Cryptix AG’s Alexandre Horvath wants users to adopt a Zero Trust policy to secure their digital footprint

Media 7 | November 12, 2021

Alexandre Horvath, Chief Information Security & Data Protection Officer at Cryptix AG, sheds light on the importance of cybersecurity in the ever-growing landscape of DLT and blockchain. Read on as he elaborates on the importance of Zero Trust for data privacy and the struggle of keeping pace with GDPR compliance.


MEDIA 7: You have over a decade of leadership experience in IT security and risk management, how has the cybersecurity landscape changed in recent years?
ALEXANDRE HORVATH:
The cybersecurity landscape has definitely changed a lot in recent years. While in the beginning hackers or intruders tended to operate on their own and with a clear purpose (e.g., to gain high prestige among hackers or get dedicated confidential data from a specific company), nowadays they are organized more like a proper organization (refer to picture below) and have specialists for all dedicated tasks, while they also use more technical power (e.g., cloud CPU, bots and AI).



M7: Cryptix AG is currently working on the research and development of DLT and blockchain. What, as a CISO, do you believe are some of the cybersecurity flaws impeding blockchain growth?
AH:
While I would rather talk about the benefits of blockchain and the increase in cybersecurity, I can reveal that the flaws of blockchain are primarily in its use.
I would focus on the following two risks on the application level and user level:

Application-level:
Risks around applications are linked to the automatic execution of smart contracts. Once rolled out on the blockchain, according to the principle of inalterability of the code, they can no longer be modified. It is therefore crucial that before being implemented, these applications are checked and audited several times by independent experts, to guarantee that they will not have unexpected behavior or contain any flaws. Hackers were able to exploit a “reentrancy” flaw in one of the smart contracts and drained several million cryptocurrencies outside an investment fund company to inject them into another smart contract over which they had control (as an outcome the need to secure the code of smart contracts was born).

User level:
Risks around users are linked to cryptocurrency leaks or theft. Some users create portfolios on non-secure exchange platforms from where their private keys can be retrieved. The pirates then take over ownership of the accounts and issue cryptocurrencies in an uncontrolled and unauthorized manner. To avoid these risks, it is thus necessary to store the tokens on secure sites and to generate private keys from computers that are not connected to the internet (e.g., cold wallets), and from standard libraries.





M7: Lately, many companies have faced difficulty in keeping pace with GDPR compliance. What are the toughest challenges to international privacy compliance, in your opinion?
AH:
The biggest challenges for companies around data privacy are to fulfill all compliance regulations and to know their own data sovereignty (e.g. to know what data should be protected most, the so-called crown jewels). There are a lot of technical details which must be considered as well, like to have a proper data flow process (to know where the data lies, like at rest, in motion or in transit) or to have a proper encryption solution in place.


M7: Insider threats are also a huge challenge for firms across many industries, especially now that new remote-working arrangements are in place. How can these threats be stopped and avoided?
AH:
It’s no easy task to detect insider threats because they already have legitimate access - inadvertently or maliciously - to your organization’s data and critical resources. Getting visibility into every user account in the organization and distinguishing normal from malicious user behavior continues to be a challenge (even more with home office possibilities). Zero Trust helps organizations detect and prevent potential insider threats in real-time through identity-based segmentation and by automating risk-based conditional access. Even though security awareness training for employees incrementally lowers your risk of a data breach, initiatives like Zero Trust for your identity store can shut down many types of incursions as they happen or attempt lateral movement.






M7: Speaking of insider threats, what do you believe will be the key trends likely to emerge in data privacy landscape over the next 5 years?
AH:
As the pressure from the regulators will increase in the future towards data privacy, Zero Trust strategies should be considered to be adapted sooner rather than later. The benefits of Zero Trust regarding data privacy/protection are numerous, including:

  • Continuous risk assessment
  • Data context and sensitivity awareness, for better policy enforcement
  • Enables safe access from anywhere
  • Ensures data is protected everywhere
  • Adheres to current compliance standards

Zero Trust for data privacy will be the first line of defense against unauthorized data access and exfiltration.


M7: Before we wrap up, could you give our readers some pointers on what we can integrate into our daily tech habits to prevent and be aware of eCrime?
AH:
Walk the talk by leading by example, so don’t just tell everyone about using password managers and a different password for each online platform. Show your users what kind of impact a credential theft can have for your company or for the victim her-/himself.
Be careful when using smaller devices like smartphones before clicking on an (untrusted) link due to the fact that the URL can easily be hidden. Also, in our private life, we should go more towards Zero Trust so that our digital footprint stays as secure as possible.


ABOUT CRYPTIX AG

Cryptix AG is the central venture-building platform and umbrella for a European cluster of businesses. The company founds, promotes, and maintains subsidiaries and participations that work under one vision to create the “People’s Financial Marketplace”. The Group consists of companies in Switzerland, Austria, Slovenia and many more locations to come. Cryptix Labs GmbH, the in-house R&D centre, provides technology insights focusing on blockchain and DLT.
