What Do You Do If You Fall Victim to a Cyber Attack?


As cyber attacks become a more constant threat, organizations are forced to examine their risk management strategies. Checkpoint found that there were 50% more attacks per week on corporate networks in 2021 compared to the previous year.  

On top of that, more than 55% of large companies are not effective at stopping cyber attacks, identifying and fixing breaches, or containing the impact. Accenture’s State of Cybersecurity Resilience 2021 report also noted that 81% of CISOs said that “staying ahead of attackers is a constant battle and the cost is unsustainable”, compared with 69% in 2020.

We spoke to Nuno Martins da Silveira Teodoro, Cyber Security and Privacy Officer of Huawei Portugal and Tom Hofmann, CISO and DPO of Eniwa AG about whether humans really are the weakest link as well as the role CISOs play in this increasingly risky security landscape. 

 
Nuno Martins da Silveira Teodoro is a cybersecurity expert with experience in cybersecurity strategies and programs, threat intelligence, cybercrime and warfare, and data privacy. He has worked with regulating bodies and managed international certifications and cyber programs.
Tom Hofmann has over 20 years of experience implementing projects from Finland to Tokyo and an interest in how to leverage human-centered innovation in social and technical systems.
 

We need more engaging cyber awareness training 

 

When asked why humans are still the weakest link in cybersecurity despite hours of training, Teodoro counters that humans are simply the “most probable link to be exploited” given the sheer number of employees in any given organization.  

He added, “You only need one to execute what criminal actors want.” 

Specifically, he pointed out that bad actors try to exploit people’s need to help and support others. This, combined with a lack of cybersecurity awareness in just one person in an organization, can have devastating effects.

Attackers are becoming savvier by exploiting chinks in the human chain via social engineering. So even the latest technology can leave an organization vulnerable if people lack the right level of cyber awareness. According to the Identity Theft Resource Center’s 2021 Data Breach Report, social engineering attacks such as smishing, phishing, and business email compromise (BEC) were the most common cause of cyber breaches in 2021.  

In fact, the 2022 State of Phish report found that 78% of organizations experienced email-based ransomware attacks in 2021. Moreover, 79% experienced spear phishing attacks while 87% experienced bulk phishing.  

Attackers have all the time in the world to exploit humans in an organization and they’re getting very good at it. In contrast, businesses are simply unable to spend all their time and resources training their employees, which presents a disadvantage.  

As such, Teodoro suggested engaging employees in a pragmatic way when training as opposed to showing slides or running computer-based simulations that they do not identify with.  

He said: “This is where I usually try to target the training courses we do, which is to identify the fine details that can indicate that someone is a victim of an attempted social engineering attack.”

Hofmann agreed that forcing people who are overworked and understaffed to watch boring training videos is ineffective, adding that blaming employees for falling victim to phishing attacks would also be pointless. Instead, he advocated for leaders to try to understand the problems their employees face and what they need to be more secure.

 

Human-centric approach to cybersecurity

 

On the question of a human-centric design of cybersecurity, Hofmann explained that it’s about combining technical and business viability. However, this is made difficult when there is a lack of trust between employees and their supervisors.  

Hofmann recalled that in his experience, project managers’ bonuses are tied to certain projects. Under pressure to deliver, they do all they can even if it means coming up with workarounds that may compromise security.  

Teodoro elaborated, “For sure, penalization is something that creates a culture of fear, and it creates a culture of not alerting or reporting anything or hiding things that could otherwise be critical.” 

“I think we should foster a culture of transparency, a culture of openness, and a culture where everyone is at ease to report to the upper management or CIO or to anyone who has the responsibility that they believe something is wrong, even if it started with them,” he added.  

Hofmann, who agreed, stressed that the only way to build this sort of trust is for leaders to go out and meet people, while also refraining from using blame or shame.  

Even so, both speakers conceded that this will be difficult to do. An organization-wide cultural shift requires the cooperation of each department. The challenge is that everyone has their own agenda and way of doing things. Each person also responds differently to engagement and security awareness training. This means CISOs are faced with the mammoth task of figuring out how to best engage employees across the organization and merge them together to create a holistic version of security culture. 

When asked about the greatest contributor to behavioral change in cyber awareness, Teodoro suggested creating ‘Cyber Champions’. These are employees from different business areas who can spread the message and also serve as a conduit for understanding what each team is concerned with daily in terms of security.


Ransomware: To Pay or Not to Pay 

 

 According to the Sophos State of Ransomware 2022 report, there was a 78% increase in the number of organizations hit by ransomware attacks alone in 2021. It is also an expensive breach. On average, the cost of rectifying the impact of ransomware attacks the same year was USD 1.4 million.   

On whether organizations should pay the ransom, Teodoro and Hofmann both agreed that it is the absolute last resort.  

Hofmann specifically noted that paying the ransom only serves to fuel the “ransomware pandemic”. The only exception he would consider is if someone’s life is on the line – for example, if a hospital was hit by a ransomware attack and needed to recover access to its life-saving systems. He warned, however, that there’s no guarantee that everything will return to normal once a ransom is paid because decryption keys do not always work.

Teodoro went on to emphasize that resolving a ransomware attack is a complex process, even if you did decide to pay. Finance leaders should consider whether they know how to negotiate with ransomware attackers and whether they have a team in place with the required expertise to handle such situations.

This is particularly important given that in 2021, 65% of ransomware attacks resulted in data being encrypted, while only 4% of organizations that were breached recovered all their data, according to the Sophos report. Additionally, 90% of organizations that experienced a ransomware attack faced operational issues as a result, while 86% faced a loss of revenue.

As such, the experts recommended setting up a crisis management team for cyber attacks to contain the incident and manage the fallout both internally and externally. After all, when an incident does occur, it has the potential to turn into a crisis.

Teodoro said, “If you have everything on crisis management prepared, you will know that being vocal, transparent, honest, and confront the public facing audience and your customers in a direct and open way are the best possible thing you can do. If you try to hide or conceal it, you will lose all your credibility.” 

Stressing that communication is vital, Hofmann expressed surprise at how leadership in many organizations remains reluctant to openly address breaches on the assumption that it would hurt their brand. He described this as a “biased decision”.

He explained: “I would rather trust a company who is open about it and who is transparent about what they are doing rather than a company that is hiding stuff from me. As a customer, I would ask, do I trust this organization with my data?” 

What’s Your Cybersecurity Budget?

The damage cyberattacks cause organizations is on the rise, costing them millions. Although cybersecurity spending is projected to increase dramatically, CISOs must structure their cybersecurity budgets based on their organization’s needs, vulnerabilities, and swiftly evolving trends such as the shift towards remote/hybrid work and a growing reliance on cloud services. Read on to discover the key current factors driving cybersecurity budget prioritizations. 

 

The rising cost of cybersecurity breaches 

 

A report by the Identity Theft Resource Center noted that data breaches in 2021 exceeded those in 2020, with an estimated 281.5 million people affected. The cost of this is monumental, especially for businesses. The average cost of cybercrime amounts to $1.79 million per minute for businesses, highlighting the impact that cybersecurity has on an organization’s operations.

It is no surprise then that cybersecurity budgets are rising each year in line with this evolution. Approximately 44% of IT professionals cited improving cybersecurity as a justification for increased IT investments, according to the ESG research report on its Technology Spending Intentions Survey in 2022.

 
 

In fact, cybersecurity spending is growing at a faster rate than overall IT spending, with 44% of security leaders expecting their budgets to increase in the next 12 months according to CSO’s 2021 Security Priorities Studies. This is in line with the findings reported in PwC’s 2022 Global Digital Trust Insights report stating that 69% of organizations predict a rise in their cyber spending for the year.  

Additionally, tech research firm Gartner projected that spending on information security and risk management will top $172 billion in 2022, a $17 billion increase from 2021 and $35 billion more than in 2020.  

In 2021, Microsoft announced a $20 billion cybersecurity budget over the next five years while Google CEO Sundar Pichai announced that the company is investing $10 billion in that same period. 

 

Cybersecurity spending priorities 

 

Though the projections for cybersecurity spending increase each year, it is still limited. As CISOs grapple with increased risk, they are also searching for ways to spend their funds most efficiently.  

One way to do that is to understand the threat landscape and the needs of the organization. Gartner predicted that, over the last three years, the top five areas of security spending growth would be application security, cloud security, data security, identity access management, and infrastructure protection.

Current developments will also affect budget priorities. In the two days following the start of the Russia-Ukraine war, US-based cybersecurity agencies observed an increase of over 800% in suspected Russian-sourced cyberattacks.

In March, the hacker group Anonymous warned that it would attack major corporations that have not pulled out of Russia since the war began. It was later reported that the group had hacked Nestle and leaked over 10GB of important data including client information, emails, and passwords. Other organizations that were targeted include Burger King, Subway, and cloud computing firm Citrix. 

The US Department of Homeland Security, FBI, and others have issued warnings for organizations to be prepared for further threats. 

 

Cloud Security is a key focus 

 

The global pivot to remote work catalyzed by the COVID-19 pandemic has redefined many organizational structures and led to a growing reliance on cloud services and digital tools, leaving organizations vulnerable to different types of cyberattacks.

An IDC survey by Ermetic found that 79% of companies experienced at least one cloud data breach in the last 18 months. This is alarming given that 92% of an organization’s IT environment is cloud-based, making cloud security a key concern for CISOs and other C-level professionals.  

Unsurprisingly, CISOs are prioritizing cloud security, which would drive budget priorities. According to ESG, 62% of the IT personnel surveyed said they are planning to increase spending on cloud application security while 56% said they are investing in cloud infrastructure security.  

 
 

We have also found, as shown in our latest Cybersecurity Investments trend report, that 60% of CISOs and their C-level counterparts are focusing on cloud security, specifically third-party management and resilience or Zero-Trust Architecture. Many of the organizations interviewed also noted that they are looking to expand their cloud solutions and adopt a hybrid cloud, thus enabling them to keep data processing on-site where needed.

 

Employee Awareness can reduce security risks 

 

Another area of focus for CISOs is employee awareness, with 58% of organizations citing it as a key focus of their cybersecurity strategies. A Ponemon Institute study showed that 68% of organizations have experienced at least one endpoint attack, compromising their IT infrastructure and data.  

Similarly, IBM found that a staggering 95% of cybersecurity breaches were caused by human error.  

As Mika Susi, former Executive Director of the Finnish Information Security Cluster, said: “Many times, humans are said to be the weak link in cybersecurity. Recently, we have also seen many attacks using an organization’s supply chain and partners as weak spots to get access to their network.”

Eliminating that factor would mean that 19 out of 20 cybersecurity breaches might not have occurred at all. Though it would be impossible to eliminate human error completely, it is crucial to implement strong policies and training programs to equip employees with the right knowledge and tools to avoid potential cyber threats, which would decrease security-related risks by as much as 70%.

One of the challenges with improving employee awareness is that there hasn’t been enough of a focus on building a culture within organizations to identify risks.  

“As I see it, organizations often put too much emphasis on having a formal three-part structure of control and reassurance, and far too little emphasis on building an actual culture that identifies and steers risk as part of its DNA. Of course, building a strong culture of security – and implicitly, a risk culture – means including all employees, from the CEO to the bottom-rung shift worker, from the service partner to the short-term consultant. Including all the human risks and employees is key to making an actual risk-based culture,” says Magnus Solberg, VP & Head of Security Governance at Storebrand.

Implementing a bottom-up approach to training employees to think and act in a risk-based manner is one way to mitigate the human factor, says Mr. Solberg. He also suggests arming employees with tools to perform more structured and documented assessments: mental tools as well as stronger policies, guidelines, and software.

 

Cybersecurity resilience and readiness 

 

At the same time, cybersecurity leaders are actively searching for new strategies to quickly detect and respond to cyber breaches.  

In 2021, there was a major surge in cyberattacks compared to previous years. According to SonicWall’s Cyber Threat Report, there was a 105% increase in ransomware attacks that year from the previous year. Narrowing down, government institutions saw a 1,885% increase and the healthcare industry saw a 755% increase in such attacks. According to Sophos’ State of Ransomware 2021 report, retail, education, and business & services sectors were hit with the most ransomware attacks.  

 
 

In July 2021, Swedish supermarket chain Coop was forced to shut down over 400 stores due to a major ransomware attack on its point-of-sale systems. This was part of the same ransomware attack which affected over 200 businesses, mainly in the US. More recently, several oil storage and transport companies across Europe were hit with ransomware attacks. Specifically, Oiltanking in Germany, SEA-Invest in Belgium, and Evos in the Netherlands were all forced to operate at limited capacity due to the attack. 

Sophos’ report also revealed that, on average, it costs an organization a total of S$1.85 million to recover from a ransomware attack, up 143% from the previous year. The findings also showed that only 8% of organizations that fell victim to a ransomware attack were able to recover all their data after paying a ransom. Approximately 29% only managed to recover no more than half their data.  

Beyond that, a recent survey found that 66% of respondents suffered a significant loss of revenue following a ransomware attack while 53% reported that their brand images were negatively affected. Alarmingly, 29% said ransomware attacks led to employee layoffs.  

The cost of a ransomware attack or recovering from other forms of cyberattacks could set organizations back a major chunk of their budgets if they are not prepared in advance. In fact, the increased cost of ransomware attacks has also driven up premiums on cyber insurance policies, adding to the need for organizations to be financially prepared.  

CISOs are constantly looking for ways to strengthen their organization’s ability to resist and recover from a multitude of threats, which in turn informs their cybersecurity investment priorities. What other factors should organizations consider when setting their cybersecurity budgets?  

ECSO’s Luigi Rebuffi: Bridging the Gap In Trust and Talents Within Cybersecurity

The impact that COVID-19 has had on cybersecurity has shown how much work businesses still need to do when dealing with cyber threats. Attacks such as the SolarWinds hack show that CISOs need to build awareness, prevention, and security practices into their organization’s culture.

As the Secretary-General and Founder of the European Cyber Security Organisation (ECSO), Luigi Rebuffi shares with us his insights on the role of Public-Private Partnerships (PPP) in digital security, the challenges that come with it, and how organizations are bridging the talent gap within cybersecurity.

 

Understanding The Role of Public-Private Partnerships in Digital Security

Public-Private Partnerships (PPPs) in cybersecurity continue to be a necessity for both government and the private sector to overcome the increase in cyber threats. While PPPs can serve as a foundation for effective critical infrastructure security and resilience strategies, there is still a need for clarity from both sides.

Rebuffi highlights that cooperation will be key to setting up an effective relationship between government and business that makes real use of PPPs in cybersecurity.

 

How can PPP be used effectively for both the private and public sectors to overcome digital threats?

 

When looking at a public-private partnership, the traditional relationship is that the private sector gives information to the public sector, which will then assess the situation and give guidance on how to solve the crisis.

However, a more dynamic cooperation must be continuously built up in order to be ready and react rapidly in an efficient partnership in case of a crisis. That is what we’re trying to set up with ECSO, since 2016, where there is full cooperation in different elements of the cybersecurity ecosystem.

Cooperation with the public for policy and legislation to give certain advice and standards, certifications, investments, discussion on the cyber threats, and what are the cyber threats that the private sector is facing every day, not only during the crisis periods.

And the cooperation should not only be about overcoming the crisis but also about how you support the companies, including SMEs and startups through education training in the development of certain innovative technologies and services.

It is a full spectrum of cooperation. Not just a quick fix in the case of a crisis, like the SolarWinds attack. And we need to change that, to have that full public-private cooperation across different ecosystems. It is a bilateral relationship, not just a transfer of information.

 

Establishing Trust and Overcoming the Challenges In Public-Private Partnerships

The creation of PPPs was meant to improve collaboration between private stakeholders and public agencies for information sharing. However, establishing trust has always been the biggest barrier for many businesses to engage in a PPP.

Rebuffi reiterates the point that the key foundation in building a solid bridge between the private and the public sector will be on CISOs to build trust while overcoming the challenges that come with incorporating PPP within their organization.

 

What can organizations do to foster trust and improve the relationship between the public and private sector and bridge the gap in PPP?

 

Trust is not easy to build, especially in this period characterized by COVID-19. Establishing trust via remote connection is not an easy task, especially when you are working on sensitive matters such as cyber security. You need a kind of bottom-up approach where you first build up trust in your sector.

For example, if you are in the private sector, it is easier to build up trust with the people that you know, the people who are around you, in your region, in your country, and your sector. So you build trust from the bottom up.

The problem then is to see how you can link with other sectors or from other countries.

 

What challenges does the CISO face in establishing and nurturing PPP within their organization?

 

CISOs are still struggling because they are still trying to convince their management of the importance of cybersecurity, IT systems, and the investments needed. It is something that I imagine will be exacerbated by the acceleration of the digital transformation due to COVID-19.

The challenge will be more pushed towards getting the system working to have better control of data so that when we talk about digital sovereignty, we can think about better control of data. Looking ahead to cybersecurity trends in 2024, CISOs will likely encounter evolving challenges in managing these aspects, necessitating even more robust and forward-thinking strategies. They will need to stay abreast of the latest developments and adapt to the rapidly changing cyber landscape. And CISOs who are dealing with security, sensitive applications, and services, would need trusted and reliable supply chains.

So, on one end, they have to overcome the skepticism within their organization while finding resources to “feed” their systems correctly and find trust in reliable solutions. Of course, there’s also the problem of educating employees, as the human factor is also non-negligible.

 

Fostering Talent to Bridge The Cybersecurity Skill Gap

With cybersecurity becoming an integral part of an organization’s business strategy, the demand for talent has grown significantly as well. However, the number of skilled and qualified workers is still well below the demand, with gender balance still being a major issue.

Rebuffi continues to advocate for more gender balance in cybersecurity through the Women4Cyber Foundation and highlights how CISOs and IT leaders can still help nurture an environment for building talent in cybersecurity.

 

How can IT leaders and CISOs attract, retain, or build cybersecurity talents within their organization?

 

CISOs, IT leaders, and I would also say human resources, have to show to the talents that they have the opportunity in this cybersecurity domain for a structured and well-paid career.

Some people are interested in working in cybersecurity as it is a career that is evolving continuously. You keep learning and you face challenges in a very dynamic environment while somehow contributing to the growth of the society or organization. But talents want to be properly compensated and want to see a path in their career.

And of course, IT leaders and CISOs have to show their employees that they can give adequate education and training to those who want and are looking to transition from a traditional job to one that is more linked to the digital sector due to the digital transformation.

 

How have initiatives such as Women4Cyber helped in fostering cybersecurity talents?

 

We are at the beginning stages with Women4Cyber, which is growing like a strong wave, and now we see the creation of national chapters across Europe. We are starting to see that people want to cooperate with different activities, support inclusion, and increase the participation of women in cybersecurity.

And this is important to us because we cannot exclude 50% of the population from the talent pool simply because they are women, and businesses are slowly learning that and trying to be better.

I will say that we are seeing smaller companies, like IT startups, and larger companies awakening and looking for experts, as well as hiring more women. But as I said, the movement is a strong wave that will come up and businesses have to realize that we desperately need people and they need to support that.

How Banks Stay Competitive in a Digital Landscape with Increased Cyber Threats

Ricardo Ferreira, Field CISO, Fortinet

In banking and finance, the transformation strategy needs to have the customer experience in focus to build trust, which is crucial in today’s digital life with fewer physical customer meetings.

Banks must be agile in their business model to quickly create new applications that are required for an optimized user experience, says Ricardo Ferreira, Field CISO at Fortinet.

With DORA (Digital Operational Resilience Act), European financial institutions get new guidelines aimed at reducing the risk of cyber-attacks. Fortinet helps its customers comply with these regulatory requirements. – We can protect everything that has access to the network and banks should have a security architecture that includes multiple private and public cloud platforms. What makes Fortinet unique is that we can take a holistic approach to security in the financial institutions’ digital transformation journey, says Lars Berggren, Country Manager Fortinet Sweden.

 

An improved user experience with Bank 4.0

In the Nordics, cash handling has decreased significantly in recent years, while digital payment solutions have increased rapidly. Swedish banks, for example, were early in launching internet banks, but in recent years the focus has shifted to making sure they comply with regulatory requirements. With new Fintech companies attracting customers, Swedish banks need to put more effort into their digital development to be competitive. Cyberattacks and threats are becoming more and more sophisticated. Fortinet provides support in the digital transformation and has crucial expertise in risks and threats.

– Cloud-based platforms, both private and public cloud, are crucial for banks when developing solutions for a better, high-quality user experience. The transformation that banks need to go through, with new digital platforms and a more agile business model, is what we refer to as Bank 4.0. Today, you need to be fast and flexible to protect yourself and there must be a proactive security platform that supports the business and provides a holistic view, says Lars Berggren.

 

Secure the brand reputation of your bank

Digitalization brings many opportunities for the banks, such as increased sales, finding new business models and applications as well as refined customer offerings. Fortinet can help improve user-friendliness and at the same time secure the bank’s brand reputation by reducing the risk of cyber-attacks, says Ricardo Ferreira.

Read more about the driving forces in the market that are affecting banks right now, and how an improved infrastructure for cyber security can strengthen your competitiveness, in this e-book.

 

About Fortinet

According to Gartner, Fortinet is a leading provider of cybersecurity solutions and enables companies to build secure digital infrastructure and be at the forefront of their digitalization journey. The Fortinet Security Fabric platform provides broad, integrated, and automated protection for the entire digital attack surface, by securing critical devices, data, applications, and connections from the data center to the cloud as well as to the home office.

*This article was contributed by Lars Berggren of Fortinet.