The increased digitization of the world we live and work in, has given rise to an increasing number of cyber threats and IT-risks. Over the past few years, we’ve seen a huge surge in the number, the intensity, and the sophistication of the attacks. But it’s not all doom and gloom. With proper technical solutions such as firewalls, antivirus programs , back-ups and a no-trust attitude, companies can better defend themselves.
The increase & effects of cyber attacks
While working from home has its benefits, it also leaves holes and weakness in the digital defenses of corporate organisations. Hackers are constantly lurking around the corner, seeking opportunities to exploit any weak links. The number and variety of malware has expanded exponentially, with significantly more than a billion known types. We’ve also seen an increase in targeted phishing campaigns and ransomware attacks, where hackers hold a company hostage. They encrypt and even threaten to disclose confidential or sensitive information if the ransom is not paid. Understandably many companies give in to these demands. However, the actual cyber breach costs are often even higher than the already considerable ransom demands. After all, negligence, and failure to protect data is frequently viewed as a bad practice of governance and negatively sanctioned by regulatory bodies. In addition to financial damage, cyber-attacks also tarnish the reputation of the affected companies, because they negatively impact upon the trust of clients, suppliers and society. Cyber security experts are pulling out all the stops to frustrate hackers in their tracks. But even with continuous research and government monitoring, it’s difficult to apprehend and charge cyber criminals.
Often, SMEs feel they’re out of harm’s way when it comes to cyber crime, yet 60% of the SMEs that fall prey to an attack are forced to close shop within six months following the attack. In an interconnected digital economy, any company can be carried along in the snowball effect of an attack, as collateral damage. The aftermath can be devastating for all involved. Regretfully companies mostly only upgrade their defenses, after having gone through such a catastrophic event. Even with preventative measures being close at hand.
Any company, regardless of its size, needs to have a tailor-made cyber security policy. Most of the attacks are targeted at outdated IT systems and weakened protection mechanisms. The information asymmetry in terms of protection doesn’t make it any easier. Software protection manufacturers bombard organisations with solutions they supposedly, and urgently require, a tactic we call FUD-selling. Playing into Fear, Uncertainty and Doubt (read more about this in a previous blog). The companies themselves are often unaware as to what they actually need. Yet, the answer is quite simple. It all comes down to preventative measures, which can most often be integrated into the existing system infrastructure.
Prevention is better than cure
The first, and most basic principle, is a Zero-Trust attitude and approach. Which implies that you must act as though nothing, or nobody can be trusted. This means that verification steps must be applied to all users, servers, and systems. And that all traffic must be inspected, monitored and recorded. My motto is: “never trust and always verify”. A principal design flaw of the internet is that it was based on trust versus untrust and we later on stacked multiple point-solutions to increase the level of trust, by implementing security measures, such as firewalls, multifactor authentication and intrusion detection systems. But as a former CISO of a large enterprise I know that managing spaghetti environments with a billion malware varieties flooding our corporate organisations is not a sustainable way of working. And even in the cloud there is no guarantee – as you can read in our blog on Microsoft Cloud. Zero Trust security is the way forward and this is what we research and tutor at AMS as well.
Secondly, all companies should have an internal or external cyber incident response team (CIRT), who scan and monitor systems and detect threats. A CIRT acts proactively by suggesting security improvements, and act effectively in case of an attack. Thirdly, I also urge companies to make regularly scheduled backups, so they’re able to resume business as soon as possible after an attack.
“Employees are often the weakest link but with continuous awareness training and exercises they can improve their vigilance.”
In addition to a dedicated CIRT team, every employee should play their part in protecting the cyber-fort. Employees are often the weakest link but with continuous awareness training and exercises they can improve their vigilance. Rather than boring training, I would suggest using interactive programs that notify people right away if they perform careless acts or succumb to suspicious requests. Gamification, in which an attack is simulated, also work well. Investing in cyber incident response team CIRT capabilities, inhouse or outsourced, is really worth the money, that’s why we specifically developed a course at AMS on “How to build up a CIRT” as part of the Executive Master in IT Risk & Cyber Security Management.
Even with protection, disaster can strike. In case you get hacked – and you end up right of the “bang“, I recommend acting quickly and appropriately. If you have an incident response plan at hand, now is the time to roll it out. I also urge victims to press charges to the relevant bodies so the authorities can launch an investigation. Unfortunately, many attacks go unreported, even though it is an online crime. Companies are often reluctant because of perceived shame or the undue burden of an investigation. Finally, I recommend all victims to analyse and learn from their mistakes and share with the public what can be learned like University of Maastricht did after their hack . This was a courageous act from the CIO and he gained a lot of credits by doing so.
This blog is based on an interview with Yuri Bobber in FokusIT Magazine.