What is Cyber Risk?
In an increasingly hyper-connected world, the internet is a tool that allows you to expand your knowledge and offers numerous opportunities, but the network also hides dangers such as the so-called cyber risk.
What is meant by cyber risk? The Institute of Risk Management defines cyber risk as any risk of financial loss, work interruption or damage to the reputation of an organization, resulting from accidental threats (for example: server shutdown) or malicious ones (for example: stealing of sensitive data) at the expense of the computer system.
Cyber attacks are a threat to every type of industry. According to the latest Clusit Report on ICT security in Italy and in the world, drawn up by the Italian Association for Information Security, 1,871 serious publicly known attacks were recorded in 2020, i.e. attacks with a systemic impact on every aspect of society, politics, economics and geopolitics. That is an average of 156 serious attacks per month, compared to the 139 registered in 2019.
In percentage terms, in the year of the pandemic cyber crime events grew by 12% compared to the previous year, and serious attacks rose by 66% compared to 2017.
The report shows that the most affected sectors were “Multiple Targets” (20% of total attacks), which covers attacks on multiple and often undifferentiated targets; government, military, law enforcement and intelligence (14% of total attacks); healthcare (12% of total attacks); research and education (11% of total attacks); and online services (10% of total attacks). Attacks on banking and finance (8%), hardware and software technology producers (5%) and critical infrastructure (4%) have also increased.
Clusit experts also highlighted an increase in widespread attacks through supply chain abuse, i.e. the compromise of third parties, which lets cybercriminals reach companies’ customers, suppliers and partners.
Cyber Risk: accidental threats and malicious threats
In its Wild Wide Web – Consequences of Digital Fragmentation report, the World Economic Forum underlines the importance of the technologies of the fourth industrial revolution (4IR), which are already bringing enormous economic and social benefits to a large part of the global population. According to WEF data, today more than 50% of the world population has access to the internet and about two thirds of humanity owns a mobile device.
Furthermore, the next generation of 4IR technologies will radically reshape economies and societies: precision medicine, autonomous vehicles and drones are all rapidly growing markets, while artificial intelligence (AI) alone is expected to contribute about +14% to global economic growth by 2030.
Smart technologies have enormous potential and can improve both human life and the planet’s health, but they also bring undesirable consequences, such as cyber risks that have become a danger to individuals and companies alike.
Cyber risk can take different forms:
- Accidental event: all those actions accidentally caused by the user, such as incompatibility of hardware parts, failures or unforeseen events, which can undermine the security of the computer system;
- Intentional offences: all those actions carried out by users who are not authorized to process data or use services. Intentional offences can be:
  - Privilege escalation: access to systems or to areas by unauthorized users;
  - Malicious attacks: attacks carried out via the Internet or other channels by users who, with special software, manage to enter a system and gain the machine’s ability to run programs and access data without being entitled to those operations. Malicious attacks include: buffer overflow, DoS, hacking, social engineering, keylogging, backdoor, spoofing, social network poisoning, spyware, malware, phishing.
Cyber attacks can cause:
- Material damage to electronic and computer systems;
- Business interruption with a consequent economic loss;
- Claims for damages from third parties;
- Loss of customers and suppliers plus reputational damage;
- Professional services charges necessary to contain the cyber attack crisis.
Preventing and defending cyber risks: NIST and GDPR guidelines
There are three main elements that characterize cyber risk:
- Fear: spreading terror to individuals and social groups;
- Spectacularity: the consequent hype caused by the cyber attack;
- Vulnerability: exploiting the weaknesses and the IT vulnerability of an organization, a company or a government institution in order to highlight the fragility of information systems.
Cyber risk must not be underestimated: prevention and protection activities are essential to identify the threats, vulnerabilities and risks associated with IT assets and to protect those assets from accidental and/or malicious threats.
When it comes to cyber security, the main reference is the set of guidelines of the National Institute of Standards and Technology (NIST), which explain how to prevent a cyber attack and how to manage one if it occurs:
- Identify: identify risks, digital and physical assets, and roles and responsibilities within a given context;
- Protect: develop and implement adequate security measures to reduce the effects of a possible cyber attack. To protect data and keep services running, access to resources must be controlled through identity authentication;
- Detect: put in place appropriate measures to promptly identify any type of cyber attack;
- Respond: have a clear, well-defined action plan to limit damage in case of a cyber attack and restore compromised services;
- Recover: promptly recover the attacked system and restore normal operations.
It is important to note that in Europe the protection of personal data in the cyber security field is governed by the General Data Protection Regulation (GDPR), adopted as Regulation (EU) 2016/679 of the European Parliament and of the Council on April 27th 2016. Published in the Official Journal of the European Union on May 4th 2016 and in force since May 24th of the same year, it has applied since May 25th 2018.
The regulation aims to strengthen the protection of the personal data of EU citizens and residents, both inside and outside EU borders, and to simplify the regulatory environment for international affairs by unifying the rules within the EU.
Furthermore, the regulation addresses the export of personal data outside the European Union and obliges all data controllers (including those with registered offices outside the EU) who process data of EU residents to fulfil the obligations it sets out.
What are the security options against cyber attacks?
There are two different levels of protection against cyber attacks:
- Passive security (or physical security): the set of defensive techniques and tools whose goal is to prevent unauthorized users from physically accessing resources, systems, plants, devices and confidential information. For example: reinforced doors that block access to protected areas, usually combined with personal identification systems;
- Active security (or logical security): the set of techniques and tools that protect confidential information and data from unauthorized users and from being compromised. Logical security includes:
  - Hardware and software tools;
  - User authentication, with each user’s operations tracked in log files. This tracking process is called accountability;
  - Authorization to access resources (for example: files, programs, IT devices).
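The three elements of logical security listed above (authentication, authorization and accountability) fit together in a few lines of code. The following is an added example, not code from the original page or from Namirial: users, passwords, resources and permissions are constructed sample data, and the in-memory `AUDIT_LOG` list stands in for the log files the text mentions. Every attempt, successful or not, leaves a log line, which is exactly what makes a user accountable for their actions.

```python
"""Added example: authentication + authorization + accountability (audit log).
All users, passwords, resources and ACL entries are constructed sample data."""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# --- Authentication: store salted PBKDF2 hashes, never plaintext passwords ---
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

# Constructed sample user database: username -> (salt, hash)
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# --- Authorization: which actions each user may perform on each resource ---
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}},
    "handbook.pdf": {"alice": {"read"}, "bob": {"read"}},
}

# --- Accountability: one line per attempt, whether it succeeded or not ---
AUDIT_LOG: List[str] = []

def _log(event: str, user: str, target: str, outcome: str) -> None:
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    AUDIT_LOG.append(f"{ts} {event} user={user} target={target} outcome={outcome}")

def authenticate(user: str, password: str) -> bool:
    """Verify a password against the stored hash; log the outcome either way."""
    record = USERS.get(user)
    if record is None:
        hash_password(password)  # same cost for unknown users: no timing hint
        _log("AUTH", user, "-", "DENIED:unknown-user")
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    _log("AUTH", user, "-", "OK" if ok else "DENIED:bad-password")
    return ok

def access(user: str, password: str, resource: str, action: str) -> bool:
    """Authenticate, then check the ACL; both steps are recorded in the audit log."""
    if not authenticate(user, password):
        return False
    allowed = action in ACL.get(resource, {}).get(user, set())
    _log("ACCESS", user, f"{resource}:{action}", "OK" if allowed else "DENIED")
    return allowed

if __name__ == "__main__":
    access("alice", "correct horse battery staple", "payroll.xlsx", "write")
    access("bob", "hunter2", "payroll.xlsx", "read")
    access("bob", "wrong", "handbook.pdf", "read")
    print("\n".join(AUDIT_LOG))
```

Note that a denied login and a denied access are logged with different outcomes, so a reviewer reading the log can tell a forgotten password from an authorization failure, and an unknown username is handled with the same hashing cost as a wrong password so that response time does not reveal which accounts exist.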
It is therefore essential to adopt technical and organizational measures to protect IT assets and ensure:
- Confidentiality: protected and controlled access to data, so that only authorized users can read the information;
- Integrity: the information stays intact and readable, free from unauthorized alteration;
- Availability: access to data at the expected times and places.
In addition to the authentication system mentioned above, useful countermeasures for defending an IT system from cyber risk include:
- Mandatory Access Control (MAC);
- Intrusion detection system (IDS);
- Network Intrusion Detection System (NIDS);
- Digital signature.
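Mandatory Access Control is the first countermeasure in the list above, and it differs from the user-managed permissions of an ACL: the administrator assigns a security label to every subject and object, and the system enforces a fixed policy that users cannot override. The block below is an added example, not code from the original page or from Namirial, of a toy MAC policy in the Bell-LaPadula style (“no read up, no write down”); the levels, compartments, users and files are constructed sample data.

```python
"""Added example: a toy Mandatory Access Control policy (Bell-LaPadula style).
Labels, clearances and classifications below are constructed sample data."""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered sensitivity levels; compartments add a need-to-know dimension.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

# Clearances of subjects (users) and classifications of objects (files),
# set by the administrator; users cannot change them.
SUBJECTS = {
    "alice": Label("secret", frozenset({"finance"})),
    "bob": Label("internal"),
}
OBJECTS = {
    "press-release.txt": Label("public"),
    "salaries.csv": Label("confidential", frozenset({"finance"})),
    "merger-plan.doc": Label("secret", frozenset({"finance", "legal"})),
}

def mac_allows(user: str, obj: str, action: str) -> bool:
    """Enforce the two Bell-LaPadula rules for a read or write request."""
    subject, target = SUBJECTS[user], OBJECTS[obj]
    if action == "read":
        # Simple security property: "no read up" - the reader must dominate the object.
        return subject.dominates(target)
    if action == "write":
        # *-property: "no write down" - the object must dominate the writer,
        # so secret data can never be copied into a less sensitive file.
        return target.dominates(subject)
    raise ValueError(f"unknown action {action!r}")

if __name__ == "__main__":
    for user, obj, action in [("alice", "salaries.csv", "read"),
                              ("alice", "press-release.txt", "write"),
                              ("bob", "salaries.csv", "read")]:
        print(f"{user} {action} {obj}: {'allowed' if mac_allows(user, obj, action) else 'denied'}")
```

Two consequences of the policy are worth noticing in the sample data: alice, despite a “secret” clearance, cannot read the merger plan because she lacks the “legal” compartment, and she cannot write to the public press release even though she can read it, because that write could carry secret information downwards.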
Cyber Defense: Namirial solutions against cyber attacks
Namirial Cyber Assessment is an innovative platform that evaluates cyber threats from an external point of view, without installing any software.
The results help measure the effectiveness of security controls, identify cyber threats and reveal gaps in technological areas. Organizations can thus identify the areas in which investments should be prioritized to protect the information system and prevent the loss of resources to cyber attacks.
Furthermore, Cyber Assessment helps organizations comply with the obligation in Article 32 (d) of the General Data Protection Regulation (GDPR).
The platform provides two types of analysis:
- Vulnerability Assessment (VA): the analysis of IT systems with the aim of detecting known vulnerabilities of the IT infrastructure on the exposed network perimeter. The service makes it possible to reduce the risk from cyber attacks quickly and in good time, before the vulnerabilities can be exploited by hackers. At the end of the test a report is generated listing all the identified vulnerabilities, each with its risk class and the ways to fix it;
- Cyber Threat Assessment (CTA): the cyber threat assessment service (which includes the Vulnerability Assessment) detects cyber threats, incidents occurring within the organization and vulnerabilities of the systems and services exposed on the public network. This type of analysis is based on external cyber intelligence techniques, requires no software installation and analyzes:
  - The exposure of the attack surface;
  - The technical vulnerabilities of the systems;
  - Data breaches;
  - Malware infections;
  - File sharing over peer-to-peer protocols, and much more.
The reports produced by the analysis allow the company to identify and/or prevent data breaches and to implement actions aimed at mitigating IT risk, thus safeguarding the business. Specifically, the cyber threat assessment service allows you to:
- Discover and fix cyber threats related to malware infections;
- Verify leaked credentials (data breach);
- Recognize data breaches through deep web analysis;
- Identify dangerous and/or copyright-infringing data transfers on peer-to-peer networks;
- Identify vulnerabilities and prioritize their fixing.