Discuss cyber security at board level, appeals expert following string of scam attacks

The rise of cyber crime in Malta has generated headlines, lost companies millions, and prompted a strong public and private institutional response to raise awareness on the threat posed by criminals, but most enterprises have yet to tackle the matter rigorously, according to a leading cyber security expert.

Claire Cassar, managing director of D4n6, a data security firm that provides a comprehensive service to companies wishing to test or beef up their defences, describes the attitude of some businesses to cyber security as “ironic”.

“Some companies get defrauded hundreds of thousands of euro in one or two transactions, but remain unwilling to invest a small percentage of that to make sure their core systems are as foolproof as possible and protect their perimeter.”

She says this lack of motivation, even after suffering the severe consequences of falling victim to cyber criminals, is “quite challenging to comprehend”.

Dr Cassar, a lawyer by profession, calls for “maturity” in the way businesses treat the growing threats in the online sphere, and insists on the need to raise the discussion to boardroom level.

“It has to stop being solely an IT function responsibility,” she says. “Cyber security needs to have proper endorsement by every stakeholder, from staff to management to shareholders. Otherwise vulnerabilities cannot be addressed appropriately.”

With her long experience in data privacy and ICT, Dr Cassar understands that certain companies with reputations on the line do not feel comfortable admitting they had fallen victim to an online scam, despite GDPR requirements to notify of such instances, but warns that such incidences are becoming more frequent, especially among smaller companies.

“D4n6 was set up since 2014,” she says. “in our early years of operation, speaking to prospects about cyber security, a common reaction would be: ‘We’re Malta. We’re small. Why should this happen to us?’”

“Gone are the days of saying ‘we’re too small, who knows about us’. Malta and its businesses are on the radar of criminals, and the attacks will continue to happen, and they will continue to get more sophisticated.”

The threat is certainly not limited to Malta, Dr Cassar, says, noting that the World Economic Forum had listed cyber attacks as the top technological hazard facing the global economy for the past two years in a row.

“Cyber security incidents have been increasing year on year, the more digital and global our economies become,” she explains. “And the mindset of cyber criminals is always looking for vulnerabilities to exploit. Every new technology or evolution in technology, while beneficial, is a new opportunity for criminals to exploit.”

Where Malta might be more particular, Dr Cassar believes, is that the country has largely escaped previous attention from cyber criminals, making us less prepared or proficient in dealing with these threats.

“Typically, these were things we heard about in the US and very large markets. But cyber criminals nowadays don’t work in isolation. They operate as large global outfits. So when you have high profile attacks, like ones we had on prominent local institutions last year, generating considerable media coverage, it definitely positions us as a target.”

“Meanwhile,” she continues, “data breaches, like those suffered by certain institutions in 2018, provide ample resources for criminals to work with. Not to mention a more recent cyber attack that took down another institution’s online systems for five days.”

The scenario painted by Dr Cassar is one where each data breach builds on another, as criminals use information gained from previous successful attacks to make their next one more sophisticated.

In the face of such threats, simply raising awareness may seem trite, but Dr Cassar insists that it is the first and most important step in a solid cyber defence system, lauding the Malta Police Force’s Cyber Crime Unit quick response in setting up an SMS threat notification system.

“We don’t realise that people remain the weakest link,” she says. “So we need awareness and education to people, particularly employees within organisations. Because it only takes one person in the organisation clicking on one link to open a window for a cyber attacker to start roaming in your network.”

She explains that D4n6 now focuses its work with clients ranging from policy developments to actually helping them with penetration testing, testing their systems, helping them plan how to better protect their network and their different elements, and educating the workforce.

“For example, we run simulations for phishing emails to make sure that employees remain vigilant. And then we can take upstream after that.

“So we do a variety of things in the cyber space from a preventative point of view.”

Whether it’s by picking up the phone to verify the information when a supplier claims to have updated their banking details, or by being a little slower, a little less trusting, a little more prudent, and a little more vigilant, every individual is responsible for protecting themselves, their families and their companies from the threat of cyber crime.

“We believe that if we focus 80 per cent of our efforts on helping companies identify and close the gaps on vulnerabilities they might have, with awareness and training, we can raise the level of vigilance in our organisations and the country much more than if we actually investigate post events,” explains Dr Cassar.

“Because once the event is done and dusted, it’s more difficult to actually do something about it. Sure, you can learn and protect yourself for the future, but you’re already scarred.”

However, Dr Cassar again turns to business owners and managers as we close our interview, saying that cyber security is an area that needs to be given its due importance in terms of the company’s strategy for the coming years.

“This requires a discussion at board level,” she says, “because it has implications across the board.”

“D4n6 is here to help you focus on things is from a data security point of view. We combine the data privacy with the cybersecurity elements.”