Ľubomír Kopáček, cybersecurity expert

How to survive a cyber attack?

It is necessary to keep a cool head, not to panic and to gather evidence. And be prepared.

Ensuring the continuity of your business without investing in cybersecurity is impossible in today’s online world. Yet companies rank it at the tail end of their investment priorities. Few executives realize that the reputational and financial consequences of attacks can take years to repair. Find out more in our interview with cybersecurity expert Ľubomír Kopáček.

How do Slovak companies approach the issue of cybersecurity?

Most do not address this topic until it is too late. Most often when an organisation has already faced an attack, is subject to legal regulation, has a parent company abroad or needs to meet a cybersecurity requirement from its business partners. It has to be said that the situation is significantly better in companies with foreign involvement, where cybersecurity is taken seriously. This is particularly true in companies originating in Germany and France.

Is the situation similar in state institutions?

These overwhelmingly seek only to formally meet the requirements of the Cybersecurity Act. Since its enactment, they have been living under the delusion that the subject is closed to them after the audit. They do not realise that the audit will be repeated periodically and, therefore, that cybersecurity must be systematically managed.

Many executives lack insight into the issue of cyberattacks. What advice would you give them?

Moving from ground zero is often the hardest part. This is where you need to ask for help and assistance. First, it is important to know the extent of the threat, at least in broad outline. For this purpose, I recommend the simple tool “Data at Risk?”. You answer 10 short questions in 5 minutes and then get an assessment that shows you the way to think about the problem. Most importantly, it will direct you to the next steps to address the problem.

What is the motive of attackers when targeting companies and organizations?

There is no single motive, but the most common motives are money and damage to the organisation.

Is it possible to specify how many attacks Slovak companies and state institutions face on an annual average?

I can’t. Those affected are reluctant to admit to the attacks, seeing it as a reputational risk and fearing reputational damage. Government institutions and organizations that are regulated by the Cybersecurity Act have a legal obligation to report serious incidents to an authority, in this case the National Security Agency. However, such information is subject to confidentiality and therefore no one will know about it except the institution concerned and the NSA.

Are there entities that do not face cyber attacks?

If any company thinks that, it’s utopia and clear evidence that they have zero visibility. In reality, they do not know about any incidents because they are unable to identify them. Incidents are faced by every single company or government institution without exception.

From what you say, it sounds like Slovak entities are not paying enough attention to cybersecurity, although it is essential in today’s online world to ensure their business continuity.

Mostly they consider it an unnecessary investment. They do not realize that they may lose valuable data, sensitive information, their production process may be compromised, and the loss of credibility in front of clients or suppliers, which they have been building for years, is also at stake. Capable executives know well how difficult it is to build a company, and they can certainly imagine that it would be even more difficult to repair their reputation after such an incident. Many companies even use a strategy where they calculate the damage in a worst-case scenario, compare that number to the amount they have invested in cybersecurity, and decide that the potential damage is acceptable on a one-time basis. This may make sense from a purely economic perspective. Yes, but it has beauty flaws. The worst-case scenario can happen again, and more than once. It will repeat itself until an organization begins to proactively manage cybersecurity in a way that can prevent attacks. This is where the economic view doesn’t make as much sense. Incidents can also be devastating to companies.

What needs to change for modern managers to be able to prevent incidents?

Ideally, organisations would have a genuine desire and interest in tackling cyber security without being told to do so. However, this is not happening. A change in mindset and education of managers is needed because no manager is just going to be enlightened and told: Let’s spend 5 percent of profits on cybersecurity. They need to know about both the threats and the protection options so that management doesn’t have to activate a Disaster Recovery (DR) plan, which then brings the organization’s operations back to normal. In short, it needs to get from a reactive approach to a proactive one.

You talked about the disaster recovery plan, which is an essential part of the Business Continuity Plan (BCP). But what does that mean in the context of cybersecurity?

It is necessary to have prepared and, in particular, regularly tested different scenarios that have an impact on the operation and survival of the organisation in the context of various “disasters”. A current example is mandatory teleworking. As the home office has been mandated by the state, it can be said to be a disaster from a business perspective. If an organisation has a plan to cope with, for example, a total and prolonged power outage, it can activate that same plan for mandatory homeworking, because it is exactly the same thing. When an organization loses power for an extended period of time, it can also just send most employees home. To survive this outage, the organization must have a scenario ready and tested to organize remote working. The good news is that there is no need to invent anything on your knees when it comes to cybersecurity, as there are norms and international standards that can give us step-by-step advice on how to draw up such plans when creating a BCP.

So what needs to be addressed in a business continuity plan?

Even a few dozen pages would not be enough for a detailed answer. The short summary: it is essential to have plans in place so that unmanaged cyber security does not become a means of amplifying the impact of a disaster. A concrete example is that companies should avoid having employees working from home on their home computers in the event of forced teleworking. The reason is simple. The organization does not control these computers and they could become a means for a cyber attack on it.

Do plans and levels of security against cyber attacks vary by size, type or focus of business?

Of course. They need to have security tailored to whether they are a financial institution, an online business, or are industry and manufacturing oriented. Not only does it vary by sector, but the level of security varies from company to company. It should be appropriate to the purpose and economic capabilities of the organisation. This can be clearly set. The art is to find the proportionality of the amount of investment to the potential damage. However, it is true for all that data is the most valuable and in this case it is irrelevant what sector is involved.

So what should preparing for a cyber-attack look like?

We must be able to react to an attack and ideally prevent it. One can get in line with something that is tried and tested, and if we stick to that, we are more likely to be able to respond to an attack. I am talking, for example, about ISO 27001, Decree 362/2018, or other appropriate standards.

Is it possible to stop the attack in the end?

Only if we have the ability to identify it and have the people and the means to stop it, or at least mitigate its impact. In practice, I would advise managers in such a situation to keep a cool head, not to panic and to gather as much evidence as possible. If they can’t handle it themselves, they should ask a specialist firm to manage the whole event. It is certainly not advisable to handle it on your own.

What is your recommendation in conclusion?

Don’t wait for anything! I’ll repeat myself, but every single company is at risk, and there are few prepared. Taking a small step is better than doing nothing. For starters, I recommend the aforementioned simple “Data at Risk?” tool.

Published: 18. May 2021

Zuzana Omelková

Cybersecurity

GAMO a.s.

This article is part of magazine no.
