For all businesses, the most important thing is to develop their own security culture that continuously adapts to the threat landscape in their industry.
Olav Rasmussen, Head of Cyber Security Management, Cegal
- The security culture must be embedded throughout the organization, from top management to all employees, he emphasizes.
Rasmussen has worked with cyber threats and IT security at Cegal for many years. In this blog post, he discusses the most significant security threats and how businesses can best protect themselves from cyber threats and data breaches. The number one step in protecting oneself is to build an internal security culture where the primary focus is on reporting errors or potential security threats.
The IT security expert lists three threat categories:
- Economically motivated random attacks
- Targeted attacks against specific industries and companies
- Infiltration of the weakest links in complex supply chains
The most common cyber attacks are still economically motivated, random attacks against all types of employees and businesses. Ransomware attacks are an example of this. With ransomware, a company's access to information or systems is locked, and a ransom must be paid to regain access. It is not uncommon to be affected by ransomware, costing both individual businesses and society significant amounts.
Every time you pay to release kidnapped information, you fund ten new ransomware operations.
Ransomware attacks typically begin with a simple phishing email to steal usernames and passwords. - Once you have access to login information, most digital doors are often open to cybercriminals, emphasizes Rasmussen.
The second major threat Rasmussen highlights is targeted attacks against specific industries or individual companies. Such attacks can cause significant damage. The Norwegian National Security Authority (NSM) emphasizes that the energy industry is particularly vulnerable to cyber-attacks.
- Such attacks can disrupt parts of national infrastructure, such as power supply, payment solutions, internet access, and more, or block a company's business. Often, it's actors with significant resources behind such attacks, says Rasmussen.
The third threat Rasmussen highlights is related to complex supply chains:
- The security of a supply chain is no stronger than its weakest link. If you have close cooperation with a supplier or partner that lacks control over their security, it can be a security vulnerability that opens you up to an attack, says Rasmussen, who reminds us of the NSM's warning. Security authorities warn that all employees are real targets of intelligence, and companies must protect themselves from their employees.
- This means that you must have a conscious relationship with each individual. What role and function does the person have? All companies should conduct basic background checks that confirm that individuals are who they claim to be and have the competence they say they have. Those who have access to critical systems, can conduct financial transactions, or can make decisions or influence others should undergo an extended background check, recommends Rasmussen.
Employees coming from high-risk countries (as determined by security authorities) or having relationships with such countries require extra caution. Russia, China, North Korea, Iran, and Syria are some of the high-risk countries at the moment. Rasmussen suggests having security discussions with these individuals.
- Security discussions show that management is aware of the threat landscape. It's primarily about ensuring the safety of employees. It reassures these employees to know that the company is aware. It makes it easier for them to report when they've done something wrong, says Rasmussen.
It's not as if one wakes up one day and decides to become a spy. Most people are subject to pressure and lured into such roles.
In parts of the power industry, security is subject to strict laws. It's not allowed to employ people from certain countries due to security risks. This underscores the need to be proactive and have accurate information about employees and their relationships.
- How do you secure a business as effectively as possible? In addition to technological solutions, you need both a top-down and bottom-up approach. At the top, security management should be part of top management to ensure responsibility and funding. Then you need a security team with broad, interdisciplinary expertise and the right personal qualities among its members. Few are good at everything, so you must ensure that you have people who enjoy doing the tasks that need to be carried out, says Rasmussen.
- At Cegal, the team is composed of employees with different expertise, including experienced technicians, people knowledgeable in organization, psychology, and understanding human culture, Rasmussen explains.
Rasmussen points out that in all IT deliveries from Cegal, security is integrated. IT security work is not an afterthought but is integrated into everything they do. All Cegal employees work on security every day. In addition, Cegal has a dedicated team working on specific security products related to operations and networks.
- All companies should implement good cyber hygiene, consisting of well-known, good, and experience-based security practices, Rasmussen concludes.