Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth and I'm the Director of the Practice Identity and Access Management, here at KuppingerCole Analysts. My guest today is for the first time Marina Iantorno. She is a research analyst with KuppingerCole Analysts working out of Stuttgart. Hi, Marina. Great to have you.
Hi, Matthias. Thanks for having me here. It's a pleasure.
Great. And I'm really looking forward to this conversation. We want to talk about the risks of cybercrime and what they mean for organizations of all kinds. When we talk about cybercrime, what is happening nowadays, that the cybercrime is increasing and that is actually increasing, we can see that.
Well, it is true that cyber attacks increased in the last ten years, but we saw a very big spike after the COVID-19 outbreak. I would say the main issue here is that the pandemic changed the way that we conduct our life. And for instance, many workforces migrated from working on-site where the cybersecurity environment was controlled to work from home, where the risk increases, especially due to the possibility of human errors along the way. And it gives space to the increase of the cybercrime.
Is this pure coincidence that it's just the last three years, or would you really blame the global lockdown to be responsible for the increase of cybercrime?
No, I would say that it is not a coincidence. The thing is, like most of the companies as well needed to change and to use digital transformation. Of course it gives a lot of advantage, but at the same time, the transition is likely to present vulnerabilities. And hackers identify these vulnerabilities and break into the system. This is actually the main problem. And, you know, the attacks could come in different ways, like phishing emails, phishing text messages, ransomware. And the main issue is that the attack is a silent enemy because the companies know about an attack or that they were the target of an attack when it is already very late. And this is why there are several damages around this, and there are side effects that are very hard to revert.
Understood. So as you are an expert in dealing with numbers, so when we come to statistics, what is the most common attack that organizations are currently facing? You've mentioned ransomware. Is this still the main thing?
Yes, absolutely. Because the ransomware could come encrypted in an email, for example. So if let's say that an employee opens an email that contains some attachment. You know, some mails are coming in the name of someone of the company. And if the attachment is opened, so there is a ransomware that is inside the system already. And this is something that the companies don't really know that this is happening until, you know, the hackers give information or steal some data or hold some data and ask for a ransom in exchange for this. And this is actually the main issue. So we need to understand that while security professionals work in increasing the cybersecurity, especially working online using different tools like, for example, a VPN or something like that, there are, on the other hand, hackers who are actually improving as well and sophisticating the techniques that they are using to attack. So, yes, ransomware is more than 50% of the attacks that companies present. And we conducted some surveys where we see that this is actually something that is worrying a lot of companies, the ransomware is the main attack that is worrying the companies nowadays.
Okay. Paying ransom means usually that the target should be private companies that do their business for profit. Are they the only targets, or what else are ransomware attacks focused on?
No, not at all. You know, the attacks, cybercrime is affecting every organization, even governments could be the target of a cyber attack. So the problem here is affecting everyone who is online. It is not just private companies.
Right. Can you give a few examples for where these cyber attacks really surfaced, and really made the news?
Yes. There are some cases that are affected, in the entire society nationwide. For example, in 2021, there were two main attacks that I could mention. One of them was the Colonial Pipeline. You know, the ransomware in the U.S. that forced President Biden to declare a state of emergency in Virginia because more than 70% of the fuel filling stations went out of fuel for several days. The hackers took control over these. And, of course, it affected the supply chain of the entire state. And the government paid a ransom monitored by the FBI because there was no other choice. And it was the only way to actually get the control back. Now, later on, the company could recover some of the ransom, but there was a considerable loss on the way. And another attack that was affecting as well the entire nation was in Ireland in 2021 as well because the health system was attacked and it put the entire medical system of the country down and the hospitals, private clinics, private doctors, GPs, were forced to use pen and paper again, and maybe there were different machines that were not able at that moment to use. And of course, it affected the patients. And as well, the hackers were claiming 20 million U.S. dollars, which is actually a lot of money and the Irish government didn't want to pay or negotiate with the hackers. And they published information, private information and sensitive information of five hundred patients, which is actually very bad. And if we go to a more recent attack, Costa Rica is as well under this club. The country is in a state of emergency because, as of May of this year, there was a ransomware that is affecting the entire economy. The customs system was affected and they are still processing important export taxes, for example. Of course, it reduces the income of the country and the salary of public employees was suspended for a month. The government is not negotiating with the hackers. So it's the same situation.
And so far, they have spent $9 million to face the consequences. So, yes, ransomware could actually affect not just a company, but an entire country, as you can see.
Absolutely. And you said Costa Rica, Ireland, the U.S., it seems like everyone can be the target of a cyber attack. I'm afraid if I ask that question, who can be the target, you will say everybody, right?
Yes, exactly, anyone. We can talk from small, medium companies, enterprises, government. And there are no borders because it is happening globally. It is not only in one continent or a specific country. It can happen everywhere. The only thing we need to be a target, is to be online, and the digital transformation is coming with a lot of benefits, but as well with a lot of risks. So I would say any organization of any kind could be feasible to be hacked.
Okay. Now that we've shown the threats, the risks and the dangers, let's get to the more positive side if possible - can we prevent it?
We can mitigate the risk, but we cannot eliminate it. So there is no way, there is no possible way to be 100% safe. The key here is to be prepared for the worst. So unfortunately, this is the only thing that we can do. The companies need to have a plan to survive against this crisis. There are different ways to do so. Of course, knowing the vulnerabilities is, it is actually better in terms of seeing how we are standing against this risk. On the other hand, there is also cyber insurance nowadays that will help us actually to minimize the negative impact, especially in terms of financial situation. So, yes, we cannot really eliminate the risk, but we can mitigate it and we can do things to actually reduce the impact.
Right. And from what you've mentioned in your examples and you've just mentioned insurance, we both are not lawyers, and so it's a bit of dangerous ground, but from your opinion, when you are subject to a ransomware attack, is it advised to pay the ransom?
Well, from the moral and ethical perspective, I would say no, because we need to think that the hackers are usually organizations that work in a very professional way. So they have different responsibilities. And you have even like a kind of customer service attention or something like that, so to speak. And the problem is that if we pay the ransom, we are giving a space to these mafias to keep growing. Now, the main issue is that sometimes we really have no choice but to pay. And in those cases, I would say, how do we know that the information that they actually held for a while was not shared, let's say, on the dark web? So there is no way to actually prove it. And this situation is actually creating secondary effects. For example, in Ireland, where the agency system was hacked. So the hackers, they held information and then this information contained, let's say, phone numbers of these people, maybe emails etc etc, and it created the possibility of different attacks that were coming later on, let's say phishing attacks. So, you know, we have like two very negative effects. One of them is allowing or giving a space to these mafias to keep growing. And on the other hand we are not really sure that this information is not in their own hands. So even though they give us the access back, we don't know what they did with the information that they had for a while. And, I would say no, it is not really advised. And if you actually do this, so do this under the control of the authorities as it happened with the Colonial Pipeline, where they actually paid the ransom but monitored by the FBI.
Right. Okay. This episode is about the risk of cybercrime. And we've been talking a lot about money right now. So, of course, this is the most visible danger that, of course, can occur. And this is maybe one of the driving forces for these cyber criminals to actually do this. But are there other risks, other than just monetary risks for organizations?
Yes, of course. The obvious damage is related to compliance data and operational disruption. But there are other aspects in place. For example, what happens with the reputation of the company? So the brand is one of the most important assets of a company. And if you are a target of a cyber attack, of course your image will be damaged. So probably, there are many contracts that are not renewable afterwards or, gaining, again, a good image in the face of new customers. It is also hard. On the other hand, what happened with the intellectual property loss? So there are many documents that are under copyright. And if those documents are published, well, of course it would make it very hard to repair the image that we have with our associates in terms of business or with the customers. So it is not only about money, but there are other things that, of course, in the end we represent loss of profits for the company, but they are related to something else.
Right. This episode is part of... we are in October, it's part of the Cybersecurity Awareness Month. And we are running very closely to our Cybersecurity Leadership Summit event that will take place in Berlin in early November from the 8th to the 10th of November in Berlin. So we've raised, I think, a lot of awareness just with pointing out, or what you just pointed out, with regards to the risks that can occur through cybercrime. Where would you suggest to learn more about cybercrime prevention, or at least mitigation, as you've mentioned?
Well, Matthias, we are really looking forward to the event in November, on Wednesday 9th November there are several tracks talking about the building of resilience and the importance of reporting the risk. One of the major issues that we see is that many companies do not feel comfortable admitting that they were the target of a cyber attack. And this is a big error I would say, because if the authorities know that there was a cybercrime in place and we register it, it will help professionals to actually track the hackers and prevent and avoid issues or avoid future incidents. And we will be talking about these on the 9th of November at CSLS.
Great. And I think that's really of importance. So beyond the tracks that we do, just getting in touch with your peers, with organizations that face the same challenges. I think that is one of the beauties of such an event. Just to be beyond listening to interesting talks and there will be great talks and great speakers, but also to get in touch in person or virtually with organizations and their representatives that really can give more insight into such a difficult topic and talk to each other. So for today, thank you very much, Marina, for being my guest today, for laying out the risks of cybercrime and for hinting at the Cybersecurity Leadership Summit in Berlin. I'm also very much looking forward to being there in person, to talking to people and to learning more from organizations that are out there in the field doing the daily work. So any final words that you want to add, Marina, before we close down?
Thank you Matthias, for having me here. It was a pleasure to discuss this topic. And the final thing that I would like to say is that we are looking forward to meeting you at the CSLS event. And as you said, there will be great speakers and it is always very good to hear the voice of professionals to actually build a better cybersecurity strategy for our organizations.
Great. Thank you very much. Looking forward to seeing you there. Bye.
Bye bye. Thank you.