It cannot be any more relevant or current to be discussing and looking into cybersecurity issues and concerns, for any type, size or form of organization you may be involved in.
In the last three weeks alone we have seen governmental institutions immobilized by cyber attacks, with hackers demanding, among other things, a ransom to release the organization’s databases. Recent victims of cyber attacks include the Cyprus Land Registry, the University of Cyprus and, just a few days ago, the Open University of Cyprus. On the EU scene, organizations that have had to face cyber security attacks include, among others, the European Parliament, whose official website went down following a sophisticated cyber-attack (in November 2022), moments after the MEPs voted to declare Russia a state sponsor of terrorism. Globally, institutions like MasterCard have reported cyber attacks resulting in data breaches affecting 90k customers in Europe (September 2019), Zoom lost over 500k accounts that were later found on sale on the dark web, and of course Facebook reported a data breach exposing 540 million user records on exposed servers (April 2020).
Recently, Microsoft, together with the International Data Corporation, conducted a survey on the security of technological systems in Central and Eastern Europe. The results showed that the majority of companies are insufficiently protected from cybersecurity threats or do not possess a complete security strategy. According to the European Union Agency for Cybersecurity (ENISA) Threat Landscape 2022 Report on the main cybersecurity incidents in the EU and worldwide, the most targeted sectors for cyberattacks include:
Digital Services – for services such as email, social media platforms and cloud providers;
Government Administration – due to the high financial returns from ransoms paid, which make the public sector one of the most attractive targets for attacks;
Technology Industry – mainly through supply chain attacks that try to compromise the development of software via zero-day exploits and backdoor attacks;
Financial – the number of incidents with financial organizations has spiked and banks are not the only target; and
Healthcare – because of the exposure and liability organizations face when sensitive patient data is attacked.
What are the motives behind an attack?
The primary motives for the majority of cyberattacks are of course financial, while in some cases multiple motives can be identified in a single attack, including espionage, retaliation, political motives and disruption. Some of the assets cybercriminals most desire are trade secrets, state/military classified information, server infrastructure, authentication data and financial data. With the high stakes of exposing healthcare and other sensitive data, which makes entities liable under multiple data protection regulations (in the EU, the GDPR), cybercriminals have started targeting healthcare institutions and professionals, paralyzing healthcare procedures and exposing patients to real-life risk.
How?!
The methods by which cybercriminals compromise or retrieve personal data are often very well camouflaged to resemble genuine requests, e.g. asking users to provide their card details to execute payments or complete sales transactions; this is known as phishing, part of the wider category of social engineering attacks.
Defacement is a malicious attack against a website or a social media profile in which attackers change the appearance of the page, often resembling real-life vandalism.
Ransomware has become a popular weapon in the hands of malicious actors who try to harm governments, businesses and individuals on a daily basis. In such cases, the ransomware victim may suffer economic losses either by paying the ransom demanded or, if they do not comply with the attacker’s demands, by paying the cost of recovering from the loss. Hackers attempt to steal or lock files and data in order to demand financial compensation for releasing them.
Card-skimming schemes have also become a significant threat during the COVID years, due to the massively increased number of online shoppers.
Business email compromise is another growing threat, a result of the vast amount of credentials and personal information being passed around on various applications. How safe is that “Remember Me” button in the end…
Who is DORA?
On the EU regulatory stage, DORA is coming in to help. Applying from 17th January 2025, DORA (the Digital Operational Resilience Act) is a regulation (2022/2554) adopted by the EU Parliament and the Council on digital operational resilience for the financial sector. The entities obliged to conform with its provisions include credit institutions, investment firms, trading venues, crypto-asset service providers, fund managers, credit rating agencies etc. DORA shall also apply to and influence the activity of information and communication technology (ICT) third-party service providers (such as web-hosting platforms, marketing agencies, software services, contractors and consultants – basically anything that is outsourced).
DORA aims to achieve a high level of digital operational resilience for regulated financial entities and as such lays down uniform requirements for the security of the network and information systems supporting the business processes of such entities, including:
(i) ICT risk management;
(ii) reporting of ICT-related incidents, addressing the lack of any mandate for public authorities and corporations to report data breaches and cyber threats; and
(iii) measures for sound management of ICT third-party risk.
What this essentially means is that entities will be required to have in place strong and bulletproof internal governance and control frameworks that ensure effective and prudent management of ICT risk, placing responsibility and liability on the management body of each entity.
By definition, a one-page cybersecurity framework will no longer be adequate for entities to prove preparedness and resilience, and neither will our high-school ICT class A grade be sufficient to prove ICT risk management awareness on the part of senior management body members. Similarly, incident reporting becomes a top priority: ICT-related management processes must have early warning indicators in place, establish procedures to identify, track, log, categorize and classify ICT incidents, and set out plans for incident crisis management, including communication of such incidents to staff, external stakeholders, the media and of course clients (reputational damage control).
DORA leaves little room for deviation. It impacts organizations from both a technical and a contractual perspective. In order to comply with what DORA “needs”, entities and ICT third-party service providers will need to assess the systems they currently use, perform a gap analysis and adjust their contractual arrangements.
Now is the right time to get technology brainiacs and legal brainiacs in the same room.
What’s the rest of the world doing?
Quite a lot, actually. On 9th March 2023 the US announced its National Cybersecurity Strategy, a new framework seeking to protect critical infrastructure, including hospitals and clean energy facilities, from cyberthreats. It also aims to increase collaboration with international coalitions and partnerships to counter threats to the digital ecosystem.
The World Economic Forum is on the same path and is even taking matters a step further. Its Quantum Security initiative is a community of senior executives and experts from business, academia, governments and non-profit organizations at the forefront of promoting the secure adoption of quantum technologies. The initiative responds to the urgent need for attention from enterprise and policy leadership to the key security challenges that arise while realizing the potential of quantum technologies. Its aims are to:
- Identify emerging and distributed security risks
- Improve education and awareness by developing actionable insights and guidelines
- Showcase use cases and determine emerging focus areas for future research, investment and governance
Cyber criminals are making fortunes not just by blackmailing targets with ransomware, but also by selling off their data assets. The perpetrators of cybercrime range from powerful intelligence agencies to teenage hackers. Cybercrime is hard to stop precisely because of its distributed nature.
Without national and global cooperation there is not much that victims can do to defend themselves. Cyber insurance is not only increasingly out of reach for most buyers, but it is potentially making a bad problem even worse.
Awareness, preparedness and resilience may sound like key words from firefighter training, but they fully capture the need for action to safeguard individuals and organizations in terms of cybersecurity protection and safety.