Fuggetta, Cefriel: "Cybersecurity is not a product to buy"

In Italy, +58% of compromised servers in the two-year period 2020-2021. The IT Innovation Center has produced a white paper for companies and PAs that outlines a strategy for facing the emergency by leveraging skills, technologies and processes.

19 May 2022

Faced with a cybersecurity alarm for Italy (+58% of servers attacked in our country according to the latest Clusit report), the key is the sustainability of cybersecurity in terms of technologies, processes, people and skills. A guideline for organizations is offered by Cefriel, the Italian Digital Innovation Center founded by the Politecnico di Milano, in the new white paper "Sustainable cybersecurity: how to make cybersecurity sustainable over time", edited by Massimiliano Colombo, Enrico Frumento, Andrea Guerini and Mauro Lomazzi. The study aims to provide organizations with the essential elements of the scenario and to propose a strategic line, the Sustainable cybersecurity playbook, as a set of best practices and methodologies that guide companies and PAs on a case-by-case basis in reducing cyber risk.

"Cybersecurity is not a product to be purchased, but a process that involves numerous business areas and no longer just the specific area of Information Security," explains Alfonso Fuggetta, CEO and scientific director of the Cefriel digital innovation center. "It is not, therefore, simply a matter of acquiring and making operational a defense IT tool, but of balancing security with the real operational capacity of companies and PAs; skills that emerge from factors of time, staff preparation, resources and technologies available."

Index of topics
• Cyber incidents: +33% worldwide from 2020 to 2021
• Targeted attacks. In Italy +58% of compromised servers
• The TCO of cybersecurity between strategies, technology and skills
• Cefriel's Sustainable Cybersecurity Playbook

Cyber incidents: +33% worldwide from 2020 to 2021

According to the Threat Intelligence Index Report 2022, published by IBM X-Force, there was a 33% increase in the number of incidents related to cybersecurity flaws from 2020 to 2021, in ways that show how cyber criminals have reached new heights of sophistication and are able to network with organized crime. Attacks can affect anyone, from large multinationals to small businesses to public administrations, on any device.

Two recent events have helped to change the terms of reference in the cybersecurity landscape: on the one hand the Covid-19 pandemic, which has seen an increase in vulnerable targets such as remote workers, and on the other the Russian-Ukrainian conflict, which has also affected international collaboration between police forces. With the acceleration of the digital transformation agenda of companies and public administrations, the techniques, tactics and procedures (TTPs) used by cyber crime have also been refined.

Targeted attacks. In Italy +58% of compromised servers

According to the Clusit report, while the majority of attacks occur in the United States (45%), cases in Europe and Asia are the fastest growing. Our continent has gone from 16% in 2020 to 21% in 2021. This concerns not only the quantity but also the severity of the attacks: 79% of them had a high impact in 2021, compared to 50% the previous year. And while in past years attacks predominantly hit "multiple targets" (many targets struck in an undifferentiated manner), now the targets are very precise, with strong growth in attacks on government/military targets and the IT sector in second place. In Italy, in particular, growth in malware and botnets is observed, with compromised servers increasing by 58%. Mobile does not escape either, with malware distributed through phishing links shared via SMS or messaging apps. In Italy, the sectors most affected are finance/insurance and public administration, which together account for about 50% of cases. Next comes industry, which showed the most significant increase, from 7% to 18% in a year.

The TCO of cybersecurity between strategies, technology and skills

Organizations have to act on three different fronts: continuous security, i.e. the identification of threats, old and new, and the limitation of risks related to the adoption of new technologies; the sustainable reduction of risks and the containment of residual risk below a tolerance threshold; and the promotion of cyber culture through the dissemination of the "Key Facts" of cybersecurity to non-specialists. So how can you optimize your resources to respond to these challenges in a sustainable way? Cybersecurity is sustainable, Cefriel points out, if the security measures and processes can be balanced against the real operational capabilities of the organization, which depend on the preparation of personnel and on the resources and technologies available. The sustainability of cybersecurity requires a holistic vision of all its dimensions which, although apparently heterogeneous, are linked by the concept of the Total cost of ownership of cybersecurity: a model that provides processes adapted to needs, organizational rationalization, management and integration of human resources, enhancement and acquisition of skills, and reasoned allocation of resources.

Cefriel's Sustainable Cybersecurity Playbook

According to Cefriel, an overall strategic vision is to be preferred to the pursuit of individual short-term objectives. To respond to these needs, the institute has systematized its experience in the Sustainable cybersecurity playbook, a set of best practices and methodologies that guide companies and PAs on a case-by-case basis in reducing cyber risk. Cybersecurity processes are divided into three macro-actions:
• Enable, accompany and accelerate the digital innovation processes of companies and public administrations with the implementation of customized techniques to maintain business integrity, built around existing processes.
• Promote the growth of companies and their human capital through the sharing and transfer of interdisciplinary skills, thus protecting them at different levels.
• Make innovation a concrete and repeatable process that produces a valuable and continuous impact over time.

Cybercrime shows increasing levels of complexity and aggression, requiring organizations to be farsighted and insightful. For this reason, a purely reactive approach is not practicable; the development of an overall strategy and constant monitoring of processes is vital. At the same time, models and best practices must be tailored to different organizational contexts in order to maximize results, minimize losses and risks, and optimize resources. Cefriel tackles this issue by focusing on three distinctive elements: its authority as a non-profit institution, the close connection between innovation and research, and interdisciplinarity, the result of the synergy between skills and experiences.