Technological advances have led to an increase in cybercrime and, more recently, the Covid-19 pandemic and resultant rapid shift to remote working have led to a spike in cyberattacks. These attacks can have devastating consequences for businesses, including large financial losses and private data being compromised. Increasing cybersecurity practices are therefore an essential focus for companies worldwide. This may be especially important for airlines and health insurers who, due to the sensitive nature of the data they hold, may be particularly vulnerable to cyberattacks. What can companies do to protect themselves and their employees – for both office-based and globally mobile staff, in this new era of cybercrime?
Anticipation > reaction
First and foremost, it is crucial that companies are prepared for cyberattacks and have appropriate and effective countermeasures in place. “Companies need to stop reacting and start anticipating,” Arun Banerjee, Zurich UK Cyber Risk Consultant, acutely summarised. He told ITIJ: “It's very important for firms to understand the cyberthreats that can impact their crown jewels and develop a cyber resilience strategy. Just focusing on protection against cyberattacks is not enough; organisations need to develop strong resilience with response and recovery capabilities. Cyber resilience, not just cybersecurity. It’s also important for firms to develop a strong human firewall with cyber awareness for employees.” The unfortunate fact is that cybercrime is a very real and present part of the 21st century and companies need to recognise that they could be the victim of a cyberattack and ensure that they have appropriate measures in place should the worst happen. Awareness is therefore paramount.
Mike McGarrity, former Vice President of Global Risk Services at Global Guardian, now with Capital One as Global Security Leader, agrees that a proactive approach is important. “This means backing up systems, using multi-factor authentication, updating security solutions and conducting response training exercises to identify and mitigate vulnerabilities,” he explained. “No matter the crisis, preparation, processes, and existing relationships are key to navigating a crisis like a ransomware attack.” In terms of the measures that are available to companies, these range from simple, everyday steps to more sophisticated tools.
Just focusing on protection against cyberattacks is not enough; organisations need to develop strong resilience with response and recovery capabilities
ITIJ also spoke with Matt Shelton, Director, Technology Risk and Threat Intelligence, Mandiant, who provided details of some of the measures that companies can implement to better protect their corporate environment from threats, particularly as they transition to a remote and distributed workforce. “Accessing corporate resources remotely creates an opportunity for attackers to blend in with the workforce. Implementing multi-factor authentication (MFA) on all external corporate resources significantly reduces this risk,” he explained. “Organisations should not stop at MFA. They should implement a single sign-on (SSO) platform to tie corporate and cloud resources together with a common authentication source. Employees will appreciate a common set of credentials while providing administrators with the ability to centralise credential management and monitor for abuse.” Other measures that Shelton advises taking include: deploying a multi-layer endpoint agent on all employee endpoints; deploying encryption on employee endpoints; receiving and reviewing logs from cloud providers; creating suitable corporate alternatives for personal cloud services; providing security awareness training for remote workers; and continually evaluating security controls.
Remote yet robust
With the growth of remote and disparate working, it is important that employers ensure that risk is mitigated not only in the office but also beyond. Banerjee said that the biggest focus here must be on securing user identity. “Previously we used to work in a secure office environment where adequate security was applied around the perimeter of the fortress. But as almost everyone is working from home, we do not have the perimeter around us. So, the security controls need to be tightened around user identity and access,” he told ITIJ. McGarrity also emphasised the importance of security. He said that employees traveling outside the office should be linked through a virtual private network (VPN). “They should avoid the temptation to log on to unsecured Wi-Fi while travelling,” he noted.
ITIJ also discussed the rise of remote working with Gareth Wharton, Cyber CEO, Hiscox, who agreed that protecting organisations that have a mobile workforce can present additional challenges. He too mentioned the importance of using a VPN but said that, even then, vigilance is needed. “Malware groups are getting savvy to this and have started buying up VPN providers to target travelling workers. Employees should check that they are using a VPN from a reputable provider, and not one that is not secure,” he warned. “Employees who travel a lot are at a higher risk of losing or having their devices stolen and therefore using full device encryption is highly recommended.”
Data as a commodity
When thinking about companies that might be vulnerable to cyberattacks, airlines and health insurers would feature on that list due to the nature of the data they hold, and with the world becoming increasingly digitised and connected, these companies’ data are more and more at risk of being compromised. “In 2017, the Economist Magazine cover page title was ‘Data, world’s most valuable resource’. It is the new oil, perhaps much more expensive,” articulated Banerjee, which really highlights the true value of data. And when companies hold personal data, this value soars. “Airlines and health insurers are viable targets because they hold large amounts of sensitive data related to an individual (name, address, email, frequent flyer number, possibly a date of birth, etc.),” said McGarrity. “This is a treasure trove for hackers looking to exploit the data or sell it to other criminal networks.” Wharton agrees: “Airlines typically hold lots of customer data, which includes the most sensitive types of information – passport details, date of birth and credit card data. Health insurers will also hold highly sensitive personal data such as medical history.”
Why exactly are these types of personal and sensitive data so valuable and attractive to cybercriminals? One reason is that it can be held to ransom, as Wharton explains. “This type of data is protected by strong legislation such as the General Data Protection Regulation (GDPR) in Europe. If firms have this data compromised it can lead to large fines, and the criminal gangs know this, so they target this data in an attempt to steal it. If successful, they extort firms with the threat of releasing this data unless they pay a ransom,” he told ITIJ. Banerjee also mentioned the rise of ransomware attacks and how they have evolved. “In the last couple of years, the biggest change to ransomware attacks have been the advent of the leak sites where cybercriminals are not only encrypting business systems, but also exfiltrating data before applying the encryption,” he told ITIJ. “They then publish the data in these sites if the ransom is not paid. So, you are under additional pressure as you are handling business interruption at the same time as a data breach, a double extortion.”
ITIJ also spoke with Manon Gaudet, Assistant Director Aviation Cyber Security, International Air Transport Association (IATA), who agreed that cyberattacks for financial gain pose a big threat. “Often, those attackers have more means than others and are very determined. Some may gain access to your infrastructure and not do anything for weeks if not months, before deploying their attack, or selling their footprint to someone else. Becoming a victim of a ransomware attack is certainly of concern to any organisation, for operations could be impacted as well.” The deep repercussions of cybercrime for a company are not to be underestimated, and with this representing a somewhat insidious threat, it is all the more challenging to contend with.
The magic combination
As cybercrime increases in complexity, new innovations emerge that can potentially be used to counterbalance it, but this is not enough. In addition to technical controls, people and processes are equally important, as Banerjee underlined: “There are definitely a number of technologies available in the market to protect organisations against cyberattack, but unless we have a cyber aware (not trained) workforce, robust policies and processes to support the day-to-day operation of business, as well as strong change management process in place, we will struggle with even the best next next-gen technology.” Wharton agreed that tech, people and processes is the magic combination, and also highlighted the importance of insurance. “We always suggest to customers that the best way to protect themselves is through a mixture of staff training, prudent processes and technology solutions alongside an insurance programme that will protect them when a cyber event happens.” He explained that cyber insurance is slightly different than some other forms of insurance: “It will respond to both the financial impact (business interruption cover) as well as getting the business back on its feet again, by offering services such as IT forensics, legal and PR advice and, if necessary, credit monitoring services if credit card details are compromised,” he said.
McGarrity said that although companies can never completely eliminate risk, what they can do is strengthen their defences. “Opportunities to mitigate cyber risk include training employees not to click on an unknown attachment – that creates a ‘human firewall’, two-factor authentication, updated policies and procedures, firewalls, 24/7 threat monitoring solutions and VPNs,” he told ITIJ. “Training and preparedness with increased cyberdefence measures like firewalls cannot be underestimated.”
Protection through preparation
The threat of cybercrime isn’t going away, and preparedness and resilience are key terms for companies in ensuring they are best placed to counterbalance an attack. This involves, first off, promoting understanding and awareness of cybercrime in order to make sure that suitable measures are implemented. In being prepared and anticipating an attack, companies are likely to fare much better than when simply reacting without appropriate protocols in place. Measures as simple as employees avoiding using unsecured Wi-Fi while remote working could have a big impact, and this is something that can be enforced by spreading awareness among all employees. It is all about being proactive, as Wharton states: “While cyberattacks may seem like an unsolvable problem, taking some simple steps can go a long way to protecting companies. These measures are always a mix of people, process and technology.”
Companies are becoming increasingly aware of the growing risk and building their defences as a result, and so protection is enhanced. But, in turn, cybercriminals’ methods are becoming more sophisticated. “As our mitigation and cyber controls evolve, cybercriminals are also adapting their strategies to keep pace with the change,” Banerjee articulated. This means that companies cannot afford to become complacent, which is why ongoing attention and evolving methods are key. “It is very important to develop a good risk management process with regular and systematic assessments of cyber risk across all critical business processes,” he said. “Know your crown jewels and understand the exposures, risks, and potential impact an attack can bring to a business.” With resilience and cyber awareness, companies are prepared for the ever-evolving risk of cybercrime and can protect their businesses and employees and mitigate their losses.