Cyber ​​attacks that kill businesses | Economy

| |

Spread the love

They hate to talk about it, but companies are being forced to admit what's going on in their IT systems. And they are usually spooky stories. This same week, Quest Diagnostics, an American clinical laboratory that is part of the 500 largest companies in that country, reported that the data of 11.9 million patients (including credit cards and bank accounts) were exposed for eight months by the security error of a provider. A few days ago, Travelex Holdings, a London-based company, suspended its services in 30 countries because of another hole in their systems, according to Bloomberg. In Spain there have been very striking cases in recent times, such as the hack in Prosegur at the end of November, or the one that forced the suspension of local programming on the SER network (of the PRISA group) that same month due to an attack by ransomware, a file encryptor that also affected consulting firm Everis; or the one that infected the Torrejón de Ardoz university hospital last month and disabled their computers and screens in waiting rooms (and forced their employees to return to pencil and paper).

Data, which was supposed to be the new gold mine with digitization, is also ammunition for cybercrime, an increasingly lucrative and devastating business. According to figures from the consulting firm Gartner, global business security spending reached 124,000 million dollars in 2019, 8% more than in 2017. The Spanish Observatory of Computer Crimes confirms that fraud, counterfeiting, illicit accesses or violations of industrial property, both to individuals and to companies, have shot up to 110,613 cases detected in 2018 (latest figures available). Four years before, they did not reach 50,000. The National Cybersecurity Institute (Incibe) manages more than 100,000 incidents per year of companies and individuals, of which about 700 correspond to strategic operators (from electricity companies to telecommunications companies, ports …). Almost 5,000 people have been arrested or are being investigated for crimes related to cybercrime in the country, according to Statista.

In sum, thousands of vulnerabilities are discovered each month, something that is increasing. Pilar López, president of Microsoft Spain, said a couple of weeks ago in a talk at Esade that the threat of cybercrime "is more real than ever." And it warned that most Spanish companies are not prepared to respond to a cyberattack that could completely paralyze them. “Fortunately, we are making progress and it takes less and less time to detect it. Companies have to learn to protect themselves and design a global security plan ”. It is true that your company sells products for this, but it is also true that the alert does not only come from the sector. Ana Botín, president of Banco Santander, mentioned cyber protection as one of "the greatest social challenges", last summer, during the shareholders' meeting of the Universia educational platform. "It is important to know where the theft was committed, but also who is responsible," he said. Because criminals are everywhere, sometimes they have the support of their own states and it is difficult to put them on the bench.



Cybersecurity in the world

Average cost of each completed attack

in millions of dollars

Banking

Be. Public

software

Automotive

Insurance

Technology

Investment

Energy

B. of consumption

Health

Distribution

Communication

Travels

Public sector

Source: Accenture

C. AYUSO / EL PAÍS

Cybersecurity in the world

Average cost of each completed attack

in millions of dollars

Banking

Be. Public

software

Automotive

Insurance

Technology

Investment

Energy

B. of consumption

Health

Distribution

Communication

Travels

Public sector

Source: Accenture

C. AYUSO / EL PAÍS

Cybersecurity in the world

Average cost of each completed attack in millions of dollars

Banking

Public services

Software development

Automotive

Insurance

Technology

Investment

Energy

Consumer goods

Health

Distribution

Communication

Travels

Public sector

Source: Accenture

C. AYUSO / EL PAÍS

In the security firm S21Sec they have monitored some bands that have achieved income of more than 50 million euros. "It is a round business, there are studies on the profitability of organizations that speak of returns of 2,000%," says Jorge Hurtado, its vice president of Managed Services. "What 15 years ago was a person in a garage, today are teams of hundreds of people with their own tools and a lot of resources at their fingertips." On the Internet, supposed “companies” that offer completely illegal services are advertised without impunity. "Many clients ask us if it is possible to hack a phone, a WhatsApp, a social network … to which we always answer yes, every system is vulnerable and with the right knowledge and tools it can be hacked," they announce in one of them.

José Luis Narbona, associate professor of criminology at the University of Alcalá and president of the National Cybersecurity Association, does not want to sound alarmist, but mentions that Spain is light years away from what it needs in investment and awareness on this issue. “Everything starts from an economic issue and has become a global war. The increase in attacks on Spanish companies is quite high and inversely proportional to the expense they make to guarantee the confidentiality of the data ”. An investment that is often poor, scattered, and almost always has a sense of urgency that makes it useless for building a true business strategy.

Cyber ​​attacks that kill businesses

Silent scams

Lorenzo Martínez, founder of Securizame and a legal expert in computer crimes, has seen requests for data rescue caused by ransomware in SMEs of 3,000, 10,000 and up to 12,000 euros (in larger companies they can exceed 100,000). He has also seen how many small and medium-sized businesses find themselves disarmed (without access to all their systems) and access the blackmail of criminals when they realize that they are at a dead end. Some even after enduring a month looking for alternatives. "There are also scams such as the so-called CEO scam, of hundreds of thousands of euros." The latter is more sophisticated. Imagine a manager who has to pay an invoice to a regular supplier and receives an email — apparently — from that supplier asking him to make the deposit this time into another bank account. He requests it in a cordial email using appropriate language and addressing him by his first and last name. The executive trusts, changes the destination of the money … and loses it. Out of shame, these blunders are often hidden and not reported. Big mistake. Fernando Anaya, director for Spain at Proofpoint, warns that 93% of attacks use email as a gateway, "hence the importance of raising awareness among employees."



Harmful Software (Malware)

Attacks on the web

Denial of service

Internal leaks

Social engineering

Harmful code

Stolen devices

Ransomware

Bots attacks

By consequences of the attack

Interruption

of the business

Source: Accenture

C. AYUSO / EL PAÍS

Harmful Software (Malware)

Attacks on the web

Denial of service

Internal leaks

Social engineering

Harmful code

Stolen devices

Ransomware

Bots attacks

By consequences of the attack

Interruption

of the business

Source: Accenture

C. AYUSO / EL PAÍS

Harmful Software (Malware)

Attacks on the web

Denial of service

Internal leaks

Social engineering

Harmful code

Stolen devices

Ransomware

Bots Attacks

By consequences of the attack

Interruption

of the business

Source: Accenture

C. AYUSO / EL PAÍS

Cyber ​​attacks that kill businesses

Cybercrime attacks all sectors and is at all levels, although some businesses are more vulnerable than others. The bank, of course, is number one on the target. Also the one that invests the most in protection. The American Federal Reserve (Fed) revealed this last Tuesday. The attack on one of the largest banks in the United States could affect 38% of the financial system in that country, according to his calculations. The Fed staff did the exercise of what would happen if a large entity were blocked and could not make payments and collections for just one day: contagion would be immediate, the rest of the entities would try to leverage their liquidity and 4 out of every 10 dollars of the system would be blocked.

It is not science fiction. A McKinsey report cites that since 2013 so-called “Carbanak attacks” (malware-based thefts) have cost global banks $ 1 billion. In them, committed by at least three criminal gangs, as later credited, the thieves demonstrated to have a sophisticated knowledge of the digital environment and to understand the banking processes, as well as the security breaches to reach ATMs, credit cards and transfers. These actions, which affected a good number of Russian banks, also exposed the increasingly diffuse relationship between cyber attacks, fraud and financial crime. José Luis Martínez Campuzano, spokesman for the Spanish banking association (AEB), believes that “as banks strengthen their protection barriers, cyberattacks drift towards the weakest link in the chain, the customer, through phishing, vishing , smishing ”.

It is the evil of this time: societies more digitized and at the same time more naked in the face of cybercrime. Perhaps that is why the polls show a waste of will. A study by Willis Towers Watson and ESI ThoughtLab, presented in Madrid this week, cites that organizations around the world want to increase their investments in cybersecurity by 34% over the next year, and close to 12% will do so by more than 50 %. But whoever believes that money fixes the problem is wrong. Without comprehensive solutions at all levels of the business the answer will fail, according to experts.

Health, the weak point

It happened in a recent congress of the sector. A security officer for a US company told a Spanish professional about the enormous concern in his country about the attacks on health centers. And not, as you might think, for the simple hijacking or theft of data. “I was talking about fear, for example, that a manipulation of the records could change the blood type of patients. That alone could have catastrophic consequences, ”says the recipient of the confidence. A series of attacks registered in mid-2017 in the sector of drug manufacturers already put pharmaceutical companies on guard, although that has not prevented cases from continuing to occur. Bayer acknowledged two weeks ago that a malware called Winnti infiltrated its computers last year. His defense unit cleaned up the affected systems and found no evidence of the data leak, but Costin Raiu, director of his security team, acknowledged that “just because a company has successfully prevented an episode does not mean that the group of criminals who are behind Winnti do not try again ”.

How should the health sector deal with these problems? Xabier Mitxelena, from Accenture, believes that "it is an easy target because it has many entry doors." The consultancy makes periodic simulations in hospitals and points out that, as a critical sector, companies "have to take the risks of technology more seriously." In particular, he talks about "raising awareness among physicians" and the importance of establishing secure communications. Marco Merino, head of technology for the genomic company Veritas Intercontinental, observes two derivatives of the problem. The first refers to personal health data: “Their exposure is very serious and can be used maliciously for the purpose of blackmail or as a pressure tool on certain groups. This generates millions of annual losses, as can be seen in the sector reports ”. Second is the clinical information that companies use for research and development of new drugs. “We are, therefore, in a situation of industrial espionage. Fortunately, highly evolved models of protection already exist ”.

Public services

In the public sector the matter is similar. The information of several city councils in the United States (from Baltimore to Atlanta or New Jersey, but also small cities like Riviera Beach and Lake City) has already been looted by cybercriminals, and some of these cities have chosen to pay a ransom in order to serve its citizens. In Spain, cases are beginning to occur, such as the one that affected the Jerez City Council in October through an email and blocked all the computers. A month earlier, other Spanish consistories, such as Bilbao, had been attacked by the same virus without much success. The residents of the Andalusian city had to endure for several days the blocking of a multitude of procedures, such as the registry or changes of address. The mayor, Mamen Sánchez, refused to pay any ransom.

For Jesús Romero, consulting partner in cybersecurity at PWC, “technological risk is increasingly important and there is a key point: in addition to preparing to protect its assets, now the company has to be prepared to respond. It is important that it is resilient to an attack, that it knows how to act and remedy it as soon as possible, because time is of the essence ”. Like other respondents, he insists that absolute security "does not exist." "Each company must know the residual risk with which it can live to guarantee the continuity of operations, the protection of its brand and the information of its customers."

Xabier Mitxelena, head of Accenture Security in Spain, gives a very graphic example: “If you enter the subway with your son and see something similar to a sandwich wrapped in paper, the first thing you tell him is not to take it. But when we go anywhere, the first thing we do is look for Wi-Fi without knowing if it is secure. "

Luckily in this case the regulation pulls the development of computer security. The ten long experts consulted cite the European Cybersecurity Regulation, the General Data Protection Regulation or the Private Security Law, along with a handful of royal decrees, regulations and technical instructions that have changed the vision of the problem from the councils of administration. “When I started in this I tried to show that security is not a technological concept; that if you do things right, you have a quality advantage. Until now we have built reactive security, trying to protect the company's perimeter with barriers, but that perimeter has changed and the value of the data has risen as a differentiating element of the company's competitiveness ”, says Mitxelena. At least the big companies say they have security integrated as an embedded element in the business and not as a cost or a separate unit from the rest. They have many more resources and are willing to bet on cybersecurity, because they also know that in the long run it will save them and may offer them advantages over competitors. According to a worldwide study by Accenture published last year, successful attacks cause average losses of eight million euros per company in Spain. In the United States, the loot rises to 22 million.

Learned lessons

The consultants recommend, in addition to raising awareness, testing the capacity of companies with periodic drills and continuous analysis. It is common in the large companies of the Ibex and in some sectors that are also very sensitive, such as pharmaceuticals. And if disaster strikes, keep your fingers crossed and not panic.

Telefónica has learned from the incident it experienced on the morning of May 12, 2017, when it was hit by the ransomware called Wannacry. Today Juan Carlos Gómez, the company's global director of cyber intelligence, explains that senior management is very aware of this issue. Your organization integrates security within the same umbrella and combines different tools, from those offered by external providers to those developed in the company or, increasingly, those obtained from the start-ups where they invest. Its network, says Gómez, is global and is supported by 15 centers located in the countries where it operates. "We have a large volume of assets to protect, we make a great effort to raise awareness among employees because, no matter how many measures you have, someone can click and spread an attack." This security, Fernando Anaya supports, "must be multi-layered, there is no single solution or a single technology, but a process." The same is the opinion of Carmen Dufur, director of that area of ​​the Capgemini consultancy. "In our case, 4,000 people work in cybersecurity around the world and that creates a great community that helps generate intelligence, which in the end is a great added value."



Risks that organizations

considered more relevant and are

working to mitigate

In %. Survey conducted by McKinsey

among its managers

Cybersecurity

Normative compliance

Personal privacy

Artificial intelligence

Employee posting

Reputation of the organization

Capitalization of the company

Physical security

National security

Political stability

Do not know, no answer

Cybersecurity in companies

spanish

Percentage of companies that have

implemented or will do so in the next

two years. By number of employees

Less than 30

30 to 60

From 60 to 150

150 to 300

300 to 600

600 to 3,000

More than 3,000

TOTAL

Source: McKinsey and Deloitte.

C. AYUSO / EL PAÍS

Risks that organizations consider

relevant and are working to mitigate

In %.

Survey conducted by McKinsey among its managers

Cybersecurity

Normative compliance

Personal privacy

Artificial intelligence

Employee posting

Reputation of the organization

Capitalization of the company

Physical security

National security

Political stability

Do not know, no answer

Cybersecurity in Spanish companies

Percentage of companies that have implemented or

They will do so in the next two years.

By number of employees

Less than 30

30 to 60

From 60 to 150

150 to 300

300 to 600

600 to 3,000

More than 3,000

TOTAL

Source: McKinsey and Deloitte.

C. AYUSO / EL PAÍS

Risks that organizations consider most relevant and are working

To mitigate

In %. Survey conducted by McKinsey among its managers

Cybersecurity

Normative compliance

Personal privacy

Artificial intelligence

Employee posting

Reputation of the organization

Capitalization of the company

Physical security

National security

Political stability

Do not know, no answer

Cybersecurity in Spanish companies

Percentage of companies that have implemented it or will do so in the next two years.

By number of employees

Less than 30

30 to 60

From 60 to 150

150 to 300

300 to 600

600 to 3,000

More than 3,000

TOTAL

Source: McKinsey and Deloitte.

C. AYUSO / EL PAÍS

Cyber ​​attacks that kill businesses

In the Mango chain, for example, they have what they call “security ambassadors”, company employees who are not computer scientists, but who are attentive to what is happening in each department. "When we launched the measure we were surprised by the number of people who volunteered." In textiles, efforts are concentrated in the logistics chain, where an error would have a direct impact on the stores. They have another eye on the peak sales periods, such as sales or Black Friday, where they admit to having detected "an increase in attempts (of improper access) of up to 300%".

Back to the past

The virus that infected Telefónica and many other companies and institutions, such as the British national health center, did not specifically target the operator. In a single day, it attacked 140,000 machines in more than 100 countries thanks to a security breach in computers with the Windows operating system not properly updated.

The story that may not be a thing of the past. Javier Antón, Fujitsu's director of cybersecurity, recalls that Microsoft stopped supporting Windows 7 and Windows Server 2008 versions a few days ago. “Many companies that have systems based on these applications have been left without this service and will have to migrate to other systems, something that can generate security holes that cybercriminals will surely take advantage of ”. It is, he insists, an unequal fight where the attackers are able to convert their blows into money in a simple way. “The fight is very lopsided because hackers have only one goal: to attack a defined entity. They have gone from being massive hits to targeted, personalized acts. If they want to attack someone, they just have to bide their time, because no one is 100% up to date on patches or operations support. " When this happens, the payment is always claimed in the form of cryptocurrencies so as not to leave a trace. And although there is no rule that prohibits giving in to extortion, experts recommend never doing so, "unless your entire company is at risk of disappearance," explains Antón. Narbona remembers that it can still be completely useless: paying does not guarantee that your data will be returned. Or try again in the future.

The last resort

When all else fails, insurers come into play, who have developed more and more specific products. All the big ones, from Mapfre to Zurich, Axa, AIG or Generali, have entered this business. At Allianz, for example, they ensure that their products not only serve to protect SMEs and freelancers, but that they are increasingly focused on "a preventive strategy" against cybercrime. Many policies cover everything from forensic certification (expertise on computer damage) to recovery plans for business functions or legal advice and defense against extortion or deletion of the fingerprint. But nothing is free. A Kaspersky report cited by the Incibe values ​​the average budget an SME would need to solve a security problem such as data leaks, fraud or denial of service attacks at 33,700 euros. So the usual thing is to contract policies due to legal obligation or to cover only accidents that would irreversibly affect the company.

Another vulnerability, but in a business sense, lies in the low visibility of the Spanish industry in this sector, often exceeded by the offers made by large international or multinational consulting firms established in the country. The Incibe has some 1,600 firms with national roots, out of the more than 6,000 in the sector. Perhaps it is, as Yago Jesús, Director of Technology at eGarante, mentions that "there is a lot of intrusion in the business and its own R&D is not valued as in other countries". An evil that makes more and more freelancers hired for projects that rotate without job stability and no possibility of creating and sharing knowledge. Or, as Lorenzo Martínez mentions, that the solutions imposed by the market to all this avalanche of locks are always the same: "Have a good backup (backup), when in many cases it can also be encrypted". A problem that has two sides, as Arancha Jiménez, security director of Atos Iberia, recalls: the eternal lack of professionals to respond to the high demand of the market. People who "investigate, evolve." Let them go as fast as the bad guys.

Tips for SMEs

Small and medium-sized companies are more vulnerable despite the fact that they can lose all their resources in an attack. The problem, as Sumauto's communication director Isabel García points out, is that "in their thinking they are still analog." Marco Lozano, head of business services at Incibe, recommends starting with a risk analysis that answers these questions: “What do we do? What processes are critical? If there is an accident, how many processes can I count on to continue working? What are my assets and how am I going to protect myself? Establishing the appropriate measures to maintain servers, an uninterruptible power supply, anti-ransomware prevention applications or making backup copies to restore the system “are not extremely complex things or require a huge investment. But sometimes the day to day does not allow us to implement them ”.

Any policy must start with employee awareness. It is important, as indicated in RSM Spain, that they read the security procedures, report unusual calls or texts, accept security updates, do not click on links from strangers and be careful with social networks. And, especially, avoid connecting to secure wireless networks and do not open unknown emails.

. (tagsToTranslate) cyber attacks (t) kill (t) company (t) alert (t) security (t) IT (t) IT (t) put (t) check (t) company (t) start (t) be ( t) currency (t) usual (t) world (t) hyperconnected


Previous

Don't underestimate the power of your white shoes

Baku reported on the continuation of fighting along the entire line of contact in the conflict zone

Next

Leave a Comment

Adblock
detector