Why are we victims of Cyber-attacks?
The trivial answer is that we do not know how to protect ourselves or do not look as being capable of doing it. This is because cyber-criminals have more offensive resources, than us to prevent and defend ourselves against their attacks.
To counteract the attacks, we need a worldwide investment of 80,000€ / year in cybersecurity and about 825,000 professionals.
To avoid success of attacks like WannaCry, the most profitable investment to protect organizations is training at all levels. Experts recommend start with end users, advising them about the risks of opening suspicious files potentially contaminated with malware (1 new malware is generated every 4 seconds). Then continue with all staff, ending up with the managers, who have to approve the investments and who are criminally liable for the damages that a cyber-attack can cause: a) internally, having to report them to the shareholders and b) externally, notifying in due time to involved clients and suppliers.
However, the most important thing is the training of computer technicians, who must be able to plan, implement, operate and recover protection systems against cyber-attacks, for which it is necessary to start by being able to detect them.
Many European Universities are incorporating cybersecurity subjects to their IT degrees, as well as specific life-long training courses and master degrees, e.g. UPC, URL, ViU, UB, UMU, UC3, URJ, etc. only in Spain. There are also professional associations, like ISACA and ISC2 or private organizations, like Sans Institute or Deloitte, that have world widely recognized cybersecurity trainings and certifications. Many students choose to obtain worldwide-recognized certificates of their knowledge, e.g. those issued by ISACA: CISA (Certified Information Security Auditor) or CSX (Cyber Security Expert). This approach, opens them the opportunity to choose jobs as experts in cybersecurity anywhere in the World.
We do not know the actual reasons that have caused the lack of diligence or interest of the organizations in applying the patches of security of Microsoft during the last months, which has caused that they have been victims of the cyberattack based on WannaCry in 2017. But what is clear is that they have not followed the basic cybersecurity recommendations of all the international expert organizations, amongst them the governmental computer security incident response teams (CSIRT/CERT) (e.g. CCN-CERT, INTECO-CERT, CERT-SI in Spain), and international associations such as APWG and the NCSA, the CERT.EU in European Union or the CERT / CC in the USA. The most frequent answers to this question are based on the lack of personnel specialized in administration tasks of cybersecurity services, or lack of computer resources to automate those processes.
In May 25th 2018, the General Data Protection Regulation (GDPR) entered into force in Europe and moreover, on June 10th of 2018, the European Directive on Networks and Information Security (NIS) as well, increasing the need of even more cybersecurity professionals. The general managers (CEO) and General Secretariat Officers of public administrations should be aware of the new regulations, and will require application and maintenance of compliance with them, and familiarize themselves with concepts such as:
- CISO (Chief Information Security Officer), responsible of coordinating the internal cybersecurity services of the organization and explaining to the management board the possible impacts of cyber-attacks on business processes.
- DPO (Data Protection Officer), to supervise and coordinate measures of personal data protection within the organization, and to warn managers of the risks they may incur if they do not apply the necessary and appropriate measures.
- Cyber-SOC (Cybersecurity Operations Center), to detect possible attacks or leaks of information to / from the organization.
- CSIRT (Cybersecurity Incident Response Team), to coordinate the response to cyber-attacks by internal teams and scale their evolution to both internal management and corporate CERT / CSIRT in the case of multinationals and / or specified government in the national cybersecurity strategy of the corresponding country. In addition, they must collect evidences of the attack, in order to defend the organization against possible complaints and fines, which may be of up to 2% of the organization’s worldwide turnover for each incident (maximum 4% per year).
Awareness and training techniques in cybersecurity tend to mitigate the lack of scalability of traditional methods, and are based on online training. The most modern trends incorporate “serious games” or “gamification” techniques, trying to make the training attractive for all types of students (employees), with the aim of highlighting the achievements made by each employee, improving their satisfaction compared with those of their co-workers. Those awareness programs include recognition of employees’ achievements by the management of the company, with more or less symbolic prizes. An investment of 3,000€ in training can represent a minimum saving of 150 to 200 hours of technician work and productivity lost by affected users per year. An investment of 4,000€ to 8,000€ in training, would have represented a saving of 1,000 to 2,000 hours of lost productivity to any of the company’s victims of the cyber-attacks of Ransomware like WannaCry in 2017.
In September 11th, APWG organizes the Cybersecurity Awareness Summit in Warsaw, to exchange ideas about the best way to implement those awareness campaigns.