"Know your enemy, know yourself and you will win every battle". With this quote from 'The Art of War' by Sun Tzu, the fifth-century BC Chinese warlord, the Cybercrime event was opened. In other words, a good understanding of cybercrime and your own cyber situation is essential in developing a robust cyber strategy. This is precisely why CIONET brought together a unique team of professionals and experts to share their experiences and insights with around 100 CIOs and CISOs in the Salons van Edel in Wilrijk.
Stéphane Duguin, former top executive at Europol and today CEO of the Cyber Peace Institute, kicked off the presentations. "Cybercrime has become the biggest threat in the world," according to Stéphane. Cybercrime has evolved dramatically over the past 10 years from isolated initiatives to a global industry, a supply chain of providers of "cybercrime-as-a-service": malware-as-a-service, ransomware-as-a-service, phishing-as-a-service: you name it. On the darknet, anyone can buy or sell any technology, services or data needed to mount a cyber-attack. At discount prices, moreover: spam campaigns for just USD 15 an hour, crypto ransomware for USD 39... Today, cybercrime organisations are organised like real companies, with a board of directors, an HR department, their own call centre... Nevertheless, the perpetrators remain difficult to identify, as each of them only accounts for one part of the cybercrime chain. A first actor discovers weaknesses in an organisation's network, a second party plants bits of malware, and a third party pays for that information to possibly launch an attack and get hold of data that is then put up for sale... In short, a complex chain of suppliers of criminal services and components ensures that the smallest vulnerability in an organisation can remain untouched for years but suddenly become the back road through which cybercriminals penetrate the organisation.
A rather alarming development, as Stéphane pointed out, is that sometimes criminals decide not to attack the organisation whose data has been stolen, especially when they realise there is not a significant financial gain to be had, but instead turn to its customers, citizens or even patients. Stéphane illustrated this with the story of Vastaamo, a psychiatric institution in Finland that was hacked, where the cybercriminals blackmailed individual patients, threatening to expose their records. Furthermore, technologies like AI and deepfakes are advancing rapidly and becoming commonplace, leading to increasingly sophisticated ways of scamming people.
A global threat requires global action. Legislative and regulatory bodies have been particularly prolific for some years now: the EU and the UN in the lead, alongside global platforms where international actors join in trying to regulate the digital world and agree on the rules of the game. This is undoubtedly a good thing that gives organisations a foothold to build or strengthen their cybersecurity strategy. Stéphane does warn, however, against a sham situation where organisations invest mainly in being compliant with the regulations in question, rather than focusing on the most effective security measures for their organisation.
Geert Baudewijns, CEO of Secutec, which specialises in dark web investigations, then took us on the obscure paths of the darknet. He effectively showed us webpages where you can buy a driving licence for 200 USD, sites where up to 40,000 stolen credit cards are offered every day, or others where - like on Amazon - reviews are made of providers of cybercrime services.
He showed us the marketplace that showcases stolen data from companies worldwide. Apparently, a common technique is to install password stealers on the networks of companies and organisations. The latter are usually unaware that their IDs and passwords are constantly being read and offered for sale on the darknet for next to nothing. Other parties investigate the financial strength of the companies in question and then strike where their "return on investment" is likely to be greatest. The moral of the story: in any case, start with the basics like MFA to close off that all-too-obvious route.
During the second part of the event, we zoomed in on the cybersecurity maturity of our Belgian companies and organisations. According to Hans Hujoel, Sr cybersecurity consultant at INNOCOM, a survey conducted by INNOCOM in collaboration with CIONET clearly revealed an increasing cybersecurity awareness at the board level, resulting among other things in higher budgets. For a security team, the key to gaining management attention undoubtedly lies in demonstrating the value and risks at stake. The shortage of security skills in the market combined with increasing technological complexity clearly poses a significant challenge. To meet this challenge, automation is being adopted and security responsibility is being pushed to other parts of the company, for instance by making the teams 'responsible' for the products they develop. Third parties are being called upon to staff and run security operations. At the same time, a risk-based approach is applied to select the cybersecurity concerns to deal with, based on their overall impact.
A somewhat ironic observation was that the perception of the security team among the other employees within the company turns strongly positive once a serious security incident has been successfully dealt with. When asked what security teams are prioritising, we see at the front (still) the implementation of Identity and Access Management systems, followed by OT security, awareness training, and finally, cyber resilience programmes. The latter should enable the survival of the organisation in the event of a serious cyber incident. The full report with eight recommendations for a successful cyber strategy can be found on CIONET's website.
Miguel De Bruycker, Managing Director General of the Centre for Cyber Security Belgium (CCB), immediately picked up on the previous presentations showing that a lot of organisations still feel lost, trying to find their way amid the forest of standards and regulations. "If you compare it to the way we deal with fire safety or the safety of cars, lifts or food, there is still a lack of generally accepted norms and standards or certification bodies. In cyber security, every company has to start from scratch. It is really a domain where the business world needs to make a quantum leap to stay ahead in this arms race." Precisely to meet this need, the CCB is publishing a guide to help organisations improve their cyber security maturity and work on their compliance with new regulations such as NIS2. Indeed, the latter stipulates that - compared to NIS1 - many more sectors and companies (more than 2400) will be affected, which means, among other things, that their governing bodies must assume their responsibilities in managing cyber security risks. The organisations under scrutiny must identify and register as such by January 17, 2025 (on Safeonweb.be) and demonstrate that they have conducted a full-fledged risk assessment exercise. The CCB offers them the fundamentals framework specifically for this purpose on Cyfun.be.
Miguel gave us another scoop for dessert: from October 16, 2023, Safeonweb will offer a browser extension to verify the identity of a website's publisher (domain owner). Truly, a great initiative that could help to restore some confidence in the Internet among citizens/users.
The third part of the evening had a surprising impact on the audience: Thierry Driesens, CIO of TVH, told the story of the ransomware attack on TVH on 19 March this year, in such a particularly original and personal way that empathy could be felt in the room. After all, the company came to a complete standstill that day: no mail, no chat, no internet, no reservation systems... Uncertainty, anxiety and stress peaked. And everyone looked at the CIO and his team.
Above all, they had to remain cool, not let themselves be thrown off balance, and then put a plan on the table to get out of the impasse: a task force was set up, external specialists were contacted, contacts were made with the authorities and the police... According to Thierry, during such an incident one goes through a cycle of emotions, from denial, through panic, frustration and depression, until you reach a point of acceptance. Only then do you become efficient again and your motivation to take the bull by the horns returns.
Nevertheless, the recovery process should not be underestimated either: after all, the systems must be restored to their pre-incident state, measures must be taken to prevent further infections and all data must be carefully 'disinfected' before being used again. Not a matter of days but rather weeks. But, says Thierry, "The internal solidarity and decisiveness of the employees was overwhelming. Everyone rolled up their sleeves and helped each other without questions." Lessons learned for Thierry: you are never prepared for something like this but it is best to make provisions just in case: have a plan for days 1 and 2; the rest will follow. The best things to provide are alternative communication channels, adequate insurance, keeping the details of a cyber expert to hand, having a plan for setting up a crisis team and ensuring support from critical suppliers such as your bank. In addition, of course, make sure you have a solid backup system and that basic security hygiene measures (such as MFA) are in place. Thierry concluded, "It was a thriller, a personal nightmare, but we came out of it stronger and better".
The event concluded with a panel discussion with all the above speakers, complemented by Caroline Frère, head ad interim of the Federal Computer Crime Unit. This also provided an opportunity to discuss cooperation with the authorities and the police during a cyber incident. Caroline: "Amidst the extremely stressful situation of a cyberattack, it is understandable that the priority goes to a quick resumption of the activities, and that people fear that filing a complaint might delay that recovery. However, the truth is that quick recovery and filing a complaint are not necessarily in conflict. The police are well aware of this dilemma and strive to help as efficiently as possible. Any unreported crime and certainly the act of making a ransom payment only make the cyber criminals stronger. It sustains the criminal industry. The task of the police - with the help of victims - is to gather as much information as possible to effectively combat cybercrime. The challenge lies in striking a balance between individual priorities and the wider security of the community."
Thanks for joining us and see you next time!