Cybersecurity and Covid-19: Challenges in computer security to prevent fraud
20 October 2020
The crisis caused by the Covid-19 pandemic has triggered a number of big challenges and tests for the business world, many of which are related to the field of cybersecurity. The boom in Internet use and the huge shift of business traffic to the digital sphere has incentivized digital crime and electronic fraud.
In view of this scenario, what should companies do? What role should cybersecurity play in organizations, particularly in these times of pandemic? Aware of the importance of this topic, the EAE On Session series recently broadcast an event entitled “Challenges in computer security to prevent fraud” in which 5 experts in the field discussed everything that we should know about the issue.
The conversation was moderated by the cyber-investigation specialist Selva Orejón, with the participation of Franz Erni, the Country Manager of Fortinet Perú; Martín Pablo Fuentes, the Security Business Senior Manager at Centurylink; Andrés Galindo, the Chief Business Development Officer at Digiware; and Christian Cuenca, the Information Security Officer at Kushki Pagos in Ecuador.
Ready to learn about cybersecurity and ransomware?
What role does cybersecurity play in this pandemic scenario?
This is a vital issue because we have to evaluate how our companies have been working and, consequently, how the attack surface has changed. We use the term attack surface to refer to everything that could be a target for a significant attack in terms of the continuity of a company’s business operations. There has been a huge change in the way we interact and the location of the data. We used to be based in the office and the perimeter was more secure. That is not the case anymore. It is all different.
I think that the pandemic was like an enforced gap analysis of organizations’ cybersecurity strategies. As a result of this situation, companies have seen whether or not their cybersecurity strategies were robust enough to keep operating. Plenty of companies had to rush to take measures, so not all were well-prepared or equipped to protect cybersecurity. Many companies didn’t give it the significance it deserved.
The role of cybersecurity has become quite strategic and, in our region, despite being so important and a vital element for facilitating digital transformation, cybersecurity was seen as a secondary factor that lots of companies decided to halt, when, in fact, it should have been one of the main areas of investment at that time. What happened as a result? More than 22 cases of high impact ransomware in big companies in Latin America.
Cybersecurity should be an obligation and this is our opportunity to become really strategic. The experts should focus on gaining the terrain that we deserve.
Andrés, has it been possible to shift this perspective of cybersecurity from simply as a technological issue to seeing it as a key part of a company’s strategy?
I have to be honest, more from the Latin perspective, we like to give the impression that we are fine, even though we have a pandemic within the company. On top of that, we don’t have regulations that force us to expose what is happening attack by attack. In my opinion, at a cultural level, we still have a long way to go to tackle this situation and accept what is happening.
Christian, what is this reality like in Ecuador?
In Latin America, we are all pretty much in the same boat, but it should be highlighted that cybersecurity has to be proportional to the company’s size, processes and strategies. If the company grows, its cybersecurity has to adapt. Likewise, with tools, we cannot keep using the same ones we did in previous years, because the threats are evolving.
What have been the most common incidents and crimes during Covid-19?
There are lots of different crimes, including the following:
Each of these crimes takes advantage of one of the company’s weak points. They may use viruses, phishing campaigns, etc. So, how can we stop them?
Franz, how does the team at Fortinet approach the situation?
One really important point is that we tend to have a reactive culture or, in other words, the incident occurs and then we take measures and, moreover, I end up buying based on need rather than a strategy. Therefore, whatever the size of the company, it is crucial to draw up a plan.
There are lots of types of attacks. The most famous, especially in the press, is ransomware. However, the common denominator is that they all attack the client’s side, so we have to rethink the strategy and focus it towards the client, the end user. Therefore, we have to raise their awareness and teach them that they are responsible for every time they click.
How come crimes are being repeated effectively despite the advances and increased awareness?
In my opinion, what we lack is a culture of cybersecurity in companies and not only in terms of the end users, but also with respect to the members of the cybersecurity team. So, we have to look at the cases that have happened and, rather than ignoring them, use them to adapt our plans.
Martín, do you agree that we need to raise awareness of this issue?
Absolutely. A false sense of security leads companies not to take the necessary measures, both in terms of raising awareness and the technical execution to protect the organization. What we see happening is that companies consider cybersecurity as a side-line of IT or, in other words, they put in a server and a firewall and think that is enough. They don’t see security as a crucial element of the organization’s DNA. Every person and department must, in some way, form part of the cybersecurity strategy.
Not only do we have to be prepared to react in response to any scenario evaluated in our security plan, but we also have to be ready to respond in the worst-case scenario.
The attack surface multiplies. That is a fact. We didn’t use to have the cloud and now we do, but do we know how to manage it? Do we know how to make the cloud secure? The same thing happens with machine learning. Are we protecting machine learning? But lots of people store all the company’s most important metrics there. Don’t they want to protect it?
Severe vulnerabilities multiplied practically within 3 years. There is no way to cover 15% of these weaknesses. Moreover, another important point is the frequency of the attacks to take advantage of these vulnerabilities: an increase from one crime every 55 days to one every 2 days. So, the risks tripled. We have to ask ourselves as experts whether we are giving companies the right recommendations. We have to think about the solutions that we are proposing and selling.
I believe in optimization. We have to use everything we have available to us in order to apply innovation.
The thing that I will take away with me from the discussion so far is how tricky it is to strike the balance between the need for business development on the one hand, and risk control on the other. One thing that is very useful is to calculate the loss of income and the emerging cost after the incident. When you translate that into a monetary amount, things change.
Moreover, at an international level, state security forces and intelligence agencies have a really serious problem in terms of the end prosecution of the perpetrators of an attack. When you cannot exert sufficient legal pressure, a situation of apathy is generated among the state security forces.
In terms of training and promoting cybersecurity, I recommend showing how the attacks affect the industry and their organization in the training sessions, so that the end users understand that this is a real threat that happens every day, that we may be under attack at any time. Then they will understand that we have to take great care.
In a world that is increasingly digital, cybersecurity has become an essential requirement and, as the experts emphasized, it is not just a technological issue, but it also has to form part of a company’s business culture. By doing so, all the employees, directors and customers will be equipped to strengthen security and prevent cybercriminals taking advantage of the company’s weak points.
What about you? Are you careful every time you click?