Today’s economy is becoming more and more centred on digital technology, with innovation coming at a faster pace than ever before. How conscious would you say people are of the new risks and dangers of cyber-crime?
With the economy, as you rightly say, being based more on digital technology, enterprises are basing their operations on the digital aspects. The more the economy goes digital, the more threats there are and the more complicated they are: it’s a vicious circle. Unfortunately, the awareness of the impact is not that profound in small and medium-sized enterprises and firms; they think it will not happen to them but that it will hit large organisations and hence do not invest much on security. Similarly, large organisations think that it will hit elsewhere and delude themselves into thinking that they are investing enough in security. However, large organisations have a larger surface of attack: they have more employees, more transactions and more entry points in general – making them targets. Make no mistake – the threats are there for both.
What is the extent of cyber-crime in this day and age and what is its economic impact?
It is on the increase. Internationally, there is an attack – not necessarily a successful one – every 39 seconds. It is also estimated that 43 per cent of cyber attacks target small businesses. The percentage is increasing, and it will continue to do so as things become more complicated and sophisticated.
Photos Alenka Falzon
What forms can cyber-crime come in and can everyone be affected by it?
Basically, there are two forms. The most common one, strangely enough, is attacking the weakness of the person. This is done through social engineering: an email is sent, the recipient thinks it is a genuine email, when in fact it isn’t, and clicks the link that downloads malware. The malware can be many different things: it can lock the PC and ask for a ransom, it can delete files and it can transmit information. Social engineering can also take place through a simple telephone call: someone can call and simply say that they are from the IT section of the company, ask for the person’s credentials, and the person passes them on.
Then there is a second method: the weakness of the system. A system can be developed with a weakness in it so a person can attack through that weakness. It is like trying to find the weakest window in a house.
In the case of hacker, however, it is social engineering that is used most. Statistics show that 95 per cent of the attacks are carried out through social engineering.
What would these attacks be aiming to gain from obtaining the credentials of an employee, or gaining access to a company?
There are various motives and it depends on the organisation being targeted. For instance, if it is a bank, the aim could be to disrupt its services or get money out of it. In the case of an individual being a victim, then that person could be asked for ransom money to unlock a computer. If the attack is on the government, then it could be the disruption of government operations or even political, and if it is military then, again, it is different, so it depends on the organisation. What is happening today is that the attackers are changing; they are becoming more sophisticated, working in groups from several countries attacking at the same time, developing their own tools or even stealing them, and maybe even sometimes being state-financed.
How many businesses fall victim to cyber-attacks in Malta?
The number is very similar to the statistics we have internationally. Last year, Cyber Security Malta held several focus discussions with businesses operating in various sectors and a survey was also carried out. The outcome was that 40 per cent of local businesses have been a victim of cyber attacks. The attack vectors were mainly fraudulent emails and scam calls, the unknowing installation of malicious software and ransom-ware. That’s why we need to encourage cyber security awareness, so that the 40 per cent success rate of hackers will eventually fall.
What is that success rate at the moment?
Some of the organisations will not reveal whether or not the cyber attacks they have suffered were successful or not; they would rather just say that they have been attacked. What we are proud to say is that, with regard to MITA and the government, we have attacks almost every day and they are never successful.
How important is it for businesses to invest in proper cyber security systems, and why?
It is important for various reasons. As we said, most operations are based on IT systems, so if most of them are down, then your operations are down and so are your profits. And it is not just the balance sheet that is important; it’s the reputation, and I think the reputation is actually more important actually than the balance sheet. If an important organisation is hit, they may lose money or service, but it is much, much more important to get their reputation back, both for the organisation and for the country. Then there is the extreme: if an attack is on a health system or on electricity supply, then it may cause physical and/or health problems.
MITA is the leading entity on the implementation of the National Cyber Security Awareness and Education campaign as part of the National Cyber Security Strategy. What work is being undertaken by MITA to educate businesses and the general public in this respect?
MITA hosts all government data that must be protected and we have invested a great deal in that. We have done so in respect of the skills of our human resources who are being trained locally and abroad: we have one of the highest skill levels in cyber security in Malta – people who can look eye-to-eye with security experts across the world. We have invested in server security tools as well with most of them having artificial intelligence built into them. We also have a security operations centre that is always watching and monitoring, and we are planning to increase all this investment next year.
Externally, we have been commissioned to increase awareness across Malta – if possible to everyone. Where children are concerned, we have done some theatre style drama at Esplora, which was attended by 3,000 students from different state, independent and church schools. We have a laboratory that academics and students can use, and we have coordinated hackathons for the professionals as well, to try and fly the flag. We are now planning sessions with the public sector as from next year, and are starting a new scheme to train people in the private sector and make them more aware of what is going on.
What is the B-Secure Scheme and how can people take advantage of it?
It is a scheme that we are launching next Wednesday – 23rd October – with the intention of improving the cyber security posture of local businesses. It is based on three pillars: providing training to executives and industry professionals, testing the network and wireless infrastructures and web application solutions, and assessing the external hosts against known vulnerabilities. This investment of €250,000 is being translated into 330 hours of industry-certified training and 123 hours of risk assessment conducted by cyber specialists.
Next Wednesday will see the organisation of the first Cyber Security Summit in Malta – what is the aim of this summit and what can attendees expect from it?
As you said, it is the first of its kind in Malta – and I can assure you that it won’t be the last. The main objective is to create awareness: to attract the attention of the private sector. It is the right fora for businesses to come together to listen to experts, local and international speakers, to assist panels discussing the perils and the ways in which they can protect their systems, and also provides the opportunity to apply for the aforementioned B-Secure Scheme. The very fact that we are organising this national summit is to show that our commitment to the private sector is part of our firm commitment to address cyber security issues proactively and on a wider national level.