How much are companies spending on cyber security before a security incident vs. how much are they spending after one happens? Quantify the risks and make sure to maintain a high level of IT hygiene!
Our fifth webinar from the cycle “Conversations with experts” covered what is nowadays considered one of the most important topics – cyber security. Mr. Srdjan Radosavljevic – a security solution architect for Kaspersky Lab in Europe, who was this webinar’s expert, generously shared a lot from his 17-year industry experience with the participants, including examples of good and bad practice and the importance of having cyber security experts in management.
As government, military, corporate, financial and medical organizations collect, process and store huge amounts of data, much of which is sensitive information (intellectual property, financial data, personal information), it is almost impossible to imagine the damage that could be done if someone gains access to this data before anyone else and uses it for malicious purposes. A guided and secured “digital everyday life” will always be the right answer.
After the significant changes brought by the GDPR (General Data Protection Regulation), nowadays every piece of data that is processed and placed on any IT system is considered confidential. “The biggest value for cyber attackers is information. The cyber attackers are trying to find what is the most beneficial for them, which usually ends up being money (bitcoins and stock market shares), causing an increase in cybercrime and ransomware,” says Mr. Radosavljevic.
The fact that cyber terrorists are carefully picking their targets is further supported by recent cyber attacks on healthcare and medical equipment providers during the current COVID-19 situation. For this industry, the coronavirus is just another challenging situation in a long line of them. Mr. Radosavljevic said that in the everyday life of security officers, chief information security officers and data privacy officers there are a lot of “corona days”. What has changed in these “times of corona” is the pace of digitalization. The consequence is that, in the rush to digitalize, nobody really has the time to put in place the security measures needed to protect their digital transformation.
The same security measures and approaches cannot be applied to each and every system. It is very important to perform a thorough and very detailed analysis of your infrastructure and your network, decide which systems are critical, and then find a way to isolate them or implement some kind of segmentation of your network, in order to enable protection but also to be able to respond to these types of attacks. There is no such thing as 100% security; there is always something that you have to allow or change. A lot of countries, faced with the reality of more frequent cyber threats, are developing national cyber security teams.
“Attacks these days are becoming more and more sophisticated. There are many types of cyber threats; these guys are very creative,” says Mr. Radosavljevic. “As we improve our protective measures and security, the attackers are improving their attacking techniques and tactics as well. IT hygiene is a must! That implies a basic level of understanding of cyber security, information security and data privacy. Baseline training for all employees is crucial to strengthen end user protection,” he adds.
The best approach when deciding about cyber protection is the risk assessment approach. It is of great importance to understand which risk has the biggest impact on your business. Usually risks cannot be neutralized; they can only be mitigated to a certain point.
Turning to governments and how they are coping with this growing issue, the Republic of North Macedonia is not the only country having trouble. The fact is that governments need experienced IT specialists to protect the country’s data, but are willing to pay those specialists only poorly. As a result, they are constantly unable to find people who will work hard to protect the country’s data for that not-so-great wage. There is a noticeable gap in available resources, and that is a problem that remains unsolved.
Mr. Radosavljevic suggested that governments outsource those kinds of services and hire a trusted partner who can guarantee the expertise and technology to support such a process: a well-planned and controlled outsourcing, managed by officials, which states which data can be processed, in which way, where it must be stored, how it must be stored, etc.
In terms of business, IT specialists need the support of top management to implement at least some of the security measures. Security people must be part of the top management. It’s all about the risks: these risks are real, and none of this is made up.
How much money are companies spending on security before a security incident vs. how much money are they spending after one happens? It is telling that, after an incident, there is somehow always money for IT and security operations.
“Usually the top management tends to ‘listen more closely’ when you put a figure next to the type of the incident, so you need to do the quantification. This has shown to be one of the most efficient ways to persuade managers to implement security measures. In order to convince them, try and use showcasing, and focus on stories from our region. Bring out the most common risks and calculate the damage that their occurrence will cost the company, and then from this budget calculate the budget for defensive systems. It’s a kind of insurance approach,” Mr. Radosavljevic advises IT employees.
For Western European countries it is much easier to convince management to introduce security funds because now, after the implementation of GDPR, if they suffer an attack and/or data loss, loss of confidentiality, etc., they are obliged to pay a penalty. The amount of the penalty is calculated from the yearly revenue of the company, so if we are talking about a group of companies those figures are very large. This applies to bigger companies; for smaller companies the numbers are smaller, but they should still help in obtaining the security funds.
Last but not least, it is of crucial importance to protect our children from all types of cyber threats to which they may be exposed. Kaspersky has found a unique way to bring cyber security closer to the youngest with their Green Bear mascot. Using storytelling and illustrated books, the Green Bear has made its way into children’s safety while online.
The webinar was organized by M6 Educational Centre and PrimePoint Partners, and was moderated by Elena Mladenovska Jelenkovikj, CEO of M6 Educational Centre.