Statistics show that 93% of all large enterprises were targeted by cyber attacks in 2016 alone. “But cyber security has become a complex issue as business has embraced the internet, cloud, and mobile working,” he told the CyberSec European Cyber Security Forum in Krakow.
In developing a cyber security strategy, Nowak said organisations need to understand the most common aims of any cyber attack.
These are to stop the flow of data, to disturb the flow of data; modify data; steal data; or discredit the targeted organisation, in the public and private sector, including governments.
An important element of cyber security, said Nowak, is to ensure that enterprises, governments and individuals all do their share in terms of keeping cyber space secure.
“Just like someone who is infected with a virus can pass that on to someone else, any entity not following cyber security best practices can create vulnerabilities for others in the cyber community,” he said.
Therefore, Nowak said no individual person, business, organisation or government can achieve cyber security alone. “We need some national and international regulation; telecoms agreements because telcos provide the networks; inter-sectoral co-operation; and for governments, businesses, organisations and individuals to all take responsibility for securing their part of cyber space,” he said.
Focusing on the telecoms sector, Nowak said telecoms and service provider agreements are important because they have to have a comparable level of security.
“If one telco is going to react to a particular situation, partner telcos should react be able to react at the same time and in the same way so that neither one’s actions undermines the other,” he said.
Customer care at the network level, not just at the device level, is also important, according to Nowak to isolate customers from potential criminal activity.
In general, he said businesses should have a professional approach to cyber security that takes into account other users of cyber space.
“This includes producing and selling secure products, so a company that produces smart TVs should ensure that their products are engineered in such a way that security is part of the design to ensure that connecting the TV to the internet does not expose users to risk,” said Nowak.
“Businesses need to change their way of thinking and pay more attention to the way they design products rather than creating products that can be manufactured as quickly and cheaply as possible,” he said.
Examining the internal network and external connections
To achieve a high level of cyber security in any business that is in compliance with regulations, Nowak said the first step is to examine the architecture of the internal network and external connections.
“Step two is to adopt an OSI model approach, because we should not concentrate only on the application level, or the network level or the data processing level. We must look at all levels because it is not possible to have connections between two computers or use services without going through each level, and so we should be looking at security at each level of the OSI model,” he said.
The third step, said Nowak, is incident management, which requires processes for detection, reaction, recovery and protection for the people, procedures and technology at play in any IT environment. “Businesses must pay equal attention to all these components, otherwise the incident response capability will not work properly or effectively,” he said.
With the people component in mind, Nowak said system developers need to have an understanding of security issues, which includes designing systems not only thinking about the functionality but also about the security. Staff responsible for cyber security must also be well-trained, system administrators should be highly-qualified and well-supervised, and users should be aware of cyber risks.
Systems should be designed so that they will not work if correct procedures are not followed, he said, and finally when it comes to technology, devices should be trust-certified, there should be tools to monitor the status of network and services security, software should be resistant to unauthorised modification, and technology development should keep pace with the risks.
“Step four is ensuring security at every step of a system’s lifecycle, because a security chain is only as strong as its weakest link,” said Nowak.
“We will have a lot of security problems as long as people are not informed of dangers, children are not educated on how to behave on a network, engineers design systems thinking only about functionality, architects consider only the efficiency and capacity of the network, and security managers seek to solve security problems using only technology.”