Every security system has its weakness
A talk with cyber expert Marco Di Filippo
Mr. Di Filippo, what do you think constitutes the greatest threat to a company’s cyber security – is it staff?
Marco Di Filippo: No, staff are not a threat per se. They are just the weakest links in the cyber-security chain, so that hackers target them to get inside access to companies. The real threat is the sheer amount of malware available to criminals on the market today, and which the staff are then confronted with. Every now and again there is a real spike in development, which leads to events with enormous consequences – for example the Petya and WannaCry ransomware attacks last year. Another real danger is the exploits traded on the internet or the darknet. Exploits are malware that take advantage of unknown vulnerabilities in software applications, and are then used for widespread hacks. In other words, if a hacker intends to target a given company, it is very, very difficult for that company to successfully defend itself. There is always a loophole somewhere – especially since almost every employee also uses their company device for personal e-mail, surfing, etc.
How important is training for staff?
Di Filippo: Very important! Everyone working for a company should be sensitised to cyber risks. Awareness campaigns and training are therefore essential; they need to be mandatory and adapted to all staff – from the janitor all the way to the board. The goal should also not be to just learn about the latest phishing trends. On the contrary, staff should develop an awareness for potential dangers and be motivated to take action immediately; i.e. by contacting IT. That is the only way that the experts can react quickly enough when a hack occurs, which is key.
Is government able or even in a position to help companies better protect themselves in future – or is that a job for the private sector?
Di Filippo: How can we expect governments to effectively regulate hacking, when state intelligence agencies themselves develop and buy exploits, for example to breach people’s IT systems to investigate crimes? So for me, as long as the state continues to pay money for software exploits and information, that’s an unrealistic prospect. Besides, any prohibition by an individual country would be ineffective anyway: exploits can be simply e-mailed around worldwide; there is no possible way to control their import or export. Moreover, choosing the right IT safeguards also depends on a company’s specific circumstances.
It is therefore up to the private sector to protect itself. The main thing is for companies to isolate and cluster their IT systems, so that a successful hack cannot quickly spread and cripple the entire business. The security measures chosen by a company must be technically comprehensive and continually updated – especially with regard to authorised access from outside.
What do you see as the insurance industry’s role in this respect?
Di Filippo: Insurance cover is an important element, though at the same time, you have to ask a lot of questions. For example, how is a given insurance product designed, and what are its main features? Will the scope be sufficient for your particular company, and does it even offer the right kind of protection? The product has to be the right fit for you, just like with shoes: there’s no point in buying the most expensive pair in the store if they are too small, or the wrong style for the way you walk. That is why a holistic approach is so essential. This even means running a special preliminary audit, which asks questions like: where is the company most vulnerable, and what are its security goals? Insurance is often appropriate only for very specific areas of a company’s IT infrastructure, like its R&D department, for example. These issues have to be examined very carefully.
Should insurers be involved as well and offer corresponding advice?
Di Filippo: Definitely. If you ask me, you cannot insure a company just on the basis of its responses to a standard questionnaire! On the contrary, cyber insurers need to offer appropriate advice and service with their products. I also think that insurers need to move towards terms stipulating that the staff at insured companies be qualified, just like what happened in motor insurance. Just compare the two: nowadays, if a car runs into a tree, the first question that gets asked is whether the driver was qualified and fit to drive, not whether the car suffered a technical malfunction. That’s the direction we should be moving in with cyber risks; i.e. that we train the people who use the IT systems.
Marco Di Filippo has been a computer enthusiast since he was a child, and has worked in IT consulting since 1996 – of which more than 15 years were spent in cyber and IT security, both from the attacking and the defending sides. He specialises in organisational and technical IT security checks and concepts. He has held senior management positions at IT security providers such as VisuKom, Compass Security and KORAMIS.
Marco Di Filippo has been warning companies about the vulnerability of their industrial control systems (ICS) long before cyber attacks became a regular occurrence.
He has therefore played a key role in sensitising people about cyber threats, and in spreading corresponding cyber security strategies.
Mr. Di Filippo is the author of numerous publications and has co-authored several books. In the trade press and on his blog, he regularly writes about weaknesses and breaches in IT security, as well as about the latest developments in the industry.