Has Covid-19 changed the cybersecurity risk? If so, how and why?
The Covid-19 pandemic has substantially impacted the cyber environment by forcing businesses and governmental institutions into remote work, thus causing the following ramifications: a remote work infrastructure being set up in a hurry without proper security considerations, poorly configured computers connected to the internet directly, a loose protection of corporate perimeter defences, and privately owned computers without appropriate security measures which have been repurposed for work and are being connected to the corporate infrastructure.
The deployment of insecure connections (e.g. no VPN) could cause information leaks, while the use of weak passwords (e.g. for RDP) as well as lack of a firewall or antivirus could lead to the compromise of devices and systems. Outside the corporate network, it is much harder to control employees’ actions on devices as well as much harder to ensure protection. More generally speaking, since much of our activities happen in cyber space, the attack surface has increased and there is more room for different kinds of phishing, malware, and extortion campaigns.
What are the biggest cybersecurity risks in Latvia and the Baltic states?
Cyberspace is global and similar risks apply no matter where you are located. Specific attacks can be observed targeting certain industries, but those attacks are not country- or even region-specific. DDoS (Distributed Denial of Service) attacks can be used as an example. Since last September, they have been aimed at the banks and large companies throughout Europe with the attempt to extort money.
During the past year, cybercriminals demonstrated several predispositions. They tried to exploit people’s confusion regarding two-factor authentication. Users got tricked into forwarding security codes, entering PINs and disclosing sensitive information, as they lacked a proper understanding of how those security measures work, when something is being asked and why.
A move towards social networks has been observed. Cybercriminals targeted users (WhatsApp, Facebook etc.) and sought to take over their accounts in order to access social media pages and business accounts they were managing for the purpose of spreading ads.
A new trend emerged regarding extortion. Ransom was demanded not only to prevent DDoS attacks and regain access to encrypted data, but data was also stolen before encryption and a ransom demanded to prevent a leak of customer data and other sensitive information online.
The Baltic states are less appealing as a target of cybercriminals because of the small market size, comparatively low level of income, and a large amount of the population who communicate solely in their local language. Many global campaigns reach Baltic citizens with a delay, as they have to be translated and adapted.
Another advantage of the Baltic states is a lack of legacy payment methods and technologies that could be used for scamming people, such as payment checks and SMS banking. There are also geopolitical aspects of the activities in cyberspace. State sponsored attacks have been observed but are mostly targeting governmental institutions and large enterprises.
How many cybersecurity incidents did we (in Latvia and the Baltic states) have in 2020, compared to 2019?
The general trend in 2020 was that the number of different campaigns was on the rise everywhere, including Latvia. Compared with 2019, for example, denial of service (DDoS) incidents were on the rise, though this was not specific to Latvia or the Baltics. Financial institutions, internet service providers and large enterprises were targeted by cyber criminals in demand for a ransom, or the company would suffer a massive attack that would paralyze the operation of their website or other important online resources.
Were previous investments (in money, time, understanding) in cybersecurity technologies in Latvia and the Baltic states sufficient?
It is vital to understand that cyber security is not a state but a process. Though Latvia has not experienced national level cyber-attacks or crises caused by them, the annual national budget allocated to cybersecurity is steadily growing (the Covid-19 pandemic will have an impact on expenditure in all the sectors). The globalization of the workforce market has an impact on Latvia too, while a shortage of cybersecurity experts has also been felt in the public sector especially.
Isn't it the case that readiness for and understanding of cybersecurity only comes after an incident?
There is a saying in the current cybersecurity environment: it’s not a question of if you will be a target of a cyberattack, but when? So, it is smart to be prepared. Three groups of organizations are distinguishable: those who learn from others, those who learn from their own experience, and those who never learn. There have been organizations who have fallen for the same attack at least twice, though usually the second time is enough for the lessons to be learned and appropriate actions taken.
What are the most important things a company should do to minimise cybersecurity risks?
There are several things a company must do to ensure an adequate level of cybersecurity. When implementing new technology or evolving existing systems, a component of cybersecurity should not be forgotten. In many cases it has been observed that during the planning and development phase of a new product, only functionality-related matters have been of concern, and security has been regarded as something that can be added later if there is enough time and resources left. But you cannot make a decision about building a house underground and decide to add a window later.
Employees have to undergo regular cybersecurity training to be able to recognize and prevent cyberattacks. Security solutions are becoming increasingly complex and harder to break through using only technical means, thus attackers try using social engineering methods to make employees disregard the internal security processes and procedures, and provide access to the system or give away valuable information. Unsuspecting employees might be the weakest link, but well-trained employees could become your strongest protection. Security measures must be adapted for business processes – otherwise employees will circumvent the security solutions, thus jeopardizing the whole system and ending up with an even lower level of security than before.
It is important to have cyber security professionals in the team. For SMEs, outsourcing and/or cloud-based solutions should be considered as a cheaper or more viable solution, as in-house expertise is expensive and its focus is usually too narrow.
This feature appears in the latest edition of the Baltic Business Quarterly magazine produced by the German-Baltic Chamber of Commerce in Estonia, Latvia and Lithuania, and is reproduced here by kind permission. Find out more at the official website and read the rest of Baltic Business Quarterly magazine here: https://www.ahk-balt.org/lv/publikacijas/zurnals.