Keeping up with the cybercriminals: information security in the agile era
Mobile devices, the Internet of Things and outdated legislation were put under the microscope last week at the annual Business Information Security Summit in Moscow, as international IT security experts agreed on one thing: business technologies are growing faster than the security systems in place to protect them.
From left to right: Skolkovo's Sergei Khodakov, Dmitry Vostretsov and Dmitry Khandybovich take part in the Cyber Battle. Photo: Sk.ru.
“Business is speeding up, while security remains the same. It’s like business is building a huge express train, but then a small part of it has to get out with all its luggage, get on an elektrichka [suburban train], and then get back on the express train after a while,” said Rustem Khairetdinov, president of the Business Information Security Association (BISA).
The volume of data is ever-growing, and that means the number of security risks is increasing too, he said.
“When what you are protecting changes every few seconds, the old methods don’t work. We have to think of something new.”
The theme of this year’s conference was Information Security in the Agile Era. Agile software development relies on cross-functional teams within an organization that deliver working solutions in short iterations and then keep improving them, staying flexible and quick to react to change.
Five years ago, information systems were updated monthly or even quarterly; now business systems are modified every few days, so new security risks appear constantly, the conference organisers said.
“Today, competition on the IT market is not so much among products as among management models,” said Sergei Khodakov, head of cybersecurity and big data within the Skolkovo Foundation’s IT cluster.
“The Agile concept sets new requirements for guaranteeing information security. Fast changes in business processes and the appearance of new services bring with them unavoidable risks for IT systems, personal data and for businesses in general,” he said.
In a panel discussion moderated by Natalya Kasperskaya, president of the InfoWatch group of information security companies, Karl Summanen, vice president of VTB bank, said one of the problems lies in preparing for a threat that cannot fully be defined.
“We can try to make a system in advance, but there is always something we might miss,” he said. Summanen also said that existing legislation doesn’t correspond to the digital world, and should be updated accordingly.
Other participants in the discussion identified mobile devices and the Internet of Things (IoT) as the major current threats.
Most financial services – not just banks – have already moved over to electronic versions that can be used on mobile devices, and it’s harder to protect a device than a client, said Artyom Sychev, deputy head of information security at Russia’s central bank. The weakest point is IoT, and the focus should be on making it secure, he said.
Tagir Yapparov, founder and chairman of the board of I.T. Group, agreed, saying that a lot of existing systems are based around PCs, and don’t take into account that mobile devices provide access to corporate accounts.
“We see that people use a huge amount of new technology that we don’t have time to control,” he said.
Fifteen Skolkovo startups showcased their information security solutions at the BISS conference in Moscow. Photo: Sk.ru.
Control of mobile devices was also one of the key themes of the conference’s Cyber Battle between two representatives of security companies: Dmitry Khandybovich, director of StaffCop, which makes information security software that helps small and medium-sized businesses keep tabs on their employees’ online and computer activity, and Dmitry Vostretsov, head of the Sky DNS project, which provides internet content filtering solutions.
In the discussion moderated by Khodakov, in which each participant was given one minute to answer the same question in each of four “rounds,” the two specialists clashed over the extent to which it is acceptable for businesses to keep tabs on their employees in the name of protecting company information.
“There are a lot of laws protecting people and employees, especially from covert surveillance on the part of business, and business often crosses that line,” said Khandybovich.
“It pokes its nose in where it shouldn’t and doesn’t inform employees that it’s monitoring them. My position is against monitoring employees. There’s a very narrow range of instances where it should be used, and it should only be used in those cases,” he argued, adding that Constitutional Court rulings uphold the principle that a person’s private life should not be monitored by business.
Vostretsov said that relations between employees and employers fall under the labour law, and that employers were well within their rights to monitor employees if it concerned information security.
“It’s completely normal,” he said.
There is, of course, one blunt way to resolve the long-running security problem posed by Bring Your Own Device (BYOD), the practice in which employees use their own phones and laptops for work tasks such as email: keep work data off those devices entirely.
“It’s my position that there should not be any work-related information on personal devices, whether it’s a phone or laptop: it’s just not acceptable in terms of security,” said Vostretsov.
“If the employee has a work phone and there is important information on it, of course it should be monitored,” he added.
On this issue, Khandybovich, who was declared the eventual winner of the Cyber Battle, agreed.
“No one controls what employees are bringing to work anymore,” he said.
“In my opinion, if you want to give a mobile device access to corporate data, you have to monitor that device. If you’re not monitoring it, then you should simply block access to corporate data for such devices.”
While participants in the conference debated ethics, threats and legislation, a range of companies presented their solutions to today’s cyber threats at an exhibition on the sidelines. Fifteen Skolkovo resident companies took part, including:
MobilityLab, with its WorksPad product that turns mobile devices into mobile workspaces by making the employee’s corporate email account, files and programmes available on the device – while keeping that information secure.
ITV group, with its Axxonext video surveillance technology.
Business Ecosystems, with its secure console management system.
Group IB, which makes a counter-cybercrime system to help law enforcement agencies around the world gather evidence and find perpetrators.
Entensys, with its UserGate UTM system that controls internet access and provides protection.