By Nuno Cândido, Infrastructure Solutions Senior Manager at Noesis
After the state of emergency was declared in Portugal, the priority of most companies was to ensure that their IT systems functioned 100% so that work did not stagnate during confinement. Meanwhile, news of computer attacks on multinationals and of online scams and fraud multiplied in the media.
With the confinement, hundreds, or even thousands, of companies suddenly saw their consumers transferred to their respective homes, where they buy products and share data online. Nuno Cândido, Senior Manager of Infrastructure Solutions at Noesis, explains how retailers can protect consumers' data. In recent weeks, consumers have adopted online as their preferred shopping channel.
In recent years, there has been an increase in purchases via digital channels (e-commerce, m-commerce, social networks, etc.). What cybersecurity challenges does this trend represent for businesses and consumers?
Right from the start, there is the challenge of protecting consumer data as relevant as personal data, purchasing data, consumption habits, and payment data. All of this information is critical and protecting it is critical. Phenomena such as cloning websites or phishing scams are recurrent forms of attempted intrusion and undue capture of access credentials and personal or payment data, for example.
In this context of a pandemic, with the increase in purchases through online channels, does cybersecurity assume special importance for companies?
Cybersecurity is a steady issue in any business. In recent days, news of computer attacks on large companies around the world, and also in Portugal, has been made public. This pandemic period is having an impact on the number of cyber-attacks, which is growing as a result of the enormous sensitivity of the theme and the propensity of users to access content and click on links related to COVID-19. To better illustrate this idea, we know, for example, that the number of registered sites with names related to "coronavirus" increased more than 68 thousand times, and the domains registered with keywords related to the pandemic rose from 3000 to 53 thousand. This example illustrates the current risk, with the emergence of malign websites that exploit this propensity. On the other hand, for organizations, the sudden movement of large numbers of employees into the context of teleworking has exposed organizations to greater vulnerabilities and greater difficulty in monitoring and defending their information and critical data systems. In the specific case of retail, this vulnerability is even more worrying if we consider that they mainly deal with consumer personal data, consumer information, financial information, payment data, among other sensitive data.
Cybersecurity is not just online
Are Portuguese consumers aware of the security threats that exist online, or is there still a more "naive" population that is not aware of the dangers that may be "hidden" in these channels?
When it comes to cybersecurity, it is important to realize that we are never fully protected, because this is not 100% possible. However, there is still a great effort to be made to raise awareness, at the individual level, but also within the organizations themselves, precisely because, many times, there is not this perception that the risk is permanent and that cybercrime is increasingly sophisticated. Therefore, on the organization's side, it is necessary that cybersecurity is always at the top of the concerns of any IT department and that there is, in top management, this perception of the importance of the topic. Recently we have seen that the adoption of controls to mitigate the different threats has often been put on the back burner. Also at a particular level, this cybersecurity culture has to be fostered constantly, in all our daily gestures, from basic gestures such as connecting to a public Wi-Fi network in a café, to a culture of defining strong passwords and changing them on a recurrent basis.
What can retailers do to protect their online stores?
This year, Noesis has increasingly reached out to its customers about the need to adopt new cybersecurity technologies that, based on artificial intelligence and machine learning, help to mitigate these vulnerabilities. The solutions we have been implementing in corporate environments, such as those of our technological partner Darktrace, have an approach that aims to replace the traditional role of the security analyst with mechanisms based on artificial intelligence. This technology makes it possible not only to give visibility to these attacks but also to mitigate or even cancel them.
In recent times, we have seen several companies announcing the creation of online stores. Is it possible to create a secure online store, from one day to the next, and respond quickly without compromising customer data and security? What dangers can be "hidden" in this immediacy?
Yes, it is possible to create a secure online store with ease while complying with basic security precepts, such as having a certified and secure website and domain and protected payment systems. Of course, launching a secure online store is not enough. Cybersecurity has to follow a transversal logic and not just focus on the online store. The online store is just one of the components of the business and one of the interfaces. In addition, an online store implies a set of integrations with different organizations' information systems, stock management applications, billing, among others, so it is necessary to efficiently monitor and adopt cybersecurity measures for this entire ecosystem and across the entire network, not just focus on creating a secure online store.
What are, for retailers, the essential measures to avoid cybersecurity problems?
The best approach to cyber risks is undoubtedly a cross-cutting approach to the entire organization, including suppliers, with a 360° view of systems and potential vulnerabilities. In fact, as the name implies, risk management aims to mitigate threats and vulnerabilities, while exposing the risk to which the company is susceptible after mitigation. In the absence of a 100% secure formula against cyberattacks, organizations must opt for a risk management approach. It is exactly at this stage that we find several gaps in Portugal: either risk analysis and management is not carried out, or it is incorrectly implemented, or even neglected as to the results it produces. The risk analysis must be based on a series of controls, be they NIST, ISO27k, or CIS, where there are security controls to be applied in the 3 dimensions: users, suppliers, and manufacturers. National organizations must adopt and efficiently implement each of these controls, taking into account the chosen framework.
"The vulnerability is even more worrying [at retail] if we consider that it deals mainly with personal consumer data, consumer information, financial information, payment data, among other sensitive data"
The many threats
The Complaint Portal shows that, since the beginning of the year, complaints related to fraud and fraud schemes have increased. Are these types of security threats expected to increase in the near future?
Yes, it is not only expected but has already been verified. The situation of the coronavirus potentiated this whole situation; the volume of cyberattacks is the largest that we have seen, according to data from the CTI League. In Portugal, we are very aware of phishing attempts, through e-mails, websites, and fake SMS that claim to be a credible entity, such as WHO or UNICEF, in order to obtain the most sensitive data of each one. However, this reality is not exclusive to Portugal; it is a phenomenon witnessed on a global scale.
Another study found that coronavirus-related attacks have increased, including phishing, malicious websites, which claim to offer real information or advice on the pandemic, malware, and ransomware. What can companies do to protect themselves from these types of threats?
Unfortunately, companies also do not escape these attacks and today we see increased vulnerabilities, taking into account the situation that the country is currently experiencing. Employees are connected to unprotected networks. For example, it is enough for someone on that network to let in malware for access to be blocked. In 2019, 24 cases of ransomware were notified to Portuguese companies, companies that operated in a protected environment. Thus, taking into account that attempts often occur in a protected environment, it is natural that the concern is increased, in the current scenario, when companies currently have all their employees working on networks that are, mostly, unprotected. Given this context, it is essential that there is clear and direct communication and that the most appropriate tools are indicated to be used in order to ensure that remote work is safe. It is also necessary to inform our employees of the various ways they can be the target of a cyber-attack, explain which channels are safe to use, what information can be shared and how to report any suspected cyber-attack. The equipment must also be formatted with tools such as encrypted VPN, various levels of authentication, malware blocking, malicious URLs, and phishing attempts, in order to guarantee safe navigation and connection to the corporate network. For example, one of the ways in which companies can overcome and win this new form of "war" against the growing number of attacks they may have is to automate as much as possible all the functions that professionals perform, be it defense or Red/Blue Team attack; analyze the information that results from this process automation; pass, whenever possible, this analysis to Artificial Intelligence or Machine Learning, analyzing this same information and automating new processes. We must protect ourselves, today more than ever. It is an indisputable fact.
At the beginning of this transformation to the remote, the biggest concern of the IT teams was to ensure that the systems of each company worked at 100% so that the work did not stagnate; now it is urgent that they focus on the importance of cybersecurity. Investing in the protection of our data is never too much; we have to inform and be informed. It takes just a click in the wrong place to let a cyberattacker into our private network.
For companies that are working remotely, what are the biggest cybersecurity threats at the moment?
The main threat arises from this sudden and exponential movement towards teleworking. This is the sudden transformation that we are witnessing with the current pandemic: a large part of the workforce has started to work remotely in an abrupt way, without considering the necessary IT security measures to ensure that information, employees and the organization are kept safe with this change. If we combine this factor with the increase in attacks we have seen in recent weeks, we have the perfect recipe for disaster: the likelihood that organizations will see their data compromised is very high. In this sense, how can we, then, trust the devices that connect daily to our network from numerous locations? How can we ensure that we know who is on the other side? Is it safe to share sensitive company information? Noesis has been working with its customers and partners on what we can designate as a second wave of intervention in this pandemic. Firstly, it was necessary to put people safe in their homes; in this second wave we must guarantee the safety of users, information and systems. For that, we currently have two very strong partnerships: one with Darktrace and the other with Microsoft, which allow us, through Machine Learning and Behavior Analysis models, to quickly implement the tools that organizations need to detect and mitigate threats in a transversal way, including the users / / information that are in telework.
With the confinement decreed, consumers are more exposed to online platforms. On the consumer side, what can be done to prevent this type of attack? What tips would you give consumers to protect themselves?
First of all, it is very important to pay special attention to the websites where they browse. As previously mentioned, new sites and sources of information have proliferated that take advantage of this pandemic situation and people's uncertainty. And the problem is not just the issue with the famous fake news and misinformation. The problem is that many of these "pirate" sites spread false information in order to serve as "bait" for cybercrime. Therefore, the first piece of advice is that they only access trusted, well-known websites that they usually visit. A very simple way to verify that it is a trusted website is to verify if the address is composed of "https:" and not "http:". The first case indicates that the website in question has a certificate of trust and security and that the connection is more secure. The same goes for the icon of a lock that appears in the browser next to the address and which attests to that. Users should also be wary of emails that may appear suspicious or sent by "strange" senders and should not give in to the temptation to click on links in those emails, however tempting the information may seem. This is one of the oldest phishing techniques, but still very effective, even more so in the context of COVID-19. It is also essential to adopt strong password policies, that is, alphanumeric and randomly created passwords, in addition to the fact that we must have unique passwords for each application. Using, for example, the same password to access net banking or e-mail is a basic mistake to avoid. There are numerous free password management applications, which are highly recommended. Finally, when it comes to online shopping, the basic advice is to use "virtual" cards, created for that specific purchase and not the original credit card details. MB Net-type applications prevent the possibility of making more purchases with the card if the data on the card is stolen.
There are many other techniques or safety tips; these are just a few examples that are easy to implement for any consumer.
"Cybersecurity has to follow a transversal logic and not just focus on the online store. The online store is just one component of the business and one of the interfaces"