Few of us today are unaware of the significance of cybersecurity and the threat of cyberattacks on our computers, smartphones, and other devices. We’re constantly reminded never to disclose passwords and to be on the lookout for spam and phishing emails that attempt to manipulate us into divulging personal information—such as those passwords, bank details, Social Security, or medical information.
This form of identity theft, although troubling, becomes even more sinister when it’s directed at governments and other major institutions. “Seeing is deceiving” is the tagline of a popular BBC TV series, The Capture, which explores the effect of deepfake technology, described as the 21st century’s answer to Photoshop: a technology capable of threatening national security, shaking the foundations of the state, destroying trust, and making us doubt reality.
Far-fetched in many respects, perhaps, but as we move deeper into the era of the Fourth Industrial Revolution, the show highlights the potential risks and threats from rapidly changing and ever-more-sophisticated technologies.
Prioritizing the risk
According to the World Economic Forum report “Global Cybersecurity Outlook 2022,” infrastructure breakdown as a result of a cyberattack is the No. 1 concern for cyber leaders, ahead of identity theft. The report also indicates that while 85 percent of cyber leaders agree that cyber resilience is a priority for their organization, gaining decision-makers’ support when prioritizing such risks against many others remains a big challenge. This challenge shouldn’t be taken lightly. CyberCrime Magazine says cyberattacks could potentially disable the economy of a city, state, or entire country, and it claims the global cost of cybercrime will reach $10.5 trillion annually by 2025.
Cybersecurity isn’t new, but in our increasingly interconnected—and fragmented—world, the risks to people, organizations, services, and systems from cyberattacks have never been greater. As technology has grown in sophistication, so, too, have cyber criminals. Uncertainty is rife, and trust is at a premium. Confidence and assurance that our systems are safe are now a basic requirement, and two International Standards for information technology—ISO/IEC 15408 and ISO/IEC 18045—can help to restore that trust.
The standards work together “like the pedals of a bicycle,” says Miguel Bañón, an expert in cybersecurity evaluation and certification, and convenor of the working group on security evaluation, testing, and specification, which operates under the joint stewardship of ISO and the International Electrotechnical Commission (IEC). ISO/IEC 15408, better known as the Common Criteria, establishes evaluation criteria for IT security, while ISO/IEC 18045, the companion document known as the Common Evaluation Methodology, defines the methodology for IT security evaluation. For practical purposes, they are always applied as a pair: the criteria say what must be shown, and the methodology says how an evaluator shows it.
Timely revision
The recent revision of the standards couldn’t have been more timely, as they have evolved to meet the complex new needs of the age. “The working group is focusing on technology assurance, testing certification, and providing the standards to ensure that the technology itself is secure,” Bañón says. “This is a significant part of the solution.” The standards also help to manage information and take a holistic approach, but the basic foundation is that the technology is secure.
To succeed in the market, you have to achieve the trust of your customers. This is as true for technology as it is for any other product. With a dizzying array of new products coming onto the market very quickly, such as connected vehicles, for example, how can you rely on a connected vehicle that drives by itself if you don’t have assurance that it’s going to work properly?
As Bañón says, with ISO/IEC 15408 and ISO/IEC 18045, “we are providing the best and the only way, which is internationally agreed, on how to test and evaluate the security of products and systems.” He points out that what was once a niche area is now becoming mainstream, and the market itself is putting cybersecurity upfront as a requirement. Decision-makers and leaders now have to step up and prioritize cyber risks.
Building resilience
At a government level, cybersecurity is something that’s being increasingly recognized. Bañón says that one positive outcome of this explosion of cybersecurity concern is new and forthcoming legislation in the European Union to strengthen cybersecurity systems. “The EU Cybersecurity Act provides a framework for European-wide certification schemes,” he says. “In the past, if you had to certify the security of your product, you could do that based on national schemes. Now, for the first time, there will be a pan-European certification scheme for products, and this new scheme is based on ISO/IEC 15408.”
As Bañón points out, IT security is not new, and the past application of the standards has had a positive impact on products in the market. He says, “Those products that have typically achieved compliance with the standards, such as operating systems or network devices, have evolved and improved to the extent that the hackers have had to target ‘easier’ products and attack surfaces.”
Certification against ISO/IEC 15408 requires a high level of development maturity and, at the higher assurance levels, demonstrated resistance against attackers of a defined attack potential. When we hear news of major cybersecurity breaches today, Bañón says there’s a high chance these hackers are exploiting products that haven’t been certified or analyzed under this standard. “If you’re a hacker, you tend to look for the weakest link in the chain, and today, the easiest route is via products that have not been certified according to the standard.”
Independent and impartial
It’s all a matter of trust. Bañón says, “In our standards, trust is provided after a very rigorous, independent, and impartial review of a product, and after a process of evaluation and certification.” Just as you can’t—and wouldn’t want to—buy a washing machine that doesn’t comply with safety requirements, compliance with these standards, “which are driven by market needs and are the basis of the most successful cybersecurity schemes all over the world,” offers protection from nasty shocks and will deliver peace of mind.