Proliferation of compliance requirements, access to distributed data, growth of cybercrime based on artificial intelligence and automation. McKinsey explains how to tackle tomorrow's trends right now.
Published on 25 March 2022 by Valentina Bernocco
How will cybersecurity transform in the coming years? The question is difficult to answer, given a cybercrime landscape that keeps changing and growing more sophisticated, and given the digitization processes that will continue to change the way companies work and, with it, the technological set-up of their infrastructures and applications. McKinsey tried to predict what will happen over a time horizon of three to five years, and three transformative trends emerged from the consulting firm's analysis: artificial intelligence (exploited extensively even by the "bad guys"), new ways to access and use data, and the proliferation of rules. Each of these trends poses challenges that will need to be addressed. Or, to put it a little more drastically, as McKinsey does: even cybersecurity technologies that are effective today will soon be obsolete, so it is better to act early than to run for cover at the last minute.
On-demand access and distributed data
For several years, mobile devices and the use of the cloud have increased the habit, but also the need, to access data at any time, from any device, without time or place constraints and, above all, quickly. With mass smart working, accelerated by the pandemic, all of this has become more evident. The production of "per capita" data will continue to grow and companies will continue to collect more and more data on their customers or users, drawing on sources ranging from social networks to online payment transactions. And they will also be responsible for the protection of this data. All this will fuel the Web hosting services market which (as reported by Fortune Business Insights) is expected to reach a value of $183.18 billion in 2026.
According to McKinsey, to address the growing risk of data loss, in increasingly dispersed and fragmented IT environments such as those of hybrid work, the best answer is a zero-trust architecture. This model, on which many vendors are recalibrating their offers, provides for a continuous verification of the access rights of the users who request them. Identity management policies become more detailed, for example differentiating which corporate data a specific user can have access to.
McKinsey also stresses the need to use behavioral analysis and reminds us, if a reminder were needed, that employees are the number one vulnerability within companies. Solutions that use analytics to monitor requests for access to IT resources, device health and traffic flows will be even more valuable in the future than they are today. Only by defining in advance the "normal" behavior of users or devices is it possible to identify abnormal behavior, whether intentional or unintentional. Behavioral analysis tools not only help achieve risk-based authentication and access management, but are also valuable for incident detection and response.
Additional technological resources will be "elastic" data monitoring and homomorphic encryption. On the first point, it must be said that today Big Data and the data produced by the Internet of Things generate heterogeneity and fragmentation, which complicates monitoring activities. By using different open-source platforms in combination, however, it becomes possible to extract log data from any location, centralize it and obtain an overview in real time. Homomorphic encryption, on the other hand, is a technology that allows you to work with encrypted data, for example to perform calculations: this is useful if the data is to be used by external personnel or if the company has confidential information that it wants to keep confidential.
Faster attacks thanks to automation and AI
The use of artificial intelligence and other attack automation tools already allows cybercriminals to become faster, more elusive and more effective in striking. Over the next few years, McKinsey explains, the end-to-end life cycle of an attack, from reconnaissance to exploit, will become even shorter. Furthermore, AI and machine learning techniques will allow malware to modify itself and its functioning, as the infamous Emotet has already done. In 2020, with machine learning, it used an automated process to send contextualized phishing emails that intercepted other threat emails. Another easily predictable phenomenon, mentioned in the report, will be the growth of ransomware, predicted by all cybersecurity vendors and analyst companies. Similarly, phishing, through which sensitive login credentials are stolen or various forms of scam are triggered, will continue to increase.
McKinsey responds to these problems with three possible solutions. First: use automation with a risk-based approach, that is, reserve it for less problematic and routine activities (such as installing patches or configuring low-risk resources) and instead maintain "human" supervision over riskier resources and activities. Second: use machine learning and artificial intelligence to fight attacks with their own weapons. Third: defend against ransomware not only with technology but also with correct behaviors and procedures, the so-called "cyber hygiene".
Problems of rules and competences
The third trend reported by McKinsey is actually twofold. First of all, in the coming years the rules that regulate the conduct of companies regarding cybersecurity will continue to transform and even multiply, and this represents a first challenge. Businesses will need to meet increasingly stringent and proliferating compliance requirements. Suffice it to say that today there are a hundred different regulations on the flow of data between one nation and another.
Secondly, companies will suffer from a lack of internal skills and difficulties in finding specialized personnel. "In general, cyber risk management has not kept pace with the proliferation of digital and analytics transformations, and many companies are unsure how to identify and manage digital risks," explains McKinsey. "To compound the challenge, regulators are increasing their focus on corporate cybersecurity capabilities, often with the same level of oversight and attention applied to credit and liquidity risks in financial services and operational and physical security risks in critical infrastructure."
In this case, McKinsey analysts recommend incorporating cybersecurity into the technological skills of corporate employees, as well as into software development practices (as envisaged by the DevSecOps approach). To equip yourself with the latest technologies, even if you lack the skills to implement or manage them, a good resource is the "as-a-service" model, that is, the cloud, which among other things, as we all know, offers advantages of scalability and automation. McKinsey also recommends diversifying suppliers to reduce exposure to any performance or availability issues. Furthermore, standardizing and codifying infrastructure and control-engineering processes can simplify the management of hybrid and multicloud environments and increase system resilience (the so-called infrastructure and security as code approach). Finally, to keep up with the growing compliance requirements, McKinsey advises companies to formally detail all components and supply chain relationships used in the software, creating a software bill of materials.