GENERAL NEWS / 14-06-2023
Question. Cybercrime has become one of the main external threats to companies. How has this phenomenon evolved in recent years?
Answer. Threats have increased exponentially, mainly for two reasons. On one hand, the proliferation of new digital infrastructures and technologies has targets for cybercriminals to multiply. For example, with the emergence of online shops, their goal was to obtain payment card data. Then, with the advent of social networks, the door was opened to the generation of fake news. Then working from home started with Covid and the risks multiplied as cybercriminals began to gain unauthorised access to companies. And now we are witnessing the emergence of technologies such as ChatGPT that further increase the risks, for example with online impersonation, among many others. The second reason for this increase is related to the organisation of the cybercriminals themselves. Attackers no longer have to be experts to create their own malware; they now turn to the Dark Web where they can find so-called "Malware As A Service (MAAS)" platforms and buy the resources they need to commit the crime, which are often ready-made kits that require no technical knowledge. This means the number of activist groups for these cyberattacks and the potential number of targets can increase.
"We have to demand the same cybersecurity requirements from our suppliers as we do in the Group, even if it is not easy".
Q. How has the fourth industrial revolution impacted this threat?
A. Industry 4.0 involves the incorporation of new technologies such as robotics, the cloud or the Internet of Things, and connects digital worlds with the physical world. The application of new technologies has obvious advantages such as increased manufacturing efficiency or improved process control management, but it also has its drawbacks, one being the increased risk of cybersecurity incidents. New threats arise due to the high number of devices connected to the internet and this forces us to protect communications and systems to keep equipment and information secure and guarantee business continuity. In addition, there are more and more suppliers that support these new systems and for this reason we must maintain the same cybersecurity requirements with them that we apply in the Group – in contractual terms – and this is not easy in many cases. Digitalisation must go hand in glove with cybersecurity from the very design phase, and suppliers often find it difficult to adapt to these changes when our systems are already in place.
"My job is to spread awareness from management to all the other people who are part of the Group's companies"
Q. How does Grupo Arania manage cybersecurity?
A. We do it with centralised management and a clear commitment from managers in the various group companies and those on the board of directors, who consider cybersecurity to be an investment, something that is very important.
Q. Is there the necessary awareness in the Group to be able to develop an effective cybersecurity policy?
A. Management, the top of the pyramid, is very supportive of this work, there is a lot of awareness, but my job is to spread it to everyone in all the companies. Although we are always working in this direction, there is no absolute guarantee of security and we must continue raising people's awareness. The creation of this new position in Grupo Arania is a strategic decision by senior management, who decided to separate IT from cybersecurity, and this shows the weight it carries. In addition, as part of this strategy, the Group also has a powerful IT team that streamlines and applies the technologies, and collaborates with specialised partners who carry out a key global task.
"Email is the main point of entry for malware and is the most common way in for the people who are part of the Group".
Q. Reaching the nearly 1,000 people who work in the Group must not be an easy task, but are there any basic rules that can be passed on in general to prevent attacks by cybercriminals?
A. Email is the main point of entry for malware (malicious software) and is mostly received by people working in the Group. Most of the attacks suffered by companies are targeted at the people who work there. Phishing or impersonation is still the biggest threat we face and awareness raising is essential in preventing it. This raising of awareness is one of the main actions we need to take – despite its difficulty – because there are so many of us and we are so spread out. But as Thomas Reid said in the 18th century, "a chain is only as strong as its weakest link", and in this case the people who are part of the company are the weakest link, which is why we must constantly work on cybersecurity awareness and training. It is very important to communicate well in this task, to demonstrate closeness and make people feel that they are part of the cybersecurity team. I am aware that it is difficult to implement the measures we have put in place and that we have to do it tactfully and by working together, but we do it for the good of everyone; it is not something we have invented.
"Backups and recovery plans are strategic for Grupo Arania, but we also have a disaster recovery plan"
Q. What are the main threats companies face?
A. Ransomware and phishing are the two most common threats used to extort money from companies. Ransomware is the worst because it can affect the continuity of a company as a business and is proliferating greatly. This malware can put organisations in a difficult dilemma: pay up or lose data. This is why Grupo Arania considers it strategic to perform system backups and develop a recovery plan for these backups to confirm they are working correctly. There is also a disaster recovery plan available in order to be prepared if needed. The second major threat is phishing and its variants, which are becoming more and more frequent, where cybercriminals try to steal sensitive information or install malware on computers.
"Although we have not yet seen misuse of ChatGPT, cybercriminals could use it to impersonate a manager"
Q. Are there any emerging threats in the business world that we need to be on the lookout for?
A. Grupo Arania hasn't yet seen any misuse of ChatGPT, but cybercriminals could use this tool to impersonate a manager's voice or even their image. Although we are starting to hear about these new variants of cybercrime, we have not yet seen a similar case. Attacks always come to us via email.
Q. How far could the ChatGPT threat go?
A. Although this technology is still in its infancy, we all need to start taking preventive measures because it could contribute to incidents. This technology, for example, allows you to use a person's voice to produce a fake message without the recipient being able to distinguish whether it is a real or fake message. Or it could allow you to generate code automatically, including malicious code; we need to analyse the extent of these risks and take the necessary preventive measures.
"Some companies have already started to take action to regulate and even ban the use of ChatGPT"
Q. It is said that technology and crime are always ahead of regulation; does this also apply to ChatGPT? Is there any regulation?
A. Not at the moment, no. Some companies have already started to take action to regulate and even ban the use of this technology or to warn of its risks. The problem is that technology progresses much faster than regulation and we all run that risk because that is when attackers take advantage.
Q. Would it be possible to achieve zero cybersecurity risk?
A. There is no such thing as 100% cybersecure and attackers will always find a way in to find vulnerabilties with technological advances. The only thing we can do is make it difficult for them and apply preventive measures to protect our infrastructures.
