Cybercrime has become a highly professional, highly lucrative industry. All companies, without exception, are strongly advised to invest in their cyber defenses, to ramp these up, and to continuously optimize them.
Barely a day goes by without a company hitting the headlines for falling victim to a cyberattack. The commercial damage caused by hacked data, and the associated reputational damage, is usually immense. Understandably, the number of cases that go unreported is extremely high: because of the potential implications, companies are generally not forthcoming in admitting that their systems and data have been encrypted by ransomware and that they’ve been blackmailed into paying a ransom to be able to use them again.
Cybercrime has become a powerful, highly professional industry that is organized on the basis of globalized value chains with a very clear division of labor:
- Cyberattack service providers provide highly specific features and components, including guaranteed success rates, SLAs, discount models, etc.
- Hackers assemble the necessary components for the desired purpose in a modular manner and configure these as required.
- Following a successful attack, the profits are shared, often on a commission basis. The profits made are invested in further developing the respective components, their user-friendliness and configurability, automating the attacks carried out with them, and, of course, in providing new services and detecting and exploiting new avenues of attack.
Knowledge of security weaknesses in hardware and software is usually offered on the black market. You “buy” a vulnerability, whereby the purchase price depends on the quality of the security weakness and associated damage or profit potential.
A whole host of attacks and tools have already achieved dubious worldwide fame (e.g. Stuxnet, WannaCry, Robin Hood, SolarWinds hack, Kaseya VSA attack).
National military interests or intelligence activities are often the target of attacks. However, the majority of attacks are clearly targeted at economic gain. In addition to large corporations, SMEs are increasingly becoming easy prey, and thereby lucrative sources of income for cyberthieves. Virtually any system can be hacked – it’s just a matter of effort.
So, the better protected systems are, the greater the effort the hacker needs to make, and consequently the less interesting the target. This in turn makes it more likely that the hacker will turn their efforts to other, more poorly protected, more rewarding, and therefore more attractive targets.
Why is cybercrime (seemingly) so successful?
As already mentioned, hardware and, in particular, software are prone to architectural and technical vulnerabilities that can be exploited.
In many cases, however, attacks succeed because companies tend to be very careless when it comes to their systems, both in system configuration and administration (e.g. original/default passwords are never changed) and in their negligent handling of system maintenance and patch management: Updates for closing identified security gaps – rapidly developed and made available by the relevant manufacturers in the event of an incident – are not installed by users until some considerable time later, if at all, often with excuses such as “we haven’t changed anything anyhow”.
Many like to bury their heads in the sand (“we’re not an interesting target”) in the hope they won’t get caught out, or lull themselves into a false sense of security (“we’ve never been hacked before”).
And last but not least is the human factor, which should not be underestimated: In addition to employee laziness and carelessness (in handling documents and passwords and passing on information, for example), professionally conducted social engineering is fertile ground for cybercriminals. Analyses of attacks carried out often reveal just how alarmingly easy it is for hackers to obtain sensitive information.
Defense against cyberattacks – a hopeless endeavor?
At first glance, it would seem that the potential victim is in an impossible situation, with nothing in their favor:
- All a hacker has to do, for example, is find just one matching vulnerability – the defender has to eliminate all potential weaknesses and protect against a wide variety of attack vectors.
- The hacker can strike at any time, including at the most inconvenient time for the defender (e.g. at night or at the weekend or when they’re on vacation or standing in for someone else) – the defender must be able to act at any time.
- For the hacker, one successful attack is usually enough – for the defender, one successful attack is one attack too many.
- In the defender’s favor is the fact that there’s support at hand, in the form of some first-rate, very good, target-oriented, practicable standards, norms, tools, etc.
- They can gradually build up and constantly test and perfect their defenses, thereby making it increasingly difficult for hackers to succeed.
- The defender usually has enough time to identify vulnerabilities and prepare for potential attacks.
- A further advantage: Putting the right measures in the right place quickly puts you at a major security advantage.
Cybercrime as an operational risk
Cyberattacks are now one of the greatest threats to companies, including SMEs. On a positive note: In most companies, the management team is highly aware of cybersecurity as an operational risk. The traditional approach of waiting for a security incident to happen before obtaining approval of necessary improvement measures has long since ceased to be appropriate. Goal-oriented action is what is needed; the main thing is THAT you do it!
One of the key questions to ask in relation to cybercrime is: “How long can you or your organization realistically manage without a functioning IT system?”
The answer to this can be provided through a clean risk analysis, which assesses the company’s assets, potential threats, and necessary protection requirements and breaks these down transparently – often with surprising results! The aim of minimizing the risk based on this analysis is to achieve an optimum balance, from an economic perspective, between an appropriate level of protection and the costs and investments this is likely to entail.
The good news is that acting in a security-conscious manner and putting basic measures in place go a long way to fending off a substantial proportion of attacks. Retrospective analyses of successful cyberattacks show that the vulnerabilities exploited were often ones that people were perfectly well aware of and that would have been easy to close. In particular when it comes to preventing and defending against cyberattacks, significant successes can be achieved very quickly by applying the Pareto principle (80% of the results are achieved with 20% of the total effort; the remaining 20% of the results require a disproportionately large amount of work, namely 80% of the total effort) to prioritize and select the most fundamental security mechanisms with the greatest benefit in each case.
How can you best protect yourself? What exactly do you need to do?
The first step is to analyze the current situation (Act2Perform© can be very helpful here) using detailed test catalogs, e.g. ISMS standards, ISO 2700x, ISO 27005, ISO 31010, the IT baseline protection approach from the German Federal Office for Information Security, as well as the Austrian Information Security Handbook and/or Austrian Federal Economic Chamber’s IT Security Guidelines. Such catalogs are also used for funded data & IT security surveys, for example, and are also useful for DSG (national data protection act) and GDPR-related issues.
The key areas for action are derived from these findings, on the basis of fundamental IT strategic considerations and corresponding risk management. The consistent implementation of the resulting technical organizational measures (TOMs) forms the backbone of your cyber defense measures.
The scope of the approach is broad, ranging from infrastructure, operations, maintenance, network security, endpoint management, and authorizations through to personnel deployment.
Focus areas include:
- Protection of the (critical) infrastructure, implementation of target-oriented access and authorization concepts. Of course, the measures taken must work together with and complement existing infrastructure protection measures, e.g. UPS/emergency power supply, data connections, air-conditioning, alternative sites, key management, and supervisory duties for access controls.
- In the event of an incident, smart security concepts and emergency provisions, powerful backup, and disaster recovery mechanisms must kick in, which are also continually tested and perfected during the company’s operations. Crisis management and contingency planning (incl. GDPR-relevant reporting requirements!) are, of course, also part and parcel of this.
- Regular system maintenance, continuous patch management (in particular for identified security gaps!).
- This also includes availability and dimensioning of components, monitoring, and alerts in the event of an attack
- Controlled procurement of software and stringent demand processes
- Deployment of (external) personnel, handling personnel changes
- Authorization concepts, incl. revocation(!) of authorizations on a “need to know/least privilege” basis, password management (particularly critical: reset process!)
- Classification of documents, disposal of documents, data and data carriers, handling of removable media, USB sticks, etc.
- Encryption of workstations, data encryption, clear desk/screen policies
- Remote access security (home office!), multi-factor authentication, handling failed login attempts
- Network segmentation, firewall configuration, use of secure protocols, use of VPN, layered defense/filter mechanisms, hardening of relevant systems, application whitelisting, WLAN security, technical virus protection, anti-malware concept, etc.
- Regulations and guidelines for employees regarding the use of (personal) devices, use of equipment, and use of end devices, mobile devices, e-mail, etc. Training in the use of tools and exception handling
- Regulations for specific groups of persons such as IT administrators, signing of declarations of commitment
- Informing employees about security awareness and raising awareness about social engineering (a classic gateway!), regular training, handling phishing, CEO fraud, behavior on the Internet and in social media, etc.
- Dealing with security incidents (responsibilities, communication, etc.), proper conduct in the event of an incident
The main activities for protecting against cyberattacks include regular performance of audits/assessments and follow-up assessments in the event of changes (e.g. after the installation of new software versions in the course of maintenance activities, replacement of components), as well as vulnerability scans, penetration tests, and recurring checks of compliance with data protection requirements.
Many of these measures are self-explanatory and usually “obvious anyhow”, but some sometimes need to be looked at in more detail. Since even experts can overlook things through “operational blindness” and are not immune to (careless) mistakes, we highly recommend bringing in external expertise.
To ensure your company doesn’t hit the headlines, ResultONE is the partner for you: ResultONE can – in collaboration with highly specialized partners – perform all the necessary audits and make appropriate recommendations. ResultONE also holds a “Certified Data & IT Security Expert” certificate, which is a prerequisite for the provision of subsidized consultations and provides access to related grants.