Cyber security was a recurrent theme at Europe's largest bi-annual event on information and communications techology: ICT2018, 4-6 December in Vienna, with one session entirely dedicated to policy and industry best practices. This was the session on 5 December: “Cybersecurity as key for a Digital Economy and Society”. The headline talk came from Khalil Rouhana, Deputy Director General, EC – DG CNECT, who presented some of the most pressing issues of the day in cyber security. He was followed by experts of IoT security, 5G security, quantum computing and verticals like aviation and banking.

SMEs, Digital Awareness and Skills

First off: SMEs. With two-thirds of European SMEs being systematically attacked, awareness is beginning to grow but the journey to risk management best practices for stronger security postures will be a long one. Small firms also need to see the benefits of reporting cyber-attacks to competent authorities so much more can be done to help shield their critical business assets.

Alexandra Maniati from the European Banking Federation highlighted the need for improved digital awareness and skills: "Talent across Europe is terribly fragmented. We need formal education and courses to train the work force of the future, and to also retrain and up-skill the existing workforce".

CYBERWISER - Cyber range and capacity building in cyber security aims to play a key role from this perspective, helping to build essential skills and fostering organisation-wide responsibilities towards cyber security and lower risk-related human behaviour.

Managing cyber risks is increasingly complex and interconnected with a multitude of threat actors and technologies, spanning IoT and 5G. Two experts were on hand to explain why security plays such a central role.These experts also shared additional insights in a side-interview during ICT2018. Here's what they had to say.

IoT Security

Ondrej Vleck, from Avast (Czech Republic) sees the security of the Internet of Things as one of the major pain points in cyber security today, showing just how fast cyber threats are evolving in a crowded space with lots of vendors and options. This is fertile ground for cyber criminals. Ondrej offered a few statistics to prove his point:

•     Gartner forecasts that by 2020, 19 billion devices will be connected to the Internet.
•     60% of these devices will be in the consumer space, spanning apps in smart homes, baby monitors and wearables.
•     Security levels are dangerously low (think “late 80s and early 90s” security levels) with many exploitable vulnerabilities.

Because of the big push in the market for cheap devices, vendors have very little incentive to add security to their devices, while others in the vendor space are not sufficiently skilled in building secure software. Security risks are therefore a time bomb waiting to explode. To counter this, we need to arrive at a point where the security industry can respond to more consumers demanding security and by expediting the sense of urgency that is currently lacking. Ondrej believes this will be most effective through a bottom-up ecosystem approach with financial incentives also for start-ups, increased incentives and the right level of regulation.

5G Security and global standards

The central role of cyber security was also echoed by Dr Anand Prasad, NEC and Chairman 3GPP SA3, who began his talk by saying: "Security is deeply engrained in our everyday lives and because of this we tend to assume it’s somebody else’s responsibility. Yet calculating risk is key". He went on to stress the importance of cybersecurity standards based on “by-design” approaches. Security is a whole new ball game with 5G, as we are moving outside the network parameter with software blocks inside the cloud, which with virtualisation has different security implications. On top of this, IoT devices have different security requirements and the user space is also evolving.

Standards can enable secure connectivity and set of the technical specifications as a first critical step. Within the 3GPP standards body, SA3 (security) has adopted a multi-phase approach to security. In phase 2, they’re working towards unified authentication through a single database, interoperable security and issues like fraud. The priority is to have privacy and security from the very first step. Security also has to keep pace with technological changes and evolving risks. Holistic security from the beginning is therefore the only valid approach.

However, this can only be effective if businesses also step up on security. Management must start taking action, including investments in cyber security and taking holistic approaches cited above. We must consider cyber security as a key part in the ecosystem and crucial for making business happen. In today’s threat landscape, security can be a business driver, benefitting also from partner security services. He concluded by saying, "we need security guidance rather than regulation. On the operational side, we need to create a platform for sharing threat information in private mode".