30-05-2023 14:23

Cybersecurity starts with basic IT hygiene

In this Nordea On Your Mind interview, Juhani Hintikka, CEO of Finnish listed corporate cybersecurity group WithSecure, explains that cybercrime will keep growing, with the vital threat to corporates coming from the 30% of criminal actors who are professional and, in most cases, in it for money.

The key to cybersecurity is basic IT hygiene, which can be strengthened through staff training. In today's complex and evolving threat environment, WithSecure CEO Juhani Hintikka (JH) advises companies to team up with a partner to make the best use of their chosen tools and solutions and meet their cybersecurity needs.

In this interview with Nordea On Your Mind author Johan Trocmé (JT), the Finnish CEO also shares his thoughts on key cybercrime drivers, threats and basic defence.

JT: Cybercrime has grown, and unfortunately seems to continue to grow, very rapidly. What are the key drivers behind this?

JH: For starters, virtually all businesses have become much more digital today, and this has evolved very rapidly from ten years ago. We have all become very dependent on information technologies, and this applies to both new and older traditional industries. The world's existing data volumes have grown exponentially, and that data is vulnerable to crime. This gives you some context for the growth in cybercrime.

Another driver is that payment mechanisms have evolved, and the advent and spread of cryptocurrencies have facilitated the use of ransomware – a variety of cybercrime that has soared in recent years. The availability of an untraceable money transfer mechanism with a currency unit and a value that criminals can monitor and realise has contributed to making ransomware activity more 'industrial'. Indeed, we have seen the emergence of the first 'criminal unicorns'. These are criminal groups that are essentially run as enterprises, which unfortunately implies that they have the means and the ability to be the best at what they do. For such criminals, their cybercrimes are technoeconomic business cases.

There are other forms of online crime, too. After WikiLeaks rose to fame in 2006, a leaks culture became established. Money is a huge driver of cybercrime, but there is also a willingness to protest or influence online. Technology has made it possible to do so anonymously. This is not only a negative – I think it forces companies to be ethical and helps ensure that they have whistleblower channels and processes in place.

One worrying development is that we have started to see artificial intelligence (AI) used in cyberattacks. The challenge for defenders will be to create more automated responses to AI-originated attacks. At WithSecure, we have invested in AI for many years, and built some familiarity with it. But the success and popularity of, for example, ChatGPT has popularised the topic. And sadly, cybercrime will become another application for AI. It can be used to write malicious code. It can also help in devising ways to spread and mutate. In the execution of actual attacks, hackers can use AI to anticipate defenders' actions. With machine learning, attack algorithms can be trained on data for the most common defensive responses.

Cyber criminals are becoming more professional. Like other corporations, they have customer service, a reputation and a brand. If you pay them after suffering a ransomware attack, they will typically release your data. If they don't, their criminal reputation will suffer, and their criminal brand will be tarnished.

JT: If you compare cybercrime today with the situation ten years ago, how would you say it has evolved?

JH: I would say there are two major types of cybercrime. There are the ransom Trojans. When ransomware is used, the attacker takes control of their target's data after a breach in the target's system. The data is then usually encrypted, but we have recently seen examples of the data being moved somewhere out of reach for the target. A ransom is demanded for the release of the data. These attacks are usually perpetrated by quite well-organised criminal groups, whose intent is to extort and make money. The consequences of ransomware attacks can be devastating, on the human, as well as the corporate operational and financial levels. This is illustrated well by the attack against the Finnish private psychotherapy service provider Vastaamo in 2020, in which confidential patient records were compromised. After a failed extortion attempt against the company, the attacker approached the patients whose records had been stolen directly, trying to extort them instead. It became the biggest criminal case in Finnish history, with some 30,000 victims. What really stood out was how the attacker cruelly and underhandedly targeted some of the most vulnerable targets imaginable. Many of us in the industry were stunned by the human suffering caused, and reminded of how the damage from cybercrime is not only about the money.

The second main type of cybercrime is the business email compromise (BEC) scam, in which attackers create authentic-looking emails with payment instructions. There have been several incidents reported, particularly by public companies required to disclose such information, about emails from CEOs with instructions to make a substantial payment to a specified account or recipient. Back when I was the CEO for a previous employer, before entering the cybersecurity industry, I had a personal experience with a BEC attack. Our head of external accounting received an email from me, the CEO, with instructions to pay a quite substantial sum of money. It all seemed legitimate, but she started thinking about the instruction and how it came about, so she walked into my office and asked if I had sent it. My reply was 'no', after which she rang the police. We were able to stop the payment, and did not suffer any financial damage on that occasion. But we could easily have faced financial repercussions.

JT: What types of actors would you say represent the biggest share of online criminal activity? Ideologically-driven hackers, state-sponsored players, organised crime, or others? What do the different cyber criminals want?

JH: If you imagine it as a pyramid, and split the cybercriminals and hackers into the different fractions, I think a reasonable estimate would be that about 70% of them fall into the unsophisticated category. They can cause some harm, but if you are a company with at least adequate defences, you should not have to worry much about them. The remaining 30% are the professionals, who are well organised and in it for the money. They are the ones about whom corporates should mainly worry.

And then there is the very tip of the professional 30%, maybe the top 1-2%, which is represented by the state-sponsored actors. It is usually very difficult to protect yourself against them, as they are technically very capable, have almost unlimited resources, and they are highly motivated. Perhaps with the exception of North Korea, their targets are rarely money. They typically focus on intelligence and industrial espionage. This is a potential major concern for corporates. In the US, for example, there is a lot of evidence of companies in certain strategic sectors having been targeted for intellectual property theft. If your business is in one of these sectors, you can be sure that you are of strategic interest to certain countries and parties.

[Figure: Split of cybercriminals by category. Source: WithSecure]

JT: What are the most significant or obvious cybercrime threats to corporates today? Does the more tense geopolitical situation bring a risk of new large cyberattacks by state-sponsored players, such as NotPetya and WannaCry in 2017?

JH: The war in Ukraine is impacting our industry in many ways. There is a battle raging in Europe, and it already involves many countries, which each have their own political interests. The countries supporting Ukraine automatically become potential targets for cyberattacks. We have noted some such activities, but have not yet recorded any major state-sponsored attacks against Ukraine's supporters during the war.

Examples of incidents in which the timing has made it quite obvious who was behind the attack include denial-of-service attacks, when the Finnish Parliament was debating Finland's NATO membership, against the websites of both the Parliament and the Ministry of Defence. To my mind, these attacks are more about making a point or a statement than causing any significant or lasting damage. There have, however, been some more disruptive attacks against hospitals and airports, and against companies that have been particularly vocal in their support for Ukraine.

The NotPetya malware attack in 2017 was targeted against Ukraine, but unintentionally spread globally. It caused a lot of very expensive cyber damage, especially for logistics companies. Today, Russia is quite busy in Ukraine. This is likely the biggest reason why the country has less time and capacity to engage in malicious cyberactivity elsewhere. But, I think there is also a perceived benefit dimension. Russia might have seen a potential use in influencing Finland's NATO membership application process, but did it see any cyberactivities realistically being able to have a big enough impact to change the outcome? Without many such opportunities to likely move the needle in a meaningful way, what is left is mostly revenge-oriented or retaliatory actions. We have not seen so much of that, given the circumstances. I suspect in today's geopolitical environment, the focus of state-sponsored actors will be more on intelligence gathering, in preparation for potential future conflicts, and to ensure technological leadership.

JT: What would you say typically makes a company vulnerable to cybercrime? What is it such companies do or do not do that ends up making them victims?

JH: There is a saying that there are two types of companies – those who have been hacked, and those who do not know that they have been hacked. We can assume that everyone has been breached, and especially large blue-chip companies. The financial sector is probably the most attacked, since that is where the money is. Financial services is the biggest sector for WithSecure's consulting business. It requires using every conceivable software application, and has strong in-house security teams, but regulators require it to do regular external testing. Yet, many other sectors are prime targets, as well, offering useful intellectual property to successful attackers. These would be sectors expected to offer the technologies of the future, such as defence, space technology, satellites and many others.

In the enterprise world, the transition to cloud in information technology is by no means over. This changes the context of the threat landscape for everybody, as a cloud-based landscape is different. Cloud service providers will take care of some security issues for you, but not all. We are active in this field, offering solutions that scan all incoming data in the cloud for malicious content. Companies do not necessarily think about these kinds of threats when they are coming from an on-premise world.

JT: How can corporates best protect themselves against cybercrime? What tools, solutions or advice does WithSecure offer?

JH: The migration to cloud-based information technology means that we no longer look at cybersecurity as merely an access control issue. It is more complex now. Many of the things that improve your cybersecurity posture are not necessarily related to cybersecurity solutions per se. It is very much about good IT hygiene. Ensure that your software is updated. Have strong control over identity and access privileges. Do regular backups of your data. Train your employees in best practices, and update them regularly on, for example, new types of phishing emails from cybercriminals. I would call this security operations.

In our latest strategy update, we launched the term co-security. We are firmly of the belief that many companies cannot just continue to buy software and tools. This needs to be complemented by expertise in how to get the most benefit out of them. Co-security stands for us providing both software solutions and expertise and people, to enable customers to receive the full benefit. The people dimension can be consulting or a managed service, such as threat detection and response. This can be very helpful for companies not quite big enough to afford having threat hunters on their payrolls.

Mid-market companies will also find it difficult to attract the right calibre of talent to be able to identify and neutralise today's cybercrime threats. Here, we can come in. On the one hand, we scale and industrialise software solutions, and on the other hand, we need to be able to help people efficiently and on a bespoke basis. This is what co-security is all about. The new landscape with lots of different cybersecurity threats, tools and solution vendors can be somewhat overwhelming. We therefore advocate outcome-based security, elevating these issues to the decision-making level as business-related issues to be decided on.

What are the company's business priorities? And how do they impact cybersecurity? And how do you then rank your priorities based on that? This brings the cybersecurity process very close to risk management. The reality is that companies will never be finished with cybersecurity. Cybersecurity is a process that must be evolved and improved. We estimate that cybersecurity represents 5-10% of total corporate IT spend, but we expect this share to grow, going forward. It is not getting any easier, and as we have seen, being a victim of an attack can be very disruptive and costly. We recommend that companies both exercise good basic IT hygiene and work with a partner to be able to meet their cybersecurity needs.

We have offensive capabilities, attackers on our payroll. But they are ethical hackers. They can tell us how attackers work, and what their mindset is like. We incorporate that insight into our software to offer best-in-class products for our customers. It is a very different approach to other players in our space, which do not have the touchpoint into the real world of cybercrime through their own services. Our red teaming service involves deploying our offensive capabilities at the request of the customer. Not everyone on the customer's side is aware of it. We aim to surprise them, and this can involve us breaching a data centre or data room, and continuing from there.

We have people who can pick locks and do clandestine work like this; it has a bit of a James Bond vibe to it. We are quite well known for this. When people ask us why we combine software and solutions with non-scalable consulting and advice, we respond that this red teaming gives us invaluable insights into what is going on, and into those areas which are probably going to be under attack from the most advanced attackers. We like to say that our cybersecurity solutions are built by attackers. They know what the customers need to defend against. Sometimes, customers can get upset when we show them that they were breached during red teaming. We can offer alternatives, such as purple teaming and joint exercises, to enable the customers' staff to participate in and learn from the exercise.

JT: If you were to recommend only one key thing for a typical large corporate to do to improve its ability to deal with cybercrime, what would it be? What is at the top of the list?

JH: In most cases, the human factor tends to be the weakest link, so I would start there. Consider basic IT hygiene training for everyone before deploying any single cybersecurity solution. Ensure people are aware of the basics, make them use multifactor authentication, password managers, and make sure they have the right level of suspicion towards incoming emails. If they receive an email from their CEO instructing them to make a big payment to someone, they should intuitively ask themselves why they were sent such an instruction in that way. And, more to the point, they should not hesitate to pick up the phone and call the CEO to double check that the payment instruction is authentic. 

Nordea On Your Mind is the flagship publication of Nordea Investment Banking’s Thematics team, which produces research for large corporate and institutional clients. The research does not contain investment advice and typically covers topics of a strategic and long-term nature, which can affect corporate financial performance.

Top decision makers at Nordea’s large clients across the Nordic region receive Nordea On Your Mind around eight times per year. The publication’s themes vary widely, and many are selected from suggestions by clients. Examples of covered topics include artificial intelligence, wage inflation, M&A, e-commerce, income inequality, ESG, cybersecurity and corporate leverage.