As new IT solutions are being developed and more and more function switch over to online platforms, opportunities for criminals open up as well. From the point of view of a cyber security professional in the fight against data break-ins the significance of awareness and prevention stand out.
– SMEs don’t often realize their business could include anything interesting to criminals, Netox Senior Systems Architect Heikki Virkkunen points out.
– If it’s not known what’s not knowzn, it’s easy to end up executing cyber security with antivirus programs or firewalls but completely forget for example the employee cyber education.
The risks and them being realized sometimes come as complete surprises.
– In reality SMEs are tempting targets for criminals exactly because the level of cyber security is not often comprehensive.
Virkkunen names to usual reasons for data break-ins.
– The motivation for cyber criminals is almost without exception money or information that can easily be transformed into money. Notwithstanding are the so-called state actors, i.e. the intelligence agencies of other countries whose objective is to gather exploitable intel, infiltrate networks for cyber war purposes or to otherwise influence.
Virkkunen says an attack can take place indirectly as well. For this reason it is useful for companies to take into account their position in the supply chain.
– Relatively often the real target is in fact situated on a higher level of the chain but breaking in a subcontractor’s systems is significantly easier.
The biggest challenge
When it comes to offering cyber security services Virkkunen has found the idea of the necessity of comprehensive solutions being the most challenging message to deliver.
– Cyber security solutions are often difficult to get included in a budget, since it’s not understood what it is and how it works. It’s easily seen as something that only costs money but doesn’t increase sales.
Virkkunen states that this has a lot to do with the lack of experience.
– If a company has never had to battle cyber security issues it’s all the more difficult to perceive the need for solutions. Data and its significance to business is not yet completely understood. Financial transactions use data and if for example networks get corrupted not a single product ships.
From the expert’s point of view there has been progression.
– Earlier we often met the problem where there existed an awareness of cyber security risks but a lack of familiarity with one’s own risk field and cyber security needs. Now it’s understood that something should be done and there’s also interest towards solutions.
Even though they are regrettable as they happen, Virkkunen sees the big media covered data break-ins having a positive effect as well.
– To companies they flesh out on a great scale what cyber security is and what needs to be in order. Many companies – whether they know it or not – operate through trust. By losing that they also often lose a great amount of their wealth fast.
Virkkunen fittingly compares cyber security to an insurance.
– Obviously everyone has a home insurance even if nothing would ever have happened. This is how cyber security should also be perceived.
Virkkunen emphasizes the execution of whole cyber security programs instead of individual technical solutions but stresses that genuine prevention originates from the top.
– The company’s IT chief of CIO often understand the need for more comprehensive solutions and might even contact a service provider but can’t get the solutions through in his/her own company. In a situation like that it’s pretty much useless for he/she to begin any kind of program.
Another problem has to do with the perception of the form of cyber security services.
– The understanding the companies sometimes have is that cyber security is a project with a beginning and an end. Of course the risks are analyzed and obvious flaws are covered but in the world of information technology the situation might be completely different in merely six months. A successful cyber security program needs the management’s support so that necessary resources are always on hand.
Virkkunen says the most important thing is that not a single sector gets left completely without attention.
– A functional cyber security program guarantees that the management mechanisms and practical implementation are comprehensive, i.e. all business sectors and systems are covered by cyber security governance.
Emphasis is on education.
– The break-ins usually happen in one of two ways. Either the attacker exploits an existing vulnerability or lures a person operating in the network to click a link which in turn leads to a malware program that contaminates the user’s computer. Constantly educating both the end users and board of directors on the rising threats is a relatively affordable way of improving a company’s cyber security.
Expert is happy to help
Because in many organizations there are difficulties in perceiving cyber security as a whole, Virkkunen states that in those cases expert services are not easily seen relevant either.
– This can however be an endangering mistake. In the civilized world there probably aren’t any companies left that wouldn’t practice their business relying to at least some extent on information technology. A cyber security program shields these critical components so that doing business would even be possible.
Even if the risks and solution needs would be perceived, investing one’s own resources in them at the expense of the core business might be undesirable. Outsourcing IT solutions is in fact a smart move for many companies.
– The expert’s task is to make sure that the cyber security program is comprehensive enough and covers essential systems and processes. In smaller companies there might not be a need for a full-time resource so it might be a good idea to procure the cyber security governance as a service.
Expert’s help is also valuable in directing resources.
– When it comes to preventing data break-ins its necessary to stay realistic. The amount of available resources is often limited, and to be able to direct them to right applications, the risk management needs to be solid. Functioning risk management provides a company with a clear image of a riskmap, impact and through them a priority list to help guide resources.
Virkkunen points out an important factor concerning the principals of service providers.
– Questions are a typical approach to the existing cyber security of a company but the problem is that the answers don’t always represent the real situation. On paper everything might be in order, but at the same time no one has made sure whether the process has been tested.
Concrete process check makes the difference.
– The Netox operational procedure has a more hands-on style making it clear to the customer company which systems and processes are critical and this way in need of more comprehensive protection, Virkkunen encapsulates.
Cyber security and remote work
Especially in the light of this year’s events the cyber security expert considers it important to also take into account the characteristics of distance work.
– While distance working it’s important to remember that both common cyber security principles as well as the company’s own policies apply also at home. Internet and different IT systems are global and in no way tied to the location where working takes place.
Remote working has its own distinctive risks.
– The risk level is raised by the security of the home network and other appliances that are connected to it. Surprisingly many household appliance or entertainment center wishes to connect with internet for different services or updates. Especially through IoT appliances it’s relatively easy to access a home network. On the other hand not too many people bothers to segmentalize their home network or even knows how to do it.
Virkkunen acknowledges that company laptops or other such property is often protected opposed to other computers at home but reminds about the predominant setting in IT surroundings.
– One needs to take into account that different types of malware programs have so far found a way to break through all man-made protections. It’s pretty much a constant cat and mouse situation between the cyber security professionals and cyber criminals.
From an expert’s point of view simply raising awareness goes a long way.
– Basic cyber security management as well as the technologies and mechanisms that go with it should be included in common knowledge also at home. Many of us keep important things such as documents and photos only in digital form so even for securing them it’s worth spending a little time and effort.
The employer’s responsibility over the so called cyber welfare of its employees is not something that Virkkunen would encourage to forget.
– Securing remote working belongs in its part in the overall coverage of a cyber security program and it’s also recommended to encourage employees to utilize skills they learn at the company’s cyber security training also at home.
To conclude here are tips from Virkkunen to a very simple and efficient data break-in prevention method, password.
1. Use a different password for every application
2. Use a password management softwares
3. Use MFA to at least the services, that if broken into can cause financial or emotional harm
4. Favor passphrases instead of passwords since they are easier to remember and are longer by nature
5. A password needs to be long enough, preferably 13 characters or longer
You can check the safety of your passwords here: https://www.security.org/how-secure-is-my-password/”>https://www.security.org/how-secure-is-my-password
You can check the safety of your passwords here: https://www.security.org/how-secure-is-my-password
Read more about Netox Cyber Security Services