Author: Maili Torma
In addition to the pandemic, 2020 is memorable as the year of record growth in cybercrime. According to the FBI, US companies reported a 400% increase in cyberattacks, and 68% more companies reported fraud.
In October 2020 Europol warned that COVID-19 had sparked an upward trend in cybercrime. In September 2020 the Estonian State Information Board (RIA) reported that cybercriminals had caused 1 million euros' worth of damage to Estonian companies, the largest single case being 100,000 euros.
Inadequate cybersecurity is a hidden threat in a company, as all too frequently cyber risks are not included in the company's general risk assessment. But should a cybersecurity risk materialise, the damage is very real and considerable.
Beyond cyberattacks, fraud and malware, the problem is often poor cyber hygiene: employees do not know enough about cyberthreats and how to respond to them, or the employer has no instructions on how to protect the company's intellectual capital and information assets. More often than not, companies also lag behind in adopting up-to-date cybersecurity technologies. A good example is the cyberincident at the Charlot OÜ e-shop, where the data of 14,000 clients was breached because the shop failed to use appropriate cybersecurity technologies.
The remote working that COVID-19 brought along in 2020 added a further layer of cybersecurity challenges and risks. Remote work became a reality for most companies, and often there were not enough secure connections to company servers available, which caused unexpected expenses and delays as equipment had to be purchased and time was lost.
The most popular way to spread malware is phishing, which in recent years has become increasingly sophisticated: a phishing e-mail can look entirely genuine at first glance. Only on closer inspection does one notice that a letter in the company's name has been changed or that the wording is somewhat off style. It takes only one employee falling for a phishing e-mail to open the door to the company's intellectual property and confidential materials for cybercriminals. In a ransomware attack the company's files are encrypted by criminals who demand a ransom for the decryption key and the safe return of the files. But by then it is already too late for the company: the information system has been breached, the data has been stolen and the company can no longer control where its data ends up.
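As an added illustration of the "one changed letter in the company's name" trick described above (example code written for this edit, not part of the original article), the following Python script checks the sender domain of a From: header against a company's known domains. It folds common lookalike substitutions (digit-for-letter, "rn" for "m", Cyrillic letters, accented characters, punycode), then flags domains that normalise to the real one, that are one edit away, that use the brand label with a different TLD, or that embed the real domain as a subdomain of an attacker's domain. The trusted domains example.com and example.ee and the sample headers are constructed for the demonstration; a production version would use the Public Suffix List and a full Unicode confusables table.

```python
# Added example (not from the original article): flag From: addresses whose
# domain is a lookalike of the company's own domain. Trusted domains and the
# sample headers below are constructed for illustration.
import unicodedata
from email.utils import parseaddr

# Assumption: these are the company's real domains.
TRUSTED_DOMAINS = {"example.com", "example.ee"}

# Letter pairs and digits that render like other letters in many fonts.
PAIR_SUBSTITUTIONS = [("rn", "m"), ("vv", "w")]
CHAR_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Hand-picked Cyrillic/Greek letters that look like Latin ones (a small
# subset of the Unicode confusables list, not exhaustive).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03bf": "o",
})


def normalize_domain(domain: str) -> str:
    """Fold visually similar spellings of a domain onto plain ASCII."""
    domain = domain.strip().lower().rstrip(".")
    try:  # decode punycode (xn--) labels to their Unicode form first
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters
    domain = domain.translate(CONFUSABLES)
    # Strip accents: "exámple" -> "example"
    domain = "".join(c for c in unicodedata.normalize("NFKD", domain)
                     if not unicodedata.combining(c))
    for pair, replacement in PAIR_SUBSTITUTIONS:
        domain = domain.replace(pair, replacement)
    return domain.translate(CHAR_SUBSTITUTIONS)


def registrable(domain: str):
    """'mail.example.com' -> ('example', 'com'). Assumes a one-label public
    suffix; real code would consult the Public Suffix List."""
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so 'exampel' is one edit away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(header_value: str):
    """Return (verdict, reason) for the value of a From: header."""
    _, address = parseaddr(header_value)
    if "@" not in address:
        return "invalid", "no address in header"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", domain
    norm = normalize_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == trusted or norm.endswith("." + trusted):
            return "lookalike", f"{domain} normalises to {norm}"
    label, tld = registrable(norm)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_label, t_tld = registrable(trusted)
        if norm.startswith(trusted + "."):
            return "lookalike", f"{trusted} used as a subdomain of {norm}"
        if label == t_label and tld != t_tld:
            return "lookalike", f"{t_label} with unexpected TLD .{tld}"
        if osa_distance(label, t_label) <= 1:
            return "lookalike", f"{label} is one edit away from {t_label}"
    return "external", domain


# Constructed sample From: headers, one per trick the checker covers.
SAMPLE_FROM_HEADERS = [
    "Accounting <invoices@example.com>",           # genuine
    "IT Support <helpdesk@mail.example.ee>",       # genuine subdomain
    "CEO <ceo@exarnple.com>",                      # rn -> m
    "HR <hr@examp1e.com>",                         # 1 -> l
    "Finance <finance@ex\u0430mple.com>",          # Cyrillic a
    "Billing <billing@example.net>",               # brand, wrong TLD
    "Docs <share@example.com.secure-login.net>",   # brand as subdomain
    "Newsletter <news@exampel.com>",               # transposed letters
    "Partner <sales@partner-company.org>",         # unrelated external
]


def triage(headers=SAMPLE_FROM_HEADERS):
    """Classify every header; returns (header, verdict, reason) triples."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in triage():
        print(f"{verdict:9} {reason:50} {header}")
```

The normalisation runs before the distance check so that a homoglyph domain is reported as "normalises to example.com" rather than as an edit-distance hit, which is the more useful reason for an analyst. Note that a distance threshold of one will also flag legitimate neighbours such as "examples.com"; treat the verdict as a triage signal, not a block decision.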
Regular training of employees, infrastructure and information security checks, and up-to-date business continuity and disaster recovery plans, together with regular testing of those plans, should be an inseparable part of a company's business strategy. This ensures operational readiness against ever-evolving cyberthreats.
An information security audit that maps cybersecurity risks and gives risk mitigation advice can help a company reach a good level of cybersecurity. We observe and test the information security needs of the various information assets, interview management and employees, and inspect relevant evidence (e.g. internal policies, computer settings, server room setup). Based on these observations we give recommendations on how to mitigate cybersecurity risks. Our information security audits are based on the ISO 27001 standard, which is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that covers all the legal, physical and technical controls involved in an organisation's information risk management processes. An audit also helps if your company's partners, investors or clients require proof that you comply with information security requirements.