This year your company will suffer a cyberattack: What to do to be prepared?


How much would your company be willing to lose due to security incidents? Nowadays, it is essential for every company to seriously address this question, as cyberattacks have become a sadly inevitable reality. In other words, it is no longer relevant to say that cyberattacks “might happen”: we must be aware that they will occur.

Wednesday 7 - February - 2024
Baufest

Unfortunately, there are plenty of cases of cyberattacks against companies and organizations worldwide, although the details are not always disclosed. For example, in February 2023, the Italian water, energy, and gas utility ACEA suffered a serious cybersecurity incident with purely financial objectives that endangered critical infrastructure. Although the company managed to contain and mitigate the attack, the incident caused a significant data breach, service interruption, and potential risks to public safety.

In January of this year, the University Hospital Center of Nantes (France) suffered a cyberattack that caused temporary interruptions to its website and online appointment services, posing a serious health risk for critical and urgent cases. In the same month, Beirut Airport (Lebanon) fell victim to a cyberattack targeting its flight information display system and baggage management system; the attack disrupted operations and forced manual baggage inspection with police dogs, leading to delays, missed connections, ticket losses, and financial losses for airlines.

Given this landscape, it is more important than ever for companies to be prepared and to anticipate cybersecurity incidents before they occur. They cannot afford a reactive attitude toward this issue. On the contrary, they must be proactive in preventing attacks, or in recovering from them as quickly as possible.

Industrial Cybersecurity

Cybersecurity strategies today not only protect a company’s information and assets but also have a direct impact on the well-being of people and societies, especially in industries where a cyberattack can have significant environmental consequences and even pose serious risks to people’s lives. In the oil sector, for example, an oil spill or a well explosion can follow from control system failures, power outages, and supply system failures, all caused by hacking. Similarly, in a power generation plant, an outage resulting from a cyberattack can leave an entire city without electricity: the elderly cannot use elevators, food spoils in refrigerators, users lose access to clean water, and businesses suffer million-dollar economic losses.

Today, it is very easy for a small failure or oversight to generate a “butterfly effect” in terms of cybersecurity, which can then have enormous consequences. Cybersecurity incidents occur more frequently than we think, although sometimes this news does not come to light. Why? Because these incidents jeopardize the reputation and brand image of companies: when a company fails to protect its customers’ or suppliers’ data, or exposes its sensitive corporate information, it can suffer a tremendous blow to its reputation in the market and among stakeholders. Would you deposit your money in an insecure bank? In addition to losing prestige, the company will inevitably suffer monetary losses: if it suffers an incident and the event becomes known, the value of its shares will drop in the market.

On the other hand, in the event of a hypothetical hack of a power company’s high-voltage line that leaves that line out of operation, the cost the company will have to face will be triple: first, the losses derived from downtime (during which it will have to pay salaries without generating income); second, the losses derived from the time it takes to resolve the problem; and third, the eventual lawsuits from users for being out of service.

The Landscape

In a survey by the World Economic Forum (WEF) in 2024, 29% of the organizations surveyed reported that they had been materially affected by a cybersecurity incident in the last 12 months. According to the report, the risk of the cyber ecosystem is becoming more problematic, as 41% of organizations that suffered a material incident in the last 12 months said it was caused by a third party; furthermore, 54% have an insufficient level of understanding of cyber vulnerabilities in their supply chain.

The report indicates that there is a growing cyber inequality globally between organizations that are cyber-resilient and those that are not. Only 30% maintain a minimum viable cyber resilience. While large organizations have shown significant progress in this regard, small and medium-sized enterprises (SMEs) have shown a significant decline. The number of SMEs that say they lack cyber resilience to meet their critical operational requirements is more than double that of larger organizations. In this context, 90% of cyber leaders believe that this inequality requires urgent action.

Furthermore, the shortage of talent and cyber skills is increasing at an alarming rate. In the WEF survey, more than half of the smallest organizations by revenue said they do not have or are not sure they have the skills they need to meet their cyber objectives; only 15% are optimistic about significantly improving cyber skills and education in the next two years. And 52% of public organizations say that the lack of resources and skills is their biggest challenge when designing a cyber resilience strategy.

How to Anticipate

The proactive strategies that companies should adopt involve both specific monitoring, prevention, and disaster recovery technologies, and employee training in cybersecurity together with regular audits of the information systems that support production.

Instilling cybersecurity awareness is a key factor. In fact, employee training and awareness in cybersecurity can be the first line of defense against cyberattacks, and it is essential that employees are aware of the risks involved, the actions to avoid, and what the potential warning signs may be. This awareness work must be ongoing (at least twice a year). Afterwards, a phishing test must be conducted to assess how effective that work was.

Another key element of cybersecurity strategies is ethical hacking. Nowadays, companies must hire experts (“white hat” or ethical hackers, who often work in cybersecurity companies) to conduct penetration tests that reveal the vulnerabilities of their systems and production processes before cybercriminals exploit them.

Another important aspect is to plan and build the company’s applications with cybersecurity in mind from the beginning. That is: before building the applications, we must conduct a risk analysis and feasibility study of them from the point of view of information security (cybersecurity).

The idea is that the application security analysis takes place from the beginning, before coding begins. This is one of the practices that modern DevSecOps prescribes.

On the other hand, there is a series of controls that companies should implement to prevent cyberattacks. In this regard, there are several frameworks or certifications (such as ISO 27001) that define what companies should do during the year in terms of cybersecurity to protect their assets and improve their processes.

At Baufest, we are experts in cybersecurity and help companies with a cybersecurity service that includes the design of comprehensive and scalable plans. Through our computer security service, we reinforce operations by supporting the implementation, administration, and assurance of technological infrastructure, both in on-premise and cloud environments. We also guarantee the development of secure and robust software and provide training and awareness services in cybersecurity.

Additionally, we offer an information security management system and provide ethical hacking and ethical phishing services. In this way, we support organizations from start to finish to ensure that they are as protected as possible.