
Advenica

There are many examples of companies and organisations that have paid a high price for a lack of information security, both financially and in terms of their reputation. But why aren’t more resources and a higher priority given to preparing for cyberattacks?

The Danish shipping company Maersk says that the cyberattack against them in 2017 cost the company between 200–300 million dollars. Utility companies are suffering from cyber-related malfunctions in several places around the world, for example in Ukraine. There are many more examples.


The term often mentioned alongside cybersecurity is cyber-resilience. Cyber-resilience is an organisation's ability to withstand a possible cyberattack. It consists of technology combined with people and processes in the organisation, and of how well you manage to connect these technical aspects with your business aspects.

But how much energy and money are really put into cybersecurity?

87 % haven’t learned from previous mistakes

According to a survey by the Economist Intelligence Unit (EIU), most organisations invest less than 1–2% of their revenues in cyber-resilience.

The average cost of financing cyber-resilience is approximately 1.7% of the revenue.

The survey, conducted among 450 companies worldwide, shows a lack of ability to learn from previous cyberattacks - only 13% of board members feel that their organisation has learned from past mistakes in cybersecurity. Likewise, few say that their organisation is above average compared with competitors at drawing lessons from a cyberattack. Only 15% of companies indicate that they spend enough on the proactive part of cyber-resilience.

Too much faith in technology

The latest technology and the most skilled IT department are not enough to defend against cyber-related threats. The management and board must have an ambition to put cybersecurity high on the agenda.

Today’s cyber capability extends beyond technical solutions - if there is no willingness to prioritise security awareness internally, investing in products is a waste of money.

Too much faith in their own ability

When we look at the Swedish market we see that 90 % of companies consider themselves to have better cybersecurity compared to their competitors. More than a third even state that they are leaders in cybersecurity.

So how is it that we believe we know all about cybersecurity? Are we just being naïve? Perhaps there is a psychological idea that what hasn’t happened won’t happen. A kind of “It’s been OK so far” mentality.


But in reality, cybercrime is increasing and the average time it takes to discover that you are under attack is 191 days. This means that you can make the decision not to prioritise cybersecurity while an attack is actually taking place.

Too few companies give cybersecurity sufficient priority. Only a quarter of companies have appointed someone on the board to be responsible for the organisation's cybersecurity. 43 % do not have any insurance against cyber threats, although a hacker attack is estimated to cost about 30 million SEK.

Belief in the future

It's time to take security seriously to avoid high risks and costs that could be much more than investing in building a security-conscious organisation. Businesses today are direct targets for many cyberattacks and companies that depend on IT systems for operation, monitoring and governance are particularly vulnerable.

Information that needs to be protected should be identified and new processes introduced to eliminate the risk of information leakage.

If you are transparent and take proper care of information security, you have every opportunity to show yourself as being competitive in many contexts, such as recruitment, new business partnerships and to encourage customers to start or continue using your digital services. It's time to take cybersecurity seriously.

Advenica

The legend of the Trojan War tells the story of how the Greeks tricked their opponents using a Trojan horse. Advenica's CTO draws a parallel to problems that exist in modern IT security technology.

Troy had been under siege for a long time and the Greeks hadn’t managed to enter the city.

Using a diversionary maneuver, the Greeks fooled the defending forces into believing they had withdrawn. Only a large wooden horse was left. The Trojans took the wooden horse to be a prize of war and brought it into the city. What they didn’t know was that Greek warriors were hidden inside the horse. They climbed out of the horse under cover of darkness and opened the gate to the Greek warriors waiting outside.

The story has been used to describe software that is said to do one thing, but which in reality does something else (maliciously). A large part of the Trojans' decision to take the horse into town was based on assumptions about what they observed, without verifying the contents. If they had looked inside the horse, they would have had the advantage of facing the soldiers in daylight, and perhaps more importantly - preventing the city gate from being opened to let in the rest of the army. Instead, the soldiers could fulfil their mission under the cover of darkness.

What did the Trojans do? They accepted what looked like a horse, without checking the contents. Any spectacular war trophy might well have prompted the same actions.

What would a comparison with modern IT security technology look like?

Are there similar problems with modern IT security technology? There are many examples where protection mechanisms make decisions based on the transport method, i.e. the protocol, instead of the data being transported. They therefore run the risk of unwanted content being transported too. Firewalls often operate on ports or protocols. For example, if you use a firewall that accepts all traffic as long as it arrives on port 80, you run the risk of being exposed to the same danger as the Trojans. Nevertheless, such a setup is still common in many IT organisations today.


What’s the reason for it?

It’s probably partly for historical reasons.

The development of defense mechanisms follows the development of attack methods, but they are usually one step behind.

People don’t see a motivation to introduce protection against attacks that have not yet occurred. In some cases, this is an acceptable strategy - in other cases it may have devastating consequences. It’s always about analysing and understanding the consequences if the protection fails.

Are there more precise ways to control the content and not just the packaging? Yes, of course. By clearly defining the content you want to let in (or out) of your network, you obtain a completely different level of protection. The risk of both intrusion and information leakage is significantly reduced. Content-aware firewalls are a good first step, but even better is a policy-based whitelist of approved data content. With such a methodology you can inspect and control traffic at a granular level, down to the smallest data element if you want.
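The difference between filtering on the packaging (port 80) and filtering on a whitelist of approved content, as an added example that is not part of the original post. The policy, the message format and the sample payloads are all constructed for illustration and are not Advenica's product or code:

```python
import json
import re

# Constructed whitelist policy: exactly one approved message type (a sensor
# reading) with every field and its permitted values spelled out. Anything
# not described here is denied by default.
POLICY = {
    "type": {"allowed": {"sensor_reading"}},
    "sensor_id": {"regex": r"^S[0-9]{4}$"},
    "value": {"numeric": True, "min": -50.0, "max": 150.0},
    "unit": {"allowed": {"C", "F"}},
}

def port_filter_allows(port: int, payload: bytes) -> bool:
    """The 'packaging' rule: accept anything that arrives on port 80."""
    return port == 80

def content_filter_allows(payload: bytes):
    """The 'contents' rule: accept only data that matches the whitelist exactly."""
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "not valid UTF-8 JSON"
    if not isinstance(msg, dict):
        return False, "top-level value is not an object"
    if set(msg) != set(POLICY):  # no extra fields, no missing fields
        return False, f"unexpected or missing fields: {sorted(set(msg) ^ set(POLICY))}"
    for field, rule in POLICY.items():
        val = msg[field]
        if "allowed" in rule and val not in rule["allowed"]:
            return False, f"{field}: value not in whitelist"
        if "regex" in rule and not (isinstance(val, str) and re.fullmatch(rule["regex"], val)):
            return False, f"{field}: does not match required pattern"
        if rule.get("numeric"):
            if isinstance(val, bool) or not isinstance(val, (int, float)):
                return False, f"{field}: wrong type"
            if not rule["min"] <= val <= rule["max"]:
                return False, f"{field}: out of range"
    return True, "ok"

# Constructed sample traffic; every payload arrives on port 80.
SAMPLES = [
    b'{"type":"sensor_reading","sensor_id":"S0042","value":21.5,"unit":"C"}',
    b'{"type":"sensor_reading","sensor_id":"S0042","value":21.5,"unit":"C","cmd":"x"}',
    b'{"type":"config_change","sensor_id":"S0042","value":0,"unit":"C"}',
    b'<html><body>not a sensor reading at all</body></html>',
]

def compare(port: int = 80):
    """Return (port verdict, content verdict, reason) for each sample."""
    return [(port_filter_allows(port, p), *content_filter_allows(p)) for p in SAMPLES]
```

The port rule lets all four payloads through; the content whitelist admits only the first and names the reason for each rejection, which is the traceability the text refers to.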

By screening the content instead of the packaging, you achieve full control and traceability. That way you avoid sharing the fate of the Trojan defenders.

Jonas Dellenvall, CTO, Advenica AB