The rapid digitalisation of services in recent years has led to an explosion in software and application use. Yet software providers still release products with vulnerabilities, leaving their clients vulnerable to malicious software attacks. “Today we are more connected than ever. We use smartphones to carry out business critical tasks like executing bank transfers. Even hospitals and cars are now connected. This digitalisation will undoubtedly result in more cyberattacks,” warns Jacques Klein, who is also a professor at the Interdisciplinary Centre for Security, Reliability and Trust (SnT) at the University of Luxembourg.
Cybercrime is a growing problem for organisations, small and large. Accenture, a global consultancy firm, estimates that up to $5.2 trillion could be lost over the next five years as a result of cyberattacks. Malicious software, or malware, is the most expensive type of attack for organisations. It can undermine trust in a company and, in some cases, lead to a loss of life. A severely ill patient died this month when her local hospital was unable to admit her because its systems had been knocked out by a cyberattack. The incident could prove to be the first death directly caused by a cyberattack.
Organisations can take simple steps to protect themselves. Professor Klein underlines that companies need to follow cybersecurity best practices like keeping software up to date and training employees to detect phishing emails. But as malware becomes more sophisticated, a growing number of companies will need to beef up their security systems, which can be an expensive endeavour when done manually. Penetration tests, which are authorised and simulated cyberattacks, are a common way for security experts to evaluate an IT system. The security experts who conduct them come at a premium, though, leaving small firms without adequate security support.
The TruX Research Group is already researching how machine learning can be used to perform automated penetration tests, which would make testing faster and less costly. “Automation will enable us to learn even more about the characteristics of malware and what differentiates malicious software from good software,” Professor Klein explains. However, he warns that hackers can also use automation to gain an edge, for example by hiding malicious code on remote servers or triggering malware with a delay, a technique known as a “logic bomb”. “It’s an arms race,” he states.
Despite the heightened risk of cyberattacks and growing need to automate security systems, Professor Klein believes many companies are still too slow to act. “The truth is many organisations treat cybersecurity as an afterthought,” he says. “They are only prepared to invest in new systems once they have been targeted by malware. That’s the wrong approach.” Professor Klein says strengthening cybersecurity systems by introducing automation can reduce the risk of attacks and save money over the long term. “It is much better to secure your system before you become a victim of malware,” he says.
Automated Data Protection
Automation for security is multifaceted. It can also help companies improve internal processes and manage their data. Under the stewardship of Professor Klein and his colleague Professor François Tegawendé, the TruX Research Group has collaborated with several companies in Luxembourg, including BGL BNP Paribas and the Luxembourg Stock Exchange, to automate documentation processing.
“Financial institutions receive a lot of documents. They need to review, understand and, in some cases, extract information from a massive amount of documents. It is a very burdensome process,” says Professor Klein. The research group used a form of artificial intelligence called Natural Language Processing so that their partners could automatically scan and extract information from documents without having to open them.
Automation can also be used to verify if companies comply with data protection rules such as the General Data Protection Regulation (GDPR). Professor Klein says that while a provider can promise to protect their clients’ data, few people can check if the provider is keeping their word. “Automated GDPR checking can analyse the code to see if companies are really doing what they say they are doing with your data,” he says.
Professor Klein says this is particularly relevant in Luxembourg where a large number of companies outsource software development. “If a company buys a software product, it is still their responsibility to ensure it is GDPR compliant, but how can they do this without proper in-house expertise?”
Professor Klein asks rhetorically. His group is developing an automated GDPR check that analyses code. They are searching for partners to pilot their system. “We are always looking for companies to team up with. We can develop innovative technology, but there is no way to guarantee it works unless we collaborate with a partner and test the system in a live environment.”