At the end of March, Trenitalia suffered a cyber attack. Train timetable boards and ticket machines were out of order in several stations because of a cryptolocker, a type of ransomware that encrypts data and requires payment to ‘free’ them. The case is being investigated by the Postal Police and by Rome’s Public Prosecutor’s Office: the Russian gang Hive may be behind the attack, despite there being no geopolitical motivations linked to the war in Ukraine. Rather, it is an economic motive, given the demand for ten million dollars to decrypt the data (a figure doubled by the cyber criminals after the publication on Telegram of the credentials to access the chat with Trenitalia in which the terms of the ransom were discussed). Hive hacked the system taking advantage of a human error; in fact, we are not talking about extremely sophisticated computer engineering, but of a cryptolocker, one of the ‘oldest’ and best known types of ransomware. Nothing that cannot be avoided with a little attention and a culture of computer security, which especially in Italy is lacking in institutions and in businesses, be they large, medium or small.
MANY PROBLEMS, SOME GOOD NEWS
According to Andrea Capaccioli, IT security and Human Factors (HF) expert at Deep Blue, “The Trenitalia case shows to what degree IT security is underestimated by companies; not only the smallest ones, which might not have the budget necessary to hire dedicated data protection staff, rely on external providers or take out cyber insurance, but also the largest and most structured ones.” Also, “Cyber breaches have huge consequences, in terms of economic effects (in 2020, globally, cybercrime cost $945 billion, a figure that has more than tripled since 2013, ed.), reputation and competitiveness.” In this regard, the Hermeneut project, fully funded by Europe under Horizon 2020 with Deep Blue among the consortium partners, has developed a tool that supports companies in predicting the type and possible origin of cyber attacks, identifying assets at risk, and range of economic consequences. With the aim of putting in place customised cyber prevention and protection strategies.
There have been some positive developments, also because of the two-year pandemic: the massive use of teleworking made necessary by the emergency and the reduction in office security, in fact, have caused cyber attacks to rise by 238%. In 2021, according to a study conducted by the Cybersecurity & Data Protection Observatory of the School of Management of the Politecnico of Milan, the cybersecurity market in Italy was worth EUR 1.55 billion, an increase of 13% over the previous year. Italy is still the last country among the G7 countries in terms of the ratio of cybersecurity expenditure to GDP (0.08%), but it is among the very few that have not cut the funds dedicated to the sector in the last year. Cybersecurity is also foreseen by PNRR, which envisages an investment of EUR 623 million to “strengthen Italy’s defences against risks arising from cybercrime, starting with the implementation of a National Cyber Security Perimeter (PSNC) through the strengthening of national technical cyber defence capabilities in the area of continuous risk assessment and audit.” As part of the mission, the National Cybersecurity Agency (ACN) was established a year ago, still not fully operational in truth, an analogue of the European Union Agency for Cyber Security (ENISA), which monitors and implements cyber security and telecommunications networks.
THE HUMAN FACTOR, FROM PROBLEM TO RESOURCE: PREVENTING RISKY BEHAVIOUR BY CHANGING ORGANISATIONAL CULTURE
In this ‘springtime’ of cyber security, one figure is particularly interesting: 54% of companies believe it is necessary to train staff on the behaviour to be adopted in order to reduce cyber risk (Cybersecurity & Data Protection Observatory). On this topic, together with a group of colleagues, Andrea Capaccioli drafted the white paper Human Affected Cyber Security (HACS) Framework published by the Chartered Institute of Ergonomics & Human Factors, dedicated to the promotion of Human Factors also in the field of cybersecurity. Capaccioli explains that “Technique and technology are certainly pillars of cybersecurity, but let us not forget that humans are ultimately in charge of the system and are responsible for the mistakes that, whether or not intentional, can create a breach in the defence system, regardless of how sophisticated the whole technological apparatus is.” Also, “We need to intervene in the human factor, appropriately training employees, rethinking organisational and procedural systems, for example by simplifying and making rules and processes clear. Without integrating Human Factors into IT security management, we will get nowhere, the data says this clearly: 95 per cent of breaches originate precisely from human error.”
Like the one that probably allowed hackers to attack the Ministry of Ecological Transition. Precursor malware appears to have been used, spread inside the organisation as early as March with a malspam campaign (sending SPAM emails to spread malware through e-mail). Precursor malware are programmes that infiltrate the system to ‘study it from the inside’ and gather information, such as where sensitive data is and what the security vulnerabilities are, before launching the real ransomware attack.
“Cyber attacks are never instantaneous,” Capaccioli continues, “hackers do not immediately exploit an open breach, they take time to position themselves, study the infrastructure and then, after analysing risks and security systems, they attack. This means that the company or public body has time to discover the intrusion and neutralise the attack before data is compromised.” Opening links from suspicious e-mails or downloading attachments from unknown senders (as seems to have been the case with the Ministry of Ecological Transition) are risky behaviours related to the misuse of technology, so individual mistakes (e.g. not knowing how to recognise suspicious e-mails) and organisational mistakes (e.g. too many e-mails to read or ineffective anti-virus protection). Another very common risky behaviour concerns the choice of passwords, as Capaccioli says: “In Great Britain, at the height of the pandemic, many health and medical research facilities were targeted by a massive campaign of password spraying, a computer attack that uses common passwords to try and access several accounts in the same domain. A technique that is not particularly sophisticated but is successful, which demonstrates the vulnerability of passwords, often chosen by people to be easily remembered and are therefore ‘weak’; this also points to the need to implement additional authentication methods, such as biometric ones.”
“Risky behaviour is always due to individual causes such as personality, lack of knowledge of cyber risks, and poor decision-making skills,” the HF and cybersecurity expert concludes, “But often the root of these causes lies in the organisational culture of the body or company, which does not put employees in a position to recognise cyber risks, perhaps because they have not been properly trained, or because the procedures to be followed are complex and encourage ‘shortcuts’ such as exchanging passwords between colleagues or downloading data on personal devices, or because individual productivity is rewarded even at the expense of cyber security. The Human Affected Cyber Security (HACS) Framework that we present in the paper does exactly this, it links human risk behaviour to organisational, procedural and corporate culture causes, explaining that by acting on the latter, human errors can be prevented. For example, monitoring and managing cyber incidents, instead of keeping them hidden, also from employees, as is sometimes the case, helps to manage future crises and respond effectively to an ongoing breach; this is what so-called resilience is.”
Also, cyber attacks deliberately launched from within can be prevented with appropriate strategies. In 2020 it was reported that in the course of two years two Leonardo employees (including a former head of cybersecurity) had stolen military secrets: 100,000 administrative-accounting management files and designs for civil aircraft components and military aircraft intended for the Italian and international markets. “A company must have security procedures that limit internal malicious behaviour,” Capaccioli explains, “for example, fostering an organisational culture in which suspicious activities are reported, also anonymously, or developing technological models that allow for different levels of access to data, because if an employee does not need access to certain information, he or she should not technically be able to do so.”
REGULATIONS AND CERTIFICATIONS
It is true that there are no legal obligations for cybersecurity, although organisations such as ENISA offer risk assessment models and recommendations (especially technical ones) to increase the cybersecurity of organisations and companies. There is, however, the GDPR (General Data Protection Regulation) that came into force in 2018 to protect citizens, which forces companies and public administrations to manage the personal data of their customers, users and employees with consent for use, and provides a whole series of procedures to be followed in the event of a data breach, and considerable financial penalties. The GDPR requires the adoption of technical and organisational measures to protect the data processed (without, however, specifying which ones), thus making it necessary to adapt one’s data and information security management system to the risks identified. “For security controls, one of the main standards is ISO/IEC 27001 on information systems. It is a recognised standard, and in many cases companies also request its implementation and certification from the suppliers they work with,” Capaccioli adds. “The certification includes a long list of controls, to be evaluated and chosen according to the company’s profile, to be introduced or optimised to improve information and data security management. At Deep Blue, we organise courses for Lead Implementer certification, which allow those who receive it to work towards an information security management system that complies with the ISO/IEC 27001 standard. We are also active with an advanced training course on cybersecurity culture under the patronage of the Centre for Cyber Security and International Relations Studies at the University of Florence.”
All in all, the tools and strategies for managing and increasing cybersecurity are available; what is perhaps missing is the full awareness of how important and necessary it is to start implementing them. Not only in companies, but also in public bodies and institutions, as unfortunately the pandemic showed (with the countless attacks on universities, research centres and health facilities involved in the fight against Covid-19) and now the war in Ukraine.