Risk management

31 March 2016

Awareness is the best weapon against cybercrime

From Sony to TV5: major cyberattacks have become commonplace in current affairs. So much so that it has become essential for all organisations – both large and small – to arm themselves against attacks from hardened professionals. A real challenge, in other words, for the Belgian corporate world. And yet, a few common-sense measures are often sufficient to minimise the risks. And boosting awareness amongst employees would definitely be near the top of the list. Read more about this and other tips in this article.

Synopsis
  • Cybercrime is a serious challenge for any organisation.
  • Data security is based on a few basic measures.
  • Investing in employee training is a key element of ensuring cybersecurity.

Who are these cybercriminals?

“The hackers behind these threats are typically part of well-structured and highly specialised organisations with a sophisticated business model”, says Alexandre Pluvinage, Cybercrime Coordination Manager at ING Belgium. In our ever more connected world, confidential data is becoming increasingly important… and a growing number of people are trying to get access to it. Hackers have their sights set on profits that far outweigh their investment, and employ all kinds of IT infrastructure to boost their effectiveness. “The fraud being committed today is nothing new, but thanks to new technologies, it is much easier to do.”

Phishing, malware, ransoming and CEO fraud

Some of the easiest attacks to prevent are phishing (obtaining information under false pretences) and malware (infecting computers with malicious software). In both cases, hackers have the same goal in mind: executing fraudulent online transactions or having you do it for them. “When it comes to online payment systems, anything out of the ordinary should set off alarm bells amongst users”, emphasises Alexandre Pluvinage. “They should develop the reflex to stop all pending transactions and contact their bank via the number on the back of their bank card.” Another variation on the same theme is ransoming, where the company’s activities are blocked by installing so-called ransomware, while a third form of fraud that has been gaining in popularity of late involves stealing the CEO’s identity.

The direct costs of cybercrime

Statistics from CERT.be – the federal cyber emergency team – reveal that instances of cybercrime are increasing at an alarming rate. The Belgian Cyber Security Coalition, of which ING is a part and which brings together a number of Belgian players from the private sector, the public sector and the academic world, estimates the annual cost of cybercrime in Belgium alone at 3.5 billion euros.

Reputational damage and more as indirect cost

On top of that, the mere fact that a company has been shown to be vulnerable to cyberattacks brings certain indirect costs: damage to its reputation and to its corporate or brand image, direct or indirect financial losses, operational disruptions, and more… And that is not even including the costs of any legal action taken by affected third parties.

It could happen to anyone

According to a survey conducted by the VBO, 66% of all organisations are insufficiently informed to put an effective cybersecurity policy in place. “More and more companies are becoming aware of the dangers,” states Alexandre Pluvinage. “Unfortunately, too many managers assume that hackers aren’t interested in their organisation. And yet, the figures prove that it’s not something that happens to ‘someone else’: many attacks simply happen at random and involve sending thousands or even millions of e-mails at once. The name or size of the company affected often has little or nothing to do with it.”

The line between private and professional life is dangerously blurred

How many of us can claim never to have opened a personal e-mail or private Facebook message at work? In the case of SMEs, the boundaries between one’s digital private and professional life are even thinner. Companies are increasingly putting all their electronic eggs in one basket, and nowhere is this clearer than with one of the key elements of that basket: e-mail. E-mail is the most important link between all other digital services (social networks, online shopping, contact with tax authorities, etc.).

Choose a strong password

An additional problem is that passwords are still not secure enough. Classic cases such as ‘12345’ or ‘password’ are sadly still commonplace. It sounds self-evident, but a 100% secure password is an absolute must. And while there are no miracle solutions for this, there are a few handy tricks: a long sentence which also contains capitals, symbols and numbers, for example. A password can also be adapted depending on what it is used for.

Upgrading your IT can be faster, simpler and cheaper than you think

Security may come at a price, but adequately securing an IT system does not necessarily have to cost the earth. Every company needs to adapt its security level to its size and available resources. “Focus in the first place on the basics and stick to them religiously. Concretely: equip all devices with a firewall and an effective, regularly updated antivirus programme, make regular external back-ups and set up your operating system such that it automatically and immediately updates itself.” These basic rules can already protect you from falling victim to a great number of random attacks, because negligence and human error remain the biggest source of ‘contamination’.

Invest in a human firewall: your employees

“Security is also important in the context of a company’s human resources: from the CEO to the employees,” emphasises Alexandre Pluvinage. Something which unavoidably begins with good communication and good training. “Every employee has to know how to identify abnormal activities and how to react appropriately.”

Emergency procedures

The company, on the other hand, has to implement the appropriate procedures, such as an emergency hotline or e-mail address for urgent notifications. “It is essential that everyone knows who to notify if they receive a suspicious e-mail. And even if the person in question has already clicked the infected link, it is important to realise that doing nothing is far worse. The message is clear: immediately contact the specialists who will take appropriate action to limit the risks.”

Creating awareness and use of common sense

Precisely the fact that the new technologies are so easily accessible makes them an even greater threat: think, for example, of automatically opening an attached document or connecting a USB stick before securing it. “Vigilance is not enough to repel all threats, but if I could give one piece of advice to companies it would be: use common sense and make your employees aware of their working environment and the potential risks”, recommends Alexandre Pluvinage.

Employees need to develop the right reflex actions

They need to ask themselves the right questions at the right time. For example, every time they receive an e-mail: Do I know the sender? If not, the risk is high and I need to be careful. If I do, I should then ask myself whether the mail was expected and whether it is related to my activities. The risk goes down every time I answer yes to these questions, and if the answer is no, I need to develop the reflex to check at once. A simple phone call can prevent a potentially dangerous infection. The ‘origin’ of the e-mail is also important. A phone bill sent by e-mail supposedly from Deutsche Telekom, for example, should raise more suspicion than a message from Proximus.

The risks of a mobile office

And last but not least, the rise of the ‘mobile office’ often implies that the user has direct and external access to the company network. That calls for an effective protection of the IT system, in the interests of safeguarding data security.

Public WiFi networks: a no go?

Another potential risk: accessing public WiFi networks. Caution is key here, even if it is a well-known network in a well-known location, for the potential risks are considerable. It is not difficult, for example, to duplicate a WiFi network and thereby gain access to all connected devices. “A useful tip: never process confidential professional data if you are connected to such a network, and never carry out online payments or perform other sensitive operations.”

Smartphones, tablets and laptops

Smartphones, tablets and laptops carry the inherent risk of being stolen or simply used without the knowledge of the owner. “The problem is that not all employees apply the basic security measures they have at their disposal: using an access code to unlock the device, for instance, limiting the number of unsuccessful attempts, and other tools to locate, block or, if required, delete data remotely. Once again: generating awareness amongst all employees is essential for good security.”

Data security at ING

“At ING, cyber security is a very high priority, both internally and with respect to our customers,” emphasises Alexandre Pluvinage. “We continuously invest in the security of our IT systems, training our employees and informing our customers.” ING customers can find all the information they need about the security of their online payment means via http://www.ing.be/en/retail/pages/security.aspx. Because when it comes to security, everybody is responsible for their own security strategy, both the bank and its customers.

Checklist for a mini cybersecurity audit

When it comes to cybercrime, prevention is better than cure. But which questions do you need to ask yourself when evaluating your company’s security? The ‘Belgian Guide to Cybersecurity’, a publication of the FEB (Federation of Enterprises in Belgium), offers a complete checklist with which to do so. A few basic questions:

  • What is the place of security within your organisation?
  • Do you have a policy with regards to internet and password use?
  • Is internal data classified according to its sensitivity?
  • Does the company have a clear and universally-known procedure in the event of an incident?
  • Have you carried out a risk assessment?

On top of that, there are several useful tools with which to arm your organisation against cyber threats. Febelfin, for instance, recently launched an awareness campaign about secure online banking. More info can be found at www.safeinternetbanking.be.