Vittorio Massone: Cybersecurity and Covid
The in-depth analysis on cybersecurity in the pandemic months by Vittorio Massone, manager with internationally consolidated experience in telecommunications, media/entertainment, digital, industrial services, government and automotive sectors
For some years there has been a lot of talk about cybersecurity and even more in the last few months of emergency. The destabilization created by the virus and above all the widespread work from home (smart or not) have created the ideal conditions for cyber criminals to increase attacks. A single loophole is sufficient, a single weak point, and this can also be remote, not necessarily central to the system. In addition, the rapid evolution of artificial intelligence has dramatically increased the attackers’ firepower – Google is blocking something like 18 million "malicious" emails per day, especially "phishing" and more than two thirds of these are generated by machines (bots, trolls, etc.) and not by people. This also means that the attacks are random and indiscriminate, thus nobody can feel safe.
The most devastating phenomenon is that of ransomware, where criminals trick people into downloading malicious software ("malware") that encrypts corporate data. They then threaten to block everything unless a ransom ("ransomware") is paid within a certain number of hours in exchange for the decryption key. Obviously payments are in cryptocurrencies. In the most recent version of this crime, the data before being encrypted is copied elsewhere, so that even if the company has perfectly functioning back-up systems (and therefore it can more or less easily switch to the back-up and avoid blocking the company), it must pay anyway not to see their own and customers’ data sold on the market, along with reputational damage, penalties and risks of huge class actions. Finally, the key and access path that criminals have used for the breach is often sold on the black market, for use and consumption by other criminal groups.
Such is the extent of the phenomenon and the severity of potential damage that cybersecurity has become a key issue for CEOs and Boards. This originates the first type of problem, namely a lack of skills and readiness of many companies where key decisions are made. The reference consultants of the "C-suite" are gearing up, but they are not yet credible interlocutors on these issues. The panorama is obviously very different from company to company and from sector to sector, being some companies and some sectors now much more prepared than the average in defending themselves from these attacks. The second problem is related to the search for solutions with pure technological tools. Obviously technology is fundamental, but it is only with a coherent approach to the aspects of People, Processes and Technology that the problem can be addressed.
The human issue is often the most neglected: the employee who clicks on the attachment downloading the malware, and who perhaps then out of fear or ignorance does not raise the alarm to the competent bodies; the administrative employee who receives an email from the CEO (actually a fake but sophisticated message generated through AI) and who bypassing all the procedures and authorizations proceeds to make a payment to a supplier, somewhere, who in reality is a criminal. These phenomena have little to do with technology and much with aspects of corporate culture and awareness. Lately, these "human" approaches have become quite sophisticated, with real persons who, under the guise of a Tech Support from a supplier or a bank, create a relationship of trust with our official, causing him, over the course of maybe weeks, to change parameters, give key information, in fact unwittingly leave the door open to wrongdoers. This, among other things, calls for the need for our suppliers of products and services to be adequately protected, otherwise they could be the weak point exploited for an attack. Although more and more integrated supply chain systems are being adopted, it is not usual for a customer to perform an audit – or even just a survey – on its suppliers.
With AI being used for "deep fakes", this crossing between human behaviour – processes will be even more important: it is already possible to recreate synthetically in a very credible way the voice of a CEO or a CFO – soon also the image, with AR/VR – to instruct an executive to perform certain operations.
Of course, the technological aspects are still fundamental, starting from the architecture of the information systems, the configuration of remote connections, the robustness of identification and access systems, the malware detection and intrusion systems, analysis and continuous-testing systems for possible failure points. Fundamental here is the analysis of the "cyber security debt", as a subset of the technological debt, that is, interventions already identified and considered necessary but which for reasons of allocation of resources and budget are postponed over time. Here are two key considerations: 1) the prioritization of interventions must be made based on risk and potential damage. We cannot defend everything; therefore it is important to make an informed choice – based on business, not technological parameters – of what is most sensitive. 2) An allocation of resources and budget which is appropriate to the risks. These could prove to be highest ROI investments ever made by the company. This issue deserves a doubled consideration in this period of economic and financial crisis as it will be a temptation common to many companies, especially medium-sized ones, but not only, to postpone this type of IT "costs", which in fact fall under "discretionary expenses".
We must be aware that the problem can never be solved 100%, but that one must constantly study, learn and improve in order to be able to stay one step ahead (or at least not too many steps back) compared to criminals. It does not help, from this point of view, that companies understandably are not very willing to do "information sharing" when they are attacked, and to share a post-mortem analysis of what went wrong and how to fix it. The same international collaboration between governments is not as effective as in other fields, which is obviously fundamental as these criminal organizations are often based outside national and European borders.
