Jonas Dellenvall, CTO at Advenica, shares his view on the security year ahead of us. Technological development is evolving in an incredibly fast pace with the increase of AI, machine learning and quantum technology.
Let’s start by looking back on 2018, how’s the year been? The NIS directive? GDPR? What were the effects? Did it turn out the way we expected?
2018 was the year when information security really landed on the management’s agenda. Instead of being something handled by the IT department, it became a strategic decision both in terms of revenue as an enabler for business, and in terms of costs/risks in order to avoid fines as a result of GDPR violation or a damaged reputation.
One of the biggest effects of GDPR is that many have made serious changes to their processes. Many countries are improving their cyber readiness by implementing the NIS directive, or by changing their national security regulations.
So, what’s going to happen in the cyberworld during 2019?
The threats keep on evolving which means more states are becoming more competent with an increased ability and capacity. There are no signs that there will be any drastic changes of this trend, but rather a continuous growth. I would think that 2019 will become the year when we start to take a serious look at how we should approach the situation. Are we going to accept the risks – or are we going to do something about it – even if it means having to refrain from some of the benefits of digitalisation?
As a consequence of increasing threats, we now have to assume that one or more attackers will succeed – therefore it’s important to use solutions that will protect against threats even when they aren’t known yet. Building several layers of protection (defense in depth) with physical segmentation is one way of making it harder for attackers to succeed, no matter their capability.
What would you say is the most challenging cybersecurity issue in 2019?
Making sure that critical infrastructure is robust, in the sense that it can’t easily be brought down from a distance. The process will take several years, but it will definitely get started in 2019.
The current state of the world means that the priority of civil and military defence will continue.
Cybercrime is constantly increasing. What needs to be done in order to break the trend?
The reason that crime is increasing is that it pays off – it’s as simple as that. For criminals, the chances of getting caught – and the consequences if you do so – are less palpable than the outcome of a successful attack. For a business operator it can cost more to fix the security flaws than to handle the losses. The most important player to change the situation is therefore from the political side – by changing the incentives for both criminals and business the tide can turn. The risk of being a criminal needs to increase – and at the same time change the incentives for business operators to actually enhance their security.
As a business operator or subcontractor, you have a responsibility to choose a robust solution – even if an unsecure solution could be more profitable short term. Choosing an unsecure solution will benefit criminals, which in the long term is costly for all of us.
Which methods can be used in order to increase your preparedness for IT related cybercrimes?
There is not much new in that area. Make sure to have up and running routines for backups and security updates. By continuous security and consequence analysis, you can protect the right assets in the right way.
Cybersecurity is not a checklist or a state – it’s a process. By continuous and conscious work, it’s possible to achieve the right level of protection.
List your top three advice for an information security manager to think about in 2019
- Don’t risk it – make reoccurring security and consequence analysis in order to know what’s worth protecting and why. That is the only way to avoid both unnecessary risks and unnecessary costs.
- Assume that all protection can fail and design architecture accordingly. Use defense in depth and physical segmentation when needed.
- Do not allow yourself to be in the cyber criminality revenue chain. We are all part of the solution to create a world that is more secure.
