Perspectives
Successfully averting cyber-attacks: strategies and techniques
All of a sudden, hackers have access to internal company data and are threatening to publish or encrypt it. They use this tactic to blackmail the company and get money. How can companies protect themselves against cyber-attacks?
It is hard to put an exact number on the financial damage caused by cybercrime. But there are certainly some estimates. According to Cybersecurity Ventures, cybercrime caused damage to the tune of USD 8 trillion worldwide in 2023.
That is ten times the gross domestic product of Switzerland. And the trend is on the rise – by approximately 15 per cent annually. These costs are caused by a wide range of damage, such as stolen, damaged or destroyed data, productivity losses, industrial espionage and the associated theft of intellectual property. On top of this, there are the forensic investigations of the theft, the recovery and restoration of the data and systems, legal costs, reputational damage and, of course, ransom money, which is obtained via blackmail in so-called ransomware attacks.
To counter cybercrime, there is now an equally fast-growing cyber-security industry. According to the figures of the World Economic Forum, this grew four times as fast as the global economy in 2023. But is this enough to stand up to cyber-criminals?
Klaus Julisch: Cyber-attacks are increasing exponentially and companies are investing in security. In this game of cat and mouse, is it the cat or the mouse that has the upper hand?
In essence, it’s the cat. Being on the defensive means I am vulnerable in many different areas, so I must protect the totality of my infrastructure – and on an ongoing basis. In contrast, the attacker only needs to be successful once. Being on the defensive also means that I am subject to regulatory and ethical restrictions, such as in the area of artificial intelligence. Hackers are not subject to any such restrictions when using new technologies.
How do hackers sniff out their opportunities?
The IT environments of companies are becoming increasingly complex and interlinked. You only have to think about cloud computing, robotics, artificial intelligence, work from home, BYOD (bring-your-own-device), remote maintenance, and all the other IT technology that is integrated in everyday life – be it in aeroplanes or hospitals. This makes processes more efficient, brings business partners closer together and smooths the way for innovations. Unfortunately, it also expands the target for digital attacks.
Are you able to identify new forms of attack?
Over the past three or four years, attacks on supply chains have become much more prominent. Cyber-criminals scour suppliers for vulnerabilities that they can then use as “springboards” to access the IT systems of their victims. Apart from that, cyber-criminals seem to stick to the well-established routes. They appear to be pragmatic in this regard, adopting the approach, “if it ain’t broke, don’t fix it”.
Dr. Klaus Julisch is Managing Partner for Risk Advisory, a member of the Swiss Executive and lead partner of Deloitte's cyber practice in Switzerland. As a member of the European cyber leadership team, he takes part in managing the growth of Deloitte's cyber services across the region.
Artificial intelligence changes the threat level
The attacks by cyber-criminals are becoming noticeably more sophisticated. Artificial intelligence has a lot to do with this. Thanks to AI, hackers can identify vulnerabilities in systems more quickly and, since AI has automated many processes, certain attacks have become even easier. Once the attackers have broken through the lines of defence, AI can be used to analyse the stolen data. However, the cyber-security industry has recognised this threat and is working on counter measures, as well as on finding ways to use AI for defence purposes.
Klaus Julisch: Fraudulent emails are still a favoured tool of cyber-criminals. Is it possible that, thanks to AI, they will one day be so good that we will no longer recognise them?
At the moment, most phishing emails can be detected if you know roughly what to look for. Hackers often stress the aspect of urgency – because the recipient must act as quickly as possible, they make mistakes. Links to obscure websites and poorly written content are also suspicious. In addition, I recommend always checking the sender’s email address. But AI is learning fast. The time will come when we can no longer rely on conventional identifiers of phishing emails.
What is your advice for companies in this far-from-level playing field?
Companies have a number of options for protecting themselves. For starters, I would recommend that they practise “cyber-hygiene”. In this context, “hygiene” is understood as a form of “hand washing” – although it doesn’t make you healthy, it helps to prevent infection. In the context of cyber-security, cyber-hygiene for a company first and foremost means doing the basics.
For example?
A good example is patch management, which involves companies regularly updating their software on a company-wide basis and, ideally, doing so automatically. In addition, companies should always install anti-malware software and keep it up to date. Of course, passwords should also be protected, such as with two-factor authentication. In this context, a concept should also be developed for monitoring the access rights of privileged persons such as system admins.
How important is it for employees to be well-informed?
Cyber-criminals often create a false sense of trust and exploit fear or negligence in order to obtain access to buildings, systems or data. This would be a further example of “cyber-hygiene”. It is now standard practice for companies to regularly simulate phishing attacks in order to raise employee awareness. As well as raising awareness, it is also important for companies to show their employees how to identify and report suspicious activities. Another aspect concerns the corporate culture. Companies must create an open environment in which employees are encouraged to report incidents without fear of reprisals if, for example, a confidential document is accidentally sent to the wrong email address.
Protecting company data is a top priority
Another piece of the cyber-security puzzle is the protection of company data. In the case of ransomware attacks, hackers use cryptovirological malware to permanently block access to data unless the company pays a ransom. It therefore makes sense for companies to invest in a back-up storage location that cannot be compromised by cyber-criminals. For smaller companies, this could be as simple as a hard drive that is not connected to the network. For larger companies, cloud providers offer the necessary infrastructure.
Klaus Julisch: If, despite all these precautions, an attack by a hacker is successful, what can you do?
Even if cyber-criminals manage to hack into the company’s IT system, this doesn’t necessarily mean that all is lost. Companies can prepare for such an eventuality in advance by putting together an emergency plan. The plan should comprise clear instructions to ensure a swift response and damage limitation in the event of an emergency. Important: The emergency plan must be practised on a regular basis.
What can a company do in this case?
This depends enormously on the nature of the attack. In general, it is important to understand the extent and method of an attack, in order to be able to contain it. In many cases, systems and data must be restored and recovered. Communication with customers, suppliers, the media and regulators often plays an important part. It might also be necessary to have backup systems in place in order to maintain minimal IT operations while the main systems are being restored. That can be complex.
Should a company pay the ransom?
Many companies pay a ransom to get out of such situations. Unfortunately, that’s a fact. However, the unequivocal recommendation of the experts is not to pay the ransom, because by doing so you are financing cybercrime.
The three most important tips for combatting cyber-risks
- Take the issue seriously. Every company is vulnerable.
- Invest in cyber-hygiene.
- Consider which attacks the company needs better protection against. Proceed in a risk-based manner. Ask yourself: How could an attack take place? What damage could an attack cause? What countermeasures need to be taken?