Cybersecurity is a hot topic these days. There has been quite a fuss about it.
Just take a look at the past few months and the numbers are quite scary. In Portugal alone, there was recently a cyberattack on one of the main media outlets (which is yet to be fully resolved), followed by a massive attack on Vodafone which caused massive outages in communication and television services. But there’s more. Right after that, one of the major Portuguese clinical testing laboratories, Germano de Sousa, also came under attack.
And this is just a slight overview of what’s been going on in this tiny square of land. Dig a little deeper and we would probably be taken aback by the number of cyberattacks occurring all over the world.
Although the number of occurrences might be astonishing, there are more worrying questions to dwell on, namely: how is this cybersecurity issue impacting businesses? What are companies doing to overcome these cyberattacks? How will this shape the way businesses will operate from now on? Or even, what’s the economic downside or (on the contrary) upside of these new cybersecurity measures?
From the top: understanding the concept of cybersecurity and cyberattack
One prevents the other. The other breaches the one. This is the easy part.
But dig deeper!
Cybersecurity: the mighty guardian
Cybersecurity, as the name implies, is the set of practices and systems meant to protect your technology from multiple threats, such as unauthorized access to information or theft.
According to IBM, “Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Also known as information technology (IT) security, cybersecurity measures are designed to combat threats against networked systems and applications, whether those threats originate from inside or outside of an organization”.
Cisco goes a bit further and explains the concept as “the practice of protecting systems, networks, and programs from digital attacks”, which usually are “aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes”.
Now, on to the concept of cyberattack.
The dark side of a cyberattack
If we’re going for a straight technical definition, we can use the one presented by Cisco, which describes a cyberattack as a “malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network”.
Check Point Software Technologies Ltd. (a US provider of cybersecurity solutions to governments and corporate enterprises globally) also says that “a cyberattack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks. Cybercriminals use a variety of methods to launch a cyberattack, including malware, phishing, ransomware, denial of service, among other methods”.
We could spend long hours dwelling on the definition of both these concepts, but there are more important questions to address. Let’s move on, then!
Cybersecurity: impacting businesses at the core
There’s no denying that cybersecurity is now a hot topic. Mainly because it impacts businesses deeply. Yes, of course, citizens also end up harmed, but for companies, the damages are quite vast.
Just think about it.
Having a strong cybersecurity defence is important to protect all types of data from theft and damage, namely, intellectual property, personally identifiable information (PII), professionals and/or clients’ data, protected health information (PHI), industry or governmental information systems, and so on!
A cybersecurity program is the first and main wall of defence for any organization against attacks and data breaches.
At a time when the daily number of cyberattacks is getting higher by the hour (almost!), there’s no denying that the increasingly sophisticated skills of cyber criminals mean a higher risk for companies, especially when paired with poorly configured cloud services and/or data protection systems.
For companies, the losses resulting from cyberattacks go further than just the data breach itself. There are what we could call more central damages, namely:
1. Economic costs
Meaning: loss of intellectual property or corporate data and, most probably, damage to the information systems. Given that most cyberattacks come with a ransom demand, companies will face economic downsides either way, whether they pay the amount demanded or repair the damaged systems.
2. Regulatory costs
Let’s not forget about the importance that the General Data Protection Regulation (GDPR) has these days. A data breach is probably the ultimate GDPR violation. This means that an organization hit by a cyberattack might face regulatory sanctions and, consequently, fines.
3. Reputational costs
Yes, this might even be one of the main prices (if not the highest) to pay for a cyberattack or cyber-breach.
For a company to be the target of cybercrime means it doesn’t fully protect its digital assets. This also means that – from a consumer’s standpoint or a commercial perspective – there is a loss of trust and, ultimately, a possible loss of consumers or clients (existing and/or future) to competitors which (at least apparently) have a better cybersecurity system in place.
It is often said that it takes time to win a client but only a matter of seconds to lose one. This applies here as well: a single tiny flaw in a cybersecurity system, one that might lead to a data breach, is a nasty outcome for consumers who – increasingly – value strong digital protection.
If anything, both clients and consumers expect more sophisticated cybersecurity measures to prevent any possible damage.
Keep in mind that having a good reputation in the market is extremely valued. So, if companies put that at risk, there will be consequences.
All about regulation
Speaking about cybersecurity these days is a must, especially considering that most businesses have a strong digital presence (whether we’re talking about institutional websites or e-commerce stores).
Everyone is exposed – one way or another – to potential risks. Therefore, legal regulation must take place.
In Portugal, the Portuguese National Cybersecurity Centre is the entity responsible for ensuring digital security, both for public and private organizations. Within the agency’s scope of action, there are several activities (meant for citizens and organizations) aiming to raise awareness and to provide the training needed for adequate and safe use of cyberspace.
The agency also publishes alerts and recommendations, as well as technical guidelines on best practices for safer use of technology. Plus, it is also responsible for defining the national cybersecurity alert level.
The Portuguese National Cybersecurity Centre carries out an effective coordinated response to incidents affecting the cyberspace of national interest. This happens through its internationally accredited CERT.PT service, in close cooperation with multiple competent entities.
On another, very important, note: the agency works under the Legal Regime of Cyberspace Security, which transposes the EU’s NIS Directive (Directive on security of network and information systems). This means that the agency regulates, supervises and provides legal measures to ensure the overall level of cybersecurity.
The NIS Directive states, for instance, that member states must be “appropriately equipped. For example, with a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority”. It also says that member states must cooperate to “support and facilitate strategic cooperation and the exchange of information among the Member States”.
Ultimately, this means that all businesses operating in the member states as essential services (namely: energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure) must take adequate cybersecurity measures and must also notify the relevant national authorities of serious incidents.
The Portuguese National Cybersecurity Centre is also currently creating a certification scheme for Portuguese organizations, guaranteeing that they comply with the European norms to identify, protect against, detect and recover from cyber threats.
To help organizations, the Centre also provides the National Cybersecurity Framework, which is intended to help organizations adopt a “risk-based approach to tackle cyber threats, establishing the foundations for the implementation, on a voluntary basis, of security measures for networks and information systems”.
The document “provides guidance for decision-makers and IT departments” to enable them to fully comply with the regulation in place, whilst contributing to a “better national cybersecurity and, ultimately, to a sustainable economic development”.
Through these measures, businesses must now comply with a series of norms, which – eventually – will help prevent some serious and damaging attacks.
Best practices: a to-do list
There’s no such thing as too much protection when dealing with cybersecurity.
Cybercrime is getting more and more refined. That’s why everyone has to keep their eyes wide open and, preferably, take some protective actions.
At an individual level, there are several actions one can take to prevent some major damage. The Portuguese National Cybersecurity Centre provides a guide with best practices to reinforce cybersecurity. For instance:
- Implement two-factor authentication (for email and/or social media access);
- Secure the wi-fi access (by changing the password and the network name, choosing a secure encryption configuration and creating a separate network for visitors);
- Do not open suspicious links (given that they might deliver malware or lead to phishing pages);
- Make sure your firewall is up!
- Avoid opening emails from unknown senders, and avoid sending confidential/sensitive information by email;
- Create secure email/cloud passwords (the longer the better; at least 12 characters, including alphanumeric and special characters).
These are just a few simple examples of what to do. It might seem quite obvious, but believe it or not, these are some of the most common mistakes, which are ultimately the entry door for hackers. Obviously, companies must undertake further and stronger actions to prevent cyberattacks. But it’s a start.
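The password rule in the list above (at least 12 characters, with alphanumeric and special characters) is easy to turn into an automated check that a sign-up form or account-management tool can enforce. The following is an added example written for this article, not code from the Portuguese National Cybersecurity Centre or any guide it publishes. It implements the article’s stated policy and goes one step further than the page: it also rejects passwords that contain a well-known weak password, using a small constructed deny-list (a real deployment would use a much larger breached-password list). The function names `check_password` and `is_acceptable` are the example’s own.

```python
import re

# Policy from the best-practices list above: at least 12 characters,
# letters and digits (alphanumeric) plus at least one special character.
MIN_LENGTH = 12

# Constructed deny-list of well-known weak passwords (hypothetical sample;
# a real system would load a large breached-password list instead).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def check_password(password: str) -> list:
    """Return a list of human-readable policy violations.

    An empty list means the password satisfies the policy. Each violation is
    reported separately so a user can fix all problems in one go.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "Alphanumeric" is checked as two separate requirements so that a
    # digits-only or letters-only password is rejected with a clear reason.
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")

    # Anything outside letters and digits counts as a special character.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")

    # Added deny-list check: a long password built around "password" is still
    # weak, so the comparison is a case-insensitive substring match.
    lowered = password.lower()
    for weak in COMMON_PASSWORDS:
        if weak in lowered:
            problems.append(f"contains a common password ({weak})")
            break

    return problems


def is_acceptable(password: str) -> bool:
    """True when the password passes every rule in the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, one per failure mode plus one that passes.
    samples = [
        "Tr0ub4dor&3",        # all character classes, but only 11 characters
        "correcthorsebattery",  # long enough, but no digits or specials
        "Password1234!",      # meets the classes, but built on "password"
        "9f#Kq2!vLm7@Rz",     # satisfies the whole policy
    ]
    for sample in samples:
        verdict = check_password(sample) or ["ok"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

The check reports every violated rule rather than stopping at the first one, which is the behaviour users expect from a password form. The deny-list test uses substring matching on purpose: a policy that only counts characters would happily accept `Password1234!`, which is exactly the kind of password attackers guess first.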
Information is money! Security is gold!
We’re living in some dazzling and – at the same time – uncanny times. On one hand, the digital tools and possibilities are immense, with everyone wanting to profit from them. But on the other hand, there’s some suspicion about it, and the increase in cybercrime is not helping.
The truth is: these days information means money. Hackers make money out of cyberattacks. Companies either lose or protect their money, depending on how they deal with this matter. And ultimately, having a strong security system is the key to preventing all the damages that might come out of a cyberattack.
Nowadays, there is almost an industry operating on the dark side of the web, bent on overcoming even the most secure systems in place. So, no surprise that companies like Vodafone Portugal or the Impresa media outlet were hacked. And let’s not forget the governmental institutions around the globe which are constantly being targeted. And even if the attackers sometimes invoke moral values to justify what they do, the outcomes tend to be quite negative.
Given this scenario, it is understandable that there’s so much talk around this subject and, more importantly, such a big investment in it.
Companies want to keep their assets protected as much as possible. The same goes for their clients and so forth. Businesses of all sizes must ensure that cybersecurity is understood among their staff. Meaning: everyone understands the risks and the threats they pose, and knows how to mitigate them.
To do so, it is also important that companies provide regular cybersecurity training and that they have a framework to work with in order to reduce the risk of data leaks or breaches.
But let’s face it. This is a continuous work in progress. Cybercrime is hard to detect and harder to predict (given its evolving nature).
In addition, it’s not always easy for everyone to understand the direct and indirect costs of a cybersecurity breach (even the tiniest).
There’s a long road ahead. But the most important step is taken: everyone is looking now!