No matter which generation you belong to, our parents have always adapted their teachings to warn us against the most significant risks that could cause us harm. We can all probably remember when we were little, our parents teaching us to look both ways before crossing the street. The lessons and the risks have evolved as we have grown, and they are very different when you are the one behind the wheel, not the one crossing the avenue.
There is always a common denominator: based on our current routines, our parents look for what can cause us the most harm and try to create awareness of that risk so we can prevent it.
Today, we are increasingly dependent on technology in all aspects of our daily routine, so the risks associated with technology have also increased exponentially. 30 years ago, very few people had a digital identity. Today, especially with the pandemic, many children as young as Kindergarten already have access to videoconferencing technology, own a device, and have at least one digital identity.
How was Cybercrime born? A bit of history.
The challenge of penetrating a physical installation or computer system without authorization was interesting for teenagers who were hungry to learn and demonstrate their technological skills; it was like a game of skill for them. Some people will probably remember the 1983 film “WarGames,” directed by John Badham. In this film, we see how Social Engineering is used to obtain privileged information and thus penetrate the military control system. At that time, it was seen as Science Fiction; however, over the years and with the importance of technology in our daily routine, the motives, the financial gain, and the type of people interested in these actions have changed.
This is how we unfortunately arrived at cybercrime, which seeks the theft of digital assets, such as: intellectual property, customer information, bank accounts, damaging a corporate image, and hijacking data from individuals or companies, among other things. Ultimately, the goal is financial gain or activism when opposing a government. In another article, we will talk about the types of Cybercrime.
How do I raise awareness in my organization about the importance of Cybercrime?
In these lines, I want to highlight the importance of the growth of Cybercrime driven by the COVID-19 crisis and, above all, how to implement a self-assessment of my organization’s Cybersecurity controls to identify, protect, detect, respond, and recover from a Cybersecurity incident, regardless of my company’s size. We usually think these types of controls are only for large or global companies that handle a lot of money or national security installations, but our reality is different.
Mexico suffered more than 2.1 billion cyberattack attempts in the first quarter of 2020, considering all types of threats: viruses/malware, exploits, and botnets. This contributed to a total of 9.7 billion in Latin America and the Caribbean (Source: Fortinet, May 2020).
Interpol, in its COVID-19 impact analysis report, mentioned they detected 907,000 phishing messages, 737 malware incidents, and the creation of 48,000 malicious URLs (Uniform Resource Locator), which is simply the number of new malicious websites, used for selling clinical instruments or COVID-19 treatments, among other traps to scam people and/or companies.
Is our company prepared to identify, protect, detect, respond to, and recover from a Cybercrime incident?
This question may unsettle us and force us to worry about having an answer that allows us to protect and minimize the risk of a cyberattack.
The first step is to determine the most important assets (risks) for the business, what controls I have to minimize an incident, and what recovery plans I must execute if an incident occurs.
The second step is to build a Cybersecurity strategy that is aligned with the business objectives, where the organization’s executive team is involved in its creation and execution.
There are international methodologies and frameworks we can use in our organization to answer this unsettling question and develop a Cybersecurity strategy based on best practices. An international Cybersecurity standard is ISO 27032:2012. On this occasion, we will talk about the National Institute of Standards and Technology of the United States (NIST), which developed a framework based on a global vision: People, Processes, and Technology—the Cybersecurity Framework. It considers controls in these three axes that must be implemented in an organization. They developed it by compiling best practices from standards such as the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU). This framework allows any organization to:
-
Describe their current Cybersecurity posture
-
Describe their target (desired) Cybersecurity posture
-
Identify and prioritize areas of opportunity for Cybersecurity
-
Assess progress toward the desired Cybersecurity maturity model
-
Establish the communication process for different stakeholders
The Cybersecurity Framework has 5 functions: Identify, Protect, Detect, Respond, and Recover; each function, in turn, has categories and subcategories. It includes a self-assessment tool (questionnaire) to determine the current Cybersecurity situation in our organization. The evaluation results are analyzed to determine areas of opportunity and establish action plans to reach the desired maturity level based on business objectives and a timeline. It involves all areas interested in preventing Cybersecurity problems.
The growth of Cybercrime is ever-increasing. Criminal organizations are joining the new digital economy model to commit cyberattacks that harm companies through the loss of assets, sales, and reputation with their customers. Therefore, it is important to design Cybersecurity strategies based on the best practices of international organizations. COVID-19 accelerated the digital transformation process for all types of companies of any size, and with it, inherently brought the risk of a cyberattack, for which most are not prepared. We must react proactively to design a strategic Cybersecurity plan and effectively execute its implementation.