Cyber Security ‘Hackers target the weakest link in a company: people’

Tomorrow is Today

We are increasingly becoming internet junkies. We buy online, we read newspapers online, and monitor our health online. This digitisation brings massive opportunities, but also has a dark side: the growing danger of cyber-criminality. “Hackers are becoming more and more professional, which means we need to become more sophisticated in how we protect ourselves,” says Chris Verdonck of Deloitte.

“It is impossible to put a face on the hackers, a cyber-criminal can be a disgruntled ex-employee or part of a criminal organisation.”

Chris Verdonck, Cyber Leader at Deloitte

With its Tomorrow is Today awareness campaign, Deloitte wants to point out the opportunities of exponential growth in innovations to chief executives and managers. But the consulting firm also warns of the risks linked to the growing hyper-connected world. “We live in an information society,” says Chris Verdonck, Partner and Cyber Lead at Deloitte. “Cyber security, the protection of that data, is an inherent part of this.”

More and more companies are building their businesses around data. Thanks to the data of their clients, banks are able to offer individualised and better services. Social media companies are able to offer their applications for free because they monetise the information of their users. And your doctor can provide better assistance because the paper records have been replaced by integrated, digital medical records. “Data is valuable and can end up in the wrong hands. This is why companies need to protect the data with due care and attention,” says Verdonck.

Who are the hackers?

One of the best-known incidents regarding privacy and cyber security in Belgium is the data leak at public transport company NMBS in 2012. The addresses, e-mails and phone numbers of 700,000 customers were available and unprotected on the Internet for months. The incident prompted a shockwave of reactions in Belgium. In the three months after the incident, the Privacy Commission received more than 2,600 inquiries and complaints, about the same number as in the entire year of 2012. The railways immediately took action. “Today we are a lot further,” says Chief Information Security Officer Tim Groenwals. “There is a strategy and an awareness right up to the highest level that cyber security has to be a priority.”

How should we understand this threat? And who are the hackers? “Cyber-criminality has become a lot more professional over the last years,” says Verdonck. “Whereas the threat used to be a simple virus, it has now evolved into a so-called ‘advanced persistent threat’: hackers who break into a system unnoticed over a long period. Cyber-criminals take their time to penetrate deep into the company and calmly look for any information that is useful to them.”

Another frequent threat is phishing, a form of internet fraud which lures people to a false website where they unsuspectingly enter their personal details. This could be a credit card number, a login name or password. The cyber-criminal can use this data to steal money or valuable information. Identity theft, a form of fraud whereby the hacker uses someone's personal details, e.g. to get a loan, is also on the rise.

“It is impossible to put a face on hackers, it’s a large and diverse group,” says Verdonck. “Run-of-the-mill criminals, criminal organisations, social or ecological activists, a disgruntled ex-employee or even governments. They all have different reasons to achieve their goal in the digitised world.”

Relevant cyber threats

How can a company arm itself against these new threats? “First and foremost it is important to call in professional help,” says Verdonck. “If you have a heart problem you go to a heart surgeon, don’t you? And information really is the heart of a company.” Together with the consultant you ascertain what value the information has for the company. This can be strategic and financial information, but also intellectual property or client information. “We then look at how and for whom this information is made accessible to assess the risks.”

The nature of the risk depends on the company. Take BNP Paribas Fortis, Belgium's biggest bank, for instance. BNP is working on mobile banking. “The security of transactions is becoming more complex,” says Jan De Blauwe, head of information security & risk management at BNP. “Consulting your bank account from a mobile device does not need the same security requirements as transferring money to a new beneficiary abroad. The result is more and more diverse methods for authentication.” A client does not want to use a card reader every time he uses his smartphone to make a purchase. Fortunately, technology opens up new opportunities in this respect. “Look at the latest iPhone, which has a sensor that recognises your fingerprint. Why could we not use this to make mobile banking more secure?”

For a company such as Agfa, the risk analysis and approach is entirely different. Agfa Healthcare supplies electronics and software to hospitals and doctors for, among other things, medical imaging and electronic patient records. Digital criminals are often looking for patient data to commit medical insurance fraud, for example. “To give you an idea: on the international black market, credit card details are worth 1 dollar. A patient record is worth 50 dollars,” says Geert Claeys, Technology Manager at Agfa Healthcare. This is why Agfa developed a series of security mechanisms for its products, processes and IT infrastructure. But the biggest risk remains with the customers, the whole chain of users. “Agfa's system runs on the networks and computers of hospitals and doctors. Everyone in the chain needs to be made aware, so that their infrastructure is also safe,” says Claeys.

Weakest link

“A hacker always looks for the weakest link in a system. Usually a person,” says Verdonck. “Employees who leave their PCs in their cars, customers who respond to phishing messages, or employees with an easy password.” This is why a general awareness campaign is so important. One of the techniques Deloitte uses to raise the awareness of customers is to send a false e-mail to the employees of a company. A couple of small mistakes should indicate that it could be a case of phishing. Employees who do click on the link are redirected to a website with training on cyber security. “A structure can be protected with technology, but for people it is not so simple. Campaigns such as this one help companies and their employees to be more aware of digital data,” concludes Verdonck.

De Tijd (24/3)


We are becoming ever more dependent on the internet. We buy online, we read the newspaper online and we monitor our health online. This digitisation brings gigantic opportunities, but also has a dark side: the growing danger of cybercrime. ‘Hackers are working ever more professionally, so we must also fight them more professionally’, says Chris Verdonck, Partner & Cyber Leader at Deloitte.

Published: 24 March 2015

L'Echo (24/3)


We are increasingly dependent on the internet. We buy online, we read the newspaper online and we monitor our health online. It is a digitisation that brings gigantic opportunities but also has its dark side: the growing danger linked to cybercrime. “Today’s hackers are true professionals: we must fight them more professionally,” sums up Chris Verdonck, Partner & Cyber Leader at Deloitte.

Published: 24 March 2015