
Cybersecurity Best Practice Is for Life, Not Just for October

The arrival of Cybersecurity Awareness Month every October prompts discussion of best practice and briefly raises the profile of security professionals. However, the supply chain attacks carried out through SolarWinds and Kaseya, and breaches of financial giants such as Morgan Stanley (caught up in the breach of file-sharing vendor Accellion), should serve as a reminder that businesses must promote cybersecurity awareness every day, not just in October. Attackers work all year round, and their campaigns are growing more frequent and more sophisticated.

Rethinking Cybersecurity in the Digital Transformation Era

The advance of digital transformation has made it imperative for businesses to constantly reassess and revise their cybersecurity. This was accelerated by the pandemic, with the increase in remote working and the need to digitally exchange important documents and information. The upsurge in online ordering, home deliveries, and remote education all required rapid reviews of systems and technology to boost business resilience.

There is a danger that this more rapid digital transformation may outrun cybersecurity, exposing tempting vulnerabilities to hackers. The digitalization of supply chains, the Internet of Things, and mass cloud adoption all introduce new attack surfaces. Only with cybersecurity transformation at the forefront of their planning can organizations ensure successful adoption of the latest technologies while reducing exposure to cyberattacks.

In such a time of change, businesses cannot rely on annually drafted or amended cybersecurity plans and hope they will offer watertight protection. As organizations’ IT infrastructures become more distributed and complex, businesses find themselves exchanging large volumes of data across extended security perimeters.

The growth of hybrid cloud means IT infrastructure and data are more fragmented than ever, with applications scattered across on-premises and cloud environments. IDC estimates that over 90% of enterprises will rely on a mix of on-premises/dedicated private clouds, multiple public clouds, and legacy platforms by 2022. Cybersecurity strategies must therefore continuously evolve to secure new entry points and to configure systems correctly.

Securing Complex Cloud Environments

Hybrid and distributed infrastructures make cybersecurity harder, and in particular make encryption, and the management of the keys used to protect data or sign code, much harder. Many enterprises have tried to manage their growing number of encryption keys with traditional practices: hardware security modules (HSMs), manual inventories, and the native encryption services of each cloud vendor. This has seldom been easy, and the result is a fragmented, sub-optimal key estate. Simpler and more effective solutions exist, yet many enterprises are unaware of them or do not know how to implement them.

Closing the Knowledge Gap at Enterprise-Level

Too often the promotion of cybersecurity best practice focuses on employee education and awareness, while a knowledge gap grows in the upper echelons. Alarmingly, one study found that 71% of C-suite members admit to gaps in their understanding of some of the main cyber threats facing businesses today, the most common of these being malware.

This pervasive lack of understanding makes it important that cyber-awareness is raised across every department and every level—and not just in October. After all, if cybersecurity is not understood in the boardroom, how can C-suite members keep assets and data secure as the business transforms? The answer is simple: They can’t.

While cybersecurity awareness events are great at raising the profile of best practice, enterprises should use such events as a forum to start discussions and encourage knowledge-acquisition, covering the latest threats and technologies that are impacting businesses. Organizations must place greater emphasis on continual security transformation, challenging existing ways of thinking and making cybersecurity improvements part of business-as-usual.

Greater Awareness of Advances in Security Technology Is Required

For example, one of the cybersecurity areas that is still poorly understood is the role of secure multiparty computation (MPC). Yet, for many organizations it could be vital to successfully transforming digital security and defending against rising threats, such as supply chain attacks.

MPC is a family of cryptographic protocols that let several parties compute with a key without the key ever existing in one place. In the key-protection setting, the secret key is split into two or more shares held on different servers and devices. Any operation that needs the key, such as decrypting or signing, is carried out jointly on the shares, and the shares are never assembled. Because every share is required to learn anything at all about the key, an attacker must breach all of the servers and devices rather than just one. Strong separation between those devices, for example different administrator credentials and environments, therefore translates directly into key protection. It is worth noting that the supply chain attack affecting Morgan Stanley, revealed earlier this year, involved the theft of a decryption key alongside the encrypted data; a key held as MPC shares is never present in full on any one compromised system, so there is nothing for such an attacker to steal.
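The following is an added worked example, not code from the article or from Unbound's products. It shows the mechanism described above for a two-party split, and doubles as the code-signing use case mentioned later: a toy Schnorr signature scheme in which the private key exists only as two additive shares, and each party contributes a partial signature computed from its own share. The result verifies under the ordinary single-key Schnorr check, so a verifier cannot tell it was produced from shares. The group parameters (a 10-bit safe prime, p = 1019), the party names and the signed release digest are constructed for illustration; a production threshold signer uses a 256-bit elliptic-curve group, and threshold ECDSA in particular needs considerably more protocol machinery than this Schnorr sketch.

```python
"""Toy 2-of-2 threshold Schnorr signing over additive key shares.

Constructed example: the group is tiny (p = 1019) so the arithmetic is
readable. Real deployments use a 256-bit elliptic-curve group and a full
MPC protocol (commitments, zero-knowledge proofs); this is not production code.
"""
import hashlib
import secrets
from dataclasses import dataclass


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy parameters below."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


# Safe prime p = 2q + 1: every quadratic residue mod p other than 1 has order q.
P = 1019
Q = 509
assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1
G = pow(2, 2, P)  # 4 is a quadratic residue other than 1, hence has order Q


def hash_to_scalar(R: int, msg: bytes) -> int:
    """Schnorr challenge e = H(R || m), reduced into Z_q."""
    digest = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q


@dataclass
class Party:
    """One share holder. It only ever sees its own share of x and of the nonce k."""
    name: str
    x_share: int          # additive share of the private key (hypothetical host name)
    k_share: int = 0      # ephemeral nonce share for the signature in progress

    def public_share(self) -> int:
        return pow(G, self.x_share, P)

    def nonce_commit(self) -> int:
        # Fresh per signature: anyone who sees two partial signatures made with
        # the same nonce share can solve for x_share.
        self.k_share = secrets.randbelow(Q)
        return pow(G, self.k_share, P)

    def partial_sign(self, e: int) -> int:
        # s_i = k_i + e * x_i (mod q), computed from this party's shares alone.
        return (self.k_share + e * self.x_share) % Q


def distributed_keygen() -> tuple[Party, Party, int]:
    """Each server samples its own share; x = x1 + x2 (mod q) is never formed anywhere."""
    a = Party("hsm-region-a", secrets.randbelow(Q))     # constructed names
    b = Party("cloud-region-b", secrets.randbelow(Q))
    y = (a.public_share() * b.public_share()) % P       # y = g^x1 * g^x2 = g^x
    return a, b, y


def threshold_sign(a: Party, b: Party, msg: bytes) -> tuple[int, int]:
    """Both parties must take part; an attacker holding one server has one share only.

    Caveat: here the nonce shares are simply multiplied together. A real protocol
    makes each party commit to its R_i before revealing it, so that neither side
    can pick R_i after seeing the other's value.
    """
    R = (a.nonce_commit() * b.nonce_commit()) % P        # R = g^(k1 + k2)
    e = hash_to_scalar(R, msg)
    s = (a.partial_sign(e) + b.partial_sign(e)) % Q      # s = k + e*x, from partials only
    return R, s


def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Ordinary single-key Schnorr verification: g^s == R * y^e (mod p)."""
    R, s = sig
    e = hash_to_scalar(R, msg)
    return pow(G, s, P) == (R * pow(y, e, P)) % P


if __name__ == "__main__":
    # Code-signing style use: sign the digest of a (constructed) release artifact.
    artifact = hashlib.sha256(b"example-release-1.2.3.tar.gz").digest()
    a, b, y = distributed_keygen()
    sig = threshold_sign(a, b, artifact)
    print("public key", y, "signature", sig, "valid:", verify(y, artifact, sig))
```

Run it directly to sign a constructed release digest. No variable ever holds the full key x; an attacker who compromises hsm-region-a obtains x_share, a uniformly random element of Z_q that is independent of x, and the nonce-share caveat in threshold_sign is exactly the kind of detail a real MPC protocol has to get right.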

MPC also gives organizations running multi-cloud and hybrid cloud infrastructures a way to address their most common concerns, lack of visibility and weak control over keys, by managing every key from one place while the shares themselves stay distributed. Organizations relying on traditional key management, by contrast, struggle to manage keys across disparate environments, and their security suffers as a result. Each cloud deployment needs its own keys in the format of that provider's native encryption service, so every application ends up with its own encryption, its own protection from malware, and its own authentication, and each key becomes tied to the application and the cloud-specific service it was provisioned for.

The upshot is that CISOs relying on traditional key management lack real oversight of their keys: who is using them, for what purpose, and how requirements are changing. If criminals or malicious insiders copy, destroy, or ransom data, the organization is likely to find out only after the damage is done. A single MPC-based platform, with keys shared across environments but managed and audited centrally, addresses these problems.

Fostering a Culture of Continuous Improvement

Security technology seldom stands still and involves far more than a single technology such as MPC. But ignorance is no defense. Every security department has to be prepared to update and improve constantly. All enterprises need to implement a strong security strategy that includes code-signing, lock-down of the cryptographic keys used for authentication, and elimination of single points of failure related to key management and prevention of misuse.

At the same time, as landscapes change, a greater emphasis should be placed on organization-wide education, from the top to the bottom, throughout the year to protect complex systems from criminality and human error.

Digital transformation should go hand-in-hand with cybersecurity, and the month of October is certainly a good opportunity for businesses to review their cybersecurity strategies. However, cyber-awareness and resilience should be daily concerns as organizations seek maximum protection against ever-evolving threats.

Professor Yehuda Lindell is the CEO and co-founder of Unbound Security. Yehuda is also a professor of Computer Science at Bar-Ilan University in Israel and a cryptographer with expertise in secure multiparty computation (MPC) that forms the technological core of Unbound’s solutions. He has published over 100 scientific articles and authored one of the most widely used textbooks on modern cryptography. Yehuda served as the Chief Scientist of Unbound from its inception until February 2019, when he took over the role as CEO.