What companies should consider
The WU Executive Academy recently hosted a webinar on the topic of “How to Successfully Prevent Cybercrime.” Renowned experts in the field discussed threats and the role of cybersecurity.
Cybercrime has become the 21st century’s global specter – for both companies and governments. Only this past June, cybercriminals attacked more than one thousand enterprises in the US and Europe via the IT company Kaseya. President Biden has proposed a collaboration of 30 countries to jointly launch an initiative fighting cybercrime.
Attacks have also massively increased in Europe – and still, many companies are not up to par when it comes to cybersecurity. Against this backdrop, the WU Executive Academy organized a webinar on the topic of “How to Successfully Prevent Cybercrime,” where MBA students and graduates could grill renowned experts on various aspects of cybersecurity, going beyond its IT aspects. “Cyberattacks pose a serious risk to all companies today. We organized this webinar for our MBA students and graduates to give them the opportunity to discuss this extremely relevant topic with experts from the field,” says Barbara Stöttinger, Dean of the WU Executive Academy.
Cyberattacks have already wreaked havoc on many companies. In the course of my MBA studies, we talked about such cases often. Unfortunately, discussions on cybersecurity are often extremely technical, which is why we adopted a more global approach for this webinar.
Richard Knowlton, Director of Security Studies at the Oxford Cyber Academy and CEO of Richard Knowlton Associates, pointed out that cyberattacks were frequently compared to criminal organizations: “The 2020s are confronting humanity with a variety of extremely challenging international threats, such as shifts in the international economic order, perils in connection with China and Russia, terrorism, conflicts in the Middle East, climate change, and refugee crises. The use of digital technologies by cybercriminals and countries can make all of these threats become even more dangerous.” While cyberattacks are often likened to criminal organizations, “in most cases, it’s not the ‘bad guys’ carrying out cyberattacks. Instead, it’s countries implementing so-called cyber operations, such as manipulating political opinion, espionage, or attacks on a country’s critical infrastructure. In other words, cyberattacks often serve national interests,” Knowlton said.
He mentioned how companies paid billions of euros to cybercriminals every year, for instance in the aftermath of a ransomware attack. However, zero-day exploits, i.e., vulnerabilities unknown to companies that cybercriminals use to infiltrate their systems, were also a huge problem.
The expert emphasized that no company could rule out that it was a potential target. “Sooner or later, all companies, big and small, will become the target of cybercriminals – or it has already happened,” Knowlton said. He also debunked the common misconception that only large companies were attractive targets for cyberattacks.
Every enterprise has access to customer and other data or intellectual property – these are all things cybercriminals can make a profit from.
Thomas Stubbings, cybersecurity expert and CEO of CTS Cyber Trust Services, reported on the strong new trend of attacking companies’ supply chains via software updates. “Cyberattacks hit a society where it’s most sensitive; everyone could be affected,” Stubbings explained. In 2015, 200,000 people in Ukraine experienced a blackout as a result of a cyberattack. Another example is NotPetya. Via a Ukrainian bookkeeping software, the malware exponentially spread throughout the world, causing great damage in various international corporations. The incident even disabled parts of the global value creation chain for some time. And cybercrime has also already caused a fatality: “A year ago, a female patient died due to a ransomware attack on a German hospital which had made it impossible for doctors to treat her in time,” Stubbings noted.
By now, leaders of many countries have realized that they must urgently address this topic: “More and more governments are discussing cybersecurity regulations,” Stubbings said. The US was a pioneer, passing an act concerning health institutions in 1996 and the Homeland Security Act in 2003. “Europe was relatively late when it passed its NIS (Network and Information Security) Directive in 2016.”
Richard Knowlton shared that various UN committees had already started talks on joint cybersecurity measures in 2003. “In the past, we had to make do with gentlemen’s agreements among the various countries with regard to what’s acceptable and unacceptable behavior in cyberspace. But the line between cybercrime and state-funded cyber operations is becoming blurred. If cybercriminals do a government’s dirty jobs, the government will turn a blind eye to these perpetrators’ criminal activities in return.”
So how do you optimally achieve cybersecurity in a company? Maha Sounble, Cyber Security Information Officer at WU Vienna, compared it to driving a car: “Companies need to focus on three dimensions to ensure in-house cybersecurity. First, the technological dimension: we must be able to trust that apps and devices are safe, just as drivers need to be able to trust their vehicles’ technology. Second, the organizational dimension: we have to talk about regulations and organizational processes and roles related to cybersecurity within the company; these would correspond to the traffic rules in the car example. And third, the human dimension: an organization is only as secure as its people’s behaviors: this applies to driving a car as much as to data security and cyberattacks.”
Train your staff to increase their awareness of security issues and risks. A company’s resilience and incident readiness, which is based on intensive preparations for the event of an attack, are crucial factors when it comes to surviving a cyberattack.
Richard Knowlton emphasized the need to focus on humans as a risk factor: “More than half of all cyber incidents are caused by people. Cybercriminals exploit people’s lack of awareness, susceptibility to error, and inattentive behaviors.” He pointed to the developments in the past 18 months as proof: “In the course of the coronavirus pandemic and the massive increase in the number of people working from home, cyberattacks surged.”
This was why not only IT departments but also managers were called upon to comprehensively deal with the topic of cybersecurity, Richard Knowlton said: “Cybersecurity is a topic that concerns everybody in a company and also management must take it very seriously. The company’s fate depends on it.” He stressed that the role of people could not be overestimated: “In the past, we looked at security as something that people were granted. Today, security is actively shaped by people. Companies must analyze the work styles and workflows of their employees and base their security strategy on this knowledge.” He also recommended discussing this topic broadly within companies and regularly putting it on meeting agendas as a strategic focus point.
For Thomas Stubbings, too, awareness was a key factor for ensuring security. “Everybody in an organization has to understand that they are crucial components of their organization’s cybersecurity culture. Only then will companies be able to implement truly secure protective measures.” He advised workshop participants to consider the 80:20 rule. “Eighty percent of attacks are unspecific: they are random. The human factor can be a perk here if everybody agrees to not click on fishy links or plug in a USB stick of unknown origin. Twenty percent of attacks require sophisticated technology and manpower.” So one thing holds true regardless of whether baseline or advanced security is concerned: “Every company must take a good hard look at this topic and develop a suitable security concept based on its risk profile,” Thomas Stubbings emphasized.