The Elastisys Tech Blog

Cybersecurity Trends 2024 – How Can We Face the Threats Together?

Elastisys recently brought together top cybersecurity experts in Norrland (Northern Sweden), including those in charge of critical societal services, suppliers to these services, and other industry professionals, for an insightful discussion. The meeting focused on current events, emerging trends, and evolving cybersecurity needs. What are the threats we're dealing with? What's happening right now? What do organizations need to do? And how can we respond? In this blog post, we've summarized the key takeaways from these discussions.

Increased and Evolving Threat Landscape

There is no denying that we are witnessing growing cybercrime and an increased cybersecurity threat landscape. In response to this, we also see increased requirements, including the upcoming EU directive NIS2, which goes into effect this October.

Cybercrime is increasing, unfortunately, as a direct result of increased digitization combined with insufficient investments in cybersecurity. Our digital systems hold valuable data, making them attractive targets for criminals. We've seen major ransomware attacks lately, and cybercrime is becoming more commercially oriented, with more and more sophisticated attacks openly offered on marketplaces for criminals.

Another reason for the increasing threat landscape is the worsening security-political situation due to conflicts in various regions of Europe. This has led to numerous attacks targeting Swedish societal functions, not driven by financial motives but rather aimed at causing disruption and fear and at damaging trust in our authorities. A concrete example discussed during the evening was an attack that made an IT system managing school transportation inaccessible, which was probably intended to spread uncertainty in society rather than to achieve economic gain.

AI, especially generative AI, is undoubtedly a hot topic that has become increasingly relevant in the past year. From a cybersecurity perspective, experts agree that so far, these tools have mainly favored attackers. Cybercriminals have widely used AI both to generate various types of malicious code and exploits and for spear-phishing, a technique used to trick people into revealing sensitive information. This includes creating convincing fake emails and even deepfake videos, which use AI to make someone appear to say or do something they didn't actually say or do. It remains to be seen how this technology can also be used successfully to enhance cybersecurity.

However, it's not just about an increase in the number of attacks; they're also getting more serious and affecting more parts of our lives.

NIS2 - Directive for Enhanced Cybersecurity

The EU NIS2 directive was a central topic in many of the discussions that took place during the evening. NIS2 aims to address the gap between societal needs and the often overlooked issue of information security. This directive is an improvement over the previous NIS directive, retroactively referred to as "NIS1", which had a similar goal.

From a high-level perspective, the NIS2 directive aims to achieve two primary goals:

  • Close the budget gap, i.e., underinvestment in security.
  • Close the intelligence gap, i.e., no single organization being aware of the current security risk landscape and the most effective mitigations.

Overall, these efforts are viewed positively and are expected to improve cybersecurity and benefit society as a whole. For those seeking further insight into the directive and its implications, Elastisys’ DPO, Cristian Klein, has written the blog post "All you need to know about NIS2".

How Can Companies Act?

There's no denying that action is needed, and these issues must be addressed across all aspects of an organization. Throughout the evening, we categorized our discussions on how to proceed into three different areas: management, commercial, and technical levels. It became clear that each of these components is equally vital from an organizational perspective.

Management Level

The experts shared a common sentiment: recent events have finally put cybersecurity on management's radar. But it's usually after something goes wrong that attention is drawn. There's a general consensus that action is needed, but figuring out exactly what to do isn't straightforward.

Current activities among the participants include reviewing action plans, practicing disaster scenarios, and improving communication, both internally and externally. This involves engaging with stakeholders like customers, partners, and the media. It's also important to review agreements with sub-suppliers to understand who's responsible for information security.

Commercial Level

When discussing commercial aspects, we focused on the increased need for cybersecurity and resilience—basically, the ability to recover from an attack.

It's clear that justifying costs before an incident occurs is tough. One reason for this is simply not knowing enough about the risks and necessary protective measures. Essentially, security measures are like insurance: we're glad to have them if something happens, but we'd rather not need them at all. So, how should organizations handle this from a commercial standpoint?

For companies offering digital services, several interesting security aspects were discussed from a customer perspective. This included how to justify the costs of securing systems for customers and dealing with those who opt for a cheaper, less secure version of the service due to cost concerns. Many face a dilemma similar to choosing insurance: it's good to have but tough to figure out the right level of protection when cybersecurity risks are hard to estimate.

Furthermore, discussions touched upon the idea of service providers imposing security-related demands on customers. Establishing clear guidelines of responsibility for security between supplier and customer is essential, especially when delivering more complex services. However, due to the serious situation today, it's evident that customers are increasingly demanding cybersecurity and resilience.

Some of the participants also pointed out the challenges of budgeting for security internally. This is because costs and activities related to cybersecurity often go beyond the IT department and become more of a management issue than just an IT or security problem.

Technical Level

In the developer community, there's a common belief that focusing on security is time-consuming, and there aren't enough incentives to prioritize it. Building a career centered on writing secure code is challenging, despite the significant responsibility it entails. Security work often feels underappreciated, as it's a complex and challenging field to assess in advance. While it's hard to be certain if a system is secure, security breaches and incidents quickly reveal when it's not.

Additionally, many organizations lack competence development, awareness, and adequate training. Most successful cyber attacks begin by deceiving an employee, like getting them to click on a malicious link in an email. This highlights the vulnerability present within organizations. So, what technical steps can we take to enhance cybersecurity in response?

Several technical aspects and protective measures were discussed. For instance, penetration testing can pinpoint weaknesses in a system while also fostering a sense of ownership among engineering teams. We also discussed techniques like vulnerability scanning to identify vulnerable versions of source code in system development and operation, as well as employing application firewalls, safeguards against overload attacks, network segmentation, and analyzing complex software dependencies.

Two initial steps include minimizing the risk of human error-driven attacks and enhancing incident recovery capabilities. Numerous tools are designed specifically for these purposes. For instance, regular employee testing with simulated phishing attacks, coupled with gamification, can boost employee engagement and motivation in this type of training.

While the importance of recovery has been recognized for many years, it's often overlooked in practice. Backups are indispensable, and it's essential that they remain accessible after attacks, preferably by storing them in a write-protected format to ensure availability even after data encryption by ransomware. However, access to backups is only beneficial if coupled with the ability to restore from them. Restoring from backups is a perishable skill that requires regular practice, especially in increasingly complex scenarios where the entire system state needs restoration.

Conclusion

Despite the serious increase in cybersecurity threats, it should be seen as an opportunity for improvement, change, and heightened awareness. Now more than ever, organizations should invest in stronger cybersecurity measures. With greater awareness, implementing additional security measures like two-factor authentication for safer logins becomes easier.

But in companies where awareness is lacking, these measures may face resistance and be seen as a burden, slowing down the digital work environment and innovation. That's why it's important for those addressing these issues to ensure everyone in the organization understands why the implementation is vital. Cybersecurity isn't just about ticking a box—it's an ongoing effort that needs continuous attention.

Lastly, cybersecurity experts stress the significance of industry collaboration, such as through networking events like the one we held that evening. Sharing knowledge and enhancing collaboration in all forms are crucial for those involved in cybersecurity. While there's already considerable cooperation among willing participants, it's now imperative for all of us who aim to safeguard information assets to collaborate more effectively. This will help bridge the knowledge and resource gaps, particularly in smaller organizations. With that said, we look forward to hosting more of these knowledge-sharing events in the future.
