Cyber-attacks and how can businesses protect themselves

By Antonis Theofanous,

The Russian invasion in Ukraine was not only the first severe military conflict in Europe after World War II, but also the first full-scale cyberwar in history.

On the first day of Russia’s invasion, Russian hackers infiltrated the satellite network of Viasat aiming to block the flow of information.

Since then, there have been daily reports of cyberattacks which are causing problems with electricity, internet and day-to-day operations both in the public and private sector.

But exactly how dangerous are these cyberattacks for businesses and what actions can be taken to prevent them?

The total cost of cyber-attacks for 2021, globally, is estimated to surpass $6 million according to the reliable CyberCrime Magazine. This amount is 25% higher than the GDP of Japan, the third biggest economy in the world.

With the introduction of article 83 for GDPR, the situation has become even more difficult for European businesses. Their inability or refusal to apply personal data protection policies can result in fines amounting up to 4% of their total revenue for the last fiscal year.

Cyber-attacks against businesses usually comprise of:

• Ransomware – hackers block access to a company’s systems and then ask for ransom (usually in cryptocurrencies) in order to revert it back to normal.
• Cyber extortion – they intercept sensitive information and threaten to disclose it (e.g. to tax authorities or to the public) in case they do not receive ransom.
• Malware – illegal installation of malicious software programmes (viruses) in a company’s network, aiming to cause damage.
• Selling of personal data – hackers are intercepting important information via different techniques (e.g. phishing, installation of malicious software) which is either sold to competitors or used to extort money.
• Industrial espionage – hackers are intercepting data related to strategies, products, or the R&D of a company and sell them to their competitors.
• Identity fraud – hackers gain access to the personal accounts of a company’s employees in order to extort money.

Keeping in mind the catastrophic impact of such incidents, companies should carry out a series of actions in order to protect themselves:

Companies should request assistance from an authorized Data Protection Officer (DPO) who will analyze how a company operates and suggest solutions on how to comply with the GDPR guidelines. The DPO will report to the Commissioner for Personal Data Protection and may also train the permanent staff of a company to replace them.

Training of employees for cyber-security issues. Employees must be able to avoid the most common pitfalls of cyber-attacks (e.g. phishing, identity fraud, inserting of non-authorised external hard disks and USB drives of clients into the company’s infrastructure).

• Limit employees’ user permissions so they do not have access to information that does not relate to their tasks.
• Add passwords to all computers and change them periodically.
• Install a reliable antivirus software, which will be updated automatically.
• Create a guest wifi so the visitors of a company do not have access to the company’s main network.
• Modify the CRMs to not save sensitive information the company does not need or to automatically delete this kind of information after a certain period of time.
• Finally, since no action can guarantee that companies will be 100% protected, especially those handling sensitive data, they are encouraged to get cyber insurance. This product can cover the cost for: determining the damage, restoring the data, notifying the affected customers and paying demands for ransom as well as fines.

Antonis Theofanous is a Director at Pitsas Insurances