a celebrity made their way into the public eye. It’s the kind of news that hits us every day and makes people think more seriously about IT security. There are also more and more companies that have been hacked, and now their owners understand that you can lose much more money when you are hacked than you might have spent on IT security solutions to protect against those attacks. IT security strategy should be considered and built together with business strategy. Unfortunately, this is not always the case. Treating a company’s IT security and its strategy as separate issues makes IT security more expensive and less in line with a company’s needs.
Malgorzata Zabieglinska-Lupa: What trends do you think we'll see in the IT security space in the next few months?
Maciej Rosolek: Each day brings new threats – at the last security conference I learned that more than 100,000 new viruses/malware elements were created daily. It is hard to cope with such an avalanche of threats using ‘ordinary’ anti-virus software based on signatures, or using people to analyze logs and security events. We need automatic ‘thinking’ solutions which will be able to recognize, on the basis of the analysis conducted, whether a particular file or action can pose a threat.
Therefore, we are talking about all kinds of security devices with machine learning functionality, including:
- SIEM tools which have to correlate data from various sources, and, on that basis, decide whether a given system/user behavior indicates a potential intrusion
- IPS/IDS systems with learning functions
- Flow analysis systems with learning functions
- And many other ‘intelligent’ solutions…
I believe that machine learning will be the functionality that complements security systems and improves the security of organizations and of the data entrusted to them.
Paulina Swiatek: In relation to the new EU directive – GDPR – coming into force in May 2018 – it can be assumed that many companies will be forced to analyze, verify and improve the quality of their IT security. Otherwise, they may be exposed to significant financial penalties. A lot of companies do not have the required resources, especially when it comes to the competence of their IT security employees, so they will need support from external companies that specialize in IT security (IT integrators and IT service providers). All this should lead to a trend showing an increase in IT security spending.
Malgorzata Zabieglinska-Lupa: Paulina started to talk about GDPR. Can you elaborate on this topic? How will this regulation impact security strategies in companies? How can a company be ready for all the changes that GDPR will bring?
Maciej Rosolek: The EU Regulation on Personal Data Protection has been widely discussed recently, but frankly speaking, if it weren’t for the horrendous penalties for disclosing personal data set out in this regulation no one would probably care about this issue. Why do I say that? The Act on the Protection of Personal Data was produced – correct me if I’m wrong – in 1997. It has been amended several times, but have its provisions been observed? I guess that aware companies and businesses have observed them, but they constitute only a small percentage of enterprises which store or process sensitive data. I will not conceal the fact that I’m pleased with the provisions of this Resolution – I hope that it will lead to many companies treating security issues with due diligence, protecting what is important for us – our personal data.
How should we prepare ourselves for changes? First and foremost, the Resolution has to be read and understood, places where personal data are stored have to be located, and it should be checked who has access to the data and how many ‘paths’ lead to them. Then, a risk analysis should be carried out and processes and ‘proper protections’ should be devised. When it comes to protection, there is no one ‘template’ such as ‘You have to equip yourself with A, B, C or D systems/devices’. Everyone should find the appropriate solutions to protect data stored or entrusted to them.
Malgorzata Zabieglinska-Lupa: No matter how many security solutions are implemented, enterprises will always be a target for cyber-thieves. How can a successful IT security strategy be developed? What should companies focus on?
Paulina Swiatek: IT security strategy should take into account a few important factors, such as business and corporate strategy, IT strategy, compliance and standards, regularly repeated analysis of threats, risks and current security state. The starting point for building an IT security strategy should be the determination of goals and direction of the company and its business. Then, the assessment of the current security state should take place. Within this assessment, deep knowledge of the company, its processes, functions and business is needed. The security strategy should always be compatible with the business and company strategy, taking into account future plans and products. If we know where we are, and we understand where the company is heading, we can start working on specifying the desired state of the company’s security and methods, including the steps and detailed phases required to get us there. It is worth remembering that IT security is constantly changing, which forces us to review our IT security strategy level constantly, and to measure its effectiveness and make improvement where required.
Malgorzata Zabieglinska-Lupa: To close, I would like to ask both of you how end users can be made aware of the importance of data security and privacy?
Paulina Swiatek: The end user is always the weakest point in the company’s IT security. Even the most elaborate, professional tools, that cost a fortune, will not do anything unless employees are aware of the dangers and how they should behave. Today, making users more aware of security seems to be a bit easier, because we see more and more news about data leaks. Irrespective of this, we should initially assume that employees have a very low level of IT security awareness. It is also good practice to carry out periodic employee security training, with mandatory exams to test knowledge of the company’s security policy and how to handle and deal with sensitive information in order to avoid violating that policy and exposing yourself or the company to leaks of confidential data.
Maciej Rosolek: This question touches on a key security issue (and threat) for our sensitive data, and the end users constitute this threat. The security of the data stored in companies relies mainly on the knowledge and awareness of end users. It is therefore of utmost importance to carry out awareness-raising actions and information campaigns on basic security issues, such as:
- Password policy
- Giving access to data from the user’s account to third parties
- Copying data to a local drive
- Susceptibility to socio-technical attacks
- And many more
All issues are described in the company’s security policy. It also defines the necessity to carry out awareness-raising actions for employees. Each newly appointed member of staff should attend training on security issues and take a test afterwards. That is not all. In order to consolidate this knowledge, each employee should review security issues and take a test at least once a year. Additionally, there should be security events organized for employees, where methods for obtaining data are shown, and where employees are made aware of possible socio-technical attacks. There are plenty of ways... current technology gives us many tools for communication – we just have to be willing to use them.