Cybersecurity has been a growing concern for a long time now. Yet the prominent cyberattacks that took place in 2020 showed that cybersecurity is no longer just a technical issue that can be sorted out by an IT department alone. Cyber risks must be treated as serious business risks. The examples are striking, such as the massive cyberattack on the monitoring software provider SolarWinds. The attack affected not only the company itself, but also spread to its clients: Microsoft, Cisco, Deloitte and the US Department of Homeland Security, among others. Not surprisingly, in the first days of 2021 the media revealed that the SolarWinds attackers had gained access to the source code for Microsoft products, which is the type of knowledge that can be used to stage novel attacks.
We have identified five fields of action that all organizations should focus on in 2021.
1/ Raise awareness about the risks
Companies must understand that cyber threats are real and imminent. Not only do they severely impact the business concerned; they also adversely affect partner companies and clients. The SolarWinds attack alone affected 18,000 of its clients. Cyber-attacks have become a very lucrative source of income for organized crime, which is actively seeking ways to increase the efficiency of its operations. 2021 will be marked by new, more elaborate attacks. Organized cybercrime will systematically strike weak spots, where it can cause maximum damage at minimum cost and risk. This is why a full understanding of its own cyber risks is essential for every company to function effectively, regardless of its size or type of business.
2/ Expect the unexpected
Be aware that as companies learn to neutralize phishing attacks and malware like Emotet and Trickbot, attackers will invent novel tools. 2021 will see innovative attacks, and there is a good chance that old ones such as DoS (denial-of-service) will be revived. According to public sources, in 2020 alone cyber-criminals received an estimated 25bn USD in ransom.
3/ Know your weak spots
In 2021, cyber-attacks will target more than just data. Security loopholes such as “Amnesia:33” remain unpatched in smart devices, leading to safety hazards and unknown business risks in building automation, smart logistics, industrial production and similar areas. The Internet of Things brings cyber threats to the real world — while traditional cyber defense still focuses on data only.
4/ Invest wisely in building your shield
Recovery from an APT (advanced persistent threat) is cost-intensive and time-consuming. Attackers do not discriminate between primary and secondary targets. A company’s size, location or business model does not give it immunity against cyber-attacks. IT systems remain compromised for months without anyone noticing, causing cancer-like damage. For example, the already mentioned attack on SolarWinds went undetected for more than 9 months. This is why companies must have a clear plan for how to protect their business. Smart investment in intelligent cyber shield software pays off.
5/ Get serious about IT compliance
IT compliance violations must be treated as serious violations. TISAX, currently being introduced in the automotive supply chain, is a good example of a tool for creating a binding framework for cyber security. Other industries should consider following that route. Companies must seriously consider introducing a common benchmark for cyber security. Those who do not comply with the defined standards must run the risk of being held accountable for damages.
Some concepts and terms explained
· APT: An Advanced Persistent Threat is a piece of software hidden in the victim’s computer that allows the attacker to remotely control the system on demand. Typically, APTs are only discovered months after the initial compromise.
· Emotet, Trickbot: Popular software tools used by ransomware gangs. End users are tricked into accidentally executing the software that then starts to sabotage the digital infrastructure of the victim. High amounts of ransom are demanded for the restoration of the initial state.
· Amnesia:33: A programming error in a network component that is used by various device manufacturers. The error allows a hacker to remotely control the affected product. The problem can only be fixed by a software update provided by the vendor. However, several vendors have already refused to fix the error, leaving the affected systems vulnerable.
· TISAX: TISAX is an international best-practice framework for cyber security for the automotive supply chain. Based on the current ISO standard, it includes a process for auditing and a clearing house for audit results.