Cyber threats: Opportunities for Innovation & IT
FFHS Business Breakfast of 2.2.2023
Experts from Securnite, GObugfree und Dreamlab Technologies discussed the growing threat of cyber attacks, why Switzerland isn't doing enough to protect itself, and how we can create more awareness to combat cybercrime.
The media is flooded with news of cybercrime. But that’s just half the story: The growing threat level is accompanied by a huge shortage of skilled workers. Is the situation hopeless? Christian Koch, host of the event and head of Corporate Relations at the Fernfachhochschule (FFHS), sees opportunities for innovation and IT. To this end, the FFHS is launching a new degree program, Bachelor of Cyber Security, in the fall of 2023. At the Business Breakfast, experts described the current security situation, possible security measures, and why training programs are urgently needed.
- The threat landscape is rapidly growing: cyber attacks have become a daily reality, in Switzerland, as in the rest of the world
- The complexity of IT systems is increasing: companies are more susceptible to vulnerabilities, and thus to attacks
- The world is increasingly interconnected: cybercrime does not impact just one company, but affects multiple businesses and even countries
- Effective solutions already exist: bug bounty programs, pentesting and cyber radars are good approaches to security
Why does cybersecurity matter?
Anna Mempel, COO of Securnite, opened with a question to the audience: Why is cybersecurity important? The knowledgeable crowd provided compelling arguments about the importance of sensitive data, the global impact of cybercrime, as well as IoT (such as pacemakers).
The number of malicious players, as well as the attack surfaces, is constantly growing
The number of malicious actors and forms of attack are constantly increasing. At the same time, the number of vulnerabilities is growing, providing new gateways for attackers. Business environments are becoming ever larger and more complex. The classic perimeters of one's own network and infrastructure no longer apply. Employees work from everywhere: from home, from a hotel, from the café around the corner. We no longer know our software as well as we used to. Libraries are imported from open source platforms, built in and moved to production - quietly trusting that all will work out for the best. All these aspects increase our attack surface.
Whether data, money or trade secrets, the crown jewels are a company's most important assets and must be secured to ensure availability, confidentiality and integrity.
Why should we protect ourselves?
Mempel speaks of crown jewels. She says, "Whether data, money or trade secrets, the crown jewels are a company's most important assets and must be secured to ensure availability, confidentiality and integrity." Failure to do so can have ruinous financial consequences. As an example, she cites bike and e-bike manufacturer Prophete, where a cyber attack led to a shutdown of operations for several weeks, and eventual bankruptcy. The reputational damage after a cyber attack can also be immense. Trust is the foundation of business. Once this is shaken, a company has quite a poor outlook.
How can we provide cybersecurity?
Vulnerabilities are the gateway for cybercriminals. Rolf Wagner, COO of GObugfree explains how his company GObugfree helps companies identify and fix vulnerabilities as quickly as possible before they can be exploited by attackers. To do this, GObugfree relies on a community of security experts and ethical hackers to conduct bug bounty programs.
In a bug bounty program, security researchers, so-called "ethical hackers" (called "friendly hackers" at GObugfree) search for "bugs" (vulnerabilities) in IT systems and applications. The procedure is strictly regulated. Valid vulnerabilities are rewarded with a "bounty" (reward). For FFHS, GObugfree has created an EDU bug bounty program. Here, students and staff go in search of security vulnerabilities and are rewarded with vouchers, fame and glory.
The benefits of a bug bounty program go beyond early bug detection. Often, a bug bounty program leads to increased security awareness within the company, as well as among suppliers. Since testing is done from the outside, simulating a real attack by cyber criminals (continuous black box approach), it uncovers gaps that would otherwise remain hidden. The collective intelligence and creativity of the community with its diverse capabilities perfectly complement existing security measures such as security audits or pentesting.
Powerful brakes allow for greater speed: for digital transformation and for releasing services to market. Security is thus an enabler.
Security is not a hindrance!
Security is often seen as a hindrance, a hurdle that must be overcome. Wagner compares good security to strong brakes: "Powerful brakes allow for greater speed: for digital transformation and for releasing services to market. Security is thus an enabler."
At its core, IT security is risk management. A company's digital footprint is growing ever larger; a holistic and systematic approach is needed to protect it. In this context, Wagner speaks of vulnerability management. This includes automated scanning, pentesting, attack surface management (to identify all relevant systems), bug bounty programs and vulnerability disclosure programs.
Setting Swiss society in motion
For Dreamlab CEO Nicolas Mayencourt, taking a holistic view of the cyber landscape is key. Cyber risks affect everyone. One in three Swiss companies has been a victim of cybercrime, with an average loss of CHF 6 million. The daily number of digital crimes, 83, is only slightly lower than the number of physical ones. However, it hides an enormous number of unreported cases. Mayencourt makes an urgent plea to everyone: "Stop being naïve!"
Why Switzerland isn’t doing enough
Switzerland is regarded as an innovative country. For a decade, we have been ranked number 1 in the Global Innovation Index by the World Intellectual Property Organization. At the same time, we rank 42nd in the Global Cyber Security Index, behind Cyprus, ahead of Ghana. We are systematically investing in basic research, but doing too little to protect the data and the stability of our systems.
On the internet, everyone is a target. Cybercriminals don't see people, they see IP assets.
Why are we doing too little? Mayencourt believes it's due to a lack of understanding and a false perception of the implications. A basic awareness exists, but many companies mistakenly believe that they are not important enough and therefore not a target. Mayencourt says, "On the Internet, everyone is a target. Cybercriminals don't see people, they see IP assets."
Cyber: freed from all physical limitations
Humans are good at dealing with the dimensions of land, sea, air and space. We have largely explored these realms and our "Freeze, Fight or Flight Response" is tuned accordingly. Cyber, however, sits above all of these dimensions and is freed from all physical limitations. In the hyper-connected cyber space, we are all interconnected, embedded and dependent.
CyObs' cyber radar image provides a holistic view of a company's situation and highlights the external attack surface and blind spots. In relation to Switzerland as a country, this rander shows the need for action. In 2019, 42,220 known critical vulnerabilities were measured; in 2021, the number increased to 113,780.
What is the solution?
In the discussion led by Oliver Ittig, Program Director for Computer Science at Fernfachhochschule Schweiz, the speakers all agreed: People need to feel the impact. To this end, an open error culture helps. Companies should not be ashamed of suffering a cyberattack, but should share their experiences openly so that others can learn from them. Society must also invest in targeted education and training for specialists, focusing on specific competence development and a cybersecurity.