Cybersecurity Concerns as Information Systems Evolve
Cybersecurity needs to find innovative new approaches and tools to address the challenges of technology and society.
There has been a dramatic shift in the habits and practices of companies and employees in recent years, particularly as regards their relationship to work and the workplace. This change has resulted in a need to rethink both cybersecurity and access to tools. As with the Internet of Things (IoT), employees’ PCs have become isolated within unmonitored networks where perimeter security has reached its limits. The centralized cybersecurity model that relies on a single identity manager and a static network is no longer adequate. It needs reinventing to accommodate new technologies, particularly those created by Web3.
The current difficulty of implementing cybersecurity in this type of setting explains the evident lack of security within the IoT. Barracuda’s “The state of industrial security in 2022” report backs up this assessment. The report highlights that not all industries have the same risk appetite, cybersecurity culture, or funding. Given the considerable changes in usage and technology, there is an urgent need to strengthen this culture and raise risk awareness. Cybersecurity tools and methods must evolve to support the decentralization of devices and their connections and respond to threats.
Web Evolution and Related Threats
What Is Web1?
Web1 (the World Wide Web) was developed in the 1990s to provide a platform for organizations to build Internet-based websites and static web pages. Internet users are consumers who read content on pages and use hyperlinks to navigate from one page to the next. Servers simply send pages to users. Cybersecurity risks have not yet been established, but finding pages and building a search engine are already a problem.
What Is Web2?
Web2, also called the “social web,” is an upgrade to the platform that lets users add, create, and share content with each other. This web version puts social apps like Facebook, Twitter, and YouTube front and center.
The web’s content is no longer static. It is now dynamic, meaning web pages can be customized in line with user expectations and preferences. This new web version is becoming more intrusive in users’ lives so that companies can learn more about their customers and offer them new digital services. This presents an opportunity for ill-intentioned parties to gain access to large volumes of data or cause disruption inside an organization. Consumer data is becoming crucial (“Data is the new oil”), and it is the property of the social applications that collect it!
What Is Web3?
Web3 is the next iteration of the Internet. It builds on the concept of decentralized networks (blockchain and more). Many people think of Web3 as a futuristic concept, but it is actually much closer than we think. In reality, many of its components are already firmly established in the public’s perception. For example, central banks in some countries are already launching digital currencies.
Web3 technologies are already revolutionizing industries and aspects of daily life, which also introduces new security risks.
With the goal of a new decentralized architecture where user-to-user exchanges are stored in a series of blockchains, Web3 will shift the power from companies like Facebook to users. Similarly, attacks will also move from central platforms to large-scale attacks on users. To prevent the corruption of a link in this decentralized chain, its security must be as close to the user as possible. This model is only as strong as its weakest link.
Web3 will not be the final destination. Further developments are already on the horizon, each bringing its own set of potential security threats that cybersecurity will need to address.
Cyber Risk Insurance
The decentralization of networks and exchanges means that protection needs to be built as close as possible to the user. Exchanges between devices and users happen directly in this scenario. This requires an individual security bubble in each instance. This bubble has to function as a perimeter security system, deciding whether or not flows are authorized.
Cyber risk is covered by insurance, just like any other risk, but this new market is still in its infancy for several reasons:
- Delayed or missing information system security, mainly observed in French SMEs and VSEs. The vast majority of these companies lack cybersecurity tools and internal guidelines.
- Insurance products are becoming less profitable for insurers. To deal with this systemic risk in a French ecosystem that is clearly behind when it comes to SMEs and VSEs, insurers must review their product lines, tighten their terms, and increase their rates.
- Large companies are no longer buying this type of product because it has become too expensive and has not adapted to meet the new threats.
The cost and limitations of cyber insurance are becoming a genuine concern for organizations as exclusion clauses get more stringent and the difficulties of brand reputation and operational recovery after an attack become more pronounced. Companies of all sizes must learn to manage cybercrime, and therefore their exposure surface, one of the primary variables insurance companies use to determine policy cost. Cyber risk scoring is becoming more important for insurers and their clients, who must look at their own scores and those of their subcontractors. Tools like SecurityScorecard make this task easier by analyzing a company’s direct exposure surface on the Internet and monitoring the exposure surface of subcontractors.
Companies increasingly need this type of monitoring and scoring to satisfy insurance providers and their customers, who are more wary of entrusting them with their personal information and financial transactions online.
Cybersecurity in the Health Sector
The healthcare sector is a prime example. This sector has seen explosive growth since the emergence of COVID and the subsequent pandemic. The need to test millions of people has put the handling and security of their personal data in the spotlight. To adequately address these concerns, the industry must be up to speed with technological developments and the latest cybersecurity strategies.
The health industry also attracts the GAFAMs (Google, Apple, Facebook, Amazon, and Microsoft), who have been working on connected devices for wellness and sports for some years. The two companies responsible for the lion’s share of the work in this area are Apple and Google, with the former creating devices like the Apple Watch and the latter developing Wear OS, used by many different brands of connected watches. The GAFAMs have also launched health and wellness services to go with their connected devices and capitalize on the “gold mine” of information that connected watches collect.
Today, these same corporations are expanding their offerings to include health-related services. This is the case, for example, with Amazon’s initiative to streamline the patient’s journey, from the initial contact with Doctolib and the appointment with the acquisition of Signify Health, to hospitalization via the network of 180 One Medical clinics and drug delivery. Unlike in France, where only doctors can write prescriptions, in the U.S., Amazon will be able to suggest exams at any time during the healthcare process.
These examples show why data security and privacy are so important!
Given these changes in society and technology and the new challenges they bring, cybersecurity must become more personal, private, and close to the user.