Issue link: https://raconteur.uberflip.com/i/1223349
Cybersecurity: Security by Design
Independent publication by Raconteur (raconteur.net), 22/03/2020, #0656. Raconteur special reports are published exclusively in The Times and The Sunday Times as well as online at raconteur.net. Although the publication is funded through advertising and sponsorship, all editorial is without bias and sponsored features are clearly labelled.

In this issue
03 Infographic: How consumers feel about data privacy and what they do to protect themselves online
04 CISO burnout: Stress, changing threats and a skills crisis are just some reasons why CISOs are overworked
07 Coronavirus: Hackers are searching for vulnerabilities with the whole nation working from home

Contributors
Cath Everett: Journalist specialising in workplace, leadership and organisational culture, she also writes about the impact of technology on business and society.
Oliver Pickup: Award-winning journalist, he specialises in technology, business and sport, and contributes to a wide range of publications.
Davey Winder: Award-winning journalist and author, he specialises in information security, contributing to Infosecurity magazine and Forbes.

Chart: Biggest cyber threats to organisations (survey of US security professionals; source: Egress 2019). Categories shown: ransomware and/or malware; accidental data breaches caused by an employee mistake; external attacks from cyber criminals; DDoS attacks; phishing and/or spear phishing. Values shown: 48%, 45%, 40%, 39%, 31%, 22%.

Chart: Top three approaches to managing cyber-risk and improving resilience (global survey of risk professionals; source: Allianz 2020). Approaches shown: cyber-risk is part of our overall enterprise risk management and is viewed as a key business risk; monitor and measure security and availability of systems through continuous vulnerability and risk assessments, remediation and sharing intelligence around cyber threats; regular staff information security training, awareness and anti-phishing campaigns. Values shown: 55%, 52%, 45%.

Providing protection from the ground up
With reactive approaches to cyberthreats proving futile in preventing data breaches, companies are embedding design principles into the core of their systems and processes to give them the protection they require.
By Davey Winder

Digital transformation and connectivity have provided unprecedented opportunities for businesses and revolutionised industries as a result. But this has come at a price, as organisations have been opened up to a growing array of cyberthreats. Companies are under near-constant attack, and a traditionally reactive, sticking-plaster approach to dealing with the online assault has proved ineffective, making cybersecurity by design a growing and crucial feature of any organisational structure.

The introduction of the General Data Protection Regulation, which came into force in May 2018, has forced organisations to take a more proactive approach to cybersecurity. Previously, only strongly regulated companies in sectors such as insurance and banking were required to take strict measures to protect customer data. Now, facing hefty fines for non-compliance, companies in all industries are prioritising investment in cybersecurity.

However, there is still a long way to go. Most small companies are unable to hire security specialists because of the added cost, and enterprise-level businesses are often hindered by legacy systems. The result is that many organisations are unprepared for current cybersecurity threats and unable to take a proactive approach to protecting their business.

Cybersecurity-by-design frameworks advocate embedding a proactive stance against threats into business processes. The security team is involved in all development processes and uses its expertise to review and advise on cybersecurity best practice before anything is rolled out. Building a security-aware design process into all product development and implementation protects an organisation from the inside out.

"Security teams need to think of the worst possible situation and then work backwards to implement a cybersecurity-by-design process and measures that will either stop threats or reduce the damage," says Dominik Malowiecki, chief information security officer (CISO) at smart home insurance provider Neos. "Teams need to approach this from the perspective of an outsider and check all possible entries to customer data. Cybersecurity should always be an ongoing process."

Introducing a cybersecurity-by-design framework means security becomes a proactive, end-to-end strategy that spans the entire organisation and its supply chain. Solutions are tailored to the business rather than following a one-size-fits-all model. Cybersecurity is a fundamental business practice that affects people, processes and technology, and a core principle of implementing design processes is integrating security at the beginning of the product development life cycle rather than bolting it on as a feature of a finished product. This enables organisations to model and fortify their ongoing cybersecurity posture and build resilience against threats and risks that are themselves continually evolving.

"This is an approach that should be adopted by all," says Inga Schorno, head of information security at Tandem Bank. "As a bank built on open banking, we are a data-driven business and understand the benefits of efficiency and productivity, but acknowledge this must be balanced by identifying digital risks. It is only through an organisation-wide security culture and early involvement that those risks can be successfully identified and mitigated.

"Incorporating cybersecurity-by-design principles will help to adapt to the changing threat landscape by involving information security and risk teams at early stages of development. Failing to see it that way can leave you vulnerable to unexpected threats with a rigid framework unsuitable for fast response. Organisations must cultivate a wider cyber-resilient culture with ongoing training and adoption of the security framework."

It is crucial that senior management are involved in the cybersecurity design process. This typically begins with due diligence whereby each company's CISO or chief information officer is involved in agreeing the protection, access and permitted sharing of data.

People are often the weakest link in security, so it is important to ensure all employees are well trained in cybersecurity best practice. System designers and developers should also be involved, at the very least in the planning and implementation stages.

Before adopting any system, design principles require the business to identify what it is for, what is needed to operate it and what risks are acceptable, while ensuring there is no ambiguity about responsibilities. Organisations must make any compromise difficult by reducing the attack surface, designing for easy maintenance and making it easy for users to do the right thing. They should make disruption difficult by designing for scalability, identifying bottlenecks and testing for high load and denial-of-service conditions. Together with the two points that follow (making compromise easier to detect and reducing its impact), these are the five headings of the UK National Cyber Security Centre's published secure design principles.

"Any compromises should be easier to detect through collecting all relevant security events and logs, making it difficult for attackers to detect security rules through external testing," says Kevin Curran, senior member of the IEEE (Institute of Electrical and Electronics Engineers) and professor of cybersecurity at Ulster University. "Organisations should also remove unnecessary functionality, especially where unauthorised use would be damaging, anonymise data when it's exported to reporting tools and avoid unnecessary caches of data."

Neotas specialises in digital due diligence, so security is very important to the company and its clients. As such, a decision was made early on to keep everything in-house, with a heavy emphasis on data encryption, Microsoft SharePoint and information resources management. A cybersecurity-by-design framework has been key to achieving this. Neotas shares thousands of links around its SharePoint structures and has many restrictions on its libraries, so it requires a security approach that can react quickly, with the ability to see who has access to what and why.

As part of ISO 27001 certification, Neotas needed a robust system to complement its cybersecurity-by-design framework and help mitigate risks. A system from Torsion provides peace of mind by enabling quick changes throughout its architecture and solving the problem of limited control or visibility over data access, which often leads to security and compliance issues.

"The reaction internally has been very positive," says Patrick Reynolds, head of operations at Neotas. "Users are confident they are using a simple, secure information security system. We have seen bigger vendors with software that is bamboozling, but not as effective for what we require. It's about finding a cybersecurity-by-design approach that works for your business."

Introducing cybersecurity by design into an organisation provides a holistic set of pragmatic guidelines that enable businesses to consider the full remit of protection. Companies that don't put design processes in place to cope with the ever-present avalanche of cyberthreats will be more open to damaging vulnerabilities.
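One of the design points Kevin Curran lists above, anonymising data before it is exported to reporting tools and avoiding unnecessary caches of it, is concrete enough to show in code. The following is an added example written for this page; it is not code from the article or from any company named in it. The record fields, the sample customers, the export key and the reporting tool's field list are all constructed for illustration. It replaces direct identifiers with keyed (HMAC) pseudonyms so records stay linkable across exports but cannot be reversed or confirmed by guessing without the key, generalises date of birth and postcode, and drops every field the report does not need.

```python
"""Pseudonymise and minimise customer records at the point of export.

Added example for the design principle of anonymising data exported to
reporting tools. Not code from the article or from any company it names;
field names, sample data and the key below are constructed for illustration.
"""
import hashlib
import hmac
from datetime import date

# Fields the (hypothetical) reporting tool actually needs. Everything else is
# dropped at export time, so the downstream copy of the data stays minimal.
REPORT_FIELDS = ("account_ref", "postcode_area", "age_band", "product", "claims_open")

# Fields that identify a person directly and must never reach the export.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "phone", "postcode", "date_of_birth")

# Constructed key; in practice held by the system of record, never by the
# reporting tool, and rotated per the organisation's key-management policy.
EXPORT_KEY = b"constructed-demo-key-not-for-real-use"

# Fixed "today" so the example is reproducible (the publication date above).
TODAY = date(2020, 3, 22)


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token for a direct identifier.

    HMAC-SHA256 rather than a plain hash: an attacker holding the export
    cannot confirm a guess ("is customer C-1001 in here?") by hashing it
    themselves, because the key is not in the export. Same input with the
    same key gives the same token, so reports can still join on it.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def age_band(dob: date, today: date) -> str:
    """Generalise an exact date of birth to a ten-year band, e.g. '30-39'."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def postcode_area(postcode: str) -> str:
    """Keep only the outward part of a UK postcode ('SW1A 1AA' -> 'SW1A')."""
    return postcode.strip().upper().split()[0]


def export_record(rec: dict, key: bytes, today: date) -> dict:
    """Build the report row for one customer; identifiers never pass through."""
    row = {
        "account_ref": pseudonym(rec["customer_id"], key),
        "postcode_area": postcode_area(rec["postcode"]),
        "age_band": age_band(rec["date_of_birth"], today),
        "product": rec["product"],
        "claims_open": rec["claims_open"],
    }
    # Defensive check: fail closed if a direct identifier ever leaks into a row.
    leaked = [f for f in DIRECT_IDENTIFIERS if f in row]
    if leaked:
        raise ValueError(f"direct identifiers in export row: {leaked}")
    return {field: row[field] for field in REPORT_FIELDS}


def export_all(records, key: bytes, today: date) -> list:
    """Pseudonymise every record for hand-off to the reporting tool."""
    return [export_record(r, key, today) for r in records]


# Constructed sample input standing in for the system of record.
SAMPLE_CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Ada Lovelace", "email": "ada@example.com",
     "phone": "+44 20 7946 0000", "postcode": "SW1A 1AA",
     "date_of_birth": date(1985, 12, 10), "product": "home", "claims_open": 1},
    {"customer_id": "C-1002", "name": "Charles Babbage", "email": "charles@example.com",
     "phone": "+44 20 7946 0001", "postcode": "M1 1AE",
     "date_of_birth": date(1962, 7, 4), "product": "contents", "claims_open": 0},
]


if __name__ == "__main__":
    for row in export_all(SAMPLE_CUSTOMERS, EXPORT_KEY, TODAY):
        print(row)
```

The same shape works for any export path (CSV dumps, analytics pipelines, support tool integrations): decide the field list the consumer needs, tokenise what must stay joinable, generalise what only needs to be approximately right, and drop the rest, so the copy held by the reporting tool is not a second cache of personal data worth stealing.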