CYBERSECURITY: WHAT YOU ARE DOING AND WHAT YOU COULD DO

We have known for some time that there are no 100% secure IT systems.

In Italy, three particular situations overlapped, causing an important impact on cybersecurity:

  • the COVID-19 pandemic has led companies to focus strongly on health aspects and on maintaining their core business, but it has also led to a general reduction of investment in information security;
  • the smart working strategy (the Italian term for working from home) has expanded the perimeter within which company information systems are used, and has also increased the opportunities for hackers to attack the security of those systems;
  • the methods used by cybercrime organizations have evolved at both a methodological and a technological level, thanks in part to substantial funding from entities with criminal and terrorist purposes, in addition to traditional profit-making objectives.

That said, let's make some brief considerations, drawn from various studies and observatories carried out by universities and consulting firms.

Good awareness, low investments: almost all companies, regardless of their size, are sensitive to the problem of cybersecurity. But, due to the reduction in investments and the difficulty of maintaining their market positions, they have been unable to invest significantly in cybersecurity. Note that only a small number of Italian companies claim to have suffered a cyber attack, which can be interpreted either as a way to avoid exposure or as a lack of adequate tools for detecting intrusions and/or data leaks.

Measures taken and risk analysis: the vast majority of Italian companies have the most basic ICT security tools (antivirus, firewall and Intrusion Detection System) and about 80% perform or have performed IT risk analysis (even though strong doubts remain about the quality and update frequency of these analyses). In other words, Italian companies, particularly small and medium-sized ones, have generally adopted a self-made approach to both methodologies and practices, while large companies, more sensitive to reputational problems, have opted for more professional approaches and for the use of industry best practices.

Internal security managers: the presence of IT security experts on company staff is certainly a sign of corporate interest in and sensitivity to the problem. Here too, the percentages increase (from 25% to about 80%) with the size of the company. It is logical that medium to large companies can afford to keep figures dedicated to IT security, while small and medium-sized companies distribute these functions within the IT department, sporadically using external consulting services.

Low number of certifications: from the previous point, it follows that Italian companies invest little in cybersecurity certification. The high cost of obtaining these certifications and the demands on the time of expert staff are the brakes that slow down and block Italian companies' approach to these objectives. Factors that would favor these investments are the need to achieve certification because of regulatory obligations, or because it is required by a specific supply chain in which partners, customers and suppliers are all obliged to use high standards of IT security.

Cyber insurance: another possibility has recently taken hold: using insurance policies to cover the residual risk deriving from damage caused by hacker attacks or data breaches. Given the current economic situation, these policies are designed for large companies and in any case cannot be considered an alternative to building an IT security infrastructure, but only an opportunity to limit the economic damage caused by corporate data leaks.

The desired solution must be based on a holistic approach: a mentality that must involve both the internal structures of the company and its external environment (partners, customers, suppliers, public administrations must all be active subjects with the same goal). IT security must be experienced pervasively at all company levels (growing awareness of top management, growing awareness and guidelines for middle management and continuous education and training for all employees), but it must also be considered as a measure for the selection of partners and suppliers (certifications and use of common methodologies), as well as a tool for the creation of close exchanges with the vendors of the main enabling technologies.

Let’s say that Italian companies have set out on a road, certainly long and winding, with the common goal of achieving maximum ICT security. This security must be shared by all parties and necessarily based on a holistic approach.

ACTION ICT (March 2021)

 

ACTION ICT is a young, dynamic and innovative IT company. It operates, both nationally and internationally, offering professional skills and design solutions in the ICT field to medium and large businesses. Our highly skilled know-how is housed in three expertise-specific departments: ACTION DATA (Big Data Analytics and Artificial Intelligence), ACTION APP (Web & Mobile Application) and ACTION IOT (Internet of Things and Robotics).
