In an interview to Ntech.news, Nuno Cândido, Cloud & Security Associate Director at Noesis, talked about the main challenges companies face nowadays in terms of cybersecurity.
Ntech.news - What is the impact of the pandemic in terms of IT security in companies?
Nuno Cândido - The pandemic period proved to be a window of opportunity for hackers to take advantage of the vulnerabilities of some organizations that were not prepared, for example, for the massive migration of their employees to a remote work regime.
From one day to the next, organizations saw an exponential increase in external access to their networks, multiplying vulnerabilities and increasing the risk of intrusion.
In addition, the beginning of this period saw an exponential increase in phishing attacks, exploiting the very situation and context of the pandemic. Fake emails, for instance, with information about the virus, which exploited the period of uncertainty and the population's fears about COVID-19, were tremendously effective techniques in that initial period, aiming to infect users' computers with ransomware, leading to difficult situations where large organizations saw their data compromised.
Are there any numbers regarding the increase of phishing in this period?
N.C. - In 2020, in Portugal, there was an increase in incidents of more than 150% compared to the previous year.
Machine-to-machine (M2M) attacks, silent attacks, highly personalized phishing attacks, among others, caused significant financial damage, but also reputational damage, from which many organizations never recover. The European Agency ENISA estimates that around €10 billion was paid in ransomware from Ransomware attacks in the last year alone. Also, the latest report from Watchguard points to 165,000 attacks per day, representing two attacks per second globally.
This growing number of attacks and the public visibility that some cases have assumed has contributed to cybersecurity being more and more in the center of the concerns of the companies' managers and their CIO's, which has led to growing investment in these areas.
According to the most recent IDC study - Security Market in Portugal, 2020 - it is estimated that spending on information security will exceed 197.3 million euros in 2024, which corresponds to average annual growth of 6.3% between 2019 and 2024.
What is the reason for this increase? Have organizations not been appropriately prepared?
N.C. - The factors are multiple; there are obviously cases in which organizations were not sufficiently prepared or even "awake" to this problem. Even so, the most mediatic cases that occurred in Portugal, namely at the beginning of the pandemic, were in some of the largest organizations operating in the market, companies with sophisticated security systems already investing significantly in security solutions.
Thus, it is reductive to think that these attacks only affect small companies or unprepared organizations. It is essential to reinforce the message that the need to adopt cybersecurity solutions is transversal to companies of all sizes, profiles, and sectors of activity.
Attacks are common to all company profiles, and the main success factor has to do with their increasing sophistication. The attackers are increasingly professional and use state-of-the-art technology. They are often orchestrated by highly evolved criminal organizations and are no longer the work of a "curious" shut-in somewhere in his room. This image of the hacker no longer has little adherence to reality.
On the other hand, Phishing attacks rely on a factor that will always be impossible to mitigate 100% - the human factor. Human error, due to the ignorance or carelessness of an employee who, by taking a certain action, may trigger an attack of critical dimensions for your organization.
Therefore, I would say that this increase in attacks that has been seen in recent months is mainly the result of a growing technical and technological sophistication, using machine learning and artificial intelligence, attacks triggered by machines and with a much higher processing capacity than in the past.
This fact, combined with the unpreparedness of some organizations and the lack of training and preparation of their human resources, is the perfect context for these attacks to succeed.
Looking ahead, what can and should be done?
N.C. - The only guarantee of recovery from a ransomware phishing attack is the replacement of backups. Therefore, it is imperative to review the backup policy to ensure that retention and recovery times are adequate for the organization's needs, and periodic execution of replacement tests should be the priority.
Since many attacks originate from email and are caused by human error and user interaction with these malicious emails, user training and education to make them aware of the phenomenon and help identify phishing attacks should also be considered a priority for organizations.
Finally, it is highly advisable to review and modernize email protection systems, using the available new technologies for automatic detection and response based on artificial intelligence to minimize malicious emails reaching users' mailboxes and mitigate the risks.
This type of training has become fundamental to the current ecosystem?
N.C. - Ransomware has become increasingly sophisticated and a growing threat to organizations. Initially, ransomware was distributed by malicious emails, prepared to get the user to execute or open a file, compromising their PC and getting eventual network disks encrypted.
Nowadays, this technique is increasingly evolved and incorporates advanced detection evasion techniques.
In addition, it exploits numerous vulnerabilities that allow it to replicate itself throughout the organization. So, in addition to the individual risk for the user, a company employee, for example, ransomware nowadays seeks to compromise the entire organization. It is increasingly common to see organizations having their whole IT park compromised within minutes.
The cost, of course, depends a lot on the scope of the attack and the dependence that the organization has on its information management systems. Usually, the only way to recover from a ransomware attack is to restore backups, and the "cost" is also very much linked to the quality (and existence) of the backups.
On the other hand, the operation of replacement and restoration of information systems is always a complex and time-consuming activity, so it is not uncommon to have a recovery time of several days, which can mean that an organization is inactive during that period, with very significant losses for each day without operation, and sometimes with repercussions throughout the value chain.
Let's think, for example, of Industry and an attack that manages to paralyze a factory and all the production capacity of that organization for several days. It is easy to understand the direct impact and losses generated by such downtime and the indirect effect that this stoppage will cause throughout the chain, from suppliers to distributors, retailers, and ultimately consumers.
Besides the financial cost and losses, another type of damage is more difficult to quantify, such as the reputational damage that an attack situation can cause. Let's think about the violation of data or sensitive information of third parties (customers, for example). This violation can have irreparable consequences in the breach of trust between the customer (who entrusted his data) and the company.
Therefore, to all the technology investments that organizations have to make to be properly protected and better prepared to respond to an attack, there must also be a continuous training effort and tests to their human structure, the vulnerable point I mentioned before.
What is the role of Noesis, and how can they help?
N.C. - Besides recurring sensitizing initiatives, organizations can and should perform phishing simulations with their collaborators. These kinds of initiatives and tests allow not only to evaluate the level of preparation and attention of employees to possible attacks but also allow everyone to be prepared in the best way possible to deal with real threats.
It's also fundamental to focus on security architecture through a holistic approach that includes "intelligent" technological capabilities and contains standards, guidelines, processes, and practices that guarantee mechanisms to safeguard security policies and privacy of information and access.
It is also necessary to change the security paradigm - to look for abnormal behavior rather than malicious behavior. Artificial intelligence algorithms are one of the fundamental pillars for the automation of cybersecurity and a response to the limits of human capability. Artificial intelligence is a strong ally at the service of cybersecurity and an essential investment today, not only for detecting threats but also in solving and nullifying them in real-time.
We all are (or will be) phishing targets. Therefore, it's essential that all organizations, regardless of their size or activity sector, are increasingly aware at collective and individual levels and, above all, ready to give adequate answers.
How does Noesis act in this field?
N.C. - At Noesis, we have been developing projects for the leading organizations operating in our market, using Darktrace technology, the world leader in cybersecurity solutions using artificial intelligence, of which we are one of the main partners in Portugal.
These solutions reveal much higher effectiveness when compared to traditional protections, as they use the full potential of artificial intelligence and machine learning to detect behavioral pattern changes, for example.
The main message we try to convey to our customers is that it is essential that organizations re-focus on security architecture, and this is perhaps the main challenge currently facing companies. 2021 is a year in which organizations should re-evaluate their IT ecosystem and seek to empower themselves in a structured way with cutting-edge technologies and services that enable them to safeguard themselves against these threats.
The use of artificial intelligence in cybersecurity solutions, for example, is a good answer because it allows organizations to protect themselves and prevent possible attacks in a much more efficient way. It can analyze data and visualize the organization's network, tracing security models while monitoring and scouting, using Machine Learning and Behaviour Analysis.
This type of assistance, based on AI and ML models, will be the future of organizations that want to remain at the forefront of technology with security, and the forecasts for the next decade point to the consolidation of this vision. According to a study by Trend Micro, artificial intelligence algorithms will be one of the key pillars for cybersecurity automation.
Thus, our bet is to provide advanced security solutions, advanced monitoring, observability, and automation, which prove to be more efficient in detecting threats and solving and nullifying them.