Published 22. Aug. 2022

What Do You Do If You Fall Victim to a Cyber Attack?


As cyber attacks become a more constant threat, organizations are forced to examine their risk management strategies. Check Point found that there were 50% more attacks per week on corporate networks in 2021 compared to the previous year.

On top of that, more than 55% of large companies are not effective at stopping cyber attacks, identifying and fixing breaches, or containing the impact. Accenture’s State of Cybersecurity Resilience 2021 report also noted that 81% of CISOs said that “staying ahead of attackers is a constant battle and the cost is unsustainable” compared with 69% in 2020.

During our ME Business Buzz Outlook panel discussion, “What to Do if You Fall Victim to Cyber Attack?”, we spoke to Nuno Martins da Silveira Teodoro, Cyber Security and Privacy Officer of Huawei Portugal, and Tom Hofmann, CISO and DPO of Eniwa AG, about whether humans really are the weakest link, as well as the role CISOs play in this increasingly risky security landscape.

 
Nuno Martins da Silveira Teodoro is a cybersecurity expert with experience in cybersecurity strategies and programs, threat intelligence, cybercrime and warfare, and data privacy. He has worked with regulating bodies and managed international certifications and cyber programs.
Tom Hofmann has over 20 years of experience implementing projects from Finland to Tokyo and an interest in how to leverage human-centered innovation in social and technical systems.
 

We need more engaging cyber awareness training 

 

When asked why humans are still the weakest link in cybersecurity despite hours of training, Teodoro countered that humans are simply the “most probable link to be exploited” given the sheer number of employees in any given organization.

He added, “You only need one to execute what criminal actors want.” 

Specifically, he pointed out that bad actors try to exploit people’s need to help and support others. This, combined with a lack of cybersecurity awareness from just one person in an organization, can have devastating effects.

Attackers are becoming savvier by exploiting chinks in the human chain via social engineering. So even the latest technology can leave an organization vulnerable if people lack the right level of cyber awareness. According to the Identity Theft Resource Center’s 2021 Data Breach Report, social engineering attacks such as smishing, phishing, and business email compromise (BEC) were the most common cause of cyber breaches in 2021.  

In fact, the 2022 State of Phish report found that 78% of organizations experienced email-based ransomware attacks in 2021. Moreover, 79% experienced spear phishing attacks while 87% experienced bulk phishing.  

Attackers have all the time in the world to exploit humans in an organization and they’re getting very good at it. In contrast, businesses are simply unable to spend all their time and resources training their employees, which presents a disadvantage.  

As such, Teodoro suggested engaging employees in a pragmatic way when training as opposed to showing slides or running computer-based simulations that they do not identify with.  

He said: “This is where I usually try to target the training courses we do, which is to identify the fine details that can indicate that someone is a victim of an attempted social engineering attack.”

Hofmann agreed that forcing people who are overworked and understaffed to watch boring training videos is ineffective, adding that blaming employees for falling victim to phishing attacks would also be pointless. Instead, he advocated for leaders to try to understand the problems their employees face and what they need to be more secure.

 

Human-centric approach to cybersecurity

 

On the question of a human-centric design of cybersecurity, Hofmann explained that it’s about combining technical and business viability. However, this is made difficult when there is a lack of trust between employees and their supervisors.  

Hofmann recalled that in his experience, project managers’ bonuses are tied to certain projects. Under pressure to deliver, they do all they can even if it means coming up with workarounds that may compromise security.  

Teodoro elaborated, “For sure, penalization is something that creates a culture of fear, and it creates a culture of not alerting or reporting anything or hiding things that could otherwise be critical.” 

“I think we should foster a culture of transparency, a culture of openness, and a culture where everyone is at ease to report to the upper management or CIO or to anyone who has the responsibility that they believe something is wrong, even if it started with them,” he added.  

Hofmann, who agreed, stressed that the only way to build this sort of trust is for leaders to go out and meet people, while also refraining from using blame or shame.  

Even so, both speakers conceded that this will be difficult to do. An organization-wide cultural shift requires the cooperation of each department. The challenge is that everyone has their own agenda and way of doing things. Each person also responds differently to engagement and security awareness training. This means CISOs are faced with the mammoth task of figuring out how to best engage employees across the organization and merge them together to create a holistic version of security culture. 

When asked about the greatest contributor to behavioral change in cyber awareness, Teodoro suggested creating ‘Cyber Champions’. These are employees from different business areas who can spread the message while also serving as a conduit for understanding what each team is concerned with daily in terms of security.

 
 

Ransomware: To Pay or Not to Pay 

 

According to the Sophos State of Ransomware 2022 report, there was a 78% increase in the number of organizations hit by ransomware attacks alone in 2021. It is also an expensive breach. On average, the cost of rectifying the impact of ransomware attacks the same year was USD 1.4 million.

On whether organizations should pay the ransom, Teodoro and Hofmann both agreed that it is the absolute last resort.  

Hofmann specifically noted that paying the ransom only serves to fuel the “ransomware pandemic”. The only exception he would consider is if someone’s life is on the line – for example, if a hospital was hit by a ransomware attack and needed to recover access to their life-saving systems. He warned, however, that there’s no guarantee that everything will return to normal once a ransom is paid because decryption keys do not always work.

Teodoro went on to emphasize that resolving a ransomware attack is a complex process, even if you did decide to pay. Finance leaders should consider if they know how to negotiate with ransomware attackers and if they have a team in place with the required expertise to handle such situations.

This is particularly important given that in 2021, 65% of ransomware attacks resulted in data being encrypted, while only 4% of organizations that were breached recovered all their data, according to the Sophos report. Additionally, 90% of organizations that experienced a ransomware attack faced operational issues as a result, while 86% faced a loss of revenue.

As such, the experts recommended setting up a crisis management team for cyber attacks to contain the incident and manage the fallout both internally and externally. After all, when an incident does occur, it has the potential to turn into a crisis.

Teodoro said, “If you have everything on crisis management prepared, you will know that being vocal, transparent, honest, and confront the public facing audience and your customers in a direct and open way are the best possible thing you can do. If you try to hide or conceal it, you will lose all your credibility.” 

Noting that communication is vital, Hofmann expressed his surprise at how leadership in many organizations remains reluctant to openly address breaches on the assumption that it would hurt their brand. He described this as a “biased decision”.

He explained: “I would rather trust a company who is open about it and who is transparent about what they are doing rather than a company that is hiding stuff from me. As a customer, I would ask, do I trust this organization with my data?” 
