Cybersecurity is coming up against increasingly complex challenges. It now has to deal with the risks brought on by the huge increase in remote work that came about as a result of the COVID-19 pandemic, a highly changeable geopolitical environment, and more and more sophisticated cyberattacks. Adolfo Hernández, deputy director and co-founder of THIBER, the Cybersecurity Think Tank, offers a series of strategies and guidelines to deal with these challenges.
In your experience in managing technology and cybersecurity risks in several sectors, and as co-founder of the cybersecurity Think Tank THIBER, what are the main challenges that we in the cybersecurity sector have to deal with?
A.H: In my opinion, sophistication and professionalization. These are two attributes that define the current cyberattack landscape. What’s more, the attack surface has increased significantly because of our hyperconnected digital ecosystem, and the confinement caused by COVID-19 has meant a huge rise in the use of digital channels for remote work. All of this means that digital risks are one of the main concerns for society and businesses. This is also reflected in the World Economic Forum’s latest report.
We’re witnessing attacks that play with gray areas, using proxies, facilitating nation state propaganda against a range of targets that will doubtless take advantage of the turbulent political and social agenda. And they have plenty to choose from: the coronavirus pandemic, the elections in the USA, Brexit, and nationalist and populist movements in Europe.
The rapprochement between the cybercrime industry and state actors is another great challenge. The fact that there is significant crossover between these two worlds means that, in this new decade, we’re all potential victims. What’s more, with the restrictive economic outlook brought on by the pandemic, many companies and state agencies will have to deal with cyberthreats with a considerably reduced budget. This is why it’s time to reinvent.
Speaking more specifically, we’ve seen that financial institutions are an increasingly frequent target for cyberattacks. Do you think banks and financial companies require a more specific, in-depth cybersecurity approach than other sectors? If so, what general strategy and measures do you recommend?
A.H: The vast majority of incidents that these entities experience are financially motivated, and are usually a variant of cybercrime, often ending in digital fraud. Perhaps an inherent problem in cyberattacks in the banking sector is the incidents that occur on assets that, while they are relevant to financial institutions, are not protected by the institutions themselves: user devices. These are devices that people use to interact with their banks (PCs, laptops, cellphones), connecting to banking portals or online banking apps, carrying out transactions and other operations. With the proliferation of banking malware, protecting both endpoints and user devices, as well as the bank’s own interfaces (banking APIs, apps, and online banking), is now particularly important.
Beyond specialists such as CISOs and the IT department, what role do you think employees should play in their organization’s security?
A.H: They are one of the big security problems, but they are also one of the cheapest, most effective countermeasures. With the right training and a cyber hygiene culture, they can be a key part of the DETECT and PROTECT strategy.
Continuing along this same line, how important do you think awareness of cybersecurity risks is?
A.H: With every company following their own particular path to digitization, this is a key element in any self-respecting cyber strategy. Additionally, in a scenario where, because of COVID-19, remote work and most contact with clients is done through digital channels, becoming aware of cybersecurity risks has become more important than ever. In short, the road to digitization involves managing the risks associated with this increased exposure.
In that sense, do you think more proactive cybersecurity strategies such as threat hunting are useful?
A.H: Of course. That way we can move away from merely reacting and focus on containing and responding to cyberthreats. We can thus fully engage in a proactive, prospective approach, where we can bring together both worlds, blurring the line between how we react to a potential threat or a real incident.
Given that not all companies have the same level of maturity, threat hunting isn’t a “one size fits all” kind of solution: it largely depends on the visibility of different environments (network, endpoint, server), as well as corporate strategy. Once a company decides to deploy this kind of process, it makes sense to start with threat hunting based on indicators of compromise (IoC). Then, once they have more experience, they can start to carry out threat hunting based on anomalies (machine learning) and hypotheses (TTPs).
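The maturity path described in the answer above starts with IoC matching and only later moves to anomaly-based hunting. The following is an added example, not code from the interview or from THIBER, showing what those first two tiers look like over a handful of proxy log lines: an exact-match IoC hunt, and a "rare destination" check that flags a domain only one host in the fleet talks to. The indicator set (RFC 5737 documentation addresses, a reserved .invalid domain, a dummy hash) and the key=value log lines are constructed for illustration.

```python
"""IoC-based hunt and a simple rarity check over constructed proxy log lines.

Added example; indicators and log lines are constructed, not real IoCs or real
telemetry. Assumed log format: one record per line, space-separated key=value.
"""
import re
from collections import defaultdict

# Constructed indicator set, keyed by indicator type (placeholders, not real IoCs).
IOCS = {
    "ip": {"203.0.113.45"},              # RFC 5737 TEST-NET-3 address
    "domain": {"update-check.invalid"},  # reserved .invalid TLD
    "sha256": {"a" * 64},                # dummy hash
}

# Constructed proxy log lines in key=value form.
SAMPLE_LOGS = [
    "ts=2020-06-01T08:00:01Z host=ws-01 user=alice domain=intranet.example dst=198.51.100.10 action=allow",
    "ts=2020-06-01T08:00:05Z host=ws-02 user=bob domain=intranet.example dst=198.51.100.10 action=allow",
    "ts=2020-06-01T08:01:10Z host=ws-03 user=carol domain=update-check.invalid dst=203.0.113.45 action=allow",
    "ts=2020-06-01T08:02:10Z host=ws-03 user=carol domain=update-check.invalid dst=203.0.113.45 action=allow",
    "ts=2020-06-01T08:03:00Z host=ws-01 user=alice domain=mail.example dst=198.51.100.20 action=allow",
    "ts=2020-06-01T08:03:30Z host=ws-02 user=bob domain=mail.example dst=198.51.100.20 sha256="
    + "a" * 64 + " action=block",
]

# Which log field carries each indicator type (assumed mapping for this format).
FIELD_FOR_TYPE = {"ip": "dst", "domain": "domain", "sha256": "sha256"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict (later keys win on duplicates)."""
    return dict(KV_RE.findall(line))


def hunt_iocs(lines, iocs=IOCS):
    """Tier 1: exact-match each line's relevant field against the indicator set.

    Returns (line_number, indicator_type, value, host) tuples, one per hit,
    so a line carrying two indicators produces two hits.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        for ioc_type, values in iocs.items():
            observed = rec.get(FIELD_FOR_TYPE[ioc_type], "").lower()
            if observed in values:
                hits.append((n, ioc_type, observed, rec.get("host")))
    return hits


def rare_domains(lines, max_hosts=1):
    """Tier 2 starter: domains contacted by at most `max_hosts` distinct hosts.

    A destination only one machine in the fleet talks to is not proof of
    compromise, but it is a cheap, explainable anomaly to review before
    investing in a full machine-learning baseline.
    """
    hosts_by_domain = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if "domain" in rec and "host" in rec:
            hosts_by_domain[rec["domain"]].add(rec["host"])
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) <= max_hosts}


if __name__ == "__main__":
    for hit in hunt_iocs(SAMPLE_LOGS):
        print("IoC hit: line %d %s=%s on %s" % hit)
    for domain, hosts in rare_domains(SAMPLE_LOGS).items():
        print("Rare destination: %s contacted only by %s" % (domain, ", ".join(hosts)))
```

On the sample data the IoC pass produces five hits (the IP and domain indicators on lines 3 and 4, the hash on line 6), while the rarity check surfaces update-check.invalid as the only domain seen from a single host. The rarity rule is deliberately naive: in a real fleet it needs a minimum observation window and an allow-list for legitimately host-specific destinations, which is exactly the tuning work that separates an IoC-only program from a mature anomaly-based one.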