Society, and therefore business, is hyperconnected: information technology is used intensively, it is displacing social relations, and it now reaches inside homes and into things (IoT, the Internet of Things). New uses of information and communication technologies (ICT) are also opening up, for example in healthcare, with remotely accessible pacemakers, or in transport, with driverless vehicles.
In addition, each ICT element we incorporate is less a single product with a single party responsible for preventing and correcting failures than an integration of different products from different companies. Outsourced work and, in many cases, remote access for maintenance are added on top of this already complex picture. All of these uses and circumstances increase exposure to attacks from the Internet.
The use of information technology brings risks with it: technological risks ranging from simple errors to criminal attacks.
The news constantly reminds us that security incidents and breaches are becoming more frequent.
COMPANIES AND THEIR APPROACH TO CYBER RISK MANAGEMENT
Faced with this reality and with the need to manage the risks derived from intensive use of ICT, not all companies are addressing security (cybersecurity, in this case). There is not only a lack of strategy in this area, but also a lack of awareness, budget and resources, which puts their survival in the coming years at stake. All of them, whether small, medium or large, have to understand that they need to contract security services, or build those services internally, in order to manage their risks successfully.
Large companies have learned to live with security alerts, attacks and demanding regulations. Alerts about serious vulnerabilities in the products and applications they use have become so frequent that they are no longer exceptional: this year a serious vulnerability has been reported roughly every fifteen days, and some weeks bring two or three. The next attack is already brewing as we speak, and so on every day. Because of their size, leadership, the impact on their operations and the possible damage to their image, these companies have a security organization with resources and budgets that, although generally still insufficient, allow them to maintain an active defence against cyberthreats.
With few exceptions, small and medium enterprises are not adapting to the pace that threats and regulations demand; in most cases their priorities lie elsewhere, and cybersecurity is not among them.
A priori, the size of a company does not determine the level of cybersecurity demanded of it, but it does determine its ability to meet that demand internally.
We say that size does not determine the degree of responsibility for cybersecurity because, for example, there are critical infrastructures operated by small businesses. Likewise, the vast majority of the 4,811,456 files registered with the data protection agency belong to them. This responsibility must be present and must be developed not only out of business conviction but to satisfy the legal requirement.
However, while the size of a company does not determine how much security it has to tackle, it is a strong constraint on whether or not it can have its own security organization.
According to the INE, in Spain around 1,823,000 companies have no employees at all, 1,400,000 have fewer than 20 employees and only 68,000 have more than 20, which makes it difficult for most of them to have even a single person with sufficient knowledge to take responsibility for security. This is why contracting third parties for services that cover "all of security", or hiring part-time specialized services such as a CISO (security officer) as medium-sized companies do, will become more common, just as it is already usual to contract out legal advice or tax management.
What is cybersecurity? Is it a new concept or is it the same as computer security?
Security applied to technology has, over its history, been called first computer security, later information security and now cybersecurity.
This change of name reflects the evolving perception of where the value for the company resides. In each case we can see where the focus lies:
Computer security. What matters: the computer systems.
Information security. What matters: the information (it is the information that holds the real value for the company, not so much the computer that processes it).
Cybersecurity. In addition to the information, there are now two new focuses of attention: people, and keeping operations running.
Critical infrastructures provide essential services to society, so cyberattacks on them have great potential to harm operations and people's everyday lives. The impact of an attack can go far beyond the economic: the direct cause (for example, theft of information), the disruption of operations (operating costs), the resulting sanctions, or damage to third parties, to the detriment of their welfare, quality of life, health or physical integrity. The last of these, the possibility of causing injuries or fatalities, is undoubtedly a qualitative leap in the degree of impact a cyberattack can cause.
This is because threat agents are no longer just individual cybercriminals; third parties with far greater economic means, skills and capabilities are now present: cybermafias (organized networks), cyberterrorists, hacktivists seeking media impact (based on their own ideals or those of third parties they sympathize with), cyberespionage (industrial or otherwise) and even attacks by states (to support their own industry, to destabilize, as undeclared conflict, among other possible motives). It is worth mentioning that the National Cryptological Centre (CCN), under the National Intelligence Centre (CNI), published that in 2016, 90% of the cyberattacks classified as critical, the most severe ones suffered by public bodies or Spanish companies of strategic interest, came from foreign governments.
There are many studies on what a successful cyberattack costs a company. As an example we cite the one published by the anti-malware maker Kaspersky in October 2016. The study surveyed more than 4,000 companies in 25 countries and concluded that, on average, a single cybersecurity incident costs large companies 770,252 euros and small and medium-sized enterprises 77,372 euros.
The most alarming finding of the study is how much the moment of discovery matters, since the cost of recovery rises significantly with time. For example, SMEs tend to pay 44% more when they have to recover from an attack discovered after a week or more in the system than when it is discovered on the day of the attack. Large companies pay a 27% surcharge in the same circumstances.
In the press we see news of well-known brands that have had millions of users' data stolen, and as usual we hardly pay attention, as has recently happened with Equifax. By contrast, we usually only take notice of the impact and damage when we read statements such as that of Reckitt Benckiser, owner of brands such as Durex, Harpic and Nurofen, that the June 2017 attack with the 'Petya' malware cost it 113 million euros, or that of the Danish group Maersk, which estimates that the attack it suffered this summer cost it between 171 and 256 million euros.
Unfortunately, attacks are not always as loud as Petya or WannaCry, the ransomware that in a single weekend in May this year opened many business owners' eyes to how an attack can affect their operations. In fact, an attack is far more serious when the attacker has managed to gain access stealthily and to remain inside a company's systems for weeks, months or years. Such long-term persistence can seriously compromise trade secrets and the recovery of operations: identifying where the intruder has penetrated and how far, what data has been exfiltrated, what identities and passwords they know, what services they have manipulated or even created to get into the company; in short, the forensic analysis of the systems and the uncertainty about which point in time is a safe one to recover from (so that reinstalling a clean environment does not leave silent back doors through which the intruder can regain control later) can bring operations to a halt or degrade them for days or months.
Therefore, we expect demand for cybersecurity to grow, to protect against damage to ourselves as well as damage to third parties. Paradoxically, insurance companies are at the same time increasingly reluctant to offer this type of product, because of the ocean of uncertainty surrounding the environment to be insured and the risks to be covered. For example, the day after WannaCry, more than one insurer issued instructions not to accept cybersecurity policies from SMEs.
THE OBLIGATION TO NOTIFY
More than one and a half million companies, public bodies, official chambers, associations, public notaries, universities and others need to be aware that from May 2018 the new General Data Protection Regulation (RGPD) will be fully applicable.
The RGPD introduces the obligation to notify security incidents that affect personal data. It provides for a maximum penalty of 4% of annual turnover, which is certainly an incentive, and reflects the damage that a security breach can cause a company, directly and indirectly.
The RGPD is not the only law that requires notification (the days of suffering a breach in silence and with little transparency are over): the National Security Scheme, the Critical Infrastructures Law and the NIS Directive on essential and digital services also require it.
Over the next few years a number of factors will increase the risk that cyberattacks remain a major problem. For example, we estimate that between 20 and 50 billion IoT devices will be installed by 2020. These devices may have serious security deficiencies: most are designed without regard to security, come with no guarantee of maintenance (meaning that vulnerabilities will be fixed), and effectively delegate responsibility for managing their protection to the user. Compromised IoT devices have already been used to carry out attacks.