What are the tenets of proper cybersecurity today?

Cyberattacks have mushroomed throughout the COVID pandemic. Were the cybersecurity strategies deployed by organizations effective?

Quite recently, a panel of experts sat down to find out. It consisted of Vicente Diaz, threat intelligence strategist at Google’s VirusTotal, Manuel Garcia-Cervignon, strategic security portfolio at Nestle, and Leonie Lewis, GSMA senior T-ISAC Manager.

Diaz revealed that the roots of our current cyber crisis began in 2015 when state-sponsored cyberattacks began to grow and become more commonplace. He revealed that these programs, often backed by budgets running into many millions of dollars, resulted in malware applications being developed to allow governments to attack victims over the next ten years.

“In 2015 we saw very advanced malware attack governments and institutions,” he said. “Fast forward to now and you don’t see such attacks anymore, but this doesn’t mean that those attacks aren’t there, they’re just hidden and not publicized as much.”

Profitable model

He went on to say that criminals quickly cottoned on to the fact that malware and ransomware provide a highly profitable business model, especially as cryptocurrency allows them to access the ransom without having to go via a traditional bank. This has helped to professionalize the sector, and we should no longer think of cybercriminals as individuals operating out of their basements and instead think of them as highly sophisticated organizations. Indeed, many are recruiting experts who may not even realize that they’re working for criminal gangs.

Lewis argued that GDPR has also played a big part: whereas previously organizations might have been able to keep any attacks they suffered hidden, this is no longer possible under the GDPR regulations. Despite this, there remains a reluctance to talk openly about cyberattacks, which she believes hinders the economy in tackling the cyber threat, as there is too little exposure to the kinds of attacks taking place and to how organizations are striving to tackle them.

Garcia-Cervignon concurred and suggested that organizations need to go beyond the kind of cybersecurity training that is currently performed in organizations today. At the heart of this change is a greater awareness and appreciation of cybersecurity at the board level so that programs have both a strategic priority and also the requisite budget to adequately tackle the threat. Given the scale of the challenge, cybersecurity is increasingly being seen as a strategic imperative as it can erode any competitive advantage a firm may have.

A strategic priority

Obtaining this level of priority is, in some ways, helped by the sheer volume of ransomware attacks organizations have experienced in the past two years. Despite this, however, Diaz also believes that there needs to be a culture of openness around cybersecurity, as attacks are best resolved when they are identified quickly. He suggests that employees can sometimes feel cowed into covering up cyberattacks, as though succumbing to an attack were a sign of their inadequacy, or because they fear being blamed in some way. This culture needs to change so that employees feel open and confident enough to report any possible vulnerabilities as quickly as possible.

This cultural change could also help to unify the IT and security departments with the rest of the organization rather than the “us and them” mindset that can so often dominate. Lewis believes that information sharing is crucial to successful cybersecurity, and this doesn’t just mean top-down communication from the security teams but also bottom-up communication from non-specialists.

“Good cybersecurity doesn’t just result from actions taken in security teams, and indeed, often begins from the front line from non-specialists who are able to report threats as they emerge,” she explains. “This is especially important in terms of rapid reporting and detection of potential breaches.”

Remote working has made this flow of information that much harder, however, as it has weakened the ties people have with their employers. Garcia-Cervignon argued that cybersecurity needs employees to have good job-embeddedness so that they care about the wellbeing of their employer and are therefore willing to step up and report any issues they encounter or possible breaches they have been privy to.

Attracting the talent

The panel also highlighted the widely documented shortage of cybersecurity talent across the economy, and Garcia-Cervignon revealed that many firms are relying too heavily on third parties to ensure their systems are secure. He believes that companies need to be careful which third-party firms they partner with so that trusted relationships can be established, especially if the organization operates in a sector with high regulatory and compliance requirements.

Doing this successfully is crucial, however, not least as the panel did not think that law enforcement agencies will be able to offer organizations a great deal of assistance, with the current emphasis on companies fending for themselves likely to continue in the coming years.

“You need to arm yourself with experts, both internally and in terms of partners you’re working with in the security space,” Lewis explained. “This also extends to the team that you’re sharing information with across your community and supply chain so that you can build a protective ecosystem.”

While the panel offered no silver bullets for protecting oneself from cyberattacks, they nonetheless believe that the very fact that these conversations are happening is a positive sign in terms of coming to terms with an increasingly brazen and creative criminal fraternity. If lessons can be learned and organizations become more resilient, then it at least means that the last few years have not gone to waste.