Did you know that the first digital computer was developed in 1943? Just a few years later, people were already speculating that computer programs could reproduce. By the late 1950s, the protocols that allowed telecommunications engineers to work remotely on the network could be hijacked to avoid long-distance tolls and make free-of-charge calls. And yet …

We started talking about cybercrime and cybersecurity much later

We could even say that interest in this field has grown since the 2000s and has intensified considerably in the last 5 years, in close relation with technological development and with the increase in the number of threats, risks and cyber attacks. Of course, the two concepts were debated long before the internet even existed. But at that time only a small group of people could take part in that debate, because only they had access to the new technologies. For the same reasons, the number of cyber criminals was almost insignificant.

The accelerated digitisation of recent years, and the scale and complexity that technology has reached, have been matched by cyber attacks of equal scale and complexity. We cannot talk about accelerated digitisation without talking about its consequence: cybercrime. Every business should be able to operate within normal parameters in the digital environment, without financial loss, data loss or any other damage. In order to combat attacks effectively and keep them at bay, we need to consider a number of best practices and implement a basic level of cyber security.

The advantages of a beneficial legislative context

The European Union is already highlighting the importance of building a minimum cyber security baseline at industry level. In this respect, we bring up the NIS Directive for the security of networks and information systems. To further strengthen countries’ resilience to cyber attacks, discussions are already underway for a new directive, NIS 2.0, with a much broader scope.

Romania is gradually adhering to the Union’s recommendations on cyber security by implementing the NIS Directive through Law 362/2018. Its provisions apply to essential service operators in 7 industry sectors (energy, transportation, banking, finance, health, drinking water, digital infrastructure) and to digital service providers operating in the following three categories: online marketplaces, online search engines and cloud computing services. Among other things, the Directive sets out concrete measures and requirements for effective security assurance. Moreover, it offers guidelines on notifying incidents to the national authority, on training public, private and sectoral incident response teams and, of course, rules for industry training. Failure to comply with the legal requirements can lead to fines of up to 5% of turnover for essential service operators and digital service providers.

In this context, we can also bring up the introduction of the Payment Card Industry Data Security Standard (PCI DSS), which is mandatory for organisations that process card payments. Also in 2018, the Financial Supervisory Authority published a regulation requiring insurance companies to conduct regular testing (so-called penetration tests) through which they can uncover vulnerabilities and flaws in their infrastructures, applications or operating systems. In this way they can confirm that they are applying appropriate security measures. In May 2018, the General Data Protection Regulation (GDPR) also came into force, governing the management and protection of data collected from customers, users and visitors.

Last but not least, starting this year, Bucharest will host the new European Cyber Security Centre, which will improve the coordination of cyber security research and innovation in the EU. It will also be the EU’s main instrument for facilitating investment in cyber security research, technology and industrial development.

Recommendations for building resilience to cyber attacks

Usually, companies all over the world tend to adopt a “security by obscurity” attitude and thus act reactively, only once a cyber attack has been detected. Even if they eventually recover, they expose themselves to major risks such as data corruption, financial loss and reputational damage in front of clients and partners. What’s more, the regulations in force provide for fines for such failures.

Building true resilience to cybercrime also requires a preventive attitude. This means putting in place basic cybersecurity processes at organisational level, which are often more time- and cost-effective. Here we would highlight the early detection of system vulnerabilities, so that they can be addressed before an attack that would lead to far more serious losses. To this we can add developing a security incident response strategy and training internal staff, including the security team, to respond properly to attacks.

The way we choose to respond to a challenge determines our success. It’s a perfectly valid principle in cybersecurity, too. An incident response strategy is therefore based on both prevention and detection. Moreover, we are talking about a long-term, marathon-like approach. A cyber attack can happen at any time – in 2019, for example, Microsoft reported that they were facing over 300 million fraudulent attempts to connect to their cloud services every day.

Moreover, when we talk about technical teams in companies, we mean IT systems administration teams, software development teams and/or security teams. It is vital to give them opportunities to train constantly on realistic infrastructures and systems, so that they can face the challenges and threats emerging in the market using tools and techniques with immediate applicability. An example of such a virtual practice arena is CyberEDU, which combines scenarios inspired by everyday activity with concepts and methodologies aligned to industry standards.

Going further, in order to raise awareness across the organisation and, more importantly, to ensure compliance with GDPR and/or NIS rules, it is recommended that organisations undergo a series of specialised training sessions at least once a year. After the training, simulated and controlled attacks can also be launched, whenever needed or desired, to test the acquired knowledge. In this way the organisation can cover the basics of cybersecurity through theoretical and practical resources that later help employees to properly identify and report such attacks. Subsequently, it will be much easier for the organisation to stop the attack, determine the severity of the incident, notify the relevant stakeholders about the attack, and implement preventive measures against future security incidents. You can read more about this topic on the Bit Sentinel blog.

Resilience to cyber attacks develops from a combination of factors: a legislative framework that prioritises the fight against cybercrime, complemented by a private sector that provides employees with all the means they need to support the incident response strategy effectively.

About the author:

This article is authored by the BIT Sentinel team