The first primates probably appeared on Earth 55 million years ago. The first hominids appeared about six million years ago and humans (Homo habilis) 2 million years ago, although more evolved humans are more recent: Neanderthal Man appeared 400,000 years ago and Homo sapiens 200,000 years ago.
The latter started to talk and use tools approx. 150,000 years ago and later started trading, including long-distance commerce, approx. 140,000 years ago. 70,000 years ago, humans started leaving Africa to colonise Asia, Australia and Europe. 50,000 years ago, evolution started to acquire a modern connotation: hunting techniques started to develop, as well as clothing, the cult of the dead and so on; the first written text dates back to 5,000 years ago.
Humans started to develop tools and use metals: a slow evolution followed, which resulted in the first industrial revolution (around 1700 A.D.), mainly centred around textiles and metals, and later in the second industrial revolution, around 1870 A.D., i.e. (only) 151 years ago, with the introduction of electricity, chemical products and oil.
From this moment onwards evolution gained momentum. The first electromechanical calculator was, probably, the so-called Polish “Bomb”, devised and realised by the mathematician Marian Rejewski in 1938. There were various other examples in that period, for example the Z1 by Konrad Zuse, the first based on the binary system, and the various evolutions of the Bomb realised by Alan Turing and Max Newman in 1942. Many consider the latter the first modern computer, realised 79 years ago; for others this record is held instead by ENIAC, which is surely the forerunner of the first commercial computer, i.e. UNIVAC.
This was back in 1951. The symbiosis between human and machine had begun, and in 1960 there were already 6,000 computers, which increased to 20,000 in 1964 and to 63,000 in 1969, 52 years ago. Nowadays it is impossible to say how many computers are around, if we consider the interconnection with other devices: phones, televisions, vacuum cleaners, cars, industrial plants, etc.
The first personal computer was placed on the market by Olivetti in 1975, the same year in which Microsoft was born. Apple was born the following year and brought personal computers into households, with home computers. IT started to evolve rapidly.
Just to bring back memories to the nostalgic, until the 70s punched cards were the primary medium for computer input. Magnetic disks were introduced in 1972: first the 8-inch floppy disk, then 5.25-inch ones and later the more evolved 3.5-inch floppy disks. Nowadays they no longer exist (and the more recent CD-ROMs are not in use anymore, either).
The history of computer networks evolved in parallel. Starting from a network first created for military purposes and later connected to universities, ARPANET was born in 1969 and became the Internet in 1980; it was introduced in Italy in 1986. In 1991, 30 years ago, the World Wide Web was born. Up to this moment, the focus of researchers had been on the functioning of systems. The climate of collaboration among university colleagues did not facilitate the development of information security.
In terms of applications, the first ERP system dates back to the 90s; Amazon was created in 1995, Facebook in 2004 and WhatsApp in 2009. We all know the recent developments. Corporate operations are supported by and depend on IT systems. Corporate systems are connected with those of clients and suppliers, and are often also exposed on the Internet.
And cybersecurity? Going back over the history of mankind, safety in general has always been a crucial factor for peoples who, depending on the risks, adopted adequate defence measures: enclosures and fires against animals, fortifications and weapons against enemies, selection of the place where to build villages taking natural events into account, etc. When risks occur, humans are naturally inclined to develop protection systems.
As far as IT systems are concerned, instead, there have been various factors which did not favour the evolution of cybersecurity: first of all, as mentioned above, the speed at which they evolved; secondly, the spirit of collaboration among technicians for their development; and lastly, the extremely small number of attacks identified, at least until 2000.
Actually, up to then the interest of criminals in cybercrime was not so high, given also the evolution of systems. Hackers were actually IT experts who violated and entered systems often just as a challenge or for fun (the term “hacker” actually means IT expert, and not cybercriminal). The absence of threats, or at least the perception of their absence, did not favour the development of protection systems, nor of a culture of safeguarding.
In the last two decades, nonetheless, criminals have realised the potential wealth of cyberattacks. Criminal networks have sprung up which have invested in cybercrime, as well as auctions in which hacking services are offered and purchased. Nowadays it is possible, even for people with relatively little experience, to rent the software needed for a cyberattack and also to benefit from services for the negotiation and collection of cryptocurrencies. There is a network specialised in every malicious IT service. On the dark web, i.e. an area of the Internet not indexed by conventional search engines, it is possible to purchase all that is needed for an attack.
Just to mention a few global statistics, there were over 800 million malware attacks in 2018 against 12 million in 2009 (see purplesec.us). One of the most serious threats nowadays is ransomware: malware which blocks users’ access to their files using encryption techniques. Usually, cybercriminals demand a ransom payment to decrypt them. Some attacks are generalised, i.e. aimed at the wider population, and ransoms are low (a malicious business based on low amounts at high volumes).
This type of attack normally causes little damage, or damage to small businesses. Other attacks are focussed, i.e. addressed to entities identified through an actual targeting process (high turnover, good economic position, good cash levels). In targeted attacks criminals take time to study their target, to undermine the most effective countermeasures (e.g. backups) and to launch coordinated attacks on all key systems.
The victim, who thought it was well protected, often discovers after the attack that it had some vulnerabilities. Indeed, a weak link in the chain is enough to make it useless, besides the fact that those who launch a surprise attack always have an advantage over those who need to defend themselves.
Therefore, even well-structured companies are forced to pay large ransoms (malicious attacks based on low volumes of attacks in which very high ransoms are demanded). To give an idea of the phenomenon, the cost of ransomware attacks is estimated to have amounted to 5 billion dollars in 2017 and to approx. 12 billion in 2019, and it is estimated that it could reach 20 billion dollars in 2021 (see cybersecurityventures.com).
And what about your company? What is its level of maturity in protection from cyberattacks? Being able to answer this question is the first step to effectively organising the relevant safeguards.
For effective protection it is necessary first of all to understand what to protect and to identify the priorities. Total alignment between the heads of the business and the head of information security has to be ensured. What are the business objectives? How will they be pursued? Who are the stakeholders to be considered? What is the organisational structure of security and what are the relevant roles? What is the asset mapping and evaluation process? How are security strategies defined? Then, it is necessary to assess the status of one’s protection.
What is the level of security expertise of IT personnel? And that of users? Have all IT assets been identified and adequate security measures defined for each of them? From a technical point of view, are security measures adequately applied? Are systems updated on an ongoing basis and are those no longer supported by providers discontinued? Which security management processes are in place? Are vulnerability tests carried out? And simulations of phishing attacks on users? Is there a security incident response process in place? And a business continuity management process?
Once the status has been assessed, it is necessary to define a project to address the vulnerabilities. The same approach is also used to introduce additional protection measures alongside the existing ones. It is necessary to try to reverse the paradigm according to which those who attack have an advantage over those who defend themselves.
We need to remind ourselves that cybercriminals are no longer nostalgic hackers who violated systems as a challenge. They are pragmatic individuals who aim to maximise results. Even if they think they could violate a well-defended target by dedicating some time, they do not hesitate to change target and choose one with lower defences.
What is your project portfolio management process? Do you dedicate an adequate budget to security? What is your project management process? Are there project managers in your company? Which evaluation process do you use to assess the progress of a project? Top management commitment is key for cybersecurity management. How is top management involved? What is the communication and reporting process to top management to inform it about the status of cybersecurity processes and the relevant risks?
The last element to consider is the management of the monitoring system for processes and systems. Have key performance indicators and key risk indicators been identified? Are automatic systems in place to calculate the level of such indicators? Have thresholds, warning systems and reporting systems been defined?
Would you like to discuss these topics in detail, or would you like to receive support in assessing the maturity of your company in cybersecurity matters?