19th annual e-Crime & Cybersecurity Congress
2nd & 3rd March 2021 • Online
New security models for a new era: government, business, work and play have changed, so must security
We are at a decisive moment. The era in which most of us have spent our adult lives, an era of globalisation, is coming to an end.
It is not being ended by COVID-19: its central assumptions have been fraying for the past decade. But overwhelming technological change, and its acceleration by the pandemic, has hastened the end. The workplace, shopping, banking, personal communications, dating, politics - there's no part of our lives, personal or professional, that is not being upended by the virtual world.
These disruptions that we're seeing presage at least a temporary Age of Disorder, in which old certainties crumble and new ones take their place. And nowhere are the effects of this more obvious than in cybersecurity.
Out of the comfort zone, into the fire
Even pre-pandemic, more than two billion of us were spending over 25% of our online time on social networks. Phishing attacks and scams on these platforms are on the rise, and the platforms themselves offer only minimal controls to prevent the further propagation of account takeover - and this activity is invisible to the enterprise.
Post-COVID, with remote working common, this is an enormous problem.
The broad adoption of collaboration, chat and social channels - such as Skype, Zoom, WhatsApp and LinkedIn - as critical work tools has increased the attack surface and weakened controls. These channels are rapidly outpacing email as the communications tool of choice, and they are even less secure than email, which is itself still the key vector for social engineering and credential theft.
Most security teams have no existing tools in their arsenal to extend their visibility into this realm, particularly when these accounts are personal rather than company-owned - and attempts to do so raise questions about privacy and surveillance.
And governments and businesses are finally having to walk the walk on digitalisation.
When a pizza company takes all its orders via app, DDoS attacks become its top threat. When schools teach lessons online, but local authorities are quibbling over the additional costs of an E5 license for O365, children are put at risk. When the national power grid can't get budget to secure NT/4 boxes in physically insecure sub-stations, CNI is vulnerable. When hospitals can't treat patients because of ransomware, people die.
Digitalisation and the IoT are concrete developments with real impacts - and security needs to respond.
Will BigTech help to secure the citizen?
In the public sector, accountability to the public and to corporations will force governments to do a better job. Cyberspace is not a target in itself - it's a medium. And that medium connects, in every direction, to the machinery of civilisation itself.
That machinery is critical national infrastructure. It's the medium through which populations access information, goods and services; it's the basis upon which businesses now operate in a digital world; with the Internet of Things, it's a parallel world that lacks almost all the safeguards we expect the state to provide in the 'real' world.
Cyberspace needs the investment in laws, police and paramedics that the physical world has. Citizens and businesses demand a better service.
In the private sector, boards are being held to account for cybersecurity by key stakeholders and the regulators. They will in turn make others accountable to them. But who? Is this the moment the CISO rises in prominence, or will the real responsibility fall to others?
Ultimately, the answer depends on who can give boards answers to business problems, not just IT problems.
Will risk managers, business units and CISOs - and the insurance industry - be able to give them an idea of potential losses and predictive data on breaches and their impact? How will CISOs satisfy senior management's needs for evidence of cybersecurity? Who will present this to investors and regulators?
The e-Crime & Cybersecurity Congress will take place online and will look at how the fabric of cybersecurity regulation, governance and enforcement must change, as well as the latest technologies, strategies and architectures that can keep society and business safe. As digitalisation goes critical, is this finally the moment at which traditional cybersecurity management has to change?