The prevalence of small and medium-sized businesses in Malta is a strength, not a weakness, in the country’s preparedness to deal with cybercrime, according to Lisa Forte, Co-Founder of Red Goat Cyber Security and a known leader and speaker in the field.
Although each individual company may be more likely to fall victim to cybercrime because it lacks the resources to shore up its defences, on a system-wide level any one failure is unlikely to have a major impact.
Countries with a concentration of larger companies, often deeply embedded in the economy, may be less likely to suffer a major successful attack due to these large organisations’ deeper pockets and willingness to invest in cybersecurity, but any vulnerability would have far greater economic repercussions.
Ms Forte made the point during a roundtable discussion with media representatives organised by BMIT, a company largely known for its data centres but which is increasingly positioning itself as a major player in the local cybersecurity field.
Joining Ms Forte was Nikola Begović, a Security Specialist at Microsoft.
Ms Forte explained that businesses should put in place plans to be ready for any eventuality.
“All it takes is one small mistake,” she said. “At that stage, knowing what to do can make all the difference.”
Several plans should be formulated, depending on the kind of breach – a ransomware attack requires a different response to a website takedown, or to data loss.
Preparations should include identifying how the business can continue operating until the situation is brought under control, and which authorities need to be informed, at what point, and by whom.
Ms Forte also suggested establishing a relationship with a law firm and a public relations firm that can be of assistance in case the worst happens.
“The truth is that once you are hit, you lose all negotiating power. At that point, firms know that you need them, and can charge whatever they want. So it is best to set up a relationship in advance – it might get you better rates,” advised Ms Forte.
One important takeaway for businesses of all shapes and sizes is that a culture of acceptance and support is imperative.
“Everyone can make a mistake,” she stressed. “And every kind of business is vulnerable – from a two-person operation to a large multinational bank.”
The most successful type of attack may be packaged in several ways, but ultimately amounts to an email with a link that steals one’s personal login details and gives the criminals access to the company’s system.
“Criminals have a playbook,” Ms Forte said, adding that one common feature is that the victim is usually sent a legitimate-looking thank you email or other form of acknowledgement after giving up their details.
“This is done to avoid raising suspicion, giving attackers time on your network to decide what they want to do.”
Time to report, Mr Begović agreed, can be a make-or-break factor.
“If anyone has even the slightest suspicion that something is not right, they should report the issue immediately. A few minutes can make the difference between an attack that is successful and one that fails.”
The Microsoft professional added that cybercrime is an ever-growing field in constant development.
“You can buy a licence for cybercrime, as if for software, for as little as €200. It’s gotten cheaper over the years, and now we see the concept of cybercrime-as-a-service taking hold.”
He noted that Microsoft monitors around 300 cybercriminal networks around the world, with over half of these being supported by nation-state actors.
“All businesses should adopt a zero-trust framework,” said Mr Begović, meaning that users and devices are assigned the lowest level of access required to perform any particular digital task – in other words, trusting nothing and no one.
Although it is widely accepted that people are often the weakest link in any security setup, this does not mean that businesses can abandon investment in their tech capabilities.
Ms Forte drew an analogy to a car thief in a car park.
“Criminals are presented with many opportunities. Obviously, a car with a handbag on the front seat and unlocked doors is a far more tantalising prospect. It’s the same in the digital world.”
In order for businesses to take more effective action, she continued, there must be an element of fear along with a sense that their actions can make a difference.
“Coming back to the car example – moving the bag from the front seat into the boot and making sure that the car is locked. It’s about the simple things one feels empowered to do that make life difficult for potential attackers.”
Mr Begović meanwhile urged businesses to undertake simulated phishing campaigns to determine their organisations’ relative strength or weakness.
“If an employee falls victim to the hoax, there can be a gentle message making it clear that this is a company cybersecurity initiative. It is not about a ‘gotcha’ moment. It’s about taking stock of where you’re at and creating a culture that gives cybersecurity its due importance. Educational campaigns, unfortunately, are not enough – creating that practical element, giving people that experience, can make a big difference.”