The question is not whether it will happen, but when. The consequences also depend on the ability to manage the crisis. This could be a summary of the subject of cyber-attacks, a threat that concerns everyone: individuals, public and private companies, governments. Today, because of the conflict in Ukraine, the risk has become more serious.
The war ‘factor’
“Cyber warfare did not start yesterday, but the international tension caused by the current geo-political scenario exacerbates the risk and increases the frequency of cyber-attacks” says Damiano Taurino, head of Drones and advanced air mobility area at Deep Blue and cyber security expert. “It is now clear that, alongside the war fought on the ground, a cyberwar is underway aimed at striking critical infrastructure such as airports and railways, power plants, but also aqueducts, production and distribution chains for medical goods and food”.
During Cyber Europe 2022, a two-year programme coordinated by ENISA (the European Agency for Cybersecurity) to strengthen European countries’ cyber-attack management mechanisms, the Agency’s Executive Director Juhan Lepassaar warned member states not to lower their guard. Since the outbreak of the Russia-Ukraine war, ENISA has counted some 300 cyber-attacks (here is an accurate report by the European Parliament), 100 of which spilled over, i.e. affected third countries. And although no episode has had disastrous consequences – with the exception of the attack on the Viasat satellite network, which disabled satellite Internet connections in Ukraine with effects also felt in the rest of Europe – the war is not over yet, and the risk that cyber incidents escalate, in scope as well as in number, persists.
We are all potential victims of cybercrime
“War is a risk factor, but cybercriminals are also active in times of peace, mainly in the field of industrial espionage and counter-espionage, blocking services, stealing or disclosing sensitive data with the aim of undermining the credibility of an entity or company or demanding a ransom (in 2021 over 2,000 serious cyber-attacks were recorded, an increase of 10% compared to 2020, and they caused 6 trillion dollars in damage globally to companies and people, ed.)”.
Aside from organised cybercrime, there are a number of ‘mavericks’ targeting ordinary people with, for example, online scams or phishing campaigns. “It is important to get the message across, namely that we are all potential victims of a cyber-attack: individuals, public administration, governments, large utilities, industries and companies, the latter either for political reasons, such as to weaken a country’s production sector, or for economic reasons, for personal gain”.
If we are all potential targets, a basic but widespread culture of cybersecurity would help lower the risks. “Cyber-attacks are possible not only because of technical vulnerabilities: 70 to 95% of cybersecurity breaches depend on human error. Thus we must intervene at the human factor level (we talked about it here, ed.): informing citizens, training managers and employees, rethinking organisational and procedural systems”, Taurino explains, recalling the recent incident in which the Twitter profile of the Ministry of Ecological Transition was hacked (actually not for the first time), which for some demonstrates the need to train public officials on the subject of cybersecurity.
However, the problem is also related to a lack of skills: companies struggle to find experts in this field (in Italy there is an estimated shortage of over 90,000 cybersecurity experts, and of almost 3 million worldwide). “Moreover, an IT system that is always up-to-date and in line with security requirements is expensive and does not provide immediate returns on investment. This is why people often prefer to ‘plug the holes’ (even taking out insurance, something we talked about here, ed.) rather than take proactive measures and plan ahead”.
If zero risk is not realistic, it’s better to have a plan in place to manage the crisis
Culture, skills, responsibility: these are keywords in the fight against cybercrime. That said, it is worth remembering that zero risk does not exist, for a number of objective reasons. The first is the globalised capitalist economic system, which relies on long supply chains and therefore on numerous tiers, each of them a possible point of vulnerability and risk. “The main issue, however, is that everything is now connected to the internet, so the risk is inherent in the system. Not to mention that nowadays it is easy and inexpensive to launch an attack: before, a hacker had to write his own hacking programme aimed at the specific person or company targeted, whereas now tools already developed to impact unknown or little-known vulnerabilities can be accessed at ridiculously low prices on the dark web”.
If a cyber-attack is likely to happen sooner or later, it’s best to be prepared not only from a technical point of view, in order to solve the breach as quickly as possible, but also from a communication perspective, both internal and external. In other words, we need a crisis communication plan ready to be up and running (we have also discussed this here), because the reputation of a company or organisation depends on it.
“When I ask companies if they have an emergency communication plan in place”, says Giorgio Sestili, head of marketing and communications at Deep Blue, “typically the answer I get is ‘no’ (but this is more than an intuition: a 2016 survey conducted by the MIT Technology Review Custom revealed that 44% of the 225 managers interviewed admitted they did not have a cyber crisis management plan, and 15% weren’t sure if they did, ed.). This prompted the idea of combining the cyber security and Human Factors training and consultancy services that we already provide to companies with a crisis communication service (the first edition was held as part of the high-level cyber security training course organised by the STASA Study Centre in collaboration with Deep Blue, ed.). Our strength lies in combining vertical, diversified and in-depth expertise on specific sectors such as aviation, industry or energy, with cross-cutting expertise on risk communication”.
How to build a cyber-risk communication plan
The keyword is planning: you cannot manage cyber-attack communication by improvising. “You have to work in advance, and for a company there are two possibilities: if it is large and has a solid communications department, you train the staff working within it; otherwise, you train your top management staff by pairing them with a risk communication consultant if a cyber crisis occurs”.
Regardless of the type of business organisation, the drafting of a crisis communication plan starts by identifying possible scenarios: what does the company do? What type of business does it run? Does it work with external customers? Does it possess sensitive user data? “You have to build a picture of the company or organisation to understand what kind of attack it might suffer and what the consequences might be, and on the basis of the different scenarios you proceed to prepare a communication plan, a strategy identifying the possible stakeholders, i.e. the target audience to communicate to, and define the most appropriate messages and channels of communication”.
An IT incident should first of all be communicated internally, to employees, in order to avoid leaks. “It would be good to have internal procedures or an automated system that, in the case of an attack, sends an alert message to all employees with precise guidelines on what to do, for example instructing them not to talk publicly about the attack. Then we move on to external communication, which may involve different actors depending on the type of company and the type of attack: business partners, end customers, politicians or local administrators, citizens, the media”.
The key messages to deliver, defined in advance, are simple: “We are aware of what happened, we are working on the following problems and looking for a solution, we are taking the situation seriously, we apologise for the incident, we will give you more information as soon as possible” (a good example is UBER’s communication when the company was hit, only a few days ago, by a cyber attack). “In the meantime, all the organisational steps to collect information, including technical information, are taken in order to identify the access gap, to assess any leaks of sensitive data and to calibrate the next communications”, says Sestili, recalling that it is also important to identify in advance a communication spokesperson: an empathetic and totally transparent figure, who speaks a language comprehensible even to non-experts.
“Finally, in the post-crisis phase, it is very important to produce material for analysing and illustrating what happened (on the other hand, the data protection authority obliges anyone handling personal data to produce public reports in the event of a data breach, ed.), to share experiences and lessons learnt inside and outside the organisation so as to raise the level of security”, Sestili concludes. “Only then can we think about promotional, marketing initiatives for customers and partners such as compensation, promotions, gifts”.
In short, the prevention of cybercrime is a complex matter, but the approach is now codified: training and awareness-raising to enhance the level of cyber security culture within organisations; timely and transparent action during a crisis with the implementation of a communication plan already put in place; sharing information to improve internal cyber security systems and avert new attacks; and rebuilding the trust of one’s customers, partners, and stakeholders.