
May 2017

Cybersecurity: Safeguarding your Data, Assets and Reputation

Welcome to our next edition of BTB, where we focus on securing your data assets, your physical network, your integration with external elements and the cloud, and ultimately, protecting your reputation.


Asking the Right Questions about Cybersecurity

Jane, Chief Information Security Officer

Take stock of your threat profile and match it against your security platforms, technology, and users. Chances are, you will find gaps. We offer four questions as a good starting point for any CISO or IT leader developing a new strategy.

How can I know whether my business is resilient enough? Is my organization compliant with security regulations and corporate policy? Is it possible to combine digital transformation with acceptable risk?

These are just some of the questions that any organization’s security team has to deal with on a regular basis. Here, we bring you firsthand insights from Jane, a recently appointed Chief Information Security Officer (CISO).

One of our competitors recently suffered a major data breach. This―and the emergence of new market players―prompted me to consider what cybersecurity strategy would best protect our own digital assets.

My starting point was our business needs. What security should we have in place to ensure the company’s growth and competitiveness going forward―especially at the level at which we combined digital transformation with acceptable risks? And how could I ensure that our security plans received the attention required from decision-makers and other stakeholders to ensure a top-down buy-in to the whole subject of cybersecurity?

It was a strategically important challenge. I needed to ask the right questions to allow me to build an appropriate cybersecurity strategy for our organization―one that would ensure regulatory compliance and business resilience. These questions had two focus areas: how to achieve our cybersecurity objectives and how to align those objectives with the business.


A critical starting point to protecting your digital assets

Here’s what I came up with―and I believe these four questions would be a good starting point for any CISO or IT leader developing their security strategy:

• How do we transform our traditional security model so that there is a focus on data, people, and risks?
• What should we focus our investment on now, given that security operations no longer rely solely on IT protection?
• How can we embed the new cybersecurity vision as part of the wider business transformation journey and deliver significant changes in the security function?
• How can we avoid making employees the weak link and move towards a more people-centric approach to security?

I was asking the right questions; now I needed to put my strategic security plan in place. When evaluating proposals, my recommendation is to look for vendors who can manage both strategy and implementation with a vendor-agnostic approach. That way, one is not pressured into buying any particular technology or tied into an expensive license deal.

Based on a clear, shared vision of our maturity and practices, the vendor helped implement our cybersecurity transformation program in just a few weeks. I now feel confident that we have the cybersecurity we need to take our business forward―securely.


The Cybersecurity Marketplace: How to avoid buying a Lemon

Arnauld Mascret, Global Head of Threat Hunting Services, Capgemini

With more cybersecurity scrutiny, there are many new vendors vying for your business. But a provider’s “secure enough” approach is not the same as “security by design.” Information balance, or symmetry, is just as important as strategy.

As consumers, we have access to lots of information, such as user reviews, comparison sites, and Internet forums. We use these to make informed decisions about products before we purchase; it’s how we avoid buying bad products. But can we say the same when it comes to cybersecurity?

Cybersecurity is a fast-changing field, and the sale is often easier for a vendor when buyers do not understand how a particular security product or service works. The vendor then applies its own notion of what is “secure enough,” rather than working on security by design. When customers cannot compare competing products on their merits at the time of purchase, the market itself is at risk, a condition economists call informational asymmetry.

Information is power

The idea of informational asymmetry, or imbalance, was introduced in 1970 by the economist George Akerlof. In his paper “The Market for Lemons” he states that, “If buyers are not able to differentiate between high and low quality products, the overall quality of products available in the marketplace goes down.”

As long as customers can’t tell the difference between good and bad products, companies will not be willing to invest more to deliver high-quality products.

Worse still, some unfortunate customers end up with lemons, a term made popular by post-war Volkswagen ad campaigns to describe poor-quality cars. Akerlof borrowed the “lemons” analogy to describe products found to be defective only after they had been purchased.

So, how does this relate to cybersecurity? The question is whether the cybersecurity market is symmetrical enough for the quality of products to improve over time. If solution providers do not give enough information about the capabilities and effectiveness of their products, the imbalance cuts two ways:

- An information imbalance between the two parties means customers make buying choices without full knowledge of how effective the product is.

- Informational symmetry, by contrast, lets customers avoid bad products and choose providers that offer the right level of quality at the most favorable price.

Barriers to symmetry

So why aren’t providers giving businesses more information? The problem is one of balance: how can providers protect their intellectual property (IP) while still allowing customers to examine and understand what the product does?

For a long time, the priority has been protecting IP and keeping the solution out of competitors’ hands. Even customers who have already bought a product cannot always obtain full information about it. License agreements themselves are a barrier to symmetry: many will remember the debates over whether it should be legal for an enterprise to reverse-engineer a product it has bought in order to understand both its capabilities and its flaws.

And none of this information helps new buyers if it cannot be shared. This is a long-standing issue. So what do we do when we want to gather information about cybersecurity products and avoid buying a lemon?

Moving towards symmetry

- Third parties are making efforts to provide information to potential buyers. The Gartner Magic Quadrant (MQ), for instance, assesses particular features as well as market positioning.
- A very different approach is the Common Criteria (ISO/IEC 15408): an international standard under which an independent laboratory evaluates a product against the security functions it claims to provide, for the need the buyer has specified. More significantly, the evaluation also examines the security of the product itself. Ultimately, this lets businesses judge whether a product meets both the provider’s claims and their own needs.
- Sometimes the insight needed comes from an individual initiative set up to examine one specific product. The Open Crypto Audit Project, created to audit TrueCrypt, is an example.
- At government level, agencies such as ANSSI (the French national cybersecurity agency) have been proactive in providing visibility both on the capabilities of security products and on service providers for security audit, threat detection, and incident response (the PASSI, PDIS, and PRIS qualification schemes).

Over the past few years, we have seen an improvement in the level of information that is available. However, this raises new challenges of interpreting and understanding the security implications.

Avoiding a sour taste in the mouth

Every new security product opens up a new attack surface, even when it adds a feature and improves overall security. Understanding its impact on the security of the information system therefore matters all the more.

A Common Criteria certificate is a good thing, but the evaluation covers a specific product version and configuration, used as defined in the Security Target document. It is important to understand how changes to the target architecture or configuration may affect the efficacy of the product, or its own security. The same is true of products holding the CSPN certification (Certification de Sécurité de Premier Niveau) developed by ANSSI. Where no certification exists, some form of audit may have been undertaken instead; it is always worth understanding how the audit was carried out, what it covered, and how the problems it found were handled.

A security agent installed on a computer can, of course, introduce new vulnerabilities, but at least all the hardening work done on the master image still applies. That is why a pre-installed solution delivered on its own hardware is more awkward: it is much harder to know how secure the underlying platform is.

Here are a few questions you may want to ask before buying a solution:

- Is the architecture secure by design?

- Are exploit mitigations in place, so that a vulnerability in the product is harder to exploit?

- How are new vulnerabilities (in proprietary code or in open-source code) handled?

And for appliances (pre-installed software on dedicated hardware), some additional questions might be:

- Is it possible to monitor the product’s behavior through the system logs?

- Is it possible to carry out forensic analysis on the product, and how?

Final thoughts

It is clear that there is an improvement in the level of information available to businesses relating to cybersecurity products. And I think that overall, the IT industry is taking steps to increase informational symmetry.

However, I still meet decision makers who wonder how to choose an effective security solution and, more importantly, how to verify if it is working as intended once it has been installed.

Further, I fear that as machine-learning algorithms appear in more security solutions, assessing and comparing them will become much harder, both for customers and even for third parties. There is a lot of work to be done in this field if we want to maintain symmetry of information.


The Digital Bank Vault: Can it withstand the modern safe cracker?

Michael Feith, Digital Transformation Lead, Capgemini

In the past, the bank vault was a sign of physical security and trust for customers. But today, when data is the new currency, we are in the midst of an arms race between banks and cybercriminals. How is your bank protecting your assets and data?

When Giovanni di Medici founded his bank in 1397, he wasn’t counting on the revolution that the Dutch would bring to the banking industry, called “fractional-reserve banking.” When the postal savings system was introduced over 350 years later, no one foresaw the development of payment technology based on telephones and later on the internet. In the early networking days, when banks built their IT infrastructure, cybersecurity was not the first thing on their minds. Digital transformation arrives, often before you are ready for it, and with directives such as GDPR and PSD2 the pressure on the modern-day CIO to keep up will only increase.

In November 2015, the Council of the European Union adopted the revised Payment Services Directive (PSD2). Its purpose is to increase pan-European competition for payment services and to standardize consumer protection as well as the rights and obligations of payment providers and users. In simple terms, it allows third-party providers, with the customer’s consent, to access account data held by your bank in order to complete financial transactions. Our global survey on data privacy and cybersecurity found that only 29% of banks and insurers have sound security measures complementing strong data privacy policies. With more data being exposed over the next two years as companies implement solutions for PSD2, a hacker’s dream is coming true.

In the past, people worried about the diamond necklace or the life insurance policy in their safe-deposit box. As bank robberies increased in the 19th century, they also began to worry whether they would still be able to withdraw their money after a robbery. For most customers, safety meant a bank with a strong vault.

But how many of us today worry about whether our money is safe in our bank’s vault? The race between banks and bank robbers ensured that banks which did not treat vault security as a key point of trust with their clients were weeded out over the years, as customers moved to banks offering greater safety. With data becoming the new currency, should customers not expect their banks to safeguard it as securely as cash, for instance through a digital bank vault?

In the end, a customer’s trust has always been the main competitive advantage for banks; it is the basis of the entire system. This was proven in 1929 and again in 2008. While a healthy capital buffer helps a bank survive a crisis, the collapse of Lehman Brothers in 2008 showed that even after 150 years in business, once customers lose all trust in you, a mass exodus of those customers is a realistic possibility.

We are in the midst of an arms race between banks and cybercriminals, one where the criminals are about to invest in a diamond-tipped drill bit to break into the safe. Therefore, you have to ask yourself: how strong is your financial service provider’s vault in safeguarding your data?


Cybersecurity: Why entire organizations need to be educated

Mike Turner, Global Cybersecurity Business Leader, Capgemini

Most companies apply technology to cyber threats as hackers up their game. But even with great technology and a robust strategy, employees are the key security vulnerability for any business. Educating the entire organization is therefore paramount.

Today, company and customer data is more important than ever before. According to IDC, 85 percent of consumers in Western Europe will defect from a business within the next 18 months if their personally identifiable information has been compromised in a security breach. Additionally, the General Data Protection Regulation (GDPR) will apply from May 2018, mandating that all organizations holding personal data on people in the EU, regardless of where the company is based, must protect that data or risk a fine of up to 4% of global annual turnover (or €20 million, whichever is higher), a huge penalty for a business of any size.

For businesses, the incentive to stay secure is paramount, as are the sums poured into technology designed to keep data safe. Yet the regularity with which we read of successful cyber-attacks reveals the scale of the challenge. Hackers change their tactics faster than most businesses can update their defenses. Connected infrastructure in industries as diverse as automotive, financial services, and retail means an unprecedented number of potentially vulnerable points of attack. Cyber defense skills are in acutely short supply. And money is often invested in line with misguided strategies.

And yet, the greatest threat to an organization is its own people. Even if a company has appropriate technology and a robust strategy, employees represent the most significant security vulnerability for any business.

A good analogy is the way you protect your home from fire. An alarm protects you by alerting you to a blaze. However, the presence of the alarm doesn’t mean you should leave the oven on all night, or leave your stovetop unattended for hours. The alarm gives you a good layer of protection but ultimately, it’s your responsibility to take the appropriate steps to avoid burning down the house. The analogy mirrors a common approach to cybersecurity: you cannot rely solely on a final warning system or a single layer of technological protection to keep your business safe.

But educating an entire organization on both the need and the way to be vigilant is complex. Securing personal online identities already overwhelms many employees. Individuals in the UK need to remember an average of 22 separate passwords to secure their identity online—a constant juggling act that has resulted in a serious case of cybersecurity fatigue. So what can organizations do to breathe new life into this tired issue?

As a starting point, businesses should look for inspiration on how they address security and authentication with their customers. There’s a growing understanding that success hinges on balancing security and user experience, and organizations are taking steps to simplify authentication processes for users. If your customers need a solution that simplifies security, why shouldn’t the same level of attention be paid to your employee experience?

Security leaders should strive to instill the same values that define the customer experience at an organizational level. By untangling the authentication process and making it more straightforward, business leaders can boost employee engagement with cybersecurity processes and begin to combat cybersecurity fatigue.

The principles of this employee experience can be found in a study from the US National Institute of Standards and Technology (NIST), which uncovered an overwhelming amount of cybersecurity fatigue among North American workers. The report suggested businesses split their approach into three steps: limit the number of security decisions users need to make, make it simple for users to choose the right security action, and design for consistent decision-making whenever possible.

One authentication method that addresses all three points is to give each employee a single digital identity: one username and one login method for every platform. For example, the business could introduce single sign-on (SSO) combined with a second factor that is unique to the employee, such as an authenticator on their work or personal phone that generates a one-time code each time they need to log on.

By investing in methods that make it simpler for employees to prevent potential threats from the outset, alongside a strong layer of digital defense, security leaders will build a more complete level of protection—something that will be required if the arrival of GDPR is not going to lead to an emergency fire drill for them.


Cybersecurity and AI

Andy Powell, VP and Head of Cybersecurity, Capgemini UK

With the increase in large-scale security breaches, businesses need to act now to tighten up cyber defenses. Over the next year, we’ll see a rise in AI systems that are adopted to bolster an organization’s defenses.

As AI meets cybersecurity, organizations and hackers are forced to compete for the upper hand. Artificial Intelligence (AI) has found its place in the infrastructure of business and government with increasing prominence in recent years. As its application to cybersecurity becomes more apparent, we are starting to see businesses and hackers go head-to-head: hackers use it to develop more sophisticated threats, and businesses use it for prevention and remediation.

Businesses must tighten their defenses

With the increase in large-scale security breaches over recent years, businesses need to act now to tighten their cyber defenses. Over the next year we will see more AI systems adopted to bolster an organization’s defenses, performing tasks such as continually rotating encryption keys so that a key obtained by an attacker is useful for only a short window.

These more practical uses of AI let organizations anticipate issues before they arise, through threat analysis, detection, and modeling. A human manually checking systems for signs of intrusion could take several weeks; AI adds an extra layer of monitoring and lets organizations react much faster to any intrusion.

Hackers must find new tactics

The high number of vulnerabilities in software and online applications will diminish as businesses close the gaps in their defenses. Predictably, this will force hackers to up their game, using AI to launch more sophisticated attacks. One example is phishing email that uses data gathered about the target to mimic human mannerisms and content, making it harder for businesses and individuals to recognize when they are being targeted.

AI and insider threats

Insider threats have always been a cause for concern, but AI can now help detect deviations from an employee’s normal behavior and breaches of corporate policy. The technology could be used to discover employees who access company information without authorization, and to find evidence of them transferring that information outside the organization. Intent will be difficult to establish from AI alone, and understanding privacy law will be indispensable if organizations are to avoid breaching employment law themselves.
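The kind of baseline-and-deviation detection described above, as an added example that is not part of the original article and not the logic of any real product: the Python block below builds a per-user profile of normal behavior from a constructed training log (which resources a user touches and the median size of their transfers), then scores later events against it. The log format (timestamp, user, action, resource, bytes) and the thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit logs (assumption: one event per line with the fields
# "timestamp user action resource bytes"; not the format of any real product).
BASELINE_LOG = """\
2017-05-02T09:12:03Z alice READ crm/customers 1200
2017-05-02T10:40:11Z alice READ crm/customers 900
2017-05-03T11:05:44Z alice READ crm/reports 1500
2017-05-03T14:22:09Z alice READ crm/reports 1100
2017-05-02T09:30:00Z bob READ eng/specs 4000
2017-05-03T16:10:27Z bob READ eng/specs 3800
"""

DETECT_LOG = """\
2017-05-10T10:15:00Z alice READ crm/customers 1300
2017-05-10T23:48:12Z alice READ hr/salaries 2000
2017-05-11T02:03:55Z alice READ crm/customers 850000
2017-05-11T02:05:10Z alice UPLOAD external:dropbox.com 850000
2017-05-10T09:00:00Z bob READ eng/specs 4100
"""

EXTERNAL_ACTIONS = {"UPLOAD", "EMAIL_OUT"}  # actions that move data outside the organization
VOLUME_FACTOR = 20                           # flag transfers above 20x the user's typical size
WORK_HOURS = range(7, 20)                    # 07:00-19:59 UTC treated as normal working hours


def parse(log: str):
    """Yield one event dict per non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, size = line.split()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
               "action": action, "resource": resource, "bytes": int(size)}


def build_baseline(log: str) -> dict:
    """Per-user profile of normal behavior: resources touched and median transfer size."""
    seen = defaultdict(lambda: {"resources": set(), "sizes": []})
    for ev in parse(log):
        seen[ev["user"]]["resources"].add(ev["resource"])
        seen[ev["user"]]["sizes"].append(ev["bytes"])
    return {user: {"resources": p["resources"], "median_bytes": median(p["sizes"])}
            for user, p in seen.items()}


def detect(log: str, baseline: dict) -> list:
    """Return the events that deviate from the user's baseline, each with the rules it tripped."""
    alerts = []
    for ev in parse(log):
        # A user with no baseline at all is treated as having no known resources and a
        # tiny typical volume, so almost anything they do is surfaced for review.
        profile = baseline.get(ev["user"], {"resources": set(), "median_bytes": 0})
        reasons = []
        if ev["action"] in EXTERNAL_ACTIONS:
            reasons.append("external-transfer")
        elif ev["resource"] not in profile["resources"]:
            reasons.append("new-resource")
        if ev["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if ev["bytes"] > VOLUME_FACTOR * max(profile["median_bytes"], 1):
            reasons.append("volume")
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "resource": ev["resource"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(DETECT_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

Run on the constructed logs, the detector ignores Alice's and Bob's routine daytime reads and surfaces Alice's night-time access to a resource outside her profile, the bulk read, and the upload to an external destination. The alerts are leads for a human investigator, not verdicts: as the article notes, intent cannot be established from the anomaly alone, and which fields may be logged and retained at all is a privacy-law question to settle before the detector is switched on.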

Future-proofing the industry

Although the risk of cyber attacks is increasing, there is much to be said for simple cyber hygiene as a primary defense against many threats. But as the nature and complexity of AI grows, businesses should consider how to incorporate new technology into their cybersecurity strategies.

A combined effort is needed. Investment in preventive AI is promising, but government must continue to back the education of future technology professionals. A recent report by the Center for Cyber Safety and Education revealed a widening gap, with a shortfall of 1.8 million cybersecurity professionals expected by 2022. In a society whose future is bound up with technology, change is needed to avoid having technology without professionals who know how to use it.

