To mark International Safer Internet Day, we asked three specialists from Galp - Luís Morais, CISO (Chief Information Security Officer), Edgar Oliveira, Head of Cyber Security, and Jorge Afonso, CDO (Chief Data Officer) - four questions on the use of the Internet, including tips on how everyone can protect themselves better.
Luís Morais
CISO (Chief Information Security Officer), Galp
Is the Internet safer?
The stark reality of the official figures published by the different legal authorities and specialist observatories is clear and unequivocal - cybercrime continues to grow on a global basis. In Portugal, the latest internal security report (for 2019) reveals a 42.7% increase in the occurrence of computer crimes and, although there is still no final data for 2020, an interim report issued by the Public Prosecutor's Office shows a 139% increase in this type of crime at the end of May 2020 when compared to the whole of 2019. The vast majority of these cases are related to online fraud, the dissemination of messages using malware, phishing campaigns designed to steal access credentials and attempts at digital extortion (ransomware, for example), all of which comprises a global trend and not just a Portuguese phenomenon.
In 2020, Galp (like many other companies) saw its image used in fraudulent and malicious campaigns, forcing the company to issue alerts to both clients and the general public. There is a clear, concise explanation for these cold facts - cybercrime has become more professional in recent years and is now a highly profitable economy. Whereas in the past cybercriminals acted alone, nowadays they are part of extremely well structured and trained organisations, operating beyond the reach of the law in “legal havens” and selling their services to other criminals on a cybercrime-as-a-service (turnkey) basis. For example, someone wishing to obtain valid credit card data or access credentials to home banking services to commit financial fraud can acquire this data on the Internet (in an area known as the dark web) from a group of cybercriminals focused entirely on stealing such data. To put this economy in perspective, the World Economic Forum estimates that the global amount of damage caused by cybercrime will amount to 6 trillion dollars (5 billion euros) in 2021, equivalent to the gross domestic product of the third biggest economy in the world.
Indeed, a perfect example of the extent of the organisation and competence of cybercriminals was the manner in which they rapidly readjusted in order to exploit weaknesses in citizens and organisations which became far more dependent on digital media in the wake of the global outbreak of the Covid-19 pandemic and the subsequent changes in ways of working and living in 2020. However, it's not all bad news. Personally (and because I'm an optimist by vocation), I think there is now a far greater awareness and perception of this risk both at companies and in society as a whole, which is the first step in ensuring we are all better prepared in order to protect ourselves as individuals and as organisations.
How should we protect ourselves?
The key message is to ensure you are alert with regard to everything that appears on the different digital channels you use - or, as our grandparents used to say, “prudence is the mother of all virtues”. As citizens, it is of paramount importance to ensure that the person on the other side of the screen really is who you think it is, regardless of whether this involves an e-mail, an SMS message, a phone call or an Internet website to which you have been directed, and to always confirm the address.
Even if you know the person with whom you are interacting, always remember it could be a cybercriminal who has taken possession of your contact's digital identity. In the event you receive an unusual request or the person uses unusual expressions, you should never be too embarrassed to confirm the veracity of the request. Just pick up the phone and call the person.
I also recommend people take the free online courses offered by the National Cyber Security Centre - Cyber-Secure Citizen and Cyber-Informed Citizen. These excellent tools prepare you for the risks inherent to the digital world, a kind of “study of the environment and citizenship” classes for a digital society.
How should organisations protect themselves?
Cybercrime is here to stay in the life of organisations and cybercriminals don't choose sectors, geographic regions, size or other attenuating factors to “spare” one company or another. Criminals view organisations as a potential source of profit and as organic elements containing different risks capable of being exploited. Moreover, they are not merely looking for technological weaknesses, but also those of the people and processes involved in the operations in question. As such, companies should approach the issue in a pragmatic manner geared to the risk to which they are exposed in order to guarantee their cyber resilience. Unfortunately, the idea that investing in solution A or B is enough to protect and prevent exposure to risks is still prevalent in the cybersecurity sector. This is a misconception and needs to be demystified. There are no 100% safe technological solutions. Just like human beings, they will make mistakes and just like the organisation's processes they will not always be tolerant of cyber risks (due to the fact cybercriminals are always inventing new ways of hacking into them). Thus, companies need to invest in the protection of three areas: technology, people (through training and awareness) and processes. But it doesn't stop there: they need to invest in the ability to foresee cyber risks (for example, through the regular testing and assessment of protection mechanisms) and, equally important, through the creation of the ability to respond to and recover from cyber security incidents in order to ensure the organisation is resilient and manages to resist and recover from the different cyber attacks suffered on the day the protection mechanisms fail.
What should everyone's priority be?
At a time when everyone (individuals and companies) is increasingly dependent on digital means in their lives (and which significantly simplify it), it is important to understand that risks come together with these opportunities and developments. Nevertheless, if we implement a series of basic precautions as citizens and prepare for this risk as organisations, we can significantly reduce the impact of cybercrime and cyber threats and help create a more digitally resilient society.
Edgar Oliveira
Head of Cyber Security, Galp
Is the Internet safer?
We are all increasingly aware of fraudulent schemes and attempts to steal information, for example through social engineering, and how to avoid falling into the traps set by cybercriminals.
Malicious activity on the Internet has been increasing due to how easy it has become to execute this type of attack, in addition to the low cost and high returns involved. A good example of this and of the adaptability and creativity of cybercriminals is how they are taking advantage of the current pandemic crisis to exploit people's fears, weaknesses and insecurities by launching large-scale malicious campaigns. It is up to each and every one of us to comply with certain principles, putting the lessons learned into practice and thereby rendering the use of the Internet safe.
How should we protect ourselves?
One of the main recommendations for protecting yourself on the Internet is to heed the famous expression “there's no such thing as a free lunch”. Cybercriminals are aware of human vulnerabilities, people who can't resist a prize, a trip, a vaccine or a cure for Covid-19, sharing information in exchange for a temporary subscription to a service, and they use this “bait” to attract and compromise you, thereby achieving their goals. You need to think, analyse and weigh things up before making a decision in order to avoid any unpleasant consequences. If something seems too good to be true, the expression “If something is free, you're the product” applies.
How should organisations protect themselves?
On the one hand, organisations need to have comprehensive knowledge of their entire digital ecosystem, identifying risks associated with exposure and reducing weaknesses susceptible to exploitation by attackers in order to compromise systems and information. Furthermore, they need to implement protection mechanisms against the main means of attack used by cybercriminals, such as employees' e-mail accounts and access to websites. Equally important is the training of employees in cybersecurity issues to ensure they are aware of the dangers and capable of protecting both themselves and the company, thereby serving as an extension of the cybersecurity teams.
What should everyone's priority be?
If everyone plays their part and succeeds in being a vehicle for the disclosure of the best cybersecurity practices, at the end of the day we will have contributed to this collective effort to increase Internet security. Educational institutions and organisations also play a key role in incorporating cybersecurity issues into their programmes, training and strengthening the cybersecurity industry for the one-sided fight against cybercriminals.
Jorge Afonso
CDO (Chief Data Officer), Galp
Is the Internet safer?
Digital intensification and acceleration and the ongoing need to reinvent business place data at the heart of an organisation's value cycle. Data enables us to implement intelligence in the way in which we interact with the outside world, how we work and use resources, how we make informed and high-impact decisions.
To the extent data assumes an increasingly vital role in the subsistence of the business fabric, it is also an attractive source that is highly susceptible to violations, due to external attacks, loss or even improper use or “involuntary” disclosure. But whatever the reason, the need to protect data and to guarantee the confidentiality, availability and integrity of the same is undeniable.
Even in a corporate (and apparently secure) environment, it is easy to expose data and increase the risks associated with using it, be it through the use of the Internet to conduct research to support the activity in question, or through applications for the management of contacts and documents. Or even situations where employees use the same credentials for both professional and personal purposes. All of these “digital traces” can turn “against the sorcerer” and be used in an improper manner in an attempt to obtain sensitive information that could cause severe (and often irreversible) damage to organisations in multiple ways. And this, largely due to the massification of the Internet, creates even greater challenges in the field of data protection. The boundary between professional and personal worlds is increasingly blurred. And this reality is extremely hard to control, as people end up sharing or disseminating data on the Internet, on platforms, or accessing gaming sites and social networks, for example, which, in principle, collect every user's data. And in these situations it is very difficult to find out what happens to this data and for what purposes it is used.
How should we protect ourselves?
The current social and economic circumstances have sped up the entire digital transformation process throughout the world, and led to an exponential increase in online data transactions. And this matter entails an extremely valuable asset, indisputable for any organisation: their clients' data. The use of data for commercial and marketing purposes has never been more important than now, where significant competitive advantage is based on the differentiating knowledge that can be obtained from such information.
The potential value of data, combined with sophisticated methods for the analysis and management of information, enables organisations to constantly innovate and generate unique insights on their clients. These insights enable companies to foresee trends, observe behaviour and obtain comprehensive, personalised knowledge of each individual's potential, thereby providing business activities with a high likelihood of success. Information management technologies assume a crucial role, and are one of the cornerstones in the activation of these capacities, accelerating and automating all the processes for the analysis and extraction of inherent knowledge.
How should organisations protect themselves?
The use of multiple devices, social networks and the Internet to disseminate and promote more assertive products and services and to direct messages to target audiences, thereby enriching the organisation's CRM base, are good examples of how a company's boundaries between internal and external worlds quickly disappear. And in a world with no physical boundaries, where threats to capture or misrepresent this data multiply, it is essential that organisations implement mechanisms to safeguard their clients' information, both with regard to storage and disclosure to the outside world.
In this sense, we need to consider the use of platforms and processes that guarantee security, encryption, anonymisation and several other factors related to data protection. The legislation has also been strengthened in this regard with the entry into force of the GDPR, which has provided greater transparency and given clients the option of deciding which information may and may not be used. But all of this is just a part of the equation.
What should everyone's priority be?
Today is Safer Internet Day, and I should remind you that the preventive measures and levels of responsibility of each organisation, employee, individual and client are the greatest allies in combating cybercrime. This is a key factor. The security of sensitive data and the boundaries of the use of such data between devices over the Internet have never been subject to more heated debate than now. And it will certainly continue to be one of the central topics on the strategic agenda of any data-driven digital organisation. However, it also considerably depends on each and every one of us. We need to behave and act in a responsible manner when using data, with greater awareness of the associated risks and limits, becoming active agents in the area of data prevention and safety.