Forty years ago, nobody envisioned that the internet – built to connect networks and devices – would become one of the most concerning landscapes of the 21st century.
In recent decades we have had significant cyber attacks in media, financial organisations, governments, oil and gas, and so on. These breaches coincide with a concerning rise in ransomware as part of the range of increasingly sophisticated attacks. These events became more prevalent as organisations started to expose their networks, data and processes to adapt to a new digital era. The same trends led Fortinet back in 2000 to identify the need for comprehensive security and to develop state-of-the-art solutions that provide broad, integrated and automated protection against security threats.
Data, the new radioactive element
As the digital field evolved, organisations realised data allowed them to make better business decisions. Data-driven business decisions became mainstream, but the methods used to secure that data stayed the same until the outdated 1995 Data Protection Directive was replaced by the General Data Protection Regulation (GDPR) in 2018.
GDPR mandated that organisations must protect user data by default. While GDPR did not slow down the number of attacks – nor was that its purpose – it enacted a shift in how securing personal data was done, from being an afterthought to being required by law.
GDPR also showed that data isn’t oil, and is more like a radioactive source – extremely useful and powerful when contained in data warehouses where predictions and advanced analytics are extracted, but destructive when breached and out in the open, with a long half-life like nuclear waste. Think about the implications of exposing medical records, public political preferences in a regime, and so on: once it leaks, there is no turning back.
Regulations for a new digital age
Data will play a significant role as currency for artificial intelligence systems. As such, data regulations that don’t stifle innovation will be one of the critical aspects that will drive substantial adoption.
The economic powers want to lead the regulatory data space. Europe did it once with GDPR, and it also signalled that it intends to lead the way with recent proposals such as the Data Act, the AI Act, and other digital policies that are part of its A Europe Fit for the Digital Age strategy.
On the other hand, the UK published its National AI Strategy last year, a ten-year plan signifying its intention to build the most pro-innovation regulatory environment in the world.
Besides the necessity of a regulatory framework around data, there is also a requirement for increased cyber resilience – an organisation’s ability to prepare for, respond to and recover from cyber attacks.
The National Cyber Strategy 2022 plan highlights how the UK is focused on resilience as part of its strategy. The EU is implementing a similar approach with its A Europe Fit for the Digital Age strategy, which proposes a regulation to increase resilience in critical sectors and a new set of rules for sharing, processing and storing data.
The revision of the Network and Information Systems regulations (NIS2), together with industry-specific regulation such as the Digital Operational Resilience Act (DORA) or its UK equivalent PS21/3 for financial organisations, is a step forward in increasing resilience in critical sectors.
Enabling resilience in critical sectors
DORA and PS21/3 are significant milestones for financial services organisations (FSOs). They will accelerate innovation by harmonising risk management across member states, identifying critical business services, setting thresholds for critical services, and requiring regular cyber resilience testing.
A key difference between DORA and PS21/3 is that the latter focuses on the financial institution’s own scoped business services, whereas DORA focuses on ICT risks.
Another key provision in DORA is how it addresses third-party risk – as cloud service providers (CSPs) are a big part of the modernisation effort by FSOs, reliance on them can lead to concentration risk. DORA has specific provisions for third-party risk management that bring CSPs and other third-party providers into scope for risk management.
In that regard, Fortinet has been at the forefront of risk management, working with customers to support many areas from current and upcoming resilience regulations, such as:
• Operational resilience: Fortinet Security Fabric is the industry’s highest-performing cyber security platform, with a rich open ecosystem spanning over 480 security partners. It covers the extended digital attack surface and cycle, enabling self-healing security and networking to secure people, devices and data everywhere.
• Security monitoring: Fortinet provides platforms and solutions to allow customers to monitor and track risk. FortiManager supports network operations use cases for centralised management, compliance best practices, and workflow automation to protect against advanced threat actors. The threat intelligence provided by FortiGuard Labs helps organisations stay ahead of new and existing threats.
• Digital resilience testing: Fortinet customers benefit from a long-standing commitment to meet the requirements of the most security-minded organisations. With a broad portfolio, comprehensive service offering, and a strong network of partners, Fortinet can help customers test their systems and networks to meet regulatory needs.
A cyber-aware workforce
While technology is key in cyber security, people are the most critical source of data compromises. Organisations must be prepared for a loss of control if their workforce is not taught cyber awareness.
The World Economic Forum states the current cyber professionals’ gap sits at three million people, which will significantly impact the ability of organisations to respond to threats, and cause delays in digital transformation programmes. In response, the EU and the UK have focused on building digital skills and inclusion via CyberGirls, European cyber security education, the UK Cyber Security Council, and many more programmes in recent years.
Fortinet, as a cyber security leader, has provided both free training through the Fortinet Network Security Expert (NSE) Training Institute and resources on cyber awareness to help build a resilient workforce. It is also committed to helping address the cyber security professional gap by training one million cyber professionals by 2025. Partnerships with active associations such as Women in CyberSecurity (WiCyS) or Latin American Women in Cybersecurity (WOMCY) are working to promote the Fortinet NSE certification among those communities and organisations.
Follow Ricardo Ferreira, field CISO at Fortinet, on LinkedIn: linkedin.com/in/securecyber