Following the launch of the Cyber Risk Clinic last May, we give the floor to several cyber experts, active within this new structure. In this series of “cyber news”, they decipher for you the issues related to these particular risks and share concrete cases of cyberattacks, encountered in their professional practice.
Employee training is the last defence when technology has been unable to stop certain attacks.
Is there a typology of clients who call on you for cyber security issues?
The clients who use our services are, unfortunately and too often, those who have already been affected by an attack. This ranges from a small company with 2 employees to companies with several dozen employees, who already have specific training needs. In summary, we can say that everyone is affected by the topic, but it still seems to rank far below more concrete priorities such as COVID or the increase in energy costs.
Businesses have not yet sufficiently realised the value that stored data can have when it is cross-referenced with other sources.
What are the current attacks and what are their financial impacts?
The two types of attacks for which we currently help and support the majority of our clients are:
- Phishing: a method that aims to steal login credentials and divert money by pretending to be an organisation, client or supplier that you know.
- Cryptolocking of systems by malicious software (malware): an attack that encrypts files on computers and then demands a ransom in exchange for the decryption key.
In the first case, the financial consequences can range from the simple diversion of funds by bank transfer to the establishment of more complex schemes, linked to the so-called “man-in-the-middle” technique, which in some cases has made it possible to divert several tens of thousands of Swiss francs, as demonstrated in the practical case below.
How to prevent these cyberattacks?
The most important thing is to avoid the “beginning” of the attack by keeping your systems up to date and protecting your network and data with all available best practices. These range from technical solutions that block the most common fraudulent behaviour to more complex attack-detection and 24/7 active monitoring systems. The last of the defences that can benefit the user is training. This is why the Silicom Academy invests a lot of time in building staff awareness courses, to make employees the last bastion when technology has not been able to stop certain attacks.
Concrete case of cyberattack
A company spied on by a hacker for months for an unlawful gain of CHF 60,000.
A hacker managed to break into the systems of a company of around thirty employees, active in Switzerland and internationally with European suppliers, which did not use two-factor authentication. The attacker observed the company’s Outlook email exchanges for 3 months. Incoming and outgoing emails were intercepted by routing them through a subfolder, then rewritten to win the trust of the correspondents. The diagram of the attack is shown below.
After months of work and observation, the hacker intercepted an invoice issued by a recognised Spanish supplier and requested a change of IBAN to a new account at UBS in Switzerland. The payment, which amounted to more than CHF 60,000, was approved by the company’s fiduciary (accounting firm) as well as by two other people internally authorised to approve and execute payments.
The money was transferred by the company to an account that was closed immediately after the transaction, a loss of CHF 60,000 that was not covered by any cyber insurance. The client then filed a complaint, which unfortunately had no impact, except to feed the statistics and protect potential victims who do not have insurance.
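The intrusion above went unnoticed for three months because the supplier’s mail was parked in a subfolder before anyone saw it. The following script, an added example that is not part of the article or of Silicom’s tooling, shows how an administrator can audit exported mailbox rules for that pattern: rules with near-empty names, rules that move finance-related mail to folders nobody opens, rules that forward outside the company or delete mail. The rule export, the keyword list, the folder list and the scoring weights are all constructed assumptions to be tuned per organisation; in practice the rules would come from a tool such as Exchange Online’s Get-InboxRule.

```python
"""Audit exported mailbox inbox rules for the BEC pattern described above.
Added example; the sample rules and heuristics below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class InboxRule:
    """One mailbox rule as it would appear in an export (constructed schema)."""
    mailbox: str
    name: str
    enabled: bool
    from_contains: list[str] = field(default_factory=list)     # sender filters
    subject_contains: list[str] = field(default_factory=list)  # subject filters
    move_to_folder: str | None = None
    forward_to: list[str] = field(default_factory=list)
    mark_as_read: bool = False
    delete_message: bool = False
    stop_processing: bool = False


# Assumed keyword list; extend with the languages your suppliers write in.
FINANCE_KEYWORDS = ("invoice", "iban", "payment", "bank", "facture", "rechnung", "factura")
# Folders users almost never open, so mail parked there stays unread (assumption).
HIDDEN_FOLDERS = ("rss", "conversation history", "archive", "junk", "deleted", "notes")


def score_rule(rule: InboxRule, internal_domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means a more suspicious rule."""
    reasons: list[str] = []
    score = 0
    if not rule.enabled:
        return 0, reasons
    if len(rule.name.strip()) <= 2:  # names like "." or "," are a classic tell
        score += 2
        reasons.append(f"near-empty rule name {rule.name!r}")
    folder = (rule.move_to_folder or "").lower()
    if folder and any(h in folder for h in HIDDEN_FOLDERS):
        score += 3
        reasons.append(f"moves mail to rarely opened folder {rule.move_to_folder!r}")
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        score += 4
        reasons.append(f"forwards mail to external address(es) {external}")
    if rule.delete_message:
        score += 3
        reasons.append("deletes matching mail")
    if rule.mark_as_read:
        score += 1
        reasons.append("marks mail as read (hides the new-mail indicator)")
    filters = rule.subject_contains + rule.from_contains
    if any(k in f.lower() for f in filters for k in FINANCE_KEYWORDS):
        score += 2
        reasons.append("filters on invoice/payment keywords")
    if rule.stop_processing and score:
        score += 1
        reasons.append("stops processing further rules")
    return score, reasons


def audit(rules: list[InboxRule], internal_domain: str, threshold: int = 4) -> list[dict]:
    """Return the rules at or above the threshold, most suspicious first."""
    findings = []
    for rule in rules:
        score, reasons = score_rule(rule, internal_domain)
        if score >= threshold:
            findings.append({"mailbox": rule.mailbox, "rule": rule.name,
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample export: one benign rule, one rule like the one in the case
# (supplier invoices hidden in "RSS Feeds"), one silent external forward.
SAMPLE_RULES = [
    InboxRule("buyer@example.ch", "Newsletters", True,
              subject_contains=["newsletter"], move_to_folder="Newsletters"),
    InboxRule("buyer@example.ch", ".", True,
              from_contains=["@proveedor-es.example"],
              subject_contains=["invoice", "IBAN", "factura"],
              move_to_folder="RSS Feeds", mark_as_read=True, stop_processing=True),
    InboxRule("ceo@example.ch", "Backup", True,
              forward_to=["backup.mail1234@external-webmail.example"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "example.ch"):
        print(f"{finding['mailbox']}: rule {finding['rule']!r} score {finding['score']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed export, the "." rule scores 9 and the silent forward scores 4, while the newsletter rule scores 0. The scoring is deliberately additive so that a single strong action (external forward, delete) is enough to flag a rule on its own, while weaker signals (hidden folder, mark as read, finance keywords) only flag it in combination.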
What could have been done to avoid these dramatic sequences?
- The implementation of two-factor authentication;
- Geo-blocking of connections to the bank account (geofencing);
- A call-back to the supplier before payment of the invoice;
- Employee awareness training, which would have aroused suspicion and certainly led to a call-back to the supplier.
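The third point, the call-back before payment, is easy to state and easy to forget under time pressure. The following script, an added example and not the article’s or the company’s own procedure, shows the check a payment system or a reviewer can apply mechanically: compare the IBAN on the invoice with the IBAN in the vendor master record, validate its mod-97 checksum, and flag a country mismatch such as a Spanish supplier suddenly asking for payment to a Swiss account. Any deviation puts the payment on hold and returns the call-back number stored on file, never one taken from the e-mail. The supplier record and the IBANs are constructed; the IBANs are the published example numbers for Spain and Switzerland, not real accounts.

```python
"""Vendor master record check before releasing a payment.
Added example; the supplier data below is constructed."""
import re
from dataclasses import dataclass

IBAN_RE = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")


def normalize_iban(iban: str) -> str:
    """Strip whitespace and upper-case, as invoices print IBANs in groups of four."""
    return re.sub(r"\s+", "", iban).upper()


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by 10..35 and the resulting integer must leave remainder 1."""
    s = normalize_iban(iban)
    if not IBAN_RE.fullmatch(s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


@dataclass
class Supplier:
    name: str
    country: str         # ISO 3166 code from the vendor master record
    iban_on_file: str    # IBAN verified out of band when the supplier was onboarded
    callback_phone: str  # number from the master record, never from the e-mail


def check_payment(supplier: Supplier, invoice_iban: str) -> dict:
    """Decide whether a payment may be released without a call-back.
    Any deviation from the record on file puts the payment on hold."""
    reasons = []
    inv = normalize_iban(invoice_iban)
    if not iban_valid(inv):
        reasons.append("invoice IBAN fails the mod-97 check (typo or fabricated account)")
    if inv != normalize_iban(supplier.iban_on_file):
        reasons.append("IBAN differs from the vendor master record")
        if inv[:2] != supplier.country.upper():
            reasons.append(f"new account is in {inv[:2]} but the supplier is registered in {supplier.country}")
    if reasons:
        return {"decision": "hold", "reasons": reasons, "call_back": supplier.callback_phone}
    return {"decision": "release", "reasons": [], "call_back": None}


# Constructed supplier record (published example IBAN, placeholder phone number).
SUPPLIER = Supplier("Proveedor Ejemplo SA", "ES",
                    "ES91 2100 0418 4502 0005 1332",
                    "+34 000 000 000 (constructed placeholder)")

if __name__ == "__main__":
    # The scenario from the case: the "updated" invoice carries a Swiss IBAN.
    for candidate in ("ES91 2100 0418 4502 0005 1332", "CH93 0076 2011 6238 5295 7"):
        result = check_payment(SUPPLIER, candidate)
        print(candidate, "->", result["decision"])
        for reason in result["reasons"]:
            print("   -", reason)
```

The mod-97 check only catches typos and crudely fabricated account numbers; the attacker in the case supplied a perfectly valid Swiss IBAN. The decisive signals are the comparison with the record on file and the country mismatch, which is why the function holds the payment on any change rather than only on a checksum failure.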
We are very happy to be able to count on Silicom Group as a partner of the Cyber Risk Clinic. Specialised in raising awareness among users of all types (executives, employees), their approach is oriented towards “positive”, non-anxiety-provoking training that enables employees to make the right decision with full confidence, using the skills acquired during their training course or workshops.
As a reminder, the “Training” pack of the Cyber Risk Clinic consists of two components:
- Access to e-learning content that allows everyone to progress at their own pace;
- Organisation of workshops, seminars or training sessions in small groups for all your employees, in order to encourage interaction and time for questions and answers.
The following concepts are, among others, covered:
- Issues, risks, costs, concrete examples;
- Assessment of types of risk;
- Information governance;
- Business continuity;
- Security policy and charter;
- Identification, prevention and crisis-management scenarios.
Lionel Ducommun: firstname.lastname@example.org / +41 78 805 16 13