No day in the cyber world looks the same. With attack frequency and sophistication seeming to increase rather than decrease, the battle between attackers and defenders is reaching new heights. Things simply don’t seem to get much better if you follow the news.
Cybersecurity has become an end-to-end story. That means organizations must provide protection and security across the entire breadth and depth of their environment. That’s why Techzine recently organized a roundtable, where representatives from several sub-areas of the industry joined us. The main goal was to get a clear idea of how executives, IT professionals, users and other interested parties should look at and deal with the security market. Where should the priorities lie, what does it mean to do a risk analysis of your environment, and how do you implement and maintain it all in a future-proof way?
We will look for answers with the companies Barracuda Networks, Cohesity, Darktrace, Datto, Fortinet, Fox-IT, Okta, Rubrik, SentinelOne, Visma and VMware. They are represented, respectively, by Alain Luxembourg, Dave Stemerdink, Annabel Hazewinkel, Hans ten Hove, Harm Teerenstra, Willem Zeeman, Rachel Case, Jerry Rijnbeek, Sjoerd de Jong, Cindy Wubben and Jan-Willem Lammers.
What’s hot right now?
We start the discussion with a roundup of what 2023 marks in the field of cybersecurity. One of the first topics that comes up at the roundtable is cyber resilience. This has always been an important topic, and one that is slowly seeing some improvement, observes Ten Hove, Area Vice President Continental Europe at Datto. “But what you see is that SMBs often underestimate the risk that something can happen to them, and overestimate the ability to recover from it.” Stemerdink, Principal Sales Engineer at Cohesity, sees cyber resilience as one of the core issues. “With that, we see a lot of investment being made to prevent certain things. Fortunately, things often go well, but also regularly don’t.”
As VMware’s Principal Technologist, Lammers does know where those mistakes come from. According to him, the basics are often not in order. “Think about things like cyber hygiene, patching, least privilege, simple things like that.” Zeeman, from his incident response background at Fox-IT, also sees that there are a lot of gains to be made in this area. “What I do see is that some awareness seems to have come around that basic hygiene,” Zeeman said. Here, he points to the favorable trend of encountering more Endpoint Detection and Response tools in corporate environments.
At Rubrik and Barracuda Networks, however, they see that technology also creates complexity. Rijnbeek, Area VP Sales Engineering EMEA & APJ at Rubrik, explains what this means for cyberattacks and defense. “All companies are in a transition to the cloud. They are already there or are halfway there. But during that transition, the attack pattern is also changing. You see the shift to focusing on data, so not so much locking down those systems anymore. Extracting that data through phishing is actually the focus now,” explained Rijnbeek.
Luxembourg, Barracuda Networks’ Regional Vice President Benelux & Nordics, also notes that the changing infrastructure can cause problems. “IT managers are changing roles. They then take over existing products that are being used and want to introduce a certain product they know into the new environment as well. They then start tying strings in the IT infrastructure. You notice it gets pretty messy then,” Luxembourg observes.
Wubben, CISO for the Benelux at Visma, and Hazewinkel, Cyber Technology Specialist at Darktrace, are also watching the attacker side of things in 2023 with great interest. Wubben: “For us, the war in Ukraine was and remains important. What is going on there and how does that affect our organization? We are in 39 countries, there are all political interests at play there. For example, the Netherlands supplies fighter jets, then you see cyber attacks coming up specifically targeting the Netherlands.” Hazewinkel also sees cybercriminals gaining new opportunities through generative AI. Hackers can use the tools to create targeted phishing campaigns. “These generative AI tools are now available to everyone. They give us new capabilities, but also give opportunities to hackers,” Hazewinkel outlined.
Teerenstra of Fortinet comes into frequent contact with compliance in his work. As far as he is concerned, 2023 is all about NIS2. “We already had frameworks that were hugely important, NIS2 is coming over it. It puts more and more focus on compliance, you also see that CISOs are in demand everywhere.”
SentinelOne, represented by Sales Engineer Sjoerd de Jong, and Okta, in the person of Director for Solution Engineering NEMEA Rachel Case, are well acquainted with the issues that arise around identities. De Jong: “There is a lot of work to do to secure identities in addition to endpoints. You see the hacker just logging in and going about his business, for example, after social engineering in the MGM hack.” Case elaborates on that, pointing out the importance of Identity and Access Management. Here she does see a misperception emerging about the capabilities of the technology. The tools themselves are good, but, Case states, “Everyone thinks technology is the answer. I see an assumption that you have a tool and it’s perfect. However, it’s also the processes, the awareness of your employees and how you work with your business.”
With that, Case brings up a point for a new discussion at the table. Within the market there is a perception that humans play a major role in the cyber resilience of your organization. The thinking is that if people are sufficiently aware of the risks of their digital actions, they will also behave more safely. Zeeman does have a clear opinion on this. “Front-end awareness, meaning the end user, is one of the first layers. If a hacker is through there, they are in your environment. Even if you train everyone on it every day – there’s always a percentage that clicks. So it’s going to happen, but then? You have a little spark, you have to prevent a peat fire from spreading through your organization.”
So in an ideal world, both aspects are worked on. Cyber awareness can certainly help, as it reduces the number of clicks on malicious links and makes users more willing to deploy security tools. But how do you raise that level of awareness? Constant hammering and finger-pointing is not desirable either, as it is counterproductive toward everyday work.
Luxembourg does have ideas on how to get employees, partners and customers on board. “If I tell my son to clean his room, he gets angry and does it once. But you have to turn it around. If a friend comes over to play and your room is a mess, what do you think they think about that?” With that, Luxembourg says it’s a matter of necessity. “You have to do it. Think what the consequence is if you don’t.”
Luxembourg’s statement also aligns with the general consensus at the table: be prepared for an attack. Because eventually a lot of organizations get hacked. In that respect, you had better be prepared for the serious scenario of a hack. The vendors who approach this from data protection see a big role here for a cybersecurity plan, and for running simulations around it. Carefully map out what is involved in a successful ransomware attack. How do you handle that situation with your employees? What is your press response? Are you going to pay or not? How does the damage mounting by the minute compare to the ransom demanded? You can think through all such questions in advance, practicing them the way companies already do with a fire drill.
Stemerdink of Cohesity also outlines the dangerous perspective of a missing plan of action. “If you’re in the situation of a hack and you don’t have a recovery plan, then you’re too late. Then there are no good choices left to make.” Executives may then spend hours discussing how to handle it and whether or not to pay for it, but that time simply isn’t there.
Change coming with NIS2
So in an ideal world, things would be different. Some guests at the table also definitely see a bright spot that will start to bring change. With the EU directive NIS2, which will come into effect in the Netherlands at the end of 2024, companies can actually no longer be unprepared for a cyber incident. It becomes more or less mandatory to be prepared for the incident, as SentinelOne’s De Jong notes. “If you weren’t paying enough attention to that, a director could be held jointly and severally liable.” In this, De Jong sees a clear difference from how executives acted before, when they often relied too much on putting everything right after a hack with the help of the insurance company and an incident response team.
As for cyber insurance, the consensus at the table is largely that it is not currently working quite correctly. VMware’s Lammers even calls cyber insurance a big joke. “Hackers first look at who are customers of the insurers. Then they start attacking the insured parties, because they pay quickly and more. They have become the targets. The model is broken in that respect.”
Fortinet, through Teerenstra, adds that insurance does force companies to face the facts and take responsibility. However, Teerenstra is especially curious to see what the arrival of NIS2 will bring. “You can scrutinize your current cybersecurity infrastructure and scope based on the NIST Cybersecurity Framework. In it are the steps identify, prevent, detect, respond and recover. Based on that, you can create a profile of your organization and do a kind of gap analysis to determine where you stand. You can then create a profile based on your assessment. That’s a very nice start to looking at NIS2 compliance, because NIS2 goes down all those steps.”
The perspective of the CISO
Also at the table is Cindy Wubben of Visma, to whom we can directly submit the statements and insights about awareness and NIS2. “Many companies fall under Visma, each with a managing director. We offer them a security program to be adopted. That includes basic hygiene, but also awareness for the managing director. We are now taking stock of where we stand in terms of NIS2 compliance, in order to prepare a bite-sized program,” Wubben said.
As much as possible, Visma wants to offer a generic program here, to demonstrate compliance. The software vendor is currently figuring out exactly how to do that. However, Wubben calls the NIS2 guidelines very logical. Visma already had a focus on it, so it won’t mean very big changes for the company. “Only maybe demonstrating compliance towards customers, that’s probably where we’ll have to adjust something.”
A big role for AI and automation
The beginning of this article also briefly mentioned the role of AI in the cyber world. It is expected to play an important role on both the defense and attack sides, as both camps can improve their techniques with it. Case of Okta, for example, indicates that AI can create different dynamics. “A manager with, say, 50 people, does he or she have to look at an access request every time?” She notes that those kinds of checks were previously done by hand, in Excel so to speak, but now they can all be automated.
Hazewinkel of Darktrace also sees big possibilities in automation. “At the end of the day, if we’ve made sure the awareness is there, how are we going to make sure companies are secure? I had an SME on the line who said he wants to be able to just sleep at night. That shows the impact on his personal life. That’s why you have to move toward autonomous systems, especially SMBs. They don’t have a security operations center running 24×7. They don’t have the resources; they have to use the available resources effectively. Then go for something that runs in the background.”
What else can we do?
With the ideas that have been passed around awareness, NIS2 and technology, there’s a nice blueprint for your organization of what everyone can do. Are there any other steps we can think about? Are there any particular ideas at the table for the government or the cybersecurity industry to do more?
According to Ten Hove of Datto, the government could certainly invest more. He calls the Dutch government completely invisible in this area. He says this is worrisome, because cyber attacks are a major threat to the country and economy. “The government is not going to do it. Then it’s up to us, with a multitude of activities. In some cases it is good to combine those activities. That’s what we’re doing with the Dutch Cybersecurity Assembly. We all feel the same around the table. We say something different sometimes, but actually it is the same message. We could bundle it into one message and do a national campaign together.”
Jerry Rijnbeek also sees additional opportunities for governments, namely imposing higher fines. He thinks the fines that current regulations can prescribe are far too low, and as far as Rijnbeek is concerned, enforcement needs to be stricter as well. “If you don’t have it in order, you get fined. Losing contact information of 20,000 customers is no small matter. Just do something wrong with taxes, and they’ll come after you.” Rijnbeek also states that he actually thinks it is time for a ban on ransom payments within the EU, so that crime is fed less and hackers are no longer focused on Europe.
In the security world, the battle between good and evil continues to evolve and intensify. The urgency of protecting organizations from the growing threat is high in this regard. An important focus here is cyber resilience and the importance of a broad security approach. Organizations must not only invest in preventive measures, but also have the basics in order. Awareness among management and employees can play a special role in this.
The discussion during the roundtable makes it clear that the urgency varies from “five to twelve” to “five after twelve”. A multidisciplinary approach seems to be the desired response to known and unknown threats. In theory, NIS2 could be a push in the right direction. Although it is scheduled for next year, it is best to be ready for it as soon as possible. At the end of the day, this way you are not only following government guidelines, but you are also doing your company a big favor.