Kaspersky’s David Emm: “It’s no longer enough to be reactive”

Cybersecurity software and services have traditionally been thought of as a way to block an incoming attack or threat, but as the rise of IoT has created a whole new sector of connected devices – ranging from fitness trackers, to smart appliances, to business hardware – the security industry is in the process of evolving its offerings to no longer just react to incoming threats, but to make these products “cyber-immune” in the first place.

PCR sat down with David Emm, principal security researcher at Kaspersky, to find out more about this evolution in the market, how the company is working with the channel, and what emerging areas of technology are in the most need of new security protocols and understanding.

What have been some of the biggest changes in the security landscape over the past year?

Over the past year, the biggest change – when it comes to how cybersecurity affects the business landscape – is the increasing vulnerability of supply chains.

Cybercriminals have clocked onto the fact that hacking a supply chain for data is an effective, and less obvious, way of sneaking through the back door. Businesses have become more educated towards cybersecurity, and in some cases the front door is bolted shut, but supply chains remain a weakness.

The increasing use of smart devices, used by enterprises across many aspects of their operations, is also creating more cybersecurity issues for companies. The more connected devices that are used, the broader the attack surface is. GDPR has of course also had a growing influence on enterprises, as it was always going to. It’s been a year since it came into effect and, for some businesses, has proven to be a massive hurdle to overcome. It has forced them to act.

It’s only recently that we have started to see huge fines imposed for non-compliance; most recently the fine of £100 million imposed on Marriott and the record-breaking charge of £183 million handed to British Airways.

How is Kaspersky responding to these changes and turning them into opportunities?

Historically, the cybersecurity industry has been reactive, but with IoT tightening its grip and becoming more influential and implemented, it’s becoming increasingly important to change this approach and mindset. We need to make devices secure right from the early stages of the design and manufacturing process.

We are regularly seeing smart devices of all kinds entering the market with connectivity, but with little thought to security. Such devices must be made secure before they are available to consumers.

At Kaspersky, we have long recognised that it’s no longer enough be reactive. But in the future, we all need to think in terms, not just of being proactive, but becoming cyber-immune – meaning that every product that is rolled out is vigorously tested to ensure that it is secure, and protected against all known cyber-threats. The approach of retro-fitting security to existing devices and systems is no longer sufficient.

Do you think consumers are becoming savvier when it comes to understanding the importance of security? If so, does this affect the way you develop and market your products?

Overall, consumers are becoming more cyber-aware and now take cybersecurity more seriously. In the not so distant past, hacks and breaches carried a shock factor when they hit the headlines, because there wasn’t the understanding around them that there is today.

However, after so many stories about and around them, people are much more aware than they used to be.

We also used to see experts and spokespeople, such as researchers from Kaspersky, called upon for comment and insights once a breach had happened, but this too is becoming less regular now.

This again shows that there is a wider and deeper understanding of cybersecurity across society as a whole. People are also vastly more aware of the terminology and phrases used within this sector and use them regularly amongst themselves in conversation, which also demonstrates a wider, deeper understanding of the issue.

This has inevitably changed how we market our products – our products available are the same in function, but the way we convey our messages is much different so that they resonate with people’s changing attitudes, just as how the tech they are using constantly changes.

New platforms such as WhatsApp and FaceTime change the way consumers engage with tech, and the age ranges of those who do. As a result, we need to evolve with them, to ensure our messaging does not fall on deaf ears when it comes to marketing our products.

There is no point in including technical terms, industry phrases and terminology to tell a young adult why they should be cyber-aware when they’re using Instagram – the message would fall on deaf ears. Rather than technical jargon, they simply need to know how their actions could affect their lives, and what they can do to guard against those scenarios becoming a reality.

How important are the reseller and retail channels to Kaspersky and what are you doing to work more closely with channel partners?

The channel is extremely valuable to Kaspersky, and we continue to work to maintain an effective working relationship between us and our channel partners. This relationship is very important. Important for us, since it’s a vital way for us to market and sell our products; important for our channel partners, since they want to ensure that their customers secure their businesses using the best products and services.

What emerging areas of technology are in the most need of new security protocols and understanding?

IoT is the big one right now. It is an area that requires a thorough understanding from the cybersecurity industry, manufacturers, businesses and even consumers.

People buy a connected device for the function that it carries out. Consumers buy a baby monitor to check on their children.

However, they don’t necessarily understand the implications of the connectivity built into it. This is often true of manufacturers also: they understand the need to make use of the latest technology, but don’t always understand the security impact. I think that the Government also has a responsibility to safeguard consumers by laying down standards that ensure that smart products are safe for use.

This means developing an industry standard – similar to the safety standards we’ve all come to expect with toys clothing, soft furnishings, etc. Last year the UK Government introduced a code of practice for IoT devices. This is a good start, although I would favour making it mandatory.

What’s next for Kaspersky?

The digitisation of almost everything – from every day objects to industrial processes – is drastically revolutionising the daily lives of consumers and businesses alike and is massively increasing the attack surface available to cybercriminals.

This is an area that Kaspersky has been focusing on for some time, and will continue to do so. It involves the aforementioned shift towards cyber-immunity and more proactive approaches. That represents the only real solution to the problems that IoT devices present – whether for security of consumer goods or critical infrastructure installations.

This article is part of PCR’s Security Sector Spotlight – in association with 

For more security-themed articles, click here