Jochen Michels, Head of Public Affairs, Europe, Kaspersky
Official warnings are not abating: the overall cyber threat level is higher than ever before. There are attacks at all levels, affecting companies and government agencies alike. On a daily basis, the media report denial-of-service attacks, APTs, and the detection of ransomware. Incident response capacities and coordination are lacking. The shortage of skilled specialists is widely criticized. Smaller companies and institutions with few employees are the most dramatically affected, as they are often unable to defend themselves.
The question is: how can we comprehensively counter these multifaceted threats? To do this, it is necessary to think of cybersecurity in a truly holistic way. This includes (i) transparency, (ii) the consistent application of Security by Design, (iii) the establishment of an appropriate cybersecurity culture, (iv) the continuous development of expertise, (v) risk-based, innovation-friendly legislation, and (vi) trust-based collaboration among all relevant stakeholders across industries and borders.
(i) Transparency
A fundamental principle for trust in cyberspace is transparency. Therefore, cybersecurity companies should provide comprehensive information about their own business practices, principles, and technological issues. After all, every user needs this knowledge in order to make informed decisions when selecting a security provider that suits their needs. The days of the black box – blindly trusting technicians without knowing about the system – are over. Users have the right to know not only what a cybersecurity provider does, but how the company does it. Transparency builds trust, and a transparent information policy forms an important basis for sustainable trust. At the same time, openness and the intensive exchange of information help to increase cybersecurity.
Transparency is the cornerstone of Kaspersky's approach to building trust and ensuring the security of its products and operations. Through its Global Transparency Initiative, Kaspersky engages the broader information security community and stakeholders in a collaborative effort to validate and verify the trustworthiness of its contributions.
One of the key components of Kaspersky's transparency efforts is the implementation of independent reviews and third-party evaluation. This includes not only audits and certifications such as ISO 27001 or SOC 2, but also participation in external product evaluations. These assessments provide an objective evaluation of the security and reliability of Kaspersky's solutions, validating their trustworthiness. In addition, Kaspersky has established Transparency Centers in various locations around the world. These centers serve as facilities for customers, partners, government authorities, and academia to access reviews of the software code, software updates and threat detection rules, as well as other activities. Through them, Kaspersky provides information about its products and their security – including essential and important technical documentation – for external evaluation in a secure environment.
(ii) Security by Design
Security by Design is an important design principle that has been the subject of considerable discussion in recent years, but only a few steps towards implementation have actually been taken by industry, research and politics. However, there has been a paradigm shift in this area – not least because the topic has also reached the political arena – and new legislative initiatives, for instance the Cyber Resilience Act, are focusing on security by design.
Kaspersky is breaking new ground with its microkernel-based operating system KasperskyOS, bringing Security by Design to life. The inherent security of KasperskyOS is embedded in its architecture and philosophy: nothing can run or function unless explicitly allowed by system administrators and application developers. Security policies that describe every permitted action are defined as early as the design stage of an IT product based on KasperskyOS. The KasperskyOS microkernel consists of 100,000 lines of code, so the attack surface is minimal. The strict isolation of system components ensures functionality in any situation: even if one of them fails, the OS will continue to perform its critical tasks.
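The default-deny model described above can be made concrete with a small policy evaluator. The following is an added, illustrative example and not KasperskyOS code: the component names, the interface operations, the rule format and the dispatcher are all constructed for this example and do not represent the real KasperskyOS policy language or API. It shows a design-time allow-list of permitted inter-component calls, a dispatcher that refuses anything not on that list, and a simplified form of component isolation in which one component's failure is contained rather than propagated to the others.

```python
"""Illustrative default-deny inter-component policy (added example).

All names, operations and the policy format are constructed for this
example; they are not the KasperskyOS policy language or API.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    source: str       # component making the request
    destination: str  # component whose interface is called
    operation: str    # named interface method being invoked


@dataclass
class Policy:
    rules: frozenset[Rule]
    denied: list[tuple[str, str, str]] = field(default_factory=list)

    def allows(self, source: str, destination: str, operation: str) -> bool:
        """Default deny: a request is permitted only if an explicit rule matches."""
        permitted = Rule(source, destination, operation) in self.rules
        if not permitted:
            self.denied.append((source, destination, operation))  # audit trail
        return permitted


def build_policy() -> Policy:
    """Design-time policy (constructed): these are the only interactions that may ever occur."""
    return Policy(rules=frozenset({
        Rule("sensor_driver", "data_logger", "append_record"),
        Rule("data_logger", "storage", "write_block"),
        Rule("network", "data_logger", "read_summary"),
        Rule("monitor", "diagnostics", "self_test"),
    }))


def dispatch(policy: Policy, source: str, destination: str, operation: str, handlers: dict):
    """Route a request only if policy permits it.

    Returns None when the request is denied, and the string "component_failure"
    when the target component raises, so that a crash in one component is
    contained and does not take down the caller (simplified isolation).
    """
    if not policy.allows(source, destination, operation):
        return None
    try:
        return handlers[(destination, operation)]()
    except Exception:
        return "component_failure"


def run_scenario():
    """Exercise the policy with a mix of permitted, undeclared and failing calls."""
    policy = build_policy()
    storage: list[int] = []

    def failing_self_test():
        raise RuntimeError("diagnostics component crashed")

    handlers = {
        ("data_logger", "append_record"): lambda: "logged",
        ("storage", "write_block"): lambda: storage.append(1) or "written",
        ("data_logger", "read_summary"): lambda: "summary",
        # Present in the system but reachable only if a rule names it: none does.
        ("storage", "erase_all"): lambda: storage.clear() or "erased",
        ("diagnostics", "self_test"): failing_self_test,
    }

    results = {}
    results["sensor_to_logger"] = dispatch(policy, "sensor_driver", "data_logger", "append_record", handlers)
    results["logger_to_storage"] = dispatch(policy, "data_logger", "storage", "write_block", handlers)
    # Undeclared interaction: denied even though the handler exists.
    results["network_erase"] = dispatch(policy, "network", "storage", "erase_all", handlers)
    # Operation is declared, but only for a different source: still denied.
    results["network_write"] = dispatch(policy, "network", "storage", "write_block", handlers)
    # Permitted call into a component that crashes: failure is contained.
    results["monitor_self_test"] = dispatch(policy, "monitor", "diagnostics", "self_test", handlers)
    # The system keeps serving its other permitted calls afterwards.
    results["network_summary"] = dispatch(policy, "network", "data_logger", "read_summary", handlers)

    return results, list(policy.denied), len(storage)


if __name__ == "__main__":
    outcome, denials, blocks = run_scenario()
    for name, value in outcome.items():
        print(f"{name}: {value}")
    print("denied:", denials)
    print("blocks written:", blocks)
```

The point the example makes is that the set of permitted interactions is closed at design time: adding a new handler to a component does not make it reachable, and a rule for one caller does not transfer to another. The `denied` list doubles as the audit record a defender would want to review.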
(iii) Cybersecurity Culture
Undoubtedly, security awareness needs to be raised in most organizations and should be a key issue for C-suite managers. However, there are many ways to understand ‘security awareness’. Effective training cannot consist of theory alone. Real-life examples and illustration are critical; interactive simulations can be a great asset and support team interaction. What is more, the content must be integrated into the daily workflow; it is crucial that the advice is actually put into practice. People should not be overloaded with information. Based on this experience, Kaspersky has developed modern and effective methods of conducting security training to impart knowledge, make employees more sensitive to risks in the long run and – most importantly – to build and help maintain a cybersecurity culture within every organization.
At the beginning of October 2023, Kaspersky launched an all-new Cybersecurity for Executives Online Training. Fostering a stronger security culture within organizations, the new training program aims to raise attendees’ awareness of the modern digital threat landscape and to introduce them to the proper use of cybersecurity skills. The tutor-led online video course comprises modules on, for example, cyber risks for businesses, management of cyberattacks and the future of cybersecurity. The course brings together a stellar line-up of the company’s speakers, including Eugene Kaspersky, the company’s founder, as well as Igor Kuznetsov, Director of the Global Research and Analysis Team (GReAT). The training is delivered in a microlearning format with tests focusing on the knowledge, practical guidelines and checklists managers need for business cybersecurity.
(iv) Expertise
Kaspersky's commitment to passing on knowledge is a vital component of shaping a secure digital future. The company actively shares its cybersecurity expertise with academia, industry, and the wider community through several initiatives. The Cyber Capacity Building Program equips individuals and organizations with essential cybersecurity skills through training, resources, and workshops. This initiative empowers participants to enhance their understanding of cyber threats and bolster their defenses. Kaspersky's Global Research and Analysis Team (GReAT) plays a central role in sharing knowledge. GReAT experts, renowned in cybersecurity research, offer training sessions and publications to keep professionals updated on the latest threats and strategies. Jointly funded projects support research and development efforts that lead to innovative cybersecurity solutions. By partnering with other organizations, Kaspersky contributes to advancements in cybersecurity technologies.
The Kaspersky Academy serves as a comprehensive education platform, offering courses, webinars, and research materials to nurture the next generation of cybersecurity experts. This global initiative ensures cybersecurity knowledge reaches a wide and diverse audience.
(v) Legislation
Politicians and administrators have recognized the problem of growing cyber threats. Attempts are being made to counteract the challenges, with basic regulation at EU level, amongst other things. The NIS2 Directive, which came into force in early 2023, intends to raise the level of cybersecurity and to improve the resilience and incident response capacities of public and private organizations. Member States have until mid-October 2024 to adopt this new legislation. What is more, the so-called trilogue – a negotiation process in the EU between representatives of the European Parliament, the Council, and the Commission – has started on the Cyber Resilience Act. It aims to introduce mandatory cybersecurity requirements for products with digital elements. It is crucial to periodically update regulation in order to provide legal certainty and to keep pace with increased digitization and the evolving cybersecurity threat landscape.
(vi) Trust-based collaboration among stakeholders across industries and borders
In an interconnected world, cooperation is paramount. Cybercrime knows no national borders, making efficient international collaboration essential. To safeguard the security of citizens and businesses, Kaspersky closely cooperates with international organizations, private actors, and public institutions, contributing, for example, as an industry partner of the Council of Europe. We also offer our expert opinion, for example in publications such as the 2019 ENISA study "Good Practices for Security of IoT - Secure Software Development Lifecycle", and in multistakeholder cybersecurity initiatives, such as the Paris Call for Trust and Security in Cyberspace. The company is additionally a founding partner of initiatives to protect victims and combat cybercrime, such as the Coalition against Stalkerware or the No More Ransom Initiative. Besides this, Kaspersky has participated in activities and forums of the United Nations Internet Governance Forum (IGF) for several years in a row. These collaborative efforts exemplify Kaspersky's commitment to safeguarding citizens and businesses through international cooperation.
In conclusion, Kaspersky's dedication to transparency, Security by Design, passing on expertise, cooperation, and the pursuit of a sustainable cybersecurity culture underscores its commitment to shaping a secure digital future. In addition, Kaspersky provides its expertise in the context of numerous normative and legislative initiatives and contributes to the systematic development of cybersecurity law in an open dialogue. By embracing these principles, Kaspersky plays a vital role in fortifying cybersecurity defenses, mitigating the ever-evolving threats posed by our cyber adversaries, and contributing to a safer and more resilient digital ecosystem for all.