The Challenges of Cybersecurity

According to the annual report by CERT-CCN (the Spanish National Cryptologic Centre’s Computer Emergency Response Team) on cyberthreats in 2015 and trends for 2016, the volume and sophistication of threats has been increasing exponentially over recent years, turning the mission of protecting clients' digital footprint into an extremely complex task. This fact, along with the revolution that is underway in companies’ IT models, propelled by their Digital Transformation processes (channels, new businesses and relationship with customers, principally), means that the traditional approach of organisations to cybersecurity does not cover the real needs for protection of their businesses.

From this point of view, it has become necessary to explore new cybersecurity approaches and models that respond to real needs.

There is no Digital Transformation without cybersecurity

The main challenges faced by companies in terms of protecting themselves are also related to the evolution and trends in business: the so called Digital Transformation. At present, 4 basic currents have been identified:

• Cloud computing, and the DevOps philosophy: This is mostly characterized by the growing use of cloud services, by the use which employees and collaborators make of these, as well as by the agility which these users demand in terms of the IT response to meeting their cybersecurity requirements (resilience and risk reduction) without this acting as a brake on the business's time to market. Closely related with the cloud, the As A Service model also provides a great challenge in terms of the impact that noncompliance with security SLA by the services supplier can have. In many cases, this is so great that it cannot be compensated by economic penalizations, such as in the case of recent information leaks (Sony, Target, Panama Papers, Cablegate/wikileaks, etc)
• Internet of things and Industrial cybersecurity (OT). Devices connected to the internet are one of the pillars of the Digital Transformation for companies' business processes and for the products that they commercialise since this connection allows firms to obtain valuable information to assist in decision making on optimisation, opportunities, etc. This new paradigm proposes new vectors of attack which must be protected, and which, depending on the criticality of the elements concerned, can be of extreme importance. The problems in these environments are not within the scope of “traditional” cybersecurity companies (pure players) since it is not enough to have knowledge only of cybersecurity measures, but rather, the industrial functionality of the device and its technical functioning must also be understood. In general, companies in the sector are not prepared to face this enormous challenge.
• The Omnichannel approach and adoption of the mobile as a main channel. The challenges in this aspect are related to guaranteeing and, especially, facilitating a digital identity that contributes to an improved customer experience, which must be simple (e.g., biometrics) and valid for all channels and services. At the same time, it is also necessary to guarantee the security of the devices themselves, in this case, mobile devices - whose rise in vulnerability and incidents we are just seeing the start of.
• Big Data. Today all the data from the business ends up in the data lake, abandoning traditional data base environments even though this is performed with only basic cybersecurity measures. The Big Data paradigm presents massive opportunities in cybersecurity given that the operation of enormous series of historical data of data captured makes it possible to infer and anticipate incidents with increasingly greater accuracy. But it also creates major challenges related to the protection of stored data and limiting access by users and administrators as well as data tokenization (anonymization) in order to avoid inappropriate handling from the point of view of privacy, while maintaining its statistical usefulness for the business.

What are the objectives? Prevention and, above all at present, resilience

Traditionally, preventive security has been approached from the point of view of minimising the risks that threats will be materialised. However, the experience of the last few years shows that these measures are becoming steadily less effective and that there is a need to "coexist with the enemy" (the emergence of threats will be unavoidable) and therefore there is a need to deploy measures which ensure: firstly, that organisations will be aware of such incidents as soon as possible, and secondly, that the business is ready to resist and maintain its activity with complete normality in spite of the attack.

What we are facing

For 2016, CNN-CERS forecasts that once more there will be an increase in the capacity of attackers to slip through security systems and avoid being detected. Both the profile of cybercriminals and the nature of their attacks have amounted to an exponential increase in the sophistication of the challenges, with enormous technological expertise employed with increasingly effective use of social network engineering. All of this translates into constant growth in the level of risk that these fraudulent activities create.

The security threats that are most important from the point of view of the difficulty of detection and of the seriousness of the incidents caused are:

• Advanced Persistent Threats (APT): Attacks mounted over the long term based on software and continuous discrete human intervention which progressively penetrate company IT systems, negotiating the security perimeters without being detected and gaining access to the organisations' most confidential information. When detected it is usually too late.
• Ransomware. Tactic used by criminal organisations that block devices and information for a ransom by means of infecting with malicious code (and social engineering as the method of infection).
• Advanced phishing, which uses social engineering techniques to create customized attacks normally aimed at the C levels of companies.

Do regulations and legislation provide enough support?

A final point to take into account with respect to cybersecurity trends are changes in legislation, in particular, new directives and regulations at European level. On the one hand, the new regime for data protection aims to allow individuals to control their own personal data and ensure high standards of protection, adapted to the digital environment, throughout the EU. Also included are new minimum rules one the the use of data for judicial and police use.

On the other hand, the NIS Directive (due to come into force in August 2016) on network and information security sets down security requirements for the operators of essential services (in critical sectors such as energy, transport, health and finance) and digital service providers (on line markets, search engines and services in the cloud). As well, each country in the EU is required to designate one or more national authorities and draft a strategy to face cyberthreats. The question that we could ask with regard to this is to what extent a “regional” legislation which is not harmonised internationally is capable of providing guarantees in the digital sphere and on the other hand, if the judicial sphere will be capable of moving at the same pace as the technological paradigms. If it can't, what regulatory and legislative model should be used?.

Minsait's value proposition

Minsait has developed a value proposition to face these challenges by means of a set of solutions aimed at meeting our clients' needs.

360º Cybersecurity presents a set of SOC protection services and infrastructures which company IT departments need to cover these threats. With the Digital Identity solutions, Minsait covers the digital identity needs of industry 4.0, combining biometric technology, document verification and public key infrastructure.