WhatsApp fraud, phishing emails; it seems like cyber attacks have been the order of the day since the outbreak of the coronavirus. That is why effective cyber security is a must for organisations nowadays. When is an organisation resilient to cyber attacks? And what can supervisory directors do to monitor cyber risk management in the organisation?
Sandra Konings, Partner at BDO, leads the firm’s cybersecurity practice. She has over 20 years’ experience in this area, is the initiator of the Cyber Resilience Center Brainport (CW Brainport) and is closely involved in Rotterdam Port Cyber Resilience (FERM).
Confidentiality, reliability and availability
Cybersecurity is often associated with IT, but the term has broader connotations. Sandra Konings: ‘Cybersecurity is basically a synonym for information security, which includes elements such as confidentiality, reliability and availability of information. This is about dealing with privacy-sensitive information from customers, suppliers or employees, as well as strategic plans or intellectual property. It’s imperative that all this confidential information doesn’t fall into the wrong hands. At the same time, you want to be sure it’s reliable: the information has to be correct and up-to-date. A third aspect is information availability. It must be accessible to you whenever you need it.’
Threats: from state actors to script kiddies
Is it true that the threat of cybercrime has increased since the onset of the coronavirus crisis? ‘We are seeing an increase in attacks, but we don’t know whether they would’ve taken place without the public health crisis. In the past, we would see a rise in the number of cyberattacks during rained-out school breaks as well. When people get bored, they find something to do. That’s when so-called script kiddies or activists come out of the woodwork and apply themselves to learning how to commit a cyberattack. It’s not all that hard and the software you need to commit an attack is easy to find on the internet.’
Sandra Konings believes that the current global unrest poses the largest threat: ‘Intellectual property is of major economic importance. What we can see is that, in turbulent times, organisations are more prone to attacks. State actors with money and resources will go to great lengths to gain access to vital economic or safety information. The Netherlands, for instance, has a lot of expertise in high-tech and seed technology. Governments of countries looking to surpass that expertise may be prepared to go all-out to get their hands on the relevant information. China’s interest in COVID-19 research is a recent example of this.’
The current economic situation also poses a threat: ‘The recession may cause employees to become disgruntled because they’re in danger of losing their jobs or having to accept lower pay since their employer is in financial trouble. They may decide attack the organisation from the inside . Now that people are working from home more, there’s the additional threat of them using their own private devices. Are these secure enough? Their attention may also be slipping. While they would normally have recognised a phishing email, they might not now because they’re distracted by children playing in the room they’re working in. They might even accidentally click on a suspicious link.’
The risks an organisation or company incurs vary from case to case. ‘In an office setting, nearly every organisation uses Microsoft and Google. While updates and patches are continuously being issued for these programs, new vulnerabilities are discovered all the time. And there are always organisations that are not very vigilant about implementing updates. It’s really easy for criminals to exploit a single vulnerability and infect many systems all over the world. That will give them the opportunity to hack into several systems and make money, for instance by holding a company to ransom.’
In an industrial setting, things are a little different. Sandra Konings: ‘There are many different standards in an industrial environment. Not everything is connected to the internet in a production setting. This makes it harder for criminals to hack into a system. And once they have, the question is whether they’ve hit their target. That said, when they’ve hacked into the right operating system, they’ll most likely be able to do some damage. Companies run less frequent updates on their production systems these tend to cause production interruptions. As a result, their systems may still suffer from vulnerabilities that were identified three years ago.’
The consequences of a cyberattack can be catastrophic, both in office and industrial settings. ‘A business interruption is never a good thing, whether it happens in an office, a logistics chain or a production line. As well as being harmful to an organisation’s reputation or image, it may even cause a business to fail. People working in a plant may get hurt or worse if robots suddenly stop working or readings of harmful substances are off.’
Boost your resilience
It has been argued that 100% security is a pipe dream. What does Sandra Konings think? ‘It’s true that 100% protection is impossible. New system vulnerabilities are discovered constantly and in production settings updates are not implemented frequently. It’s important to remember that being a victim of a cyberattack is nothing to be ashamed about, whether the attack happened deliberately or accidentally, for instance if your computer has become infected by chance. What you can do is protect your office and production systems as much as possible and limit the impact if an attack occurs. As an organisation, you need to be resilient.’
So what can organisations do in concrete terms? ‘Run every single system update and keep up with the standards. Protect the industrial environment properly against outside attacks. Structure the IT and OT environments such that you can respond quickly to new threats. Dictate to your suppliers how you want them to handle your intellectual property and prevent you from receiving infected software (e.g. in semi-finished products). Also, train your staff on appropriate behaviour and teach them how to recognise phishing emails and other malware.’
But there are other things you can do as well to build or strengthen your resilience and limit the consequences of an incident. ‘You could consider installing threat-detecting sensors in systems. Additional you could make arrangements with suppliers about alternative deliveries, include cybersecurity in the organisation’s crisis management plan and create a company hotline allowing employees to report any suspicious activity. Remember that your organisation’s crown jewels, such as your strategic plans, customer or employee data and your intellectual property, deserve special protection.’
Strengthening your own resilience works best if you team up with others: ‘You can’t do this on your own. That’s why you should share your knowledge with other organisations and learn from their experiences. In the Netherlands, there are cybersecurity partnerships for nearly every sector and region, such as CW Brainport for the high-tech industry and FERM for the Rotterdam port area. Within a value chain, an attack on one company can have major implications for other companies in the chain. That’s why I urge organisations to join a cybersecurity partnership initiatives. There’s no need to reinvent the wheel.’
Cybersecurity is not just about IT
It is important for a supervisory director to know about an organisation’s cybersecurity risks. ‘Educate yourself about threats in the sector and ask your own organisation about its resilience level. Also look into threat scenarios. If the list of threats doesn’t change, you’re missing something. The nature of threats is that they’re changing all the time. I often come across organisations that have classified cyberthreats as threats purely related to IT. However, you need to understand that it’s also about the production setting and that culture and employee behavior are key aspects as well. Cybersecurity is definitely not just about IT!’
When asking questions about their organisation’s cybersecurity, supervisory directors can rely on the input of the Dutch Cyber Security Council, which has put together guidelines for executives and a convenient checklist. Sandra Konings: ‘I recommend that supervisory directors use the checklist when asking their executive counterparts questions about cybersecurity. A supervisory director should also check whether the organisation has joined a cybersecurity partnership. As soon as there’s talk of a generic approach, they should know that cyber risks have not been addressed properly. Every organisation is different, so there’s no one-size-fits-all approach to effective information security.’
Please do not hesitate to contact our specialists, if you have any questions about this article or require more information.
Read more BDO Insights