Security by design

On June 27th, 2017, employees in over 80 global companies turned on their computers only to face a screen reading “Your important files have been encrypted”. The announcement was followed by a demand for bitcoin payment, and only then would the inaccessible files be decrypted. As the day rolled on, the C-suite began to realise the breadth and impact of the situation affecting their companies. The malware had infected central servers to such an extent that global operations had come to a standstill, crippling communication between enterprise hubs, access to work documents and connections with industrial control systems.

This sums up what happened as a result of the NotPetya cyber attack, a worm that propagated through a compromised update of a software package popular in Eastern Europe. It caused economic damage worldwide in excess of US$ 10 billion in sectors including transportation, energy, pharma, food production and other processing industries.
However, despite examples of devastating cyber attacks of great scale and reach, and an increasing reliance on digital operations, there’s evidence that many large companies remain unconcerned about cyber security. Although their leadership may recognise cyber security as an important IT issue, they do not appreciate its broad and strategic importance, nor the need for it to be discussed at Board level. 
On the other hand, executives who have successfully handled the impact of a cyber attack do understand that cyber security is both a high-level strategic priority and an opportunity, not just a threat. Importantly, they have also recognised that their greatest mistake prior to the attack was treating cyber security as an exclusively technical/operational matter and not a strategic one.
Experience shows that the best way to mitigate the inherent risk of cyber attack is to maximise preparation across the entire organisation, as every aspect of the business can be critically affected by an attack, including the company's reputation, damage to which can depress its stock market value.
So, we need a change in mind-set: cyber security must be treated as a strategic matter, not just an operational one. It must be seen as an opportunity, not just as an expenditure. 
When seen as an opportunity, the outcome is a solid cyber security strategy, focused on identifying the risks associated with assets critical to business procedures and most importantly, on how to handle and mitigate such risks. A strategic approach will also lead to the identification of other benefits, including new insights into the organisation’s key strengths and weaknesses, and improved operational resilience. 
Cyber security has evolved from being a predominantly technical issue, centred on the protection of networks and technology, to something of wider significance impacting customers, clients, and society as a whole. Security in cyber space is increasingly essential for the maintenance of a resilient digital society and for the preservation of the integrity of the social processes and interconnected businesses, which sit at the heart of complex modern social ecosystems. Cyber security is growing in importance, and cyber attacks are now seen as one of the greatest risks presently faced by the global economy. 



The pandemic has seen a much wider take up and use of digital technology, and many commentators have warned that cyber attacks will become more frequent and complex, more sophisticated, and far-reaching. In addition, there is an increasing threat from disinformation, due to a mixture of enhanced data analysis, machine learning algorithms and deep fakes, all of which can lead to entirely skewed perceptions of reality by unwary consumers. 

The European Union Agency for Cybersecurity (ENISA) lists the 15 greatest threats (Fig. 1) in its latest overview [1], many of which have been bolstered by the pandemic we are living through, as exposure to cyber attacks has increased due to the extensive use of digital platforms to run our daily business. In Portugal, according to figures published last summer by the official cyber security watchdog, the Observatório de Cibersegurança [2] (developed under the co-ordination of the National Cybersecurity Centre, CNCS), malware infections under the Risk and Conflict report [3] accounted for 16% of incidents, making them the second most reported incident after phishing, at 36%. This is a rise on the 2019 statistics, which showed malware incidents at 14% and phishing at 31%. In this regard it is important to note that phishing is often a delivery channel for malware; malware is less visible and may impact victims more insidiously, taking their compromised devices hostage and making them vulnerable to all kinds of illegal exploitation.



To address the challenges arising from technological evolution and the growing number and sophistication of cyber attacks, Portugal has, through the CNCS and other national partners, deployed a number of initiatives. These are all aligned with the relevant European Union directives designed to ensure harmonised public policy that is also adaptable to each member state’s national context. 

According to the Digital Economy and Society Index (DESI 2020 [4]), Portugal ranks 19th overall among member states. The indicator where Portugal diverges most from the European average is digital literacy (Fig. 3), which is why one of the most important ongoing initiatives in Portugal is focused on increasing knowledge and awareness of digital safety and security.

This ongoing activity translates into a number of general cyber security competitions and thematic workshops, not to mention wide-ranging participation in conferences and seminars. In that context one should highlight the CDAYS2020 conference [5], where presenters dealt with security in cyber space as a theme that cuts across all aspects of society and highlighted the need to build societal capacity in digital and cyber security.

The work of the CNCS has a wide impact and its activity is aligned with structural initiatives stemming from the EU Cybersecurity Act [6] and the NIS (Network and Information Security) directive [7], designed to guarantee shared high levels of security for networks and information. The NIS directive has been incorporated into Portuguese law through the Portuguese Legal Framework for Cyberspace Security [8], and a number of cyber security schemes, with counterparts in the Union, have been put in place in order to help identify key service providers and their respective cyber security obligations.

At the same time as the EU Cybersecurity Act came into force on June 27th, 2019, development began on a national cyber security certification system for products and services that would be valid across the EU. The aim was to embrace the concept of “security by design” and improve the security of connected products, Internet of Things devices and consumer-critical infrastructure. The Cybersecurity Act is designed to generate trust in the digital market and the devices we all use every day, ensuring compliance with high levels of cyber security through rigorous assessments conducted by an independent certification body.

For SMEs, this system presents a number of opportunities to certify their innovative products and make significant savings, as they will no longer have to pursue certification beyond national borders. A single certification valid across the EU will also remove barriers to market entry and provide real incentives for companies to invest in cyber security for their products. This is also a way for the EU to bolster its low-profile digital sovereignty. It is taking the same approach as it did with regulations for the protection of private user data and intends to impose the new obligations on all device manufacturers and IT service providers, regardless of their national origin.



In the near future, companies that prioritise cyber security risks will enjoy a significant competitive edge as vendors and partners factor cyber security capabilities into their decision-making. Equally, potential customers will increasingly select the companies that rate best on digital resilience, as they seek to buy from trustworthy businesses.

Cyber security really is a strategic opportunity for companies. 

Improving cyber security ratings and closing the vulnerability gaps in society that stem from increasing digitalisation will, however, only be achieved through continual awareness-raising and capacity building, combined with regulations that require companies to apply security measures that guarantee a high tier of cyber security in the services they provide. To make that happen we need committed leadership that understands the strategic value of cyber security for both organisations and society at large, and that works to demystify and normalise cyber security in the day-to-day affairs of us all.



1 https://www.enisa.europa.eu/publications/year-in-review
2 https://www.cncs.gov.pt/observatorio/
3 https://www.cncs.gov.pt/observatorio/relatorios/
4 https://ec.europa.eu/digital-single-market/en/desi
5 https://www.c-days.cncs.gov.pt/
6 https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act
7 https://www.cncs.gov.pt/transposicao-da-diretiva-nissri/
8 https://dre.pt/application/conteudo/116029384

Rear Admiral António Gameiro Marques has a degree in Naval Military Science, Navy Class. He has served on several national fleet vessels and, having attended a specialist naval communications course, completed his Master’s in Electrical and Computer Engineering at the Naval Postgraduate School, Monterey, California. He was part of a project team working on the Portuguese Navy’s Vasco da Gama-class frigate combat systems and a member of the international certification team for the same vessels in the UK. Having attended the NATO Defence College in Rome in 2003, he was naval military advisor to the Portuguese Ambassador to the Atlantic Alliance, NATO Headquarters, Brussels, from October 2004 to October 2007. He also represented Portugal on the NATO Consultation, Command and Control Board, the organisation managing all information and communication technology issues. He was promoted to the rank of Rear Admiral on November 27, 2008 and served as the Portuguese Navy’s Chief Information Officer for four years. He was Assistant Secretary-General to the Minister for National Defence for the following three years and, since September 2016, has been Director-General of the National Security Office (GNS), part of the National Security Authority. The National Centre for Cybersecurity sits within the GNS structure. In 2013, he attended the 39th senior corporate management programme run by AESE/IESE, and further sessions in 2016 and 2017.


Lino Santos has a Master’s degree in Law and Security from the Law School, Nova University of Lisbon, and a degree in Informatics and Systems Engineering from the University of Minho. He is a coordinator at the National Cybersecurity Centre and a member of the board at the European Union Agency for Network and Information Security (ENISA). He was director of Community Security and Services at the National Foundation for Scientific Computation, director of the IT security incident response team CERT.PT, national liaison officer with ENISA and a member of the founding committee of the National Cybersecurity Centre (CNCS), Portugal.