
2021: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Knowledge sharing

"Many are sitting on a cyber security time bomb - without realising it"

Assessing business risks to ensure the organisation’s continuity is one of a manager’s core responsibilities. When it comes to cyber security, however, there is often a great gap of understanding of what these risks entail. "Too many people think that a one-off investment is sufficient," explains Georges Ataya, Vice-President of the Cyber Security Coalition and Academic Director for the Executive Programmes in IT Management and Information Security Management courses at Solvay Brussels School of Economics & Management.

Georges Ataya

Solvay Brussels School of Economics & Management

Every manager and executive in a company strives to create added value. In daily practice, this implies continuously evaluating business risks to avoid unexpected situations. While this basic management principle seems obvious, too often it appears not to be the case for cyber security.

Research has shown that managers frequently have little or no knowledge of cyber security, and therefore cannot make a thorough assessment of the risks. "Executives underestimate the complexity of that responsibility," says Georges Ataya.

A continuous process of improving

This lack of knowledge starts with a clear fallacy concerning security. "Companies often think that a one-off investment is sufficient to guarantee cyber security. That is obviously not the case. There is no such thing as a one-size-fits-all solution. Because threats are constantly changing, cyber security must be understood as a continuous process of monitoring and improving," states Ataya.

Ideally, a company has a safety committee made up of several specialised technical profiles and board members. "With such a set-up, committee members can clearly inform each other and build mutual trust. In reality, however, many companies don't even have a safety officer. And if they do, he or she is mostly dependent on the IT department for the necessary expertise."

In terms of reporting, as well, the approach is often off the mark. "Security reports mainly emphasise what is going well, whereas the focus should be on what is going wrong," explains Ataya. "This is crucial, because an understanding of the specific vulnerabilities within a company is just as essential as knowledge about a threat."

A crucial part of corporate governance

In other words, while the pursuit of security should be closely linked with the company’s strategy and embedded in its structure, today it is mostly limited to the operational level. As a result, many companies are clearly at risk while they are going through a digital transformation. "They are sitting on a ticking time bomb without realising it," warns Georges Ataya.

Thus, it is crucial to increase awareness about cyber risks amongst managers and executives. "Today, a mature company should be putting in place a clear governance around cyber security, and seeing it as a critical part of wider corporate governance."

To achieve this, however, a great number of people need to improve their competencies in the short term. Now, interested professionals can turn to Skillsbeam. "This brand-new digital tool enables people to weigh up their own competences against the required expertise for cyber security positions. In this way, we hope to give an extra push to all those who are considering a career switch," concludes Georges Ataya. 

Security architecture: achieving competitive advantages through knowledge sharing

As the interest in cyber security is growing at a feverish pace, the role of security architects is becoming increasingly important. Many organisations have implemented an enterprise security architecture as a vital part of their cyber defence. "We see that more and more companies are finally realising that security improves their business."

Benoît Moreau

Enterprise Architect, IT Risk & Security at ING Belgium

Security systems can no longer be based on identical products that are to be implemented in different contexts. They should be architectural structures by design, and thus specifically developed to suit the needs of a company or organisation. ‘If you think about the development of an application, security by design is about ensuring that security is taken into account at all stages’, explains Benoît Moreau, Enterprise Architect IT Risk & Security at ING Belgium.

‘Designing security systems is also about guaranteeing that you can explain how the security works. So-called security by obscurity, meaning that something is secured because no one actually understands its functioning, is something we absolutely aim to avoid.’

Paradigm shift

The goals of security architecture are usually grouped into three categories known as the CIA triad: Confidentiality, Integrity and Availability. ‘We aim to turn security architecture into a competitive advantage’, explains Moreau. This understanding has clearly given rise to a paradigm shift in recent years. ‘We see that more and more companies are finally getting rid of the idea that security is blocking their business. They see their security architecture as a means to create new business.’

In other words, this paradigm shift fundamentally changed how security architecture is being appraised. ‘I often make the comparison with the brakes of a car. These were not only created to slow down your vehicle but were primarily invented to allow the driver to go faster than before. So, translated into a business context, developing better brakes is a security investment that leads to better business results.’

Discussions are improving

In this vision, the Enterprise Security Architecture can be tailored to the specific structure of an entire company. However, this does not necessarily mean that security architects have to start from scratch when developing new security systems. Benoît Moreau: ‘We don’t have to reinvent the wheel every time. On top of the common standards we use, we can learn from big tech companies and reuse their innovations in our own specific contexts. This improves the overall security levels.’

Sharing experiences and expertise among cyber professionals is part of their culture. ‘For example, it is common practice for security algorithms to be made public’, says Moreau. ‘We share the modus operandi between different players in the same sector. This definitely is a big advantage in heavily regulated sectors, where regulators expect a formal demonstration of the security. It also helps to reduce the cost of security.’

Despite this unequivocal importance and the increasing level of awareness, the job of the enterprise security architect is often misunderstood and confused with other security-related jobs. ‘This is why the Enterprise Security Architecture Focus Group of the Cyber Security Coalition is currently working on a position paper that will explain the role and the benefits for the company’, concludes Benoît Moreau.

Every cyber attack bolsters the line of defence

For the general public, 2021 seemed to be a year of large-scale cyber attacks, with the press regularly reporting major incidents in Belgium and abroad. We interviewed Dirk Haex of Belnet and Kurt Gielen of ZOL Hospital, two organisations that were both victims of cyber criminals. Both found it a simultaneously stressful yet instructive experience.

Dirk Haex

Co-General Director of Belnet

One of the most discussed cyber incidents in Belgium this past year was the DDoS attack on Belnet, the IT partner of Belgian colleges, universities, research centres, hospitals, and government institutions. On May 4th, attackers flooded the Belnet network with an immense volume of traffic, saturating it. The consequences of this attack were significant for almost all Belnet customers and end users.

Thanks to its clearly defined crisis management plan, Belnet successfully stabilised the situation within a few hours. Then, the organisation turned its full attention to the so-called ‘post-mortem analysis’. “During this inquiry, we assessed all of our actions very critically, and asked our customers where things could be improved”, says Dirk Haex, Co-General Director of Belnet.

Learn and improve

This assessment also served as the foundation for the improvement programme that Belnet subsequently designed. Haex explains, “The programme contains three sections: a technological component that focuses on stronger embedding in the digital landscape, a component that focuses on communication via various platforms, and a process component that revolves around faster detection and response to incidents."

Ziekenhuis Oost-Limburg (ZOL) was also hit by a cyber attack in 2021. "Through a theft at one of our suppliers, an attacker managed to get hold of the credentials of a number of our users", explains Kurt Gielen, IT manager at ZOL. "We were able to block the incident very quickly, but one of our privileged accounts was compromised for several minutes."

Just as for Belnet, this incident turned out to be a very instructive event for ZOL. Gielen says, "Based on the incident evaluation, we implemented many improvements in our defence system. For example, we are focussing much more on auditing; every action on our server is now recorded."

A long-term, positive impact

Looking back, Belnet emphasises that the attack demonstrated the strength of the existing crisis management plan. "We had already invested a lot in crisis management in the past, which proved to be crucial", stresses Dirk Haex.

"Without our existing crisis communication plan, we certainly would not have been able to react as we did," adds communication officer Davina Luyten. "That is the message we want to pass on to other organisations: draw up plans in advance, before you run into a crisis. Exploit all the expertise available for this in a digital ecosystem. Together, we are much stronger. By telling our story, we hope that the DDoS attack on Belnet will have a long-term, positive impact."

For ZOL too, the cyber attack was an eye-opener. "It has shown that cyber security in a hospital is no longer only a matter of IT; it impacts the entire organisation. That's why it's crucial for the healthcare sector to put much more effort into knowledge sharing and building overarching expertise. We cannot possibly master the cyber threats on our own," concludes Kurt Gielen.  

Ransomware: some facts and figures

Ransomware is a type of malware that blocks access to the target’s personal data or threatens to publish it unless a ransom is paid. Victims may face business downtime if access to critical data is blocked, or the risk of a data leak. Ransomware is considered to be the number 1 threat to business disruption, and that menace has clearly increased during the Covid-19 pandemic.  

Research has shown that one in three organisations pays the ransom to get their data back. Unfortunately, paying the ransom never results in the recovery of all data. On average, only 65% can be recovered.

The average ransom payment in Q3 of 2021 was 134,000 US dollars. A higher proportion of payments came from mid-market sized victims. Ransomware actors are clearly shifting from ‘Big Game Hunting’ to ‘Mid-Game Hunting’. So SMEs should remain vigilant. They do not only risk direct damage to themselves, but also indirect damage to their customers, by infecting their networks.

Moreover, a survey by Sophos in 30 countries revealed that the total remediation cost after an incident varies widely; the highest costs are seen in Austria, followed by Belgium in the number 2 spot. This reflects the considerable manual effort required to remediate an attack; the total cost can be up to 10 times the ransom payment itself.

A holistic cyber security approach is needed

Cyber criminals are continuously improving their tools and techniques, to be more effective and breach more victims. Finding and exploiting security weak spots is their core business. Fox-IT observed threats that specifically targeted the Benelux. Over the past months, organisations throughout the region have been hit by a spate of extremely rapid data breach extortion attacks. The attackers typically steal significant amounts of sensitive data within 30 minutes.

Increasingly, attackers are using vulnerability exploits, including exploits of commonly used protocols such as remote access protocols (e.g. RDP). Clearly, applying anti-phishing security measures alone is not enough; a holistic cyber security approach is absolutely required.


“Former experiences can be a huge asset in creating awareness”

Raising awareness of cyber security and its societal importance is probably the biggest priority, yet also the biggest challenge, for organisations and companies right now. This challenge is not purely technical, but primarily cultural. Thus, it is not only IT profiles that have a role to play in this process. This applies a fortiori to women, who are still underrepresented in the sector.

Sophie Kemenes

Security Education and Awareness Coordinator at Norsk Hydro

Johanna Kinnari

Information Security Manager at OP Financial Group

Creating awareness is inextricably linked to making cyber threats tangible and personal. “Most people still don’t realise it’s their business as well”, explains Johanna Kinnari, the Finnish Information Security Manager at OP Financial Group. “If you cannot relate to the danger yourself, it will always remain too abstract”, adds Hungarian Sophie Kemenes, Security Education and Awareness Coordinator at Norsk Hydro.

Unexpected career changes 

The personal stories of these two female security awareness professionals show how cyber security can shift from something far-fetched to a defining part of one's life. Before she landed a position as information security content specialist at Norsk Hydro, Sophie Kemenes started her career as a freelance content creator and marketeer in the advertising sector. “Norsk Hydro was looking for someone with writing and sales skills. So, even though I didn’t know a thing about cyber security, I was hired.”

“Then, during my third week at the company, a ransomware attack hit Norsk Hydro. Suddenly, I found myself in the middle of an IT hub during an intense battle on all fronts, with an enemy we had yet to identify. With a communication profile, I felt like a war reporter at the battlefield. I was the one telling everyone what was happening”, Kemenes continues. “At this point, I realised what expertise I was missing. So, later on, I explored the field more deeply and got the necessary certificates and knowledge.”  

Johanna Kinnari also initially envisioned a very different career path: “My original education was in barbering and hairdressing. However, I quickly felt this was too basic for me and decided to change to IT. As I knew that I didn’t want to spend my career in coding, focussing on information security and corporate security management was a logical step.”  

Soft skills and subtlety

These stories show that awareness creation is never solely a matter of education and imposing rules. It should rather be considered a step towards cultural change. Therefore, the Awareness Focus Group organised a third edition of the Certified Cyber Security Awareness & Culture Manager course, a peer-to-peer training. A new ‘Culture’ module was recently added to the programme. To support the Women4Cyber foundation, it was invited to designate two participants. Sophie and Johanna were thus able to take part in this course.

“Awareness is about getting people to change their behaviour. Thus, soft skills and subtlety are crucial”, clarifies Kinnari. “Explaining vulnerabilities can only be successful if it’s focused on a practical level. Therefore, former experiences of any kind can be a huge asset”, adds Kemenes.

By sharing this insight, both hope to make cyber security more attractive to women. This also explains their membership of Women4Cyber, a European non-profit organisation whose objective is to promote, encourage and support female participation in the field of cyber security. Johanna Kinnari: “As a top-down approach will never be sufficient, women in this sector should take up their role as ambassadors.”

In addition, the current pandemic clearly offers opportunities for speeding up this process. "On the one hand, people are more exposed to cyber risks because we are all working remotely most of the time. On the other hand, a lot of people have started questioning their jobs, making this a good time to shift careers. We now have to make sure that they know about the exciting opportunities in cyber security”, concludes Sophie Kemenes.  

“We need more awareness and more cyber professionals”

In 2021, cyber security continued to gain ground. One of the main reasons is that, since the Covid-19 pandemic, criminals have had a bigger playing field. More awareness and security measures are needed to protect citizens and businesses from being hacked. The European Union is taking the lead in this matter. Ann Mennens, Cyber Aware Programme Manager of the European Commission, outlines some key European initiatives.

Ann Mennens

Cyber Aware Programme Manager of the European Commission

In October, European Cyber Security Month, the European Union traditionally emphasises the importance of cyber security to all citizens. Promoting cyber security awareness is crucial. "We really need to create more awareness. During the past year, the number of phishing cases has been increasing heavily. We see a rising trend in cyber incidents, a logical consequence of the fact that remote working is the new normal. We do not always secure our home environment sufficiently. You may have the best firewall installed, but hackers can always find a backdoor to penetrate", says Ann Mennens.

Preventive action is the message because the impact of a cyber attack can be enormous. "By demonstrating the danger in advance, we can increase vigilance. Within the European Commission, for example, we do this by sending fake phishing emails. These tests show that we still fall into the trap too easily. But, on the other hand, we have noticed that people are taking action and are reporting suspicious mails more quickly than before. Which of course is a good evolution." 

Need for more women in the sector 

In order to detect suspicious cases faster, the IT and cyber teams of the European institutions are regularly tested and trained. "These exercises are essential to keep them alert, because criminals are becoming increasingly cunning, and European institutions are an interesting target for them. We really need to keep everyone on their toes at all times. But at the same time, we need extra professionals, with the right skills, who can identify the risks and mitigate them." 

Unfortunately, finding that cyber security talent is becoming increasingly difficult. "Moreover, the IT world is dominated by men. We noticed that adding women experts to our cyber security teams creates added value. Therefore, we launched our in-house Cyber Security Training Programme. The programme attracts colleagues from a variety of backgrounds who are interested in upskilling in cyber security, and many women follow the training. With the Women4Cyber initiative and registry we also created a platform to promote and connect female professionals working in cyber security. And it is catching on: more and more women are showing interest and joining."

An inspiring network of professionals 

The European Union is also a source of inspiration for the Belgian Cyber Security Coalition. Ann Mennens has been closely involved since its inception and is one of the initiators and trainers of the ‘Cyber Security Awareness and Culture Manager' training programme. "Awareness for cyber security is not high on the agenda of many companies. We have therefore launched a unique four-month training programme for Coalition members, to help them build the capacity in-house for organising and running effective and efficient cyber security awareness raising activities. 27 participants, from various sectors, completed the course this autumn and obtained their certificate."

Despite all her experience and expertise, Ann still learns from the Coalition. "For every member, the Coalition offers added value. The success depends on its members. Each meeting we exchange experiences and at times challenge each other, and this offers new insights every time. All is based on mutual respect and trust. After all, everyone realises that we must cooperate now if we want to be prepared to face the challenges of tomorrow", concludes Ann Mennens.