CYBER (IN)SECURITY: perception and mitigation of a global threat
Data and cyber security, as an intangible concept, has long been relegated to a marginal position within organizations. Ongoing technological evolution has not gone hand in hand with the development of risk awareness or with recognition of the need to adopt appropriate cyber security countermeasures.
However, the threat has assumed an unprecedented scale. Even those who considered data security a relatively insignificant matter are starting to take into account the risk of becoming victims of attacks, which are ever more numerous and difficult to contain.
CYBER SECURITY: between subjective and objective security
Ever-growing attacks
The scenario described in the latest Clusit Report in terms of IT security, at Italian and international level, is far from reassuring.
The year 2019 is defined as “the worst year ever”, during which “a point of no return has been passed” regarding cyber security. In fact, we are witnessing a very rapid evolution of threats, actors and attack modes, capable of causing increasingly severe and successful effects on their targets.
The data outline a growing trend: globally, the number of serious attacks registered during 2019 was 37.5% higher than the average number of annual attacks recorded in the last six years. Under the same classification criteria, the number of publicly known attacks that occurred in 2019 was 91.2% higher than the same figure for 2014.
In the vast majority of cases (83%), the cause of attacks today is Cybercrime, which rose by +12.3% compared to 2018 and by +163% compared to 2014.
However, the Clusit Report stresses that these data represent only a part of the real number, since they only cover the successful attacks, or at least those of which victims are aware.
Cyber-risk: in first place among the concerns of business leaders
Several reports are starting to detect an evolution in the perception of the risk of falling victim to a cyber-attack. This awareness, especially from a business point of view, is becoming increasingly widespread and evident.
According to the Regional Risk for Doing Business Report 2019 published by the World Economic Forum, global concern about cyber-risk has increased substantially, moving into second place among the fears most felt by business leaders, compared to the fifth place recorded in 2018. In Italy and in Europe this concern even ranks first.
Similarly, the risk of fraud or data theft is in the top 5 in Italy, while at European and global level it ranks sixth and seventh respectively. It should be noted that, until 2012, cyber-attacks were not even categorized in this Report, but only marginally mentioned as “new risks to consider”.
In the same vein, the BCI Horizon Scan Report 2019, published by the Business Continuity Institute, states that concerns related to cyber-attacks and data breaches rank first and second respectively (globally) among the threats most felt by organizations. These concerns, confirmed also for 2020, had never held the top position in previous years.
Although from a different point of view, the same concept emerges from the research conducted by Netwrix in October 2019, focused on the priorities of IT professionals for the following year. At both Italian and global level, first place is occupied by data security, reflecting the concern registered about the risks (perceived and real) in the field of cyber-security. It is worth noting that, in the Italian case, the second priority in the ranking is data privacy, which is instead in fourth position at a global level (preceded by automation of manual operations and cyber-security awareness among employees).
There may be several reasons behind this ongoing change of direction.
First of all, from a financial perspective, the impact of a cyber attack on an organization would result in severe economic repercussions. The damage caused by a service interruption is made more serious in the case of a data breach or disclosure of personal data, as the GDPR states. The penalties imposed by the European Regulation are as much as €20 million or up to 4% of a company’s annual worldwide turnover.
Another relevant element, both in terms of time and resources, is the cost of containing an attack, especially if the attack stems from pre-existing weaknesses in the organization's structure, equipment and awareness of the risks.
Furthermore, it is necessary to consider the reputational damage, which is not quantifiable but can considerably undermine the corporate image, customer loyalty and the credibility built over time.
MFA: the importance of a risk-based approach
After this first achievement in risk awareness, immediate further action must now be taken to implement appropriate strategies that mitigate exposure to threats. In this way it is possible to bring together subjective and objective security.
Awareness and corporate training must be supported by appropriate governance procedures, event and incident management, with the aim of detecting any attacks without delay, by adopting effective strategies of containment and recovery.
In this regard, the latest Clusit Report highlights the importance of protecting and regulating access to data and critical resources through the most effective techniques. The Report describes Multi-Factor Authentication (MFA) as “the most promising avenue”, a strong and difficult-to-bypass technique available today. The possibility of combining different authentication methods, adding further layers of security to accesses and transactions, makes system compromise more complex and harder to achieve, keeping company data safe.
Among the various urgent matters of the moment, it is necessary to keep in mind the importance of strengthening the protection of company resources against illicit or unauthorized access by promoting a risk-based approach.
Nowadays, data protection goes beyond a physical defence of the enterprise perimeter, moving toward the protection of information, an intangible but by no means secondary resource.
Therefore, the consolidation of a risk culture, properly supported by preventive technical and organizational measures, is the most beneficial approach in this scenario of uncertainty, capable of turning business challenges into opportunities.