TBtech May Edition


Protection is vital.

FOCUSING ON THE ADVANCES IN CYBERSECURITY.

tbtech publication

£9.99

tbtech.co

STORIES INSPIRED BY MODERN LIVING.

MAY 2023


Meet your tbtech team.

Joe has vast experience and knowledge accumulated and honed as a New Business Development Manager and Relationship Manager. Responsible for generating new business opportunities, looking after the growth of the company and strategy, sourcing new ventures and managing the company.

Paul stops at nothing to innovate and create value for our customers. His mission is to help those we work with to win in their markets. Passionate about delivering customer success, he has had the pleasure of supporting many of the world’s leading technology brands for over 15 years.

Matt is Operations Manager at TBTech. He has spent the last 15 years working with multinational IT companies building campaigns, GTM strategies, leading both Sales and Marketing teams to achieve organisational goals. With a love of computer science, history, and psychology he is an advocate for change, operational efficiency and automation. Value across the business for all our customers.

JOE ALLEN PAUL WHITTALL MATT ROBERTS

We have been working behind the scenes to elevate the reader’s experience.

ERIN LANAHAN

Erin’s love for advertising and design has led her to Tbtech as a Media Marketing Apprentice. As a new member of the team, she is looking forward to exploring new skills and learning more about the tech sector.

WILLIAM MOORE

William’s passion starts and ends with design, timeless aesthetic and creative solutions. Having worked on numerous creative campaigns ranging from car manufacturers, leading tech companies, property investors as well as local artisans, the goal is to create the ultimate brand experience between the client and the consumer.


Tackling financial crime with the fusion centre.

“The threat from economic crime continues to grow. Fraud accounted for an estimated 41% of all crime experienced by adults in England and Wales in the year ending September 2022. The National Crime Association assesses it is a realistic possibility that over £100 billion pounds is laundered every year through the UK or through UK corporate structures using High End Money Laundering methods.” When you’re reading this from the UK government’s economic crime plan, there can be no doubt that financial crime is a serious threat to UK businesses. But bringing those numbers down is no mean feat. Even a simple example – say, a transfer of money to a first-time recipient – can prove challenging.


While there’s nothing inherently shady about such a process, there are a number of important checks that take place during the process in order to identify a potential red flag. If that new payee has suddenly logged in from a distant IP they’ve never used before, for example, that suspicious activity should be considered.

Such checks require good quality financial and personal data, as well as the benefit of real-time analysis. Fraud and cybersecurity teams require the ability to identify and evaluate key data for every user if they’re going to robustly and effectively protect their customers.

The organisations that can’t conduct this sort of audit have a much higher risk of misidentifying potential threats and are more likely to miss genuine culprits – simply because they can’t interrogate the data they receive comprehensively. And that job gets harder every year, with new financial services and ways of paying introducing new attack surfaces for fraudsters and cybercriminals.

Businesses have tried to fight false positives with quantitative analysis, but this only goes so far as it’s reliant upon the quality and timeliness of data available. If your data and tech stack aren’t up to standard in the first place, it’s unlikely that the insights you derive from quantitative analysis will be enough to tip the balance.

All of this speaks to the scale of the challenge that faces fraud and cybersecurity teams. What makes it even worse is that all too often, those teams aren’t working in tandem.

BLURRED LINES

Modern financial crime often blurs the lines between fraud and cyberattacks. The most common example is phishing, in which a bad actor will try to illegally obtain personal data in order to access someone’s finances. It’s both a cyberattack on an individual, and a fraudulent impersonation of them.

Consequently, many businesses with distinct cybersecurity and fraud prevention teams are working on different aspects of the same attack. That makes an efficient defence very difficult. Both will be developing disparate datasets, missing some points while duplicating others, with no guarantee that that knowledge can be shared.


Simply put, the structure no longer adequately reflects the threat. If businesses are serious about protecting their customers from cybercrime and fraud, this siloed approach is no longer viable.

A new structure is required. Rather than introduce yet more processes, technologies, and staff to help the two departments interact, businesses are turning to a combination of the two: the fusion centre.

STRENGTHS AND WEAKNESSES

The fusion centre is designed to offer the best of both worlds.

Fraud teams, for example, are designed to tackle structured transactional data, interrogating their business’s own databases for patterns and outliers, and act upon them. If the dataset they’re working from is of good quality, they can excel – but they’re not purpose-built to tackle extremely high volumes of data.

Cybersecurity teams, meanwhile, typically invest heavily in Security Information and Event Management (SIEM) solutions that are intended to wrangle massive, unstructured datasets and isolate potential red flags within them. They can’t manipulate and broadcast those key points in the same way that a fraud team can, but they contribute hugely to refining and improving a dataset.

There’s a clear synergy here in which the two arms compensate for one another’s weaknesses. Acting in tandem, they can interrogate colossal datasets, isolating the key points. And with those insights available to both fraud and cybersecurity elements, a cohesive response to threats is a far more realistic prospect. The right people, with the right tools, can pull in the same direction.

NO ‘I’ IN TEAM (OR TECH)

Of course, it’s not as simple as just moving two teams into one office. Blending fraud and cybersecurity teams into one entity is a nuanced process. How does one actually go about establishing a fusion centre?

For starters, team structures will undoubtedly require a reshuffle, re-building the roles and responsibilities to reflect a one-team approach. New areas will require management, while others will become tertiary or entirely redundant. This is a cultural shift as well as a logistical one. With new teams and roles reflecting a subtle change of priorities, every business faces a unique task in helping their staff to excel within a new structure.

Beyond that, the tech stack of both teams will also need a review, with the merger inevitably rendering some solutions irrelevant, or replaceable. In an ideal world, a one-platform approach allows everyone to work from the same frame of reference, introducing new sources of data one by one.

If businesses can rise to these challenges, the fusion centre can become the shield that protects customers from the looming spectre of financial crime – but only if we commit to re-evaluating the ways we do so.


Combat cyber security threats.

Around 60% of enterprises fold within six months of being impacted by a cyber attack, according to figures from the National Cybersecurity Alliance. It is not difficult to see why given that the average cost of a data breach globally was $4.35m last year, based on figures from IBM’s 2022 Cost of a Data Breach Report. This represents an increase of nearly 3% from the year before. When there is so much at stake it is vital that businesses take responsibility internally and give far more credence, and crucially, investment, to the challenges presented by compromised data and bad cyber hygiene. Cyber attacks and threats need to be detected much earlier and remediated faster, which requires proper cyber education, investment and training. Indeed, there has never been a more pertinent time to address company strategies and core IT infrastructures.


At the core of this is a need for those responsible for dealing with IT and cyber security at enterprises to fully understand that dependence on technology, complexity of operations, and the large number of stakeholders involved makes enterprises particularly vulnerable to cyber attacks.

Consider for example, companies that rely heavily on industrial control systems to manage their critical infrastructure. These systems are often connected to the internet, making them vulnerable to cyber attacks that can disrupt operations or even cause physical damage.

Additionally, many businesses rely on complex supply chains that include different equipment suppliers, software vendors, and third-party contractors. However, the control over the third party products and services is often weak, and the complexity of the systems is often at such a level that no-one has the holistic and detailed view required.

Another all too common issue is that legacy systems are still operational despite no longer being supported by manufacturers and/or having been designed in an era where cyber security wasn’t even considered to be a major issue.

Then of course there is always the challenge presented by insider threats and human error when employees have access to sensitive systems and information. This can lead to the inadvertent introduction of vulnerabilities through phishing attacks, weak passwords, and other security lapses.

With all of these factors in the mix, it is absolutely fundamental that the individuals and teams responsible for cyber internally at enterprises recognise the complexity of their systems and their vulnerabilities. This means hands on training and cyber education has never been more important than it is today in 2023.

Cyber education as a discipline is something that arose out of the need to solve the ever increasing and evolving challenges as societies have become increasingly digitalised. Today, it is practically impossible in a working environment not to come into contact with devices that store data and exchange information with each other.

The demand for skilled professionals who understand how these devices work and their weaknesses has therefore grown exponentially. Unfortunately however, at the same time there is a global shortage of 3.4 million cybersecurity professionals, based on findings from the (ISC)² Cybersecurity Workforce Study.

In order to address this imbalance it is vital to look closely at retraining individuals and providing the right development opportunities for IT and cyber security specialists. The most important thing is to find the right people who are passionate about the work and committed to the industry.


But while it is clear that the evolving landscape of cyber threats means continuous training for cyber professionals is fundamental, how can enterprises go about doing this internally?

Well, the key to the success of this is promoting long-term retention and application of knowledge, and one very effective way of doing just this is via exercise-based training, including cyber range training.

Indeed, earlier this year over 30 teams from 11 different countries took part in a special military cyber defence exercise called “Defence Cyber Marvel 2” that was organised by the British Army via a cyber range solution based in Tallinn, Estonia.

Exercises such as this have grown in popularity among organisations and enterprises, particularly given the backdrop of the ongoing military conflict in Ukraine and the rise in attacks on critical national infrastructure.

These types of training methods involve the simulation of real-world scenarios to train cybersecurity professionals and test a company or organisation’s capability to respond to attacks and the strengths and weaknesses of their computer systems and wider operational infrastructure.

One of the benefits of such exercises is that they promote active learning and long-term retention of knowledge and skills given the hands-on nature and practical application of skills and responses. They also enable immediate feedback, so learnings can be identified and applied quickly in real time, which will be fundamental in a real-world scenario of a cyber attack.

What’s more, given the demand for skilled cyber professionals, these training exercises also provide a beneficial way from a recruitment standpoint for companies and organisations to test an individual’s skills beyond what is recorded on paper on a CV.

Proprietors of some of the most sophisticated cyber training exercises are increasingly delivering cloud-based cyber security training and operations, which in turn is leading to significant progress in terms of helping to democratise cyber security training.

Utilising training in this format provides a multitude of benefits and ultimately helps businesses evolve to better prepare their infrastructure and empower employees to respond most effectively to the ever increasing variety of cyber attacks.


Enhancing OT security.

In 2023, the manufacturing industry will continue to experience challenges around rising energy costs, labour issues, supply chain delays and disruptions, affecting its ability to maintain adequate levels of production and quality. Despite grim economic predictions, manufacturers must continue to keep pace by adopting new technologies that come with the next phase of the industrial revolution, accelerating innovation, improving efficiency, and increasing customer value. However, while Industry 4.0 has its benefits, from increased automation, process improvements and new levels of efficiencies, it exposes critical operational technology (OT) to security vulnerabilities, presenting new windows of opportunity for cybercriminals.


LOW VISIBILITY ACROSS MANUFACTURING ENVIRONMENTS

According to a report, 42% of UK manufacturers have been a victim of cybercrime in 2022. With cyberthreats against industrial manufacturing rapidly escalating as more and more connected systems create larger attack surfaces, the manufacturing industry remains one of the most cyber vulnerable sectors.

These cybersecurity issues and lack of system visibility are slowing down the introduction of new technologies, hampering potential productivity gains and holding companies back from growth.

Production security and operational resilience go hand in hand: both are essential for the overall risk management. So how can manufacturers best manage new technology adoptions while ensuring business continuity when they don’t have full visibility into their OT environments?

CHALLENGES POSED BY INDUSTRIAL CONTROL SYSTEMS

The majority of large manufacturing facilities typically have a significant presence of brownfield sites and legacy plants, with a set of outdated Industrial Control System (ICS) assets and new IoT devices – both difficult to secure. Traditional ICS devices usually have long life cycles and are custom-built, stand-alone systems, designed to be reliable, rather than secure. They often run scaled-down versions of operating systems, communicating via proprietary or industrial protocols that lack safety features. In addition, they are often sensitive to changes in network traffic or firmware, making many IT security tools unsafe to use.

Traditionally, ICS security was not a critical consideration because OT networks were designed to be isolated, running less-known industrial protocols and custom software. Those systems had limited exposure, whereas, today, OT environments have converged and are often no longer air-gapped from IT networks. At the same time, millions of IoT devices are being added to production networks to reduce costs and provide greater value to customers. Like legacy ICS devices, many IoT devices have lightweight, low-key operating systems that lack common security features. Their firmware is rarely updated, and they are found connected to other systems, becoming an easy target for threat actors.

These inherent characteristics of manufacturing systems and facilities make them difficult to protect and require specialized know-how and technology in OT/IoT security and visibility to reduce risks. ICS and OT-specific malware such as Industroyer and Incontroller are evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking ICS and OT systems, resulting in many serious incidents.


THE WAY FORWARD: TO TAKE OVER, DETECT AND RESPOND

Visibility and asset management lay the foundation for network security. As we know, you cannot protect what you cannot see, so manufacturers must ensure higher levels of visibility over all connected devices on their networks.

So how can manufacturers see in detail the resources of their OT environment, which devices are actively communicating and what protocols they are using?

One way to improve cyber resilience is by having real-time situational awareness of OT networks, including visibility into assets, connections, communications, protocols, and more. The good news is that companies can automate asset inventory for manufacturing plants, eliminate blind spots, and reveal items that may have been previously overlooked.

Such a solution requires a large depth and breadth of protocol support, including accurate analysis of ICS protocols. In addition, it must support IoT protocols and current profiles of millions of devices for detailed asset identification and anomaly reporting. The goal would be to have maximum and accurate coverage of all OT, IoT and IT assets from all systems, regardless of their generation, vendor or function, possibly with an easily scalable solution to monitor an unlimited number of resources and networks in numerous production facilities.

FURTHER STEPS TO MINIMIZE THE RISKS

The next step, once the company has excellent visibility, is risk reduction. This requires real-time detection of vulnerabilities, threats and anomalies in both decommissioned and active plants. It includes process insights that highlight risks to reliability, such as equipment failure, unusual variables, and changes in network communications. It is also necessary to know how to react to alerts and reports that signal the presence of a problem. A system that prioritizes risk, with actionable intelligence and remediation playbooks, helps to keep every facility safer in an efficient and systematic way. And if problematic network changes need to be analyzed over time or require rapid incident response performance, robust forensics and the availability of effective query tools accelerate repair. For manufacturers, this translates into maximized uptime, consistent product quality and production volumes.

The inherent characteristics of manufacturing facilities make them vulnerable to cyber-attacks. As traditional ICS security measures become insufficient in the era of converged OT environments and added IoT devices, specialised knowledge and technology in OT/IoT security and visibility are necessary to mitigate risks.

The good news is that manufacturing companies are aware of the threat and have started putting their cybersecurity first. In fact, cyber security is already an urgent priority for 63% of UK manufacturers, with almost half (43%) investing in security, firewalls and anti-virus precautions.

It is crucial for manufacturing companies to make the key next step and prioritise the visibility of their OT environment, investing in effective security solutions to protect their assets, employees, and customers.


Third-party vendor cyber threats.

For decades, cybersecurity has operated on a simple premise: Detect threats and remove them. But with cybercrime evolving at a frenetic pace, successfully tracking and blocking every type of cyberattack has become impossible. It is not enough to simply rely on antivirus software to pick out suspicious-looking files - because nowadays even the safest-looking applications can potentially pose the biggest threat. Using an antivirus tool alone is no longer an effective method of safeguarding a workstation because this type of software only targets applications engaging in unusual behavior. But the development of sophisticated attacks means that in reality, it is the most unsuspecting applications that are the most dangerous. The weaponisation of third-party applications has been trending upwards since the SolarWinds Orion Attack and the recent 3CX compromise.

Jenkins, CTO at ThreatLocker.


That’s where the philosophy of Zero Trust comes in. Rather than trying to separate the good from the bad, the notion of Zero Trust assumes that every application is a threat, therefore applications that are not on the allowed list will not be able to run. However, in the case of a supply chain attack, it is important to take a step further and implement policies to limit how applications interact, thus preventing malicious activity from these trusted applications.

Here’s how you can safeguard your IT environment from threat actors...

THE PRINCIPLES OF ZERO TRUST AND ITS ROLE IN MODERN SECURITY

The truth is that every type of firm is vulnerable to cyber attacks, with high-profile members of the education and healthcare sectors both being targeted, which we saw with the Munster Technology University attack earlier this year. One of the most alarming examples was the case of Capita, a provider of business process services, which suffered a breach that locked staff out of the system and left businesses such as the NHS, who work with Capita to enhance customer experience and aid in providing primary care support, in a very vulnerable position.

There are many reasons organizations fall victim to cyber-attacks, and when a firm is working with third-party vendors that require access to systems and private data, the risk factor intensifies.

A Zero Trust solution can play a big part in bringing down an organisation’s risk level. Following the default denial principle, permission will only be granted to users and applications explicitly allowed by the IT administrator. By controlling what permitted users and applications can do and access, in the event of a successful attack, the threat will be stopped in its tracks as the IT admin has created policies to give each user and application just enough access to function and nothing more.


THE ELEMENTS OF ZERO TRUST AND HOW IT WORKS

A Zero Trust approach should be the first line of defense when dealing with sophisticated attacks. Only with the necessary ‘least privilege’ controls in place can you prepare for unknown threats.

Another Zero Trust technique used in the fight against threat actors is application containment by way of Ringfencing and Network Control. Ringfencing controls what applications can do when they’re running, reducing the likelihood of an exploit being successful, or an attacker weaponizing legitimate tools such as PowerShell.

Network Control allows users to have control over the devices accessing their network from any location. A Zero Trust solution offers a range of options to allow organizations to adapt their measures to suit their business, protect their data and limit the access of third-party vendors.

THE FUTURE OF ZERO TRUST

With governments across the UK and Europe enlisting Zero Trust as a core part of their Cyber Security Credentials for organizations and the Digital Operations Resilience Act (D.O.R.A), Zero Trust solutions are starting to headline in protective measures against cyber attacks.

A Zero Trust approach is becoming the frontrunner in cybersecurity solutions, helping to tackle the unique challenges we face in the modern world, including those that come from increased remote working environments.

Today’s operational methods have created new opportunities for cybercriminals to find their way into networks, exploiting the fact that more and more functions of a business have become stretched and outsourced into employees’ homes. This is why it’s more important than ever for businesses to understand the weaknesses within their systems and work to build a security strategy that mitigates those risks.

This all starts with Zero Trust.


The era of disruptive tech.

In an era of rapid technological advancements, businesses are facing unprecedented challenges. As the world moves towards the integration of IoT (Internet of Things) and OT (operational technology) or the rise of AI (artificial intelligence), it becomes clear that these disruptive technologies hold the key to the next industrial revolution. However, with their immense potential comes the urgent need for businesses to adapt and tackle the complex issues of keeping pace and addressing cybersecurity threats.


To understand the magnitude of the disruption, we must first explore the key technologies driving this change. From the integration of IoT and OT to the transformative power of AI, Smart Cities, and Cloud computing, these technologies have become deeply embedded within the critical infrastructure of the global economy. As a result, they cannot be simply turned off or ignored; instead, businesses must grapple with their impact and find ways to harness their potential. As these disruptive technologies proliferate, the issue of cybersecurity looms large. The interconnected nature of the digital landscape raises concerns at both international and national levels. As a result, governments and organisations must collaborate to address the sophisticated threats posed by cyber criminals and state-sponsored attacks, safeguarding critical infrastructure and ensuring data privacy on a global scale.

Beyond the broader security landscape, individual businesses face unique security challenges. For example, rapidly implementing new technologies without due consideration of data privacy can expose them to significant risks. Moreover, reliance on third-party technologies to keep up with the pace of innovation can introduce vulnerabilities, such as backdoors in the supply chain. As a result, businesses must prioritise security measures to protect their data, infrastructure, and reputation in an increasingly interconnected and vulnerable digital world.

The disruptive nature of these technologies raises concerns about the potential redundancy of specific business models and job roles. However, history provides valuable lessons from previous industrial revolutions, where new technologies displaced traditional practices and professions.

Understanding these historical examples can help us navigate the current disruption and identify opportunities for innovation and growth. While disruptive technologies present challenges, they also offer immense opportunities for those willing to innovate. Historical examples show businesses that flourished amidst previous digital revolutions by adapting their strategies and embracing change, such as Netflix vs Blockbuster, iPod vs Walkman, and BlackBerry vs iPhone. The same will hold true for the current disruption. Companies that proactively seek innovative solutions, reimagine their business models, and invest in upskilling their workforce will position themselves for success.


To survive in this ever-changing landscape, businesses must strike a delicate balance between moving too fast and too slow. Take the story of the frog in a saucepan, for example. A frog is placed in a saucepan of cold water, which is slowly heated, so the frog adapts its body temperature to the changing heat and gradually goes to sleep. In fact, it goes to sleep at 40 °C, unaware that at 100 °C, it boils alive. However, if the frog is placed in already boiling water, it immediately jumps out to safety.

This is a helpful metaphor to illustrate that, although humans think they are very clever at adapting to the changing world, they don’t necessarily recognise the need to jump out of that world and take charge of it, not just adapt to it. There is a risk of being blissfully unaware that the world is changing so dramatically that there is a danger of boiling alive whilst asleep. Learning from history, we can draw upon examples of companies that failed due to hasty decisions without thoughtful consideration (such as Xerox, who invented the PC but disregarded it completely), contrasting them with companies that thrived by adopting a more measured approach. By finding the ‘Goldilocks zone’ of innovation, businesses can navigate challenges, seize opportunities, and ensure long-term success.

The new age of disruptive tech presents both unprecedented challenges and remarkable possibilities for businesses. By acknowledging the rapid pace of technological change and embracing innovation whilst embedding cyber security resilience from the outset, companies can not only survive but thrive amidst this transformative era. Just as history has shown us, those who adapt and navigate these disruptions with purpose and foresight will emerge as the leaders of tomorrow.


Overcome cloud-native security challenges.

In today’s fast-paced business world, companies are all vying to be the pack’s leader. While aiming to achieve this, such leaders set benchmarks for speed, innovation and growth, but many don’t have the strategy to make them a reality. This is where a cloud-native approach comes in. A cloud-native approach can act as the backbone of a digital transformation strategy, enabling businesses to build and transform application portfolios that keep up with market demands. Increasingly, organisations are recognising the advantages of cloud-native and are transitioning to a cloud, hybrid cloud or multi-cloud environment. So much so that it’s estimated the cloud-native applications market will be worth $5.9 billion by the end of this year and will reach $17 billion by 2028.


For businesses yet to make the move, it’s important they become aware of the common challenges of cloud-native security and how they can overcome them. When a business embarks on its cloud-native journey, many teams are met with new hurdles, none more so than the security team. From updated corporate policies to budget constraints, there’s a lot to contend with. However, the most prominent we see is the increased risk of attack. In fact, 75% of companies say that cloud computing is the single greatest expansion of the enterprise attack surface in the last 20 years.

When it comes to tackling these common issues, businesses need to integrate security into the four layers of their security infrastructure - commonly called the four Cs of cloud-native security. Once these layers have been correctly configured, then businesses can look to get ahead of the issues that could potentially occur, allowing them to continue to innovate and grow, driven by cloud-native.

START WITH THE BASICS: THE FOUR CS OF CLOUD-NATIVE SECURITY

Cloud, Clusters, Containers, and Code. Together, they create a security strategy that protects cloud resources with a layered, defence-in-depth approach.

When it comes to the cloud layer, cloud service providers are responsible for securing the infrastructure that supports the cloud environment. It’s down to the company to configure the cloud services, including the login credentials and automation settings, to ensure the service remains secure. Typical security issues affecting the cloud layer include misconfigurations and automated attacks. Attackers can exploit misconfigurations resulting from error or neglect, such as unchanged default settings or weak access protection.

The cluster layer consists of Kubernetes components which also need to be protected. Each cluster contains multiple pods which freely communicate with each other, meaning if an attacker has access to one pod, they can easily infiltrate connected pods. Designing strong cluster networking policies can restrict traffic and strengthen security protocols.
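To make the cluster-layer point concrete, the following added example (not part of the original article) audits a cluster inventory for pods that no NetworkPolicy isolates, which are the pods that still accept traffic from every other pod. The inventory is constructed sample data shaped like the JSON from `kubectl get pods,networkpolicies -A -o json`; the namespace, pod and policy names are assumptions.

```python
import json

# Constructed sample inventory (assumed names), in the shape of a kubectl JSON List.
SAMPLE_INVENTORY = json.loads("""
{"kind": "List", "items": [
  {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop",
                               "labels": {"app": "web"}}},
  {"kind": "Pod", "metadata": {"name": "db", "namespace": "shop",
                               "labels": {"app": "db"}}},
  {"kind": "Pod", "metadata": {"name": "debug", "namespace": "shop"}},
  {"kind": "Pod", "metadata": {"name": "api", "namespace": "billing",
                               "labels": {"app": "api"}}},
  {"kind": "NetworkPolicy",
   "metadata": {"name": "db-ingress", "namespace": "shop"},
   "spec": {"podSelector": {"matchLabels": {"app": "db"}},
            "ingress": [{"from": [{"podSelector":
                                   {"matchLabels": {"app": "web"}}}]}]}},
  {"kind": "NetworkPolicy",
   "metadata": {"name": "web-egress", "namespace": "shop"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}},
            "policyTypes": ["Egress"], "egress": [{}]}},
  {"kind": "NetworkPolicy",
   "metadata": {"name": "default-deny", "namespace": "billing"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
]}
""")
SAMPLE_ITEMS = SAMPLE_INVENTORY["items"]


def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector; an empty selector matches every pod."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op = expr["key"], expr["operator"]
        values = expr.get("values") or []
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def policy_types(policy):
    """Directions a policy isolates. When policyTypes is omitted, Kubernetes
    assumes Ingress, plus Egress only if the policy carries egress rules."""
    spec = policy.get("spec", {})
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if spec.get("egress"):
        types.add("Egress")
    return types


def non_isolated_pods(items, direction="Ingress"):
    """Return 'namespace/name' for each pod that no NetworkPolicy in its own
    namespace selects for the given direction (traffic is allow-all there)."""
    policies = [o for o in items if o.get("kind") == "NetworkPolicy"]
    findings = []
    for pod in (o for o in items if o.get("kind") == "Pod"):
        meta = pod["metadata"]
        namespace = meta.get("namespace", "default")
        labels = meta.get("labels") or {}
        isolated = any(
            p["metadata"].get("namespace", "default") == namespace
            and direction in policy_types(p)
            and selector_matches(p.get("spec", {}).get("podSelector") or {}, labels)
            for p in policies
        )
        if not isolated:
            findings.append(f"{namespace}/{meta['name']}")
    return sorted(findings)


if __name__ == "__main__":
    for direction in ("Ingress", "Egress"):
        print(direction, "allow-all pods:", non_isolated_pods(SAMPLE_ITEMS, direction))
```

The check reports whether a pod is isolated at all, not whether the rules of the selecting policy are tight enough, and policies only take effect when the cluster's network plugin enforces NetworkPolicy.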

The next layer is container, consisting of container images which may possess vulnerabilities that can be scanned for.

Organisations commonly overlook issues such as image security, the use of external libraries or registries - which can themselves be insecure - and weak privacy configurations. It is important to keep containers regularly updated to minimise exposure to vulnerabilities.


The last layer of the four C’s is code. Securing this layer provides the highest level of security control. Typical security issues here involve insufficient risk assessments and vulnerabilities in third-party software dependencies. Businesses can use a static code analysis (SCA) tool to identify insecure code and ensure safe coding practices are quickly implemented.

Traditional IT security relies on seeing and monitoring the entire attack surface to detect vulnerabilities and address security risks. However, since a cloud-native infrastructure is always evolving, it’s difficult to have complete visibility and maintain secure environments. IT teams must introduce security into the development lifecycle from the beginning - this is the strongest tactic a company can adopt to prevent attacks across each layer of the four Cs.

ADDRESS THE MOST COMMON ISSUES

When it comes to implementing cloud-native security measures, organisations can face difficulties. This can be for a number of reasons, but an inability to enforce consistent policies - often due to not having the correct infrastructure in place - is one of the most common. Cloud-native environments consist of a variety of tools from numerous vendors, making it difficult to centralise security policies and apply them consistently. IT teams need to look for tools that consolidate the entire cloud infrastructure into one easy-to-manage platform, rather than trying to harness disparate tools to gain the visibility needed to ensure effective cloud security management.

A diverse landscape requires a diverse approach to defence, and data is central to enabling businesses to advance how they protect themselves. Organisations migrating to the cloud must understand the importance of data analysis, intrusion detection and threat intelligence to protect sensitive data - especially when there is so much data to analyse. Cloud intelligence tools can analyse events within the cloud environment and provide account activity insights through machine learning and threat research. The accumulation and interpretation of data collected during daily cloud operations prior to an incident play a critical role in proactively securing a cloud-native infrastructure.

Dealing with misconfiguration is incredibly important in cloud-native environments. Mistakes by users are the ‘open door’ which can allow cybercriminals in. For security practitioners, this means that they should opt for security tools that scan for misconfigurations automatically; otherwise, they can face data loss, system subversion and other threats. Hardening systems by the use of automated tooling is essential - particularly where Kubernetes meets host operating systems, as it leaves two different levels where misconfiguration could potentially create problems. Automated security tools such as Kubescape can handle everything from scanning for misconfigurations to software vulnerabilities. For organisations hoping to comply with strict security standards such as ISO 27001, it can also help security practitioners to identify potential compliance issues.

EMBED SECURITY IN FROM THE GET-GO

When it comes to a cloud-native approach, the benefits a business can see far outweigh the challenges that come with security. However, this will only remain true if a business takes a proactive approach to its security strategy from the start, baking it into every layer of the four Cs. By centralising security policies, implementing automated tooling and diversifying its approach to data, a company can continue to reap the rewards of cloud-native, while navigating the growing threat landscape with ease.


How to turn cyber security into a business enabler.

Do you know how to turn security into a business enabler? This is a challenge I’ve faced consistently throughout my career. As I’ve had plenty of conversations with other CISOs recently, I’ve found that it’s ultimately one of the key challenges for them as well. If you’re a security leader, you might be familiar with the scenario where you identify the most pressing security risks for your business, present those risks and a remediation plan at your board meeting, and then leave that meeting feeling great because the board has approved your plan and said, “You have our full support, security is very important to us.” But then, almost nothing happens. The quick fixes are implemented, but the more challenging, long-term actions aren’t getting done. So, why is your risk remediation plan getting ignored — even after you gained approval and backup from executives? And how can you overcome this dilemma?


THE CULPRIT: COMPETING PRIORITIES

Your plan is likely being neglected because your company (like virtually all organizations) usually has competing priorities. You looked at costs, you looked at the acceptable risk, but you forgot to consider the speed of the business.

Every measure you take has a cost attached to it, but also an impact on the speed of the business. Let’s say you have a digital product that is delivering value to your organization (e.g., the revenue, the growth).

If it’s a digital product, the engineering organization is usually delivering that value with new features and new functionalities. As soon as you put a technical measure in place to remediate risks, it may slow down the engineering. If it does, that will have an impact on the business.

Let’s say you go to the board and tell them you want to remediate a risk, and then they decide that the remediation you propose comes with an acceptable cost. Then, 30 minutes later, the CTO enters the room and asks for support as the development needs to speed up because they have to be better and faster than their competition in the market.

This results in competing priorities where you, the security leader, often won’t win over the business.

BUILDING ALLIANCES IS KEY

The key challenge (or the opportunity) as a CISO is taking that impact on speed into account in your risk management. To do that, you have to build alliances — not just with the CFO to look at the costs, but also with the CTO.

If the CTO (or someone in a similar position like the VP of engineering or CPO) is delivering new functionalities every 15 minutes via the CI/CD pipeline, and you come to an agreement that a slow down of two minutes is acceptable, then you’ve got your alliance and window of opportunity for security. It’s up to you to find the best measures that fit into these accepted two minutes.


HOW CAN YOU AVOID IMPACTING SPEED AND COST?

Now, the magic comes in working with your CTO to determine how your remediation plan could have less impact on the CI/CD pipeline while also accomplishing your security goals.

For example, you could consider prioritizing measures that have less impact on the speed, or different measures that can be better integrated in your CI/CD pipeline, which are better understood by your developers and cause less friction for them because they don’t have to jump from tool to tool. Small adjustments like these can be game changers because they can help limit risks while also not affecting the speed of the business.

To limit costs, you need to consider a few things as well. Do you want to have many point solution tools or cover your needs with fewer tools? Can you decentralize your security organization? This might help you overcome a talent shortage, and you might not need to hire additional employees.

Do you need the security operations center (SOC) or can you externalize it? From a CISO’s perspective, you should spend more time finding ways to reduce costs and avoid slowing the business than focusing on the real risk, because once you have identified and measured the risk, your priority should be to find the measures that are best suited for your company.

That’s how you become a business enabler: You implement the security measures that fit best for your business. There is a way to do more security with less costs or more security with less impact on the speed.

WHAT’S MOST IMPORTANT TO YOUR BUSINESS?

You need to understand what’s important to your company. For me, speed is more essential than cost. Very often, say if you are in a scale-up company that has Series B funding, it’s usually not costs that are a driving priority; it’s your product. So that’s a scenario where you might want to prioritize speed. In many public and large companies it’s more a cost- and reputation-driven approach, so there you might look first at cost and also the reputation impact that a potential security incident might have.

Regardless, you need to always look at both dimensions. You will have a successful plan that will be implemented after you leave your board meeting, if you have built the alliance upfront with the CTO and the CFO.


Holistic API security.

The challenges that the global business community has faced in the last few years have been unprecedented. A pandemic, inflation, an energy crisis, war, an economic downturn, and fragmented and delayed supply chains have all created issues for organizations and have left no industry, market, or region untouched. Yet, despite these issues, our digital ecosystems and footprint grow ever bigger and increasingly complex. The global digital transformation market was worth $731.13 billion in 2022, and it is now expected to grow at a CAGR of 26.7% by 2030, driven in the main by businesses trying to gain a competitive advantage. However, it is the size and intricacy of our digital world that makes cyber risks and threats both more present and more potent.


With more digital transformation initiatives and more third-party providers involved in the supply and distribution of digital goods and services, this creates more opportunities for cybercriminals to target our infrastructure. That’s because these initiatives increase complexity – with more connection points, more third parties, and lengthier digital supply chains.

This, in turn, increases the need for more APIs and API integration, creating increased risks and attack vectors. The reality is that APIs are the connective tissue for the digital world, but the explosion in API use has created new and rapidly growing threats to organizations across the globe.

LESS TECH TALENT, MORE AI AND AUTOMATED CODE GENERATION

Furthermore, there is a growing shortage of talent with sufficient know-how to properly manage and build infrastructure. 71% of CEOs anticipated that the skills and labor shortage would be 2022’s biggest disruption, and this skills gap, more specifically, is expected to cost businesses trillions of dollars by the end of the decade. This is prompting organizations to look at how or what they can automate to fill that gap. Automation, fueled by AI and spearheaded by digital giants and their text generation software such as ChatGPT and Google Bard, is very much in vogue as a result. The ability of these tools to generate working code will increasingly become the backbone of many digital services and products, especially with fewer tech experts and ever more lines of code to program (of growing complexity).

Such tools are easily accessible, and the potential productivity boost is enormous, but unfortunately, the benefits also come with some major drawbacks. It is undeniable that these tools have the ability to make development easier and faster. However, in terms of generating secure code, the jury is still out. AI tools use a breadth of existing knowledge, but they lack human creativity and initiative, and this means vulnerabilities can creep into code. And unfortunately, it only takes one vulnerability for an attacker to gain access to critical information via an API.

Additionally, this also increases the potential for, and likelihood of the use of, automated code generation tools such as GitHub Copilot and Copilot X. Certainly, these tools have the potential to make life easier for a stressed and in-demand developer - but a team of researchers associated with Stanford University also found it makes security vulnerabilities and flaws in the apps they develop much more likely.


SHIFTING GLOBAL REGULATIONS ARE INCREASING COMPLEXITY

To make matters increasingly difficult, the laws of various lands are rapidly changing – and not in any synchronized manner. This means that any international company and its lengthy supply chain must abide by new, changing, and disjointed rules.

The US National Cyber Strategy, the EU Cyber Defence Policy, and Cyber Resilience Act, the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the PSD3 Consultations on Open Banking, begin to show the amount of legislation on these wide-reaching topics and there are plenty more in the works. Some of these are guidelines, some are laws, some are comprehensive, and some are less so. This makes it even harder to stay ahead.

All of the issues outlined above are creating a perfect storm and doing business across such a complex matrix of policy, regulation, and security is not only creating huge inefficiencies but also attack vectors and vulnerabilities at a time when organizations are ever watchful over risks and costs, owing to the economic climate.

HOW COMPREHENSIVE API SECURITY FILLS THE GAPS

In such a vulnerable, uncertain, and heavily regulated environment, there is now a critical requirement for proper API security that can discover, monitor, and predict vulnerabilities while fixing them before they spread through a network. This comprehensive and dedicated API security needs to “shift left” and start life from the beginning of the software development lifecycle but “lean right” – emphasizing active and real-time protection.

Ultimately, the goal should be to establish comprehensive and efficient API security policies which are proactively managed over time. The use of advanced AI and ML processes to uncover new threats before they impact the network is also essential. As is continuous and active testing to ensure that the business has the real-time capabilities in place to identify new attack vectors and remediate vulnerabilities as they unfold. As with all new platforms and tools, an API security provider must be more than simply a vendor. They need to be viewed as a trusted partner to help ensure that API security policies and tools stay ahead of the ever-shifting landscape while also improving the speed at which customers can expand their businesses in this highly competitive environment.

As we look to a future of increasingly rapid software development incorporating automated code generation, now more than ever, companies will need comprehensive, flexible API security tools such as discovery, posture management, runtime protection, and pre-production and deployment. This will enable them to actively test, predict, and defend against vulnerabilities and meet the demands of an increasingly unpredictable world.


Uplevelling cybersecurity strategies.

Organisations are continuing to face security challenges associated with hybrid work, and that’s not going away anytime soon. Recent Citrix research found 74% of global security decision makers believe information security procedures, systems and controls have become more complex due to widespread home working, while 73% of respondents believe information security teams must tolerate a higher level of acceptable risk in a hybrid, work-from-anywhere environment. Organisations need technology that can keep up with the increasing security threats and challenges that come with employees connecting from various locations. In today’s world, employees need to be able to access whatever they need to do their work, wherever they may be located – yet this is problematic when considering that web application weaknesses, misconfiguration mistakes, vulnerable software and – in some cases – poor internal policies are all likely to increase the incidence of phishing, malware and ransomware attacks in the next 12 months. Let’s examine some ways in which organisations can uplevel their cybersecurity strategies to avoid the various consequences associated with the hacks and vulnerabilities that befall so many.


APPLICATION DELIVERY

Companies need to provide their employees with seamless and secure access to the many applications they need to effectively and efficiently complete their tasks. Utilising a hybrid, multicloud deployment for centralised application delivery is guaranteed to improve employee experience while reducing complexity by providing everything they need all in one platform. A single, unified platform also allows organisations to manage security policy more easily through a single view across all clouds, which aids in the mitigation of threats and vulnerabilities.

In using this approach, IT teams can rest easy knowing they will maintain visibility of all activity, granting them the means to find and troubleshoot any issues in a timely manner. In 2023, organisations should be placing a large focus on working with vendors who can provide visibility and insights into what’s working, and what’s not, so they can make the best decision around application delivery.

ZERO TRUST

As the workforce continues to embrace hybrid work, it’s essential for security solutions to adapt to the new obstacles that hybrid work brings. Many organisations still use legacy systems such as VPN, but the fact is that many of these systems simply can’t keep up with the increasing need for extra security and leave gaps of exposure that leave organisations at risk. When thinking of how to provide the most secure access to your hybrid workers, the key is not switching from one solution to another overnight – but maintaining a balance between legacy and new technology.

Recently, cloud-delivered ZTNA (zero trust network access) has emerged as a top solution for securing remote work, and a big reason for the rise in popularity stems from its ability to provide secure access to an organisation’s infrastructure and resources without connecting devices to a shared network, and providing continuous monitoring to constantly work against threats. In fact, by 2025 zero trust network access is expected to replace all VPN as the top security framework for businesses to use when protecting their organisation. However, even as the optimal strategy, choosing the right implementation of ZTNA is important. Businesses must decide whether they would prefer to deploy ZTNA as a service or host the software themselves, either on premises or in a public cloud.

Currently ZTNA SaaS offerings are very popular and widely adopted given that this method is faster and easier to deploy, less cumbersome to manage and more readily scalable than self-managed offerings. Conversely, self-hosted zero trust networking requires deploying controller appliances either on premises or in a public cloud, but despite a more arduous deployment and management requirement, customer-deployed and controlled trust brokers may offer greater control.

DATA PRIVACY

With ongoing challenges in spaces such as digital collaboration, robust cybersecurity strategies will be important for organisations looking to provide a seamless and secure access experience for their users. However, as organisations begin shifting their cybersecurity priorities to address the many needs and challenges that come with hybrid work, it’s imperative that data privacy laws are kept in mind. Ensuring your security teams have total visibility of all company data and where it moves is key: without adequate cybersecurity solutions you aren’t able to control or view all the data flowing in and out of your organisation, leaving you vulnerable to many threats including data breaches, which could lead to compliance penalties under the General Data Protection Regulation.

In 2023 and beyond, organisations will need to work hard to ensure they have the strongest security possible to both limit the possibility of an attack and minimise the damage if one does occur - while guaranteeing they are following the latest data privacy laws.


An effective AI integration strategy.

As Artificial Intelligence enters the mainstream with products such as ChatGPT streamlining tasks in many industries, we are on the precipice of a fundamental technological evolution that business leaders must stay ahead of. However, are vital considerations being overlooked as companies race to adopt AI into their digital transformation strategies? Many businesses are still in the early stages of their digital transformation journey. A key factor to consider before AI adoption is whether the optimal operational foundations are in place to support the addition of more complex technology. With the mindset that AI is the sole solution to existing problems, business leaders may try to run before they can walk.


LEGACY TECHNOLOGY IN THE MODERN WORKPLACE

Despite the recent acceleration in technological advancements, there is a significant gap in sophistication between these new offerings and legacy systems that many employees are contending with daily. Data is still siloed within non-interactive platforms. Spreadsheets must be painstakingly updated manually at a pace that no longer fits the rapid change the current business environment requires. Interactivity and accessibility are lacking between different teams and departments, meaning that consolidating information to provide a wide-lens view for leaders and stakeholders must still be manually compiled. While there have been advances in digital transformation, many instruments and solutions are still largely inappropriate or not adapted to the tasks they have to perform. The ultimate goal is to introduce digital technologies in a way that helps rather than hinders employees. Software development for enterprise technology should learn from consumer technology regarding usability. Employees experiencing intuitive user interfaces from their tablets or smartphone are frustrated further by navigating clunky systems that do not enhance workplace productivity.

LAYING THE FOUNDATIONS FOR AI INTEGRATION

Good technology can be game-changing for business operations. While tools and technologies such as ChatGPT provide advantages in speeding up specific tasks, it is vital to be cognizant that this is one piece of the puzzle regarding increasing efficiency across an organisation. The current business landscape presents various challenges many industries are contending with. These include supply chain disruptions, the fluctuating economic climate, the skills gap, adjusting to hybrid work structures, and the pressure to incorporate digital transformation and stay ahead of the curve. With better operational management that improves planning, scheduling and performance analysis, companies may stay afloat and successfully execute on a digital transformation strategy. With this existing framework, sophisticated technology may increase management complexity. One prevalent error organisations make is the assumption that possessing superior data and algorithms is sufficient for intelligent decision-making. However, the truth is that AI will have minimal impact if not integrated into a comprehensive strategy of process transformation. Achieving this entails deploying platforms that can dynamically combine existing systems and utilise them to improve decision-making processes. By adopting such an approach, companies can pave the way for new technologies, increasing their success.


UTILISING HUMAN AND ARTIFICIAL INTELLIGENCE

The emergence of AI and ChatGPT has significantly impacted businesses’ ability to think quickly and execute strategies. However, it’s essential to recognise AI as a helpful tool rather than a comprehensive solution for decision-making. Although AI can provide more data, evidence, and options, ultimately, the final decision rests with the individual using it. It’s also important to note that AI can be a blunt instrument, and human judgement is still necessary. This is exemplified by the hypothetical situation of asking AI how to eliminate global starvation, to which its response might be “eliminate humanity.” Although this may sound like the plot of a science fiction film, it’s a great example to emphasise the continuing need for human intuition and analysis to make optimised decisions. There is much talk about machine teaming in the military sector, where AI-driven machines collaborate with soldiers to make decisions. While AI is a vital part of this system, judgement is still required at the end of the chain, where experience and human analysis are crucial. To avoid overreliance on generative AI tools such as ChatGPT, business leaders should consider adopting more comprehensive technology systems that incorporate AI-powered data into a context that empowers human decision-making. Striking the right balance between data and human judgement is critical to making informed decisions that facilitate this process.

DIGITAL TRANSFORMATION TO SET EMPLOYEES UP FOR SUCCESS

Organisations that leverage advanced technology can attain significant advantages in terms of operational management, productivity, and efficiency. However, it’s crucial to view AI and ChatGPT as tools rather than comprehensive solutions. Decision-making requires striking the right balance between data and human judgement to arrive at informed decisions that are precise, ethical, and yield scalable outcomes.

A solid digital transformation strategy for business leaders is to introduce digital technologies incrementally to aid employees in adapting and making the most of the new tools and processes. These platforms should be usability-focused, with learning curves that can be completed within a couple of hours instead of long training sessions of days or weeks. They should align with systems employees are already using and allow data to be accessible to any person that needs it swiftly, with any level of tech know-how. Enterprise solutions should offer an array of features that can incorporate AI-powered data into a context that makes sense for decision-makers, leading to enhanced productivity and efficiency. To maintain a competitive edge, companies must focus on getting the basics right and learn to walk before they rely entirely on automation.


Myths about Cyber Security.

Over the past five years I have had the privilege of teaching, implementing, auditing, and consulting with US businesses concerning their cyber security and privacy needs. I have also practiced most areas of business law over the past forty years. My work in cyber security began by teaching the General Data Protection Regulation (GDPR) to Americans. What I learned is that most US companies were not really worried about cyber security and privacy. They felt that these types of regulations only impacted Europeans and health care providers (HIPAA). Times change.

By William Gamble, Global Privacy and Cyber Security Compliance Consultant at IT Governance USA.

MYTH 1: US COMPANIES DO NOT HAVE TO WORRY ABOUT CYBER SECURITY AND PRIVACY.

This idea is simply wrong on many levels. The concept of privacy has been part of US law for over 100 years. Lawyers Louis Brandeis and Samuel Warren published “The Right to Privacy” in the Harvard Law Review in 1890 (“The Right to Privacy”. Harvard Law Review. IV (5): 193–220).

Law review articles can have an outsized impact, but they are not law. Privacy was enshrined in US law by the US Supreme Court in 1965 (Griswold v. Connecticut, 381 U.S. 479 (1965)). This case held that the general right to privacy is found in the “penumbras,” or zones, created by the specific guarantees of several amendments in the Bill of Rights, including the First, Third, Fourth, and Ninth Amendments.

While the concept of privacy existed in the US, it was not used generally until the excesses of Big Tech in monetizing personal data became evident in the past few years. This has led to a cascade of new privacy laws beginning with the California Consumer Privacy Act in 2018, to the privacy acts passed in Iowa and Indiana this month. In addition to the present seven laws, we might expect another two soon. There are also new biometric laws like the Illinois Biometric Information Protection Act (BIPA) and laws to protect children.

The reality for US businesses is that they must protect their customers’ privacy and data. Not only to comply with an ever-increasing series of laws, but to satisfy the preferences of customers.

MYTH 2: TECHNOLOGY ALONE WILL TAKE CARE OF THE PROBLEM OF CYBER SECURITY.

This is simply not going to happen. Humans work on and with technology. You cannot remove humans from the equation. For example, the numbers vary, but phishing is always implicated in the vast majority of attacks. It is not just phishing. Four out of five attacks involve password cracking. Password cracking is not just about poorly chosen passwords, it is often about phishing and social engineering.

This brings up what is probably the best cyber security defense: good training. You can have the most sophisticated cyber security tools that tech can offer, and they can all be defeated by human error. Some of the most flagrant offenders are top management who fall for carefully crafted spear phishing campaigns.


Artificial Intelligence will undoubtedly make things worse as it becomes easier to craft better phishing emails.

MYTH 3: EU FINES ARE BIGGER THAN US FINES OR AWARDS.

When the GDPR came out, everyone was impressed with the GDPR Article 83 tier 2 fines, which allowed for 4% of global gross revenue. This resulted in a large fine against Amazon for $781 million, the largest fine to date under the GDPR. But this number pales compared to the FTC’s $5 billion fine against Facebook. While fines under the GDPR can be large, US plaintiff class action awards easily surpass them.

While most GDPR fines are levied by one of the approximately 42 Data Protection Supervisory Authorities, class action lawsuits in the US can be brought by any of the thousands of plaintiff law firms.

Many of these firms are part of a vast industry involved with product liability lawsuits. They can easily switch to cyber security.

MYTH 4: PRIVACY IS NOT IMPORTANT TO CONSUMERS AND NOT PART OF THE BUSINESS MODEL.

Actually, it is very important. According to a Cisco survey, 94% of firms said their customers would not buy from them if their data was not properly protected.

Looking back on how data has been captured throughout the years, we can see great achievements and the subsequent pitfalls when it comes to data privacy. Cookies revolutionized marketing. Tracking cookies were invented in 1996 and incorporated into browsers in 1997. The digital marketer used cookies to collect data and then used that data to target a particular consumer with tailored advertising.

The problem with tracking cookies is that they are a serious violation of a consumer’s privacy. When given the choice, only 24% of consumers allow them.

They are on their way out. By 2021 both Safari and Mozilla had total cookie protection. Google tried to introduce a privacy sandbox, but it failed. Google is currently set to phase out third-party cookies in Chrome by 2024. No doubt Google, Facebook, and other tech giants who rely on advertising will try to come up with alternatives to revive their business model.

The reality is that times have changed. The cascade of state privacy laws has occurred because consumers want them. Over the past decade consumers have become increasingly aware of the need for privacy and cyber security. They are demanding better protection from their government, but also better accountability from the firms with whom they do business.

Businesses that can adapt to the new reality will succeed; those that cannot will not.


Automate before expiry.

Google’s decision to reduce the maximum validity period for public TLS (Transport Layer Security) certificates, also known as SSL (Secure Sockets Layer) certificates, to 90 days from 398 days will send shockwaves across the cybersecurity landscape. In its “Moving Forward, Together” roadmap, shared on March 3, Google revealed its plan to reduce the maximum validity of public TLS certificates to just 90 days. This may seem minor, but in fact, this is a significant change and one that demands the attention of senior leaders everywhere.


At the moment, it looks as though this forthcoming industry change will be implemented via a CA/Browser Forum ballot. However, if Google chooses to unilaterally enforce the reduction of certificate lifespans by making it a requirement of its root program, this would become a de facto industry standard, forcing every commercial public Certificate Authority (CA) to follow suit. Since browsers have the autonomy to establish their own root program requirements, this modification could take place even if there’s no mandate from the CA/B Forum. By proactively communicating its plans, Google is affording the industry ample time to brace itself for the impending transition, and its implications.

While there is no specific date as to when Google plans to implement the change, it is likely that this 90-day maximum validity period will take effect by the end of 2024. As such, organisations should take the opportunity, and time afforded, to prepare for change.

DIGITAL CERTIFICATES: THE BENCHMARK FOR DIGITAL TRUST

To understand why Google is pushing for this move, it’s essential to acknowledge the significance of SSL/TLS certificates, their ubiquity, and critical functionality across the digital landscape. Digital certificates provide security and encryption for today’s data. Similar to passports, certificates based on public key infrastructure serve as digital IDs that contain the identity information of their holders such as software, code, bots, IoT/OT, laptops, and devices. Acting as authenticators for both humans and machines, these certificates facilitate seamless communication in the digital world.

Public key cryptography is the backbone of all things digital, ensuring secure business transactions within and beyond enterprise networks. These cryptographic systems secure an array of systems and processes, ranging from a home-office printer to intricate IoT devices in factories, and critical national infrastructure systems. Certificates, functioning as digital trust stamps, authenticate and verify the vast and ever-increasing number of human and machine identities accessing IT ecosystems every second.

In recent years, the lifespan of public SSL/TLS certificates has been steadily declining, from three years to two, then one, and now Google intends to reduce it further to just 90 days. The fact is, 398 days (the current maximum term allowed by the CABF Baseline Requirements and by various major root programs) is a long time for a compromised certificate to exist. After all, the longer a certificate remains valid, the more likely it is to become compromised.


90 DAYS: IMPROVING AGILITY

By implementing shorter lifespans for certificates, the chances for cybercriminals to exploit outdated certificates are significantly reduced. These situations commonly occur when companies shut down operations, merge with other entities, transfer domain names, or undergo rebranding processes. The transition to 90-day TLS certificates plays a crucial role in limiting the window of opportunity for compromised certificates to be exploited. As a result, this measure strengthens the integrity of the entire ecosystem and mitigates the risks associated with service outages and security breaches. Ultimately, it empowers organisations to swiftly adapt to quantum-resistant algorithms, safeguarding their sensitive data against potential threats posed by quantum computers in the future.

However, in spite of the significant operational challenges faced by businesses, surprisingly 47% of businesses continue to rely on manual methods for certificate management. This approach poses inherent problems as it is highly susceptible to human error, resulting in expired or misconfigured certificates. Also, the lengthy nature of manual management discourages organisations from actively monitoring and addressing expired or compromised certificates, thereby escalating the risk of service disruptions, security breaches, and non-compliance with industry standards and regulations. The remedy to this issue is evident: adopting automation as a means of ensuring effective certificate management.

SECURITY WORKLOADS UP AT LEAST 5X

Despite the critical need for efficient certificate management, a staggering 47% of organisations still manage their certificates manually. But with Google’s upcoming 90-day maximum term, organisations will now face the daunting task of renewing and deploying every certificate on their servers more than five times a year. This isn’t just about a handful of certificates; we’re talking about hundreds or even thousands. The message from Google is clear: manual management is no longer practical, and the ecosystem must enable automation for certificate management. With challenges like rogue certificates, gaining visibility for cryptographic decisions, and individual deployment, the task will soon become downright impossible without automation.

Google’s upcoming move is not just about shortening the lifespan of SSL/TLS certificates; it will also reduce the length of domain validation reuse. This is where it gets even more complicated. The current baseline requirements allow for up to 398 days of reuse; Google aims to protect domain owners and prevent certificate misuse by relying on up-to-date information.

This will mean that businesses will not only have to keep track of their certificates but also re-verify their domains every 90 days. This is where automation becomes even more critical.

IT teams must act now and embrace automation for certificate management, including CA-agnostic Certificate Lifecycle Management (CLM) platforms. These solutions enable the efficient discovery of certificates in enterprise environments regardless of the issuing Certificate Authority. They also provide timely notifications for impending expirations and automate the provisioning and installation of renewal and replacement certificates. By doing so, they help prevent outages and security breaches resulting from the incorrect use or renewal of certificates. To minimise the risk of being caught off guard by this industry change, it is crucial for businesses to proactively safeguard their operations through automated certificate management.
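The expiry tracking and renewal scheduling described above, as an added example (not code from the article or from any CLM product): it reads validity dates in the format returned by Python's `ssl.getpeercert()` and flags certificates that are expired, due for renewal, or issued for longer than the proposed 90-day maximum. The inventory, hostnames, CA names and the two-thirds renewal point are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=90)  # proposed maximum term discussed in the article
RENEW_FRACTION = 2 / 3             # assumption: renew after two thirds of the lifetime

# Constructed inventory; dates use the notBefore/notAfter format of ssl.getpeercert().
INVENTORY = [
    {"host": "shop.example.test", "issuer": "Example CA A",
     "notBefore": "Mar  1 00:00:00 2023 GMT", "notAfter": "Apr  2 00:00:00 2024 GMT"},
    {"host": "api.example.test", "issuer": "Example CA B",
     "notBefore": "Mar  1 00:00:00 2023 GMT", "notAfter": "May 30 00:00:00 2023 GMT"},
    {"host": "legacy.example.test", "issuer": "Example CA A",
     "notBefore": "Apr  1 00:00:00 2022 GMT", "notAfter": "May  4 00:00:00 2023 GMT"},
]


def parse_cert_time(value):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess(entry, now):
    """Classify one certificate against the renewal point and the 90-day policy."""
    start = parse_cert_time(entry["notBefore"])
    end = parse_cert_time(entry["notAfter"])
    lifetime = end - start
    renew_at = start + lifetime * RENEW_FRACTION
    if now >= end:
        status = "expired"
    elif now >= renew_at:
        status = "renew-now"
    else:
        status = "ok"
    return {
        "host": entry["host"],
        "issuer": entry["issuer"],
        "status": status,
        "days_left": (end - now).days,
        "renew_at": renew_at.date().isoformat(),
        "over_max_validity": lifetime > MAX_VALIDITY,
    }


def report(inventory, now):
    """Assess every certificate, most urgent first, regardless of issuing CA."""
    return sorted((assess(e, now) for e in inventory), key=lambda r: r["days_left"])


def renewals_per_year(validity_days, renew_fraction=RENEW_FRACTION):
    """Renewal cycles per certificate per year when renewing at renew_fraction."""
    return 365 / (validity_days * renew_fraction)


if __name__ == "__main__":
    for row in report(INVENTORY, datetime(2023, 5, 15, tzinfo=timezone.utc)):
        print(row)
    print(f"renewals/year at 90 days: {renewals_per_year(90):.1f}")
```

Certificates flagged `over_max_validity` are the ones that would have to be reissued on a shorter term once a 90-day maximum applies.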


Growing cybersecurity concerns.

As a nascent technology, the metaverse is currently under speculation while people debate its potential risk versus reward. The 3D virtual world has presented itself as a key investment opportunity, with McKinsey confirming that more than $120 billion was injected to build out metaverse technology and infrastructure in the first five months of 2022. Discussions of extraordinary use cases, from teaching virtualised university lectures to performing surgeries for patients in other countries (plus the potential cost saving and accessibility benefits), have been a cause for optimism. Yet the infancy of the technology and lack of understanding of the associated risks has caused the security community to become apprehensive.


Opportunistic adversaries will take advantage of the sprawling attack surface that the metaverse paves via social media, streaming services and online gaming, and capitalise on the mistakes made in the technology’s development. Deepfake attacks in the current version of our digital world are already growing, whereby advances in artificial intelligence are used to digitally alter and mimic a person’s voice or appearance with ill intent. 66% of respondents in our Global Incident Response Threat Report saw malicious deepfakes used as part of an attack last year (up 13%), with the majority (58%) witnessing deepfake attacks taking the form of video. But what we should be most concerned about is how new platforms are increasingly being used as a vehicle for deepfake attacks, including third-party meeting applications (31%) and business collaboration tools (27%). Could we soon see a similar uptick in scams inside of the metaverse virtual reality?

If the metaverse does indeed take off in a big way, organisations will need to be considered in how they deliver this nascent technology. Exploring how different tools and authentication techniques can be used will be essential for those seeking to safeguard and shepherd the virtual world.

HOW WILL WE KNOW WHO’S WHO?

It is becoming more apparent that existing types of cybercrime could spread to the metaverse. What a lot of adopters do not realise is that new metaverse technology is being built upon old technology, like Linux servers, in which security is not intrinsically built and vulnerabilities are deep rooted. Europol Innovation Lab has warned that cyberattacks, like misuse of stolen identity to commit fraud and even abuse other users (or avatars), could be replicated in the metaverse. In the context of virtual reality authentication, sophisticated eye tracking, face tracking and motion haptics could be used to record a user’s interactions with the device - how will we be able to tell the friend or colleague we’re interacting with is really who they say they are? Eventually, the platform could become a magnet for ransomware and money laundering, with cryptocurrencies in active use and more platform-specific currencies expected to materialise.

Continuing to rely on passwords as the primary form of authentication in the virtual world would be a recipe for these breaches to breed. Organisations involved in its build out or use will need to show thoughtfulness towards the controls in place to identify users and deploy watertight authentication.

VIRTUAL REALITY AUTHENTICATION

One-time authentication simply would not work in the metaverse; it needs to be viewed as a lived space, not as a single-use service. Instead, a system of continued authentication leveraging different factors, such as biometrics, and closely monitoring user behaviour will be critical to alleviating some security concerns while providing a seamless experience in the metaverse. The same principles of zero trust security we’ve become accustomed to in the ‘real world’, namely the belief that implicit trust is always a vulnerability and we must always verify devices and users, need to be replicated in the metaverse. Indeed, it is a delicate balancing act as continual authentication may be deemed invasive by some, constantly collecting user data to qualify that users are who they claim to be. But with the tonnes of data that will be collected to produce a personalised and realistic user experience in the metaverse, there is an urgent need for the security of the authentication process to be improved. Continuous digital authentication of a device, and the identity of the human using the device, provides that additional layer of security to the logging-in process and helps to detect anomalies in the form of mimicry.

Beyond the security challenges in the technology itself, safety in the metaverse must also encompass the safety of individuals in that space. Any nefarious activities humans can do in this world can be recreated by them in the metaverse. Whether regulation is decentralised or enforced by the government, action must be taken. Otherwise, we may end up with fragmented versions of the metaverse, each existing within its own walled garden of regulation and security policies.

But before new cyber security strategies can be developed, existing defences for technologies vital to the metaverse, such as 5G, IoT, blockchain and artificial intelligence, need to be fortified. Only then can we ensure a solid foundation for this new virtual realm.

STANDARDISING SECURITY BEST PRACTICES

While the metaverse remains on the fringes of how we use the internet currently, there is optimism that it will introduce new ways of interacting and whole new virtual worlds to live in. With the potential to transform our lives, however, comes a new and attractive opportunity for threat actors. Existing vulnerabilities, inherited by building this new frontier on legacy technology, could be exploited in the professional and personal spheres in order to profit or cause harm to others. To tackle the cyber risk, a harmonious network of continuous digital authentication, zero trust and thoughtful means of data collection will need to be adopted as the standard operating procedures.
