Rik Ferguson: We need to take information security seriously

The world of work is changing, the amount of data is increasing, and companies are moving their business to the cloud. Internationally acclaimed information security guru Rik Ferguson weighs in on what this means for corporate information security.

Rik Ferguson, Vice President Security Research at Trend Micro, is one of the leading experts in information security. He is also a Special Advisor to Europol’s European Cyber Crime Centre (EC3) and an advisor to the European Union. In April 2011 Rik was inducted into the Infosecurity Hall of Fame.

Ferguson is actively engaged in research into online threats and the underground economy. As a futurist, he also researches the wider implications of new developments in the Information Technology arena and their impact on security, both in the enterprise and for society as a whole, publishing papers, articles, videos and participating in thought-leadership initiatives.

‘Data is the new oil and algorithms its refineries’

According to Mr Ferguson, companies and organizations are undergoing a change in the ways they work. Due to the coronavirus pandemic, distance work has become more and more common, and work is increasingly being done in cloud services and applications. The increased amount of data and code processing in the cloud are a challenge for IT departments. How can data, users and practices be managed outside the organization's own network?

Mr Ferguson takes, as a cautionary example, the 2020 attack that could be considered the worst in US cyber history. At the end of 2020, Russian hackers broke into the SolarWinds company’s software that hundreds of thousands of companies and organizations build their data systems on. One of the factors the hackers were able to exploit was the extremely weak password on the company's server. Where there are users, there are always vulnerabilities.

According to Telia's Information Security Specialist Tarmo Hassinen, a significant amount of time is often spent on planning an attack to ensure that the attack itself can be carried out as efficiently and discreetly as possible. He agrees with Mr Ferguson in saying that today's cybercrime is very organised.

'Information security is the enabler of the digital operating environment. It is not a bandage applied to a wound – it must be carefully designed already at the service planning phase to meet the changing business requirements. It's really a question of how important the new cloud service or the data it contains is to the company, and what the consequences of an attack against it could be.'

As distance work becomes more and more common, Mr Hassinen says it is important to protect endpoint devices, increase users' know-how, and consider end-user access rights as part of the company's overall information security policy.

'As for individual technical measures, I would recommend using multi-factor authentication and a password management tool. Furthermore, work devices should be restricted to work use only.'

Information security attacks are increasing in number: what can be done?

People pose the biggest risks to corporate information security. Moreover, there are so many attacks that it is impossible to review all the alarms. Rik Ferguson talks about a skills gap that we will not be able to combat. He proposes automation and orchestration – in other words, the automated configuration, co-ordination and management of data systems and software – as solutions for strengthening information security. Machine learning and artificial intelligence are also essential tools in information security.

In cyberattack prevention, it is important to be able to view the overall picture in real time. Information security companies have various solutions for this, and automation is often at their very core.

'Ideally, cyber threats would be reduced with seamless cooperation between the services provided by technology suppliers. Co-operation would help make all the data from different service layers available. Automation and algorithms are excellent tools for implementing information security through large amounts of data.’

'Human expertise is needed to review the discrepancies that technology won't be able to clean. A competent security operations centre service is often the answer to this challenge,' Mr Hassinen concludes.

Rik Ferguson's views as presented are based on his speech at the Telia Day ONE virtual event in February 2021.