Cybersecurity “Dojo”

cyber-GEIGER

Solution for small businesses to protect themselves against cyber threats

SMEs and micro-enterprises are increasingly “going digital”. This also increases the likelihood of incidents due to negligence or malicious attacks. It’s crucial that these small businesses are aware of their risks related to data protection, privacy, and cybersecurity, and get help in reducing them. There are plenty of solutions available, but they don’t match the needs of small businesses with no expertise in digital technologies or resources to invest in costly and complicated solutions.

GEIGER, an EU-funded Horizon 2020 innovation project, aims to close this gap. The project is developing a “Geiger counter” for cybersecurity, which dynamically shows the level of current risks for the company, and allows the user to take simple measures to lower the risk exposure significantly. GEIGER is also building an ecosystem of competent individuals and organizations that offer help, by collaborating with schools and partners to develop a standardized learning program, the “Certified Security Defenders”.

 Cybersecurity | Prevention vs Detection

Did you know that the first digital computer was developed in 1943? Just a few years later, people were already speculating that computer programs could reproduce. By the late 1950s, protocols that allowed telecommunications engineers to work remotely on the network could be hijacked to avoid long-distance tolls and make free of charge calls. And yet …

We started talking about cybercrime and cybersecurity much later

We could even say that the interest in this field has increased since the 2000s and has intensified considerably in the last 5 years, in close relation with technological development and with the increase in the number of threats, risks and cyber attacks. Of course, the two concepts have been debated long before the internet even existed. But at that time, only a small group of people could do it because only they had access to new technologies. For the same reasons, the number of cyber criminals was almost insignificant.

The whole phenomenon of accelerated digitisation, the scale and complexity that the technological field has achieved, all of these led to equally matching cyber attacks. We cannot talk about accelerated digitisation without talking about its consequences: cybercrime. Every business should be conducted within normal parameters in the digital environment, without financial or data loss or any other damage. In order to effectively combat attacks and keep them at bay, we need to consider a number of best practices and implement a basic level of cyber security.

The advantages of a beneficial legislative context

The European Union is already highlighting the importance of building a minimum cyber security baseline at industry level. In this respect, we bring up the NIS Directive for the security of networks and information systems. To further strengthen countries’ resilience to cyber attacks, discussions are already underway for a new directive, NIS 2.0, with a much broader scope.

Romania is gradually adhering to the Union’s recommendations on cyber security solutions by implementing the NIS Directive through Law 362/2018. These apply to essential service operators in 7 industry sectors (energy, transportation, banking, finance, health, drinking water, digital infrastructure) and to digital service providers operating in the following three categories: online marketplaces, online search engines and cloud computing services. Among others, the Directive set out concrete measures and requirements for effective security assurance. Moreover, it offers guidelines on notifying incidents to the national authority, for training public, private and sectoral incident response teams and, of course, rules for industry training. Failure to comply with the legal requirements can lead to fines of up to 5% of turnover for essential service operators and digital service providers.

In this context, we can also bring up the introduction of the Payment Card Industry Data Security Standard (PCI DSS), which is mandatory for card payment processing organisations. Also in 2018, the Financial Supervisory Authority published a regulation requiring insurance companies to conduct regular testing (the so-called penetration tests) through which they can uncover vulnerabilities and flaws in their infrastructures, applications or operating systems. Thus, they can confirm that they are applying appropriate security measures. In May 2018, the General Data Protection Regulation (GDPR) also came into force, ensuring the management and protection of data collected from customers, users and visitors.

Last but not least, starting this year, Bucharest will host the new European Cyber Security Centre, which will improve the coordination of cyber security research and innovation in the EU. It will also be the EU’s main instrument for facilitating investment in cyber security research, technology and industrial development.

Recommendations for building resilience to cyber attacks

Usually, companies all over the world tend to adopt a “security by obscurity” attitude and thus act reactively, only when a cyber attack is detected. Thus, even after a potential recovery, they take big risks, such as data corruption, financial loss and reputational damage in front of clients and partners. What’s more, there are fines for such problems, as required by the regulations in force.

Building true resilience to cybercrime also requires a preventive attitude. This involves putting in place basic cybersecurity processes at organisational level, which are often more time and cost effective. In this regard, we recall the early detection of system vulnerabilities in order to address them before a possible attack that would lead to a series of much more serious losses. We can add here developing a security incident response strategy and training the internal staff, including the security team, to properly respond to attacks.

The way we choose to respond to a challenge determines our success. It’s a perfectly valid principle in cybersecurity, too. An incident response strategy is therefore based on both prevention and detection. Moreover, we are talking about a long-term, marathon-like approach. A cyber attack can happen at any time – in 2019, for example, Microsoft reported that they were facing over 300 million fraudulent attempts to connect to their cloud services every day.

Moreover, when we talk about technical teams in companies, we can refer to IT systems administration teams, software development and/or security teams. It is vital to provide them with opportunities that allow them to constantly train on infrastructures and systems in order to face potential challenges and threats in the market, with tools and techniques that have an immediate applicability. An example of such a virtual practice arena is CyberEDU, which combines scenarios inspired by everyday activity with concepts and methodologies aligned to industry standards.

Going further, in order to cover the level of awareness across the organisation and, more importantly, to ensure compliance with GDPR and/or NIS rules, it is recommended that organisations undergo a series of specialised training at least once a year. After the training, a series of simulated and controlled attacks will also be launched, whenever needed or desired, to test the acquired knowledge. Thus, the organization can cover the basics of cybersecurity through theoretical and practical resources that later help employees to properly identify and report such attacks. Subsequently, it will be much easier for the organization to stop the attack, determine the severity of the incident, notify potential stakeholders about the attack, and implement preventive measures for future security incidents. You can read more about this topic on the Bit Sentinel blog.

Resilience to cyber-attacks develops based on a combination of factors. This includes a legislative framework that prioritises the fight against cybercrime. This is complemented by the cooperation of the private sector, which provides all the necessary means for employees to effectively support the incident response strategy.

 

 The Need for Cybersecurity Education

If you’re reading this article, chances are that you accessed it from your phone. That wouldn’t be unusual: in 2020, around 68% of website visits came from mobile devices, a 5% increase from the previous year. This situation is just a simple, everyday example of how fast digital transformation is happening. A phenomenon that started more than 30 years ago is only recently becoming more easily observable and widely analyzed.

Digitalization is also about people

The social distancing rules imposed as a result of the pandemic have accelerated, if not forced, the digitalization process even further. Working from home, the use of social platforms and new applications, equipment or infrastructure services have highlighted our need for technological solutions. In turn, companies have focused on automation solutions and upgrading with new capabilities. The number of digital users has grown.ore and more data has moved to digital environments – and here we refer specifically to the transfer of data to cloud solutions.

But digitalization is not just about systems and infrastructures. Digitalization is also about people. They are the ones who use them and who need to be aware of both the benefits they can enjoy and the risks they are exposed to. Lack of digital experience unfortunately leaves the door open to cybercrime. It only takes a simple internet connection to become a potential target for an attacker. Thus, the human factor is the primary cause of security breaches.

Cyber attacks in Romania

Compared to other European countries, Romania has a much harder time adapting to technological processes. There is also still a tendency to think that cyber-attacks only target reputable individuals or large, global companies. Thus, there are too few prevention, detection or response measures taken against such incidents. According to a recent study, Romania ranks last in Europe in terms of cyber security.

In recent years, various business sectors have been targeted by cyber attacks. Probably the most broadcast have been ransomware attacks on healthcare institutions across the country. With ransomware, the cybercriminal encrypts data on a network and demands huge sums of money as ransom from the victim to have their data unblocked. The most recent is the case of the Witting Hospital, which in July 2021 fell victim to an attack with the ransomware application known as Phobos. This program has also been used in similar attacks that took place in 2019 on four hospitals. Even though we are talking about a ransomware application with a medium level of complexity, the Phobos attack was successful due to the lack of antivirus solutions. This series of attacks has thus highlighted the low level of cybersecurity within the healthcare system and the need to implement security measures and policies.

A few months later, the Faculty of Electronics of the University POLITEHNICA of Bucharest was targeted by cyber attackers. They extracted lists and some personal user data from the platform that provides the interface between students and the secretariat. Representatives of the faculty said they have faced numerous attacks over the years. This is the first one that was successful, as the targeted platform used an older interface function.

The banking sector is also a popular target for attacks, especially phishing attacks. With these, attackers use the image of a legitimate institution to gain (via email, SMS, social media or even phone calls) access to customers’ personal data and subsequently to their financial resources. A recent example is provided by ING Bank. In this case, the attackers sent SMS messages that appeared legitimate to the bank’s customers. However, they asked for personal data to be updated via SMS, an unusual practice for ING. Phishing attacks are also very common on marketplace platforms such as OLX or Publi24, where communication is mainly via email or direct messages.

Unfortunately, these are just a few examples. The real number of cyber attacks in Romania is much higher. In 2021, CyberInt identified over 16,000 attacks with the most popular ransomware application alone – Locky. Also, in 2020, working from home has favored the perpetuation of phishing attacks. As a recent study by Orange Romania shows, these totaled 32% of all monitored attacks. According to the same study, most cyber threats (29%) were critical. At the same time, Bucharest, Iasi and Timisoara are the most targeted cities by cyber criminals. Last but not least, Orange’s series of real-time reports consistently show at least 100,000 security incidents in the last 7 days monitored.

Awareness – a vital step in stopping cyber attacks

The above-mentioned examples show very clearly that cyber attacks can be launched against public and private institutions or even individuals and companies alike. Therefore, prevention in this area is not only the responsibility of internal IT teams or specialized teams, but also our own responsibility as digital users.

In order to best fulfil this responsibility, various organizations in the public environment have launched or support awareness campaigns. For example, October is European Cyber Security Month, an annual campaign coordinated by the European Union Agency for Cyber Security (ENISA). This year, it addresses, among both citizens and organizations, security issues related to the digitalization of everyday life, which has been accelerated by the COVID-19 pandemic. Another campaign is SiguranțaOnline, launched by the Romanian Police, the National Cyber Security Directorate (DNSC) and the Romanian Association of Banks (ARB) to inform citizens to protect themselves against online fraud.

Cybersecurity education – a must-have for companies

Any massive change in society, such as digital transformation, especially when it is generated by a crisis like the pandemic, favors the activity of cyber criminals. In such situations, they will take advantage of any vulnerability, including users’ lack of knowledge and training. 

We mentioned earlier that the work-from-home phenomenon of late has meant that phishing attacks in particular, and cyber risks in general, have increased. Now more than ever, organizations’ infrastructure is exposed to threats because the perimeter of activity has expanded. But just as the human factor is the main cause of security breaches, it may also be the best line of defense in the incident response strategy any company should develop.

To achieve this goal, every company’s human resource should be trained on multiple levels to create a strong cybersecurity culture. In other words, every employee should:

  • understand what the real impact of a cyber-attack on the company might be and what damage it can actually cause;
  • accept that they themselves play an important role in any cyber criminal’s plan of attack and that they are responsible for any consequences that occur as a result of an attack;
  • know the rules for using the infrastructures, systems, platforms and devices provided by the company;
  • become familiar at a theoretical level with the different types of cyber attacks that can occur;
  • know how to identify and report a potential attack to qualified personnel.

To ensure results, cybersecurity awareness must be supported by constant communication between the employee and the company. This can include internal information campaigns on cyber news. However, they will only be effective if they are supported by regular training sessions, starting from fundamental to more advanced or up-to-date topics. It is also useful that any theoretical concepts learned are put into practice through regular testing of employees.

And to ensure long-term results, all these activities should be seen as core and mandatory throughout the employment period, not optional. Just as occupational health is carried out annually, the company should also ensure that there is a cyber security hygiene in place, checked regularly.

There are various platforms offering access to courses and practical resources alike that companies can use in these sessions. One such platform, for example, is PhishEnterprise. It focuses mainly on educating employees to identify phishing attacks – which are the most common. In addition to theoretical resources that explain various basic concepts about phishing and other social engineering tactics, the platform can also be used for hands-on exercises that simulate such tactics to give employees a real-life experience.

The role that each of us inadvertently plays in cybercrime strategies is extremely important. It is not enough to simply rely on the latest and most powerful systems or tools that could guarantee our data security online. It is our duty as digital users to be aware of the risks we are exposed to on a daily basis by simply connecting to the internet. And our awareness is the result of a continuous process of education, started with the sole purpose of developing a proper and healthy cyber security culture.

The next series is coming soon! Stay tuned!