Successfully averting cyber-attacks: strategies and techniques

Klaus Julisch: Cyber-attacks are increasing exponentially and companies are investing in security. In this game of cat and mouse, is it the cat or the mouse that has the upper hand?

In essence, it’s the cat. Being on the defensive means I am vulnerable in many different areas, so I must protect the totality of my infrastructure – and on an ongoing basis. In contrast, the attacker only needs to be successful once. Being on the defensive also means that I am subject to regulatory and ethical restrictions, such as in the area of artificial intelligence. Hackers are not subject to any such restrictions when using new technologies.

How do hackers sniff out their opportunities?

The IT environments of companies are becoming increasingly complex and interlinked. You only have to think about cloud computing, robotics, artificial intelligence, work from home, BYOD (bring-your-own-device), remote maintenance, and all the other IT technology that is integrated in everyday life – be it in aeroplanes or hospitals. This makes processes more efficient, brings business partners closer together and smooths the way for innovations. Unfortunately, it also expands the target for digital attacks.

Are you able to identify new forms of attack?

Over the past three or four years, attacks on supply chains have become much more prominent. Cyber-criminals scour suppliers for vulnerabilities that they can then use as “springboards” to access the IT systems of their victims. Apart from that, cyber-criminals seem to stick to the well-established routes. They appear to be pragmatic in this regard, adopting the approach, “if it ain’t broke, don’t fix it”.

Dr. Klaus Julisch is Managing Partner for Risk Advisory, a member of the Swiss Executive and lead partner of Deloitte's cyber practice in Switzerland. As a member of the European cyber leadership team, he takes part in managing the growth of Deloitte's cyber services across the region.

Klaus Julisch: Fraudulent emails are still a favoured tool of cyber-criminals. Is it possible that, thanks to AI, they will one day be so good that we will no longer recognise them?

At the moment, most phishing emails can be detected if you know roughly what to look for. Hackers often stress the aspect of urgency – because the recipient must act as quickly as possible, they make mistakes. Links to obscure websites and poorly written content are also suspicious. In addition, I recommend always checking the sender’s email address. But AI is learning fast. The time will come when we can no longer rely on conventional identifiers of phishing emails.

What is your advice for companies in this far-from-level playing field?

Companies have a number of options for protecting themselves. For starters, I would recommend that they practise “cyber-hygiene”. In this context, “hygiene” is understood as a form of “hand washing” – although it doesn’t make you healthy, it helps to prevent infection. In the context of cyber-security, cyber-hygiene for a company first and foremost means doing the basics.

For example?

A good example is patch management, which involves companies regularly updating their software on a company-wide basis and, ideally, doing so automatically. In addition, companies should always install anti-malware software and keep it up to date. Of course, passwords should also be protected, such as with two-factor authentication. In this context, a concept should also be developed for monitoring the access rights of privileged persons such as system admins.

How important is it for employees to be well-informed?

Cyber-criminals often create a false sense of trust and exploit fear or negligence in order to obtain access to buildings, systems or data.
This would be a further example of “cyber-hygiene”. It is now standard practice for companies to regularly simulate phishing attacks in order to raise employee awareness. As well as raising awareness, it is also important for companies to show their employees how to identify and report suspicious activities. Another aspect concerns the corporate culture. Companies must create an open environment in which employees are encouraged to report incidents without fear of reprisals if, for example, a confidential document is accidentally sent to the

Klaus Julisch: If, despite all these precautions, an attack by a hacker is successful, what can you do?

Even if cyber-criminals manage to hack into the company’s IT system, this doesn’t necessarily mean that all is lost. Companies can prepare for such an eventuality in advance by putting together an emergency plan. The plan should comprise clear instructions to ensure a swift response and damage limitation in the event of an emergency. Important: The emergency plan must be practised on a regular basis.

What can a company do in this case?

This depends enormously on the nature of the attack. In general, it is important to understand the extent and method of an attack, in order to be able to contain it. In many cases, systems and data must be restored and recovered. Communication with customers, suppliers, the media and regulators often plays an important part. It might also be necessary to have backup systems in place in order to maintain minimal IT operations while the main systems are being restored. That can be complex.

Should a company pay the ransom?

Many companies pay a ransom to get out of such situations. Unfortunately, that’s a fact. However, the unequivocal recommendation of the experts is not to pay the ransom, because by doing so you are financing cybercrime.