World Economic Forum on cybersecurity

World Economic Forum Risk Report 2022 is exciting reading.

Being aware of the risk is necessary to address them and understand the landscape we live in.

It is also a great way to see how risk perception changes year by year.

Looking at the short-term global risk picture, we can see we have weather and climate; economic risks are not top of mind. We have “infectious diseases” to remind us that a pandemic can happen, and we have, some years now, “Cyber Security failure.”

Since I work in the Cyber Security field, I have had, as evident, immediate interest in the cyber security section.

https://www.weforum.org/reports/global-risks-report-2022/in-full/chapter-3-digital-dependencies-and-cyber-vulnerabilities

Data from the report are interesting, but I think that we should understand what those data tell us, so let me do some examples:

“95% of cybersecurity issues can be traced to human error“
the global risk report 2022

Means: Train people, put the correct processes in place, put proper technology in place with a people-centric approach to address the “human” factor. If 95% of cybersecurity issues are related somehow to human error, we have to consider human behavior into the equation. This means that the technologies and processes we put in place should tell us the risk related to our people. People make mistakes, are attacked, are exposed to stakes that can hit our assets. Without understanding this, we will not address the overall risk we face in cybersecurity.

What to do: We have to properly raise awareness and protect communication channels used by people because there will be where a skilled attacker will try his\her move. But in an ever-changing landscape, this is not easy nor enough. For example, we should continually update awareness programs according to people’s current risks and train people based on their risk exposure. This means that our security technology should understand the user risk exposure. This information should be available for the awareness program, and the other security implemented technologies.

At the same time, a security awareness program should be able to monitor the understanding and knowledge of the users and use this information as a parameter not only to deploy the training needs for the specific set of users correctly but also to report the user vulnerability in the user risk rating.

Addressing 95% of cyber security issues caused by humans requires understanding why humans fail and what drives them to make mistakes. This does not require a boolean approach but a complex construction of the context of the risks in a holistic way.

“Insider threats (intentional or accidental) represent 43% of all breaches”
the global risk report 2022

Means: the risks do not come only from outside; the problem can be internal, you have to monitor where data goes, and data do not move by itself; people move data. Again people are the key.

What to do: Data are not all the same, and handling data can be a problem if the data express critical information. Sensitive data, Private data, Intellectual Property, there are dozen of reasons we should protect what makes our digital world “digital.”

But data should be kept alive. Otherwise, they are useless, so people have to access, manage, modify data. But we have to do it correctly and securely. Data does not move; people move it. Data does not change; people change it. And when handling data, people can do a series of actions that, considered an atomic action, are legit. Users can read, modify, move, copy, and delete data.

So how to understand the threats? We should realize the danger not by a single indicator but by the sequence of action performed on the data. And we should be able to do it in a simple way. Simple means I do not have to die to do this check, and I have to understand what sequence of action is potentially dangerous.

“Malware increased by 358% in 2020, while ransomware increased by 435%,
the global risk report 2022

Means: where do malware and ransomware come from? How is it activated?

What to do: Where does malware come from? If 95% of the cybersecurity issues can be traced to humans, I would probably assume that humans are the primary targets used to trigger malware and ransomware. There is the exploitation of vulnerabilities, the use of backdoors, and other fine technicalities, but, according to the report, those address 100% – 95% = 5%. But again, how do humans get in touch with malware or ransomware? How do they trigger it? Email and browsing are probably the most used channel. This consideration per se should address our security spending, focusing on Prevention (trying to stop things from arriving at users), remediation, and, yes, once again, education.

“There is an undersupply of cyber professionals—a gap of more than 3 million worldwide.“
the global risk report 2022

Means: When planning technology deployment, be sure it is easy to manage, provide information that is easy to be understood, give you context. You probably will not have dozens of skilled specialists, so make your investment effective otherwise, you’ll waste your money and security.

What to do: The undersupply of cyber professionals is a plague we will bring with us for some years more. The problem is that a cyber security professional has experience, knowledge, flexibility, and commitment. All those things are expensive and require time to be developed. This means it is not easy to foresee a solution that will quickly fill the gap. We can train more people, but we need to wait until they get the correct experience, and we have to incentivize people to pursue a career that requires constant learning, critical thinking, stress, and passion.

We will not have unlimited plenty of people at our service easily; this means that we need to ease the load of the cyberpeople providing tools, technologies, and consoles, that will make their lives easier, not harder. The easiest way is to plan your security investments, focusing on integration, automation, and visibility. Context and Threat Intelligence should be the way to understand what is going on and focus on the most dangerous threats.

Reading reports is not just reading cold numbers but is a way to understand the actual landscape and the close calls to action.

Happy reading.