Thierry van Delden has served as Compliance & Privacy Officer at Infoland for over three years. In his role, he deals with technology, privacy, and data protection on a daily basis. He understands better than anyone how crucial it is to take cybersecurity seriously as an organisation – no matter its size. This goes further than acquiring good software, especially when considering that 88% of cybersecurity incidents arise from human actions. How do you ensure information security behavior in your organisation? And what expectations do you have from suppliers regarding security? In this interview, Thierry discusses the four most significant cybersecurity trends of the moment and provides tips on how to involve employees and suppliers in this as an organisation.
“Establishing security awareness poses challenges for managers. After all, employees are already busy enough with their own tasks, and they often assume that security is something ‘the IT department will take care of.’ How do you ensure that secure behaviour becomes standard practice? It is essential to engage employees and open up the dialogue.”
– Thierry van Delden, Compliance & Privacy Officer at Infoland
In a ransomware attack, a company’s or individual’s ICT systems are infected with malware that encrypts the data in the system. Unfortunately, ransomware remains the preferred choice of hackers. Why? It is relatively simple as well as effective. Between 2021 and 2022, there was a 70% increase in the number of ransomware attacks. Globally, 37% of all companies were affected last year. Thierry: “Ransomware is nothing new, but these figures show that organisations need to take it seriously. These figures are expected to rise every year.”
If, as an organisation, you become a victim of ransomware, the consequences can be disastrous. This is because you will only retrieve your business data by paying a ransom, but even that is no guarantee. Although 31% of victims pay the ransom, on average, they only recover 65% of their data. “Yet, we often see news reports in the media where large organisations pay the ransom,” says Thierry.
In addition to this form of extortion, other costs can be substantial if you become a victim of a ransomware attack, such as replacing ICT systems or hiring ICT specialists to mitigate the damage. Also, a ransomware attack often leads to a loss of turnover, as you are temporarily unable to work at your full capacity. Thierry: “Prevention is therefore better than cure. 74% of ransomware attacks are triggered by human actions. Your security measures can be as good as they are… If you don’t create awareness among employees, sooner or later things will go wrong.”
Which brings us straight to the second major security trend: awareness. “The most important ‘trend’ of all,” says Thierry. “Cybercriminals know that people are the weakest link. They successfully apply techniques such as phishing or social engineering. In social engineering, for example, you receive an email from your boss asking you to make a bank transfer. It can all seem very realistic.” Cybercriminals exploit increasingly sophisticated techniques.
Numerous studies also show that the risk is increasing due to mass home working. Thierry: “Because during the corona period many companies had to take hasty measures to switch to working online, the number of security incidents increased by 238%.” Remote working is risky because of the ‘cross-pollination’ from personal to business devices and vice versa. In particular, the security level of the endpoints that employees work with is a critical factor – for example, 70% of office workers use work devices for personal tasks, and 37% use their personal computers to access work applications.
By making employees aware of the dangers, you can prevent many human incidents. Creating awareness can range from understanding the importance of information security to knowing what to do in suspicious situations and especially what not to do. “Creating awareness brings challenges for managers,” Thierry explains. “After all, employees are busy enough with their own tasks, and they often assume that security is something ‘the IT department will take care of’. How do you ensure that secure behaviour becomes standard practice?”
In this article, you can read more about creating security awareness, where these tips are described in more detail.
Imagine: your employees are now well trained in security awareness, your security is in order… and then? What about the companies you work with in Europe? You will also need to understand your supply chain’s cybersecurity measures. This is one of the things described in the new European NIS2 directive that comes into effect on 17 October 2024. Thierry explains: “The European Union introduced the Network and Information Security Directive in 2016. Now there will be a renewed directive – the NIS2 guideline – to protect and improve the cyber security and resilience of key businesses and services in the EU.” Are you a UK-based company with partnerships in Europe? Then this also applies to you!
The NIS2 guideline tightens security requirements for organisations that are essential or important to society. “So while the old directive only focused on essential sectors, such as healthcare, more sectors are now being added. Think internet service providers and government agencies,” says Thierry. If your organisation falls under the ‘essential’ or ‘important’ category, not only do you have to comply with the NIS2 guideline, but you also have to identify supplier security risks.
An example: if you are an energy producer, your organisation is essential to society. If you order wind turbines from an external supplier and it is hit by a ransomware attack, you, as an essential service, cannot expand your capacity. So you should also check what security measures that supplier takes. Thierry: “What do you expect from suppliers? Do you just request their ISO 27001 certificate annually, and then it’s good? Or do you visit them yourself annually to audit? Do you send a questionnaire twice a year and thus query the security policy? With a smart audit management system, such as Zenya CHECK, you secure this process. You can focus on a specific standard, such as the NIS2 guideline, and thus be optimally compliant.”
Do you conduct business with European companies, and are you interested in learning more about NIS2? Find out what you need to do to comply. Read all about it here.
AI and security… How about that, really? Thierry: “Artificial Intelligence (AI) is a topic that cannot be avoided, although it is not a security trend. If your organisation only occasionally uses AI tools like ChatGPT for inspiration, the built-in security of such a tool is often sufficient. You have to assess that for yourself and determine whether it is sufficient for your organisation. If AI is genuinely your company’s core business, it is, of course, a different story. For example, if you develop AI yourself and it involves personal data, then legally sharp security measures are expected.”
If AI becomes a crucial part of your business operations, then the adequate security of your AI-related tools should also be a significant aspect of your security strategy. A new European law on AI is also on the horizon: the AI Act. It will establish the ground rules for developing and using AI. Be sure to keep an eye on this if your organisation is involved in AI!