Today, most means of protection are “mounted.” This means that information systems are designed separately from security systems. Protection is implemented on top of the infrastructure, like a network. But this approach does not always work, especially in post-COVID times, when the number of phishing threats has increased by 600%. Every day, mass media report about leaks, hacks, blackmail and other cyber incidents. Standard protection is becoming scarce, so organizations have turned to a new and promising trend in cyber resilience – Security by Design (SbD). What is its essence and how does it help businesses?
How has COVID-19 affected cyber resilience?
A cyber-resilient organization can withstand cyber-attacks and recover quickly, without significant damage. Whereas cybersecurity combines tools and technologies that keep attackers away, cyber resilience focuses on addressing the business impact of attacks.
To implement cyber resilience, it is necessary to perform four important operations:
Cyber resilience shapes long-term thinking. An organization creates a fault-tolerant system that ensures business continuity.
Even though the number of cyberattacks is growing together with the increasing number of applications, IoT devices and Internet users, a real cyber boom occurred in 2020. Attackers took advantage of the situation with COVID-19 and began to send out emails everywhere allegedly on behalf of the World Health Organization (WHO), tricking people into clicking on a link that would ostensibly provide recommendations on combating coronavirus or list statistics for a particular region.
The next situation that created a stir among criminals was the transition of employees to remote work. This is where incidents with organizations that did not prepare virtual private network (VPN) servers for possible attacks rained down. Corporate denial-of-service (DoS) attacks became commonplace. The attackers used corporate emails to send purportedly updated workplace policies concerning COVID-19 to remote employees.
For organizations, these risks can cost $3.9 million to cope with blackmail, $20 million in GDPR fines, financial losses due to downtime and loss of reputation. That is why organizations should rethink their “cyber defense after incident” approach and move toward an embedded solution: Security by Design.
See also: Time to Focus on Cyber Resilience
Security by Design: What defines this approach to cyber resilience?
Security by Design refers to how organizations think about cybersecurity at the start of a project. Developers design an application so as to reduce the number of vulnerabilities that can compromise the company's security.
The security lifecycle is the same as the software development life cycle (SDLC) of a product: it starts with an idea and ends with delivery and support. During software creation, specialists constantly monitor possible cybersecurity risks and eliminate them.
Security by Design includes the following processes and practices:
Checkpoints are temporary points in the software life cycle. At each point, the security of the system is assessed, and the decision is made to continue or terminate the project.
These are the procedures that keep a system secure. For example, the same technical tasks that test the stability of the system are performed alongside software development.
A plan defines the steps that need to be taken when creating software to achieve the goal of Security by Design.
With the Security by Design approach, developers implement security early in the SDLC. System or application security is planned as part of the architecture from the start.
Security specifications are encoded in templates and ensure that the desired configuration is present. At the same time, if the infrastructure changes, it is not necessary to do an audit. An in-depth security assessment is also not required if infrastructure patterns change significantly. With Security by Design, there is less repetitive work to be done and more attention to real problems is paid.
Principles of Security by Design
For Security by Design to function, you need to keep to its three principles.
Principle 1. Minimum attack surface area.
An attack surface includes all external points of entry and communication of the system. The attack surface can be associated with:
- software (OS, libraries, read/write access);
- a network (open ports, active IP address, network flows, protocols);
- a human (phishing, social engineering).
A defense system with a wide attack surface is more vulnerable to cyber threats because it is more difficult to set up. When all entry points are defined, it is worth involving proven monitoring and protection tools. A very complex and vulnerable security system should be constantly assessed for reliability.
To reduce the attack surface, it's important to strengthen defense and close underused services and ports. This will limit the likelihood of remote interaction with this system.
Principle 2: Least privilege.
The administrator should only have access to certain administrative zones. Tasks, roles and rights should be distributed among employees who interact with a corporate network. When the environment is partitioned, it is more difficult to compromise it. Even if an attack occurs, it will have limited consequences.
Principle 3. Defense in depth.
Defense in depth means that a combination of security methods or tools is used to prevent hacks. To set up such a defense, you should take the following steps:
- set security goals
- create a system architecture to define control and evaluation points
- develop a defense policy
- regularly monitor the protection against attacks
Infographic 3: https://blogs.sap.com/wp-content/uploads/2021/11/2sec.jpg
See also: Raising the Bar on Data Privacy
Why is Security by Design important for companies?
Security by Design is important for the following reasons:
Security is harder to implement in an evolving system
Moreover, it may take time and additional funds to correct the problems that have arisen in the reliability of a system. In a competitive environment where time to market can make or break a business, leaders are looking to accelerate product development. Therefore, the development and testing of cybersecurity are often ignored, because they consider it unnecessary work.
But such a rush will result in security problems and even greater costs in the future. Experts say that addressing protection issues at an early stage costs one one-hundredth as much as at a later stage. Companies that provide cybersecurity resilience services can help you avoid this waste.
Popular IoT devices are not always reliable
Users are buying IoT devices for their homes more often and trust them with personal information. But this trust is not always proven efficient.
Hackers exploit consumer devices' weak security and 24/7 connectivity (toasters, washing machines or webcams). Even though IoT devices have limited power and memory, they can be gathered in botnets into a huge army of robots. Compromised devices are used to hack into equipment on the same network, steal personal data or perform other illegal activities.
The number of cyberattacks is growing
There are at least 20 types of cyber attacks in the world, and this list is regularly updated with new advanced types. Approximately 300,000 items of malware are generated daily by cybercriminals, and a hacker attack occurs every 39 seconds. Moreover, both small and large organizations suffer from such incidents.
This statistic suggests that Security by Design will soon be no longer a recommendation but a vital part of the cybersecurity resilience of companies of all levels and sizes.
The pandemic has forced businesses to go online and embrace digital business practices. As business models become dependent on technology, companies should pay more attention to cybersecurity and increase investment in tools for reducing cyber risks.
One-size-fits-all cybersecurity solutions are rarely appropriate for specific organizations with different IT infrastructures. Therefore, it will be better to have a reliable cyber security partner – an IT company that will conduct cyber resilience assessment and create a custom solution to protect company assets.