Modern is not to trust
Authors: David Horad and Omer Faruk Sahin, Huawei
“Don’t trust anyone over thirty,” Jack Weinberg said almost sixty years ago. Today, ICT entrepreneurs and their customers should be much stricter: “Trust no one!”
Trust is key. The way to keep earning it going forward is to apply the concept of zero trust.
Trust but verify
Whether it’s a large multinational ICT solutions provider or a small local ISP, they know their suppliers, probably for a long time and often personally. But even such a long-standing and reliable partner, or its equipment or software, can be the target of an attack or simply make a mistake internally. What to do about it? Thoroughly check every solution and every piece of equipment that the supplier offers us, as well as everything we already use.
Look for vulnerabilities and for any available information. The ICT sector is a business like any other, so don’t rely on the supplier’s claims alone; seek verified, objective information. Using only the supplier as a source is not a sensible approach. Treat any hardware or software, even from a proven supplier, as if it came from a company you don’t know; that will make you all the more cautious. But how do you ensure a thorough review? It is not always possible to check individual components internally, whether because of staffing, resource or time constraints.
Third-party verification is the ideal option: a firm connected to neither the supplier nor the customer, with real expertise in technical and security analysis and sufficient standing in the field. There are also suggestions that the state could take on this role, which ICT sector representatives say is a very “serious” idea.
However, verification before deployment is by no means the end of the process; it is only the first step. When you introduce a product into the system, set up mechanisms so that it can always be authenticated beyond doubt. It is a good idea to check that the new part of the system does what it is supposed to do. But it is equally important to know that, in normal operation, it does not do what it should not.
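One concrete form of the two checks described above, written here as an added example (it is not code from the article or from Huawei): accept a supplier’s artifact only when its digest is confirmed by more than one independent source, and keep re-verifying deployed components against the digests accepted at deployment. The artifact bytes, the vendor manifest and the third-party lab report are all constructed for the example; the component name is hypothetical. In practice the two attestations would be obtained over different channels, so that a compromised vendor site alone cannot manufacture agreement.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed stand-in for a supplier-provided firmware image or software package.
GOOD_ARTIFACT = b"example-router-firmware-v1.2.3\n" + bytes(range(256))

# The same artifact with one byte flipped, as tampering or a faulty build would produce.
_t = bytearray(GOOD_ARTIFACT)
_t[40] ^= 0x01
TAMPERED_ARTIFACT = bytes(_t)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two independent statements of the expected digest (both constructed here):
# the supplier's own manifest and an independent lab's test report.
VENDOR_MANIFEST: Dict[str, str] = {"router-fw-1.2.3.bin": sha256_hex(GOOD_ARTIFACT)}
LAB_REPORT: Dict[str, str] = {"router-fw-1.2.3.bin": sha256_hex(GOOD_ARTIFACT)}


def verify_artifact(name: str, data: bytes, sources: Iterable[Dict[str, str]]) -> bool:
    """Accept an artifact only if every independent source lists it and agrees with its digest.

    A missing entry, a disagreeing source, or no sources at all is a failure (fail closed).
    """
    digest = sha256_hex(data)
    sources = list(sources)
    if not sources:
        return False
    for src in sources:
        expected = src.get(name)
        # compare_digest avoids timing side channels when comparing hex digests
        if expected is None or not hmac.compare_digest(expected, digest):
            return False
    return True


def audit_installed(installed: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Re-verify components already in production against the digests accepted at deployment.

    Returns the names of components that no longer match or were never approved; this
    list is what an operator would hand to incident handling.
    """
    drifted = []
    for name, data in installed.items():
        expected = baseline.get(name)
        if expected is None or not hmac.compare_digest(expected, sha256_hex(data)):
            drifted.append(name)
    return sorted(drifted)


if __name__ == "__main__":
    ok = verify_artifact("router-fw-1.2.3.bin", GOOD_ARTIFACT, [VENDOR_MANIFEST, LAB_REPORT])
    bad = verify_artifact("router-fw-1.2.3.bin", TAMPERED_ARTIFACT, [VENDOR_MANIFEST, LAB_REPORT])
    print("genuine accepted:", ok, "| tampered accepted:", bad)
    print("drifted in production:",
          audit_installed({"router-fw-1.2.3.bin": TAMPERED_ARTIFACT, "agent.bin": b"x"}, VENDOR_MANIFEST))
```

The point of requiring agreement from every source rather than any one of them is that a single compromised or mistaken party, supplier included, can no longer get an artifact accepted on its own; the audit function is the “always authenticated” part of the text, run on a schedule against what is actually installed.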
Less is more
At this point it is not about verification and control mechanisms, but mostly about the end user. It is said that the biggest security risk sits between the chair and the keyboard, and this is usually the attacker’s gateway to systems, data and information. This is why users should be given only the rights they need to do their job: it minimizes the risk. The same logic can then be applied to other parts of the system, even those you have already authenticated.
Let’s monitor everything
Security Information and Event Management (SIEM) is already part of almost all major systems whose owners care about them. However, not everything is always monitored, whether for reasons of technology capacity, lack of experts or reluctance to invest in overall development. This has to end: monitoring security events, evaluating them and then handling the resulting security incidents is another necessary step in securing the entire system.
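What “evaluation of security events” looks like at the smallest scale, as an added example rather than code from the article or any product: a detection rule run over authentication log lines. The log lines below are constructed for the example in an sshd-like format, and the threshold and window are assumptions an operator would tune. The rule raises a medium alert when one source address accumulates repeated failures within the window, and a high alert when a login from that address then succeeds, since that is the case that should go straight to incident handling.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not from any real system), sshd-like format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host1 sshd: Failed password for admin from 203.0.113.5 port 51000
2024-03-01T10:00:03Z host1 sshd: Failed password for admin from 203.0.113.5 port 51001
2024-03-01T10:00:04Z host1 sshd: Failed password for root from 203.0.113.5 port 51002
2024-03-01T10:00:06Z host1 sshd: Failed password for admin from 203.0.113.5 port 51003
2024-03-01T10:00:07Z host1 sshd: Failed password for oracle from 203.0.113.5 port 51004
2024-03-01T10:00:09Z host1 sshd: Accepted password for admin from 203.0.113.5 port 51005
2024-03-01T10:05:00Z host1 sshd: Failed password for alice from 198.51.100.7 port 40000
2024-03-01T10:20:00Z host1 sshd: Accepted publickey for alice from 198.51.100.7 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, source ip, user, outcome)


def parse(line: str) -> Optional[Event]:
    """Parse one log line; return None for anything not matching the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["outcome"]


def detect(lines: List[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Sliding-window rule: repeated failures per source, and success after those failures.

    threshold and window are assumed tuning values, not figures from the article.
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    flagged = set()  # sources already reported for brute force, to avoid alert storms
    alerts: List[Dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # a real pipeline would count unparsable lines as their own signal
        ts, ip, user, outcome = ev
        # keep only failures still inside the window relative to this event
        recent = [t for t in failures[ip] if ts - t <= window]
        failures[ip] = recent
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                alerts.append({"severity": "medium", "rule": "brute_force",
                               "ip": ip, "count": len(recent)})
                flagged.add(ip)
        elif len(recent) >= threshold:
            alerts.append({"severity": "high", "rule": "success_after_failures",
                           "ip": ip, "user": user, "count": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the single failure from 198.51.100.7 followed by a key-based login fifteen minutes later produces nothing, while 203.0.113.5 produces both alerts; the distinction between the two is exactly the evaluation step the text says is too often skipped.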
Assuming the worst
Even with all possible security measures in place, a security incident may still occur. Have security incident management processes in place for such situations and, of course, implement a business continuity and crisis management system.
The best solution
Just as when we get into a car of a proven brand with the automatic belief that it will get us safely from A to B, we also use other services and products that we unwaveringly assume have the highest level of security. None of us is likely to want to drive a brand of car that is commonly associated with problems, to shop in an insecure e-shop, or to use the services of an operator that has deficiencies in IT security and cannot protect its infrastructure or its customers’ data. Reputation is fragile, and even a single careless incident can damage it for years to come. The sooner we adopt the principles of zero trust and accept that, in such a complex world, there is currently no better solution, the sooner our digital ecosystem will become more secure and inspire more confidence, not only among the specialists who can see under its hood but also among ordinary users, whose use of the services offered will enable their further development.
Last but not least
Cybersecurity is a living process that needs to be addressed end to end. It is the joint responsibility of many stakeholders, from the user to the operator, from the vendor to the public authorities. Cybersecurity processes built on a technical basis and on standards will be the key to reliable technology for all stakeholders.
