Cybersecurity in companies
Cybersecurity is a topic that is gaining the attention of more and more individuals and, above all, companies. The risk of cyber attacks has increased year on year, given the growth in networked processes. In this sense, ensuring greater protection and anticipation of incidents is a crucial factor in avoiding damage.
In this field, small and medium-sized companies occupy a prominent place, both because they make up the majority of the Portuguese business fabric (97%) and because, as they deal with various suppliers and communicate with customers, they have increasingly large network mechanisms, which make them very attractive to cybercriminals.
But how do you know if companies are protected? This was the motto of the first talk in the MEO Empresas Talks cycle, an initiative in partnership with ECO, which explored the challenges of cybersecurity and shared security solutions that are simple to implement and manage, suited to the size of each company.
The challenge for SMEs
"Today's topic is dedicated to cybersecurity, more geared towards SMEs. We know that business is changing. All our companies have an increasingly digital business and, therefore, SMEs have the challenge of, in addition to being in a very competitive market (I remind you that our business market has approximately 1.4 million companies and 97% SMEs), today they use collaborative platforms, such as Teams, such as Mail, they use the laptop, the desktop, they use the mobile, therefore, a TV show of devices that allows them to access the company anytime, anywhere, and this raises security issues", said Nuno Nunes, Chief Sales Officer B2B of Altice Portugal, at the opening of the event.
"The issue that I would say is most pertinent for SMEs is the investment they have to make in cybersecurity. They have to understand what the right investment is in cybersecurity, which functions are best suited to protecting themselves, hiring resources that are not always available, and many of them expensive, and, most importantly, the knowledge to keep the functions up to date," he added.
Inequality between SMEs and large companies
In this regard, Pedro Xavier Mendonça, head of the CNCS Cybersecurity Observatory, stressed the importance of SMEs really becoming aware of the need to be protected before anything else, and then gave some suggestions on how they can do this: "If we compare SMEs with large companies, they are in an unequal situation from the point of view of their capacity, which doesn't mean that they are less of a target for cyberattacks. In quantitative terms, we know that individuals, citizens in general, users of digital technologies in general, and SMEs, are the main targets of cyberattacks."
"Often, not only individuals, but also those responsible for SMEs, may think that cybersecurity has nothing to do with them. But we always have something that may be of interest to others, even if it's our privacy. And, in the case of companies, data that is fundamental to the functioning of the organization," he continued. Pedro Xavier Mendonça presented some clear data on this subject from the World Economic Forum's latest survey of around 120 executives at international level, referring to 2023, in which 90% of these executives consider that the inequality between the cybersecurity capacity of SMEs and that of large companies "is an urgent problem to solve".
In the same presentation, the CNCS head also shared Eurostat data for 2022, which shows that 80% of large companies in Portugal have ICT security policies in place, while only 48% of SMEs do. With regard to awareness-raising among employees, the figures are 89% for large companies and 63% for SMEs.
"Portugal, like other EU countries, has its economic fabric based on SMEs. With regard to the cybersecurity economy, data from a report that the CNCS published in 2022, with data from 2021, shows aspects relating to supply and others relating to demand. We were able to identify that at least 144 companies offer cybersecurity services in Portugal, that cybersecurity professionals are relatively new and highly trained, and that there is an increase in cooperation between companies with the creation of more Cybersecurity Communities," he said.
However, there are still problems: "Just over a third of SMEs have a cybersecurity budget of less than three thousand euros a year; at least one in six SMEs has difficulties finding cybersecurity professionals, and the main reasons are the shortage of professionals (for 78%) and their high cost (for 57%)."
Main cyberattacks
With regard to incidents, Pedro Xavier Mendonça referred to the increase that has taken place every year and gave some reasons for this. "The human factor is very important in cybersecurity and this is visible in some cybersecurity incidents. In 2022, at least 51% of the incidents recorded by CERT.PT directly involve the human factor. SMEs continue to be one of the main targets of cybercriminals who aim to make economic gains through extortion and fraud. Ransomware is also a concern, particularly because of its impact. Cases of compromised corporate email, phishing, CEO Fraud, among others, are worrying."
For SMEs, he highlighted ransomware and CEO Fraud as the most relevant and detailed them: "Ransomware has a very strong technical component. It's malware that decrypts information, but often it enters the organization through the human factor, for example by compromising an email account. This compromise can occur in a number of ways - the attacker has found a password for this account on sale or available on the dark web; or the attacker has collected this information through a phishing attack; or even through brute force, i.e. using software that manages, by trial and error, to discover the password. Through this account compromise, the attacker manages to escalate privileges and ends up installing ransomware on the systems himself."
"Another case that deserves attention is CEO Fraud (BEC), which concerns corporate emails that are compromised. They are sent to key figures within the organization, linked to the financial component, so that suppliers' IBANs are changed, for example, and then bank transfers are made to these fraudulent IBANs," he continued.
Among the entry points and fraud scenarios presented as ones to guard against in order to avoid these cases were the exploitation of technical vulnerabilities that are not resolved, "in other words, it is important that organizations keep their systems up to date, precisely to resolve these vulnerabilities"; the compromise of remote access, or even simply emails that contain attachments or links with malware; the impersonation of a supplier and customers (typosquatting); the impersonation of an employee to change the destination of their salary; and the impersonation of a superior requesting gift cards.
Cybersecurity solutions available on the market
The presentation was followed by the talk, which was also attended by Pedro Xavier Mendonça, as well as Vitor Mota, IS/IT director at the JAP Group, and Jorge Rodrigues, pre-sales coordinator for cybersecurity at MEO Empresas.
"Cybersecurity applies to all companies and is a challenge for any organization, whether public or private, small or large. What we see is that there is more capacity to address cybersecurity issues in large companies, but since SMEs are the most representative group of companies in Portugal, it is also a major concern that these companies have good cybersecurity practices and that they themselves are secure in terms of their processes and systems. Many of them think that they are not an attractive target for a possible attack, but nowadays the attack surface is huge, these companies have relationships with other companies too, and so the whole chain has to be part of this ecosystem, which has to be protected," Jorge Rodrigues began.
However, the question of how little SMEs invest in cybersecurity is an obstacle to this protection, even though there are more accessible solutions: "The three thousand euros that SMEs have on average to invest in cybersecurity is very low. But MEO Empresas makes huge investments in platforms and specialized technicians and can thus provide services and help these SMEs, which, without having to make very large investments, have at their disposal a set of very advanced services in terms of cybersecurity, which can be made available as a service. We have several examples of this, including relatively simple things like backups, firewall as a service solutions, endpoint protection solutions, remote access solutions via VPN for employees who need to be mobile."
The same opinion was shared by Vitor Mota, from the JAP Group, which is a customer of MEO Empresas: "I think that nowadays any company, be it small or large, has to change the paradigm it used in the past, because in the past security was only reactive and perimeter-based. Nowadays, companies are completely networked. In our case, for example, we work in six countries, we have dozens of facilities, we have more than three thousand employees, who today don't just use the PCs we provide with our rules, they use other types of devices, at home, in the café, remotely, so for us, security today is something that has to happen on a day-to-day basis."
To this end, the head of the JAP Group believes it is of great importance to "convince the top management of any company that security has to have a budget", but warned that this budget "can't just be for IT", since the process of hiring employees has to be different, as well as outsourcing cybersecurity issues when necessary.
Outsourcing cybersecurity services - AI as an ally or a threat?
In the case of the JAP Group, this outsourcing happened, according to Vitor Mota, when they started "dealing with all the alarming on all the network assets, whether network equipment, PCs, mobile devices, servers, firewalls". "The amount of alarms and false positives we get doesn't give us time to react. And then we don't have the internal knowledge to deal with all those situations. That's why we had to surround ourselves with manufacturers and specialists and we took two very important steps. One was to outsource the data centers so that we can rest assured that the power, etc., is working and that we are protected, in order to focus more on value-added activities. Another very important point was that we decided that we had to have multifactor authentication, because it's easy to find users and passwords on the dark web."
Even so, despite the need to outsource cybersecurity services to various companies, Pedro Xavier Mendonça once again mentioned the lack of professionals in the field as a problem affecting supply. In addition, the lack of resources in SMEs and the lack of awareness among managers don't help either. "There's a preconception that cybersecurity is just a computer science thing and that doesn't work in our favor. Cybercrime is also growing a lot on an as-a-service basis, i.e. organizations that have a technological structure that they make available to people who don't have technical knowledge, but who then operationalize its implementation."
In this regard, the head of the CNCS Cybersecurity Observatory brought up the subject of Generative AI as an ally in cybersecurity, but also as a major threat. "Generative AI creates content which, for human factor cases, is terrible. We foresee difficulties and we have to watch out for them. Of course, AI is also a mechanism to help defend, protect and detect threats, anomalies in systems, and it can even replace a lot of the painstaking work of incident response teams. But in terms of threats, what seems worrying is the creation of content, calling into question the trust we have in our visual and auditory perception. It's no longer enough to see to believe. So we have to have zero trust in terms of processes. We have to have double confirmation mechanisms, guarantee that processes can only be changed in certain ways. It's not a lack of trust, we have to say that it's a mechanism that has to be in place," he concluded.