Cyber threats against critical infrastructure are rising with the emergence of the Internet of Things, Operational Technologies, and the evolution of malware. This development introduces new vulnerabilities to organizations, and thus, taking measures to prevent cyber-attacks is more critical than ever before. But what are the actions we need to take? And how to keep up with the increasing number of attacks? We kicked off 2023 by addressing these topics at the annual Microsoft Security Day on January 18.
Kelly Bissell, CVP for the Microsoft Security Service Line in the US, was the first speaker to share his knowledge of the current state of cyber security. He laid the foundation for the event: “Everyone is at risk. 46% of attacks on commercial organizations are aimed at small businesses. So, you really need to think about what an attacker might want from you,” he told the physical and virtual crowd, which consisted of cyber security professionals from Danish and international organizations.
Having worked with this topic for over 25 years, Kelly today observes more attacks than ever before. “In the 15 minutes I am up here on stage, there are hundreds of thousands of cyber-attacks worldwide. So, we need to solve this problem in a different way than before.”
To transform the market and approach, Microsoft is working to make the cyber world safer, blocking registrations, taking down attacker groups, and collaborating with law enforcement and cyber agencies to reduce cybercrime.
Collaborating across borders
From the global perspective presented by Kelly Bissell, Cecilia Bonefeld-Dahl zoomed into the European point of view. Cecilia Bonefeld-Dahl is the Director-General of DIGITALEUROPE, one of the most prominent tech organizations in the world, representing more than 45,000 companies across Europe.
The Director-General believes that we are entering an age where digital resilience will be key in defining the safety and security of the future. She sees international cooperation as an important part of being resilient, saying, “We have a tradition of nation states taking care of their own security. But this is not how the future works”. Elaborating on this, Cecilia Bonefeld-Dahl explained that cyber-attacks happen across governments, countries, and continents, which is why there is a need for a common cyber security governance model.
One of the good, bad guys
Oliver Nordestgaard is the Captain of the Danish National Cyber Team that won gold at the European Cyber Security Championships in 2022. He talked about how he taught himself to code at a young age and now works as a consultant, helping companies to understand where their systems are vulnerable.
He believes that the industry must get more young people interested in cyber security, and he credits the European Championships for driving attention and competence to the field. “We need the companies to help show the youth what they can work with within cyber security. Introducing these talents to how they can keep enjoying cyber security is a very important part,” he said.
Learning the hard way
In August 2022, news broke that the Technical University of Denmark (DTU) had been hit by a cyber-attack. The severity of the attack, once fully investigated, came as a shock to Anders Fosgerau, Head of the IT Security Office at the Technical University of Denmark.
“In a situation like this, you have more questions than answers,” Anders Fosgerau stressed, as he recalled the intensifying impatience he experienced as he realized the system had been hacked but still didn’t fully understand the problem.
“But just like at the doctor’s: you need proper examination before taking action,” Anders Fosgerau explained, something he learned from Hasan Rahman, the Chief Security Advisor at the Microsoft CSU team, who supported Anders and his team. Hasan Rahman joined Anders Fosgerau to talk about takeaways from the experience. “You should never waste a good crisis, and the attack ended up being a perfect storm coming from a bad situation, as it helped us upgrade our security as well as brought our team closer together,” explained Anders Fosgerau. Working together as a team was something Hasan Rahman also highlighted: “The team at DTU didn’t play the blame game. You rolled your sleeves up and worked together as one united team, which was a game-changer that allowed you to kick out the adversaries swiftly without downtime.”
What are the biggest threats?
Exploring different perspectives on the landscape of cyber security is essential, but driving real change and strategic direction comes from engaging in discussions and learning from each other. For this purpose, the moderator of the event, Karin Cruz Forsstrøm, invited four cyber security experts to the stage for a panel discussion.
Malene Stidsen, the Programme Manager for Cyber Security at The Danish Industry Foundation, mentioned supply chain attacks when asked about the biggest threat right now. “The number of supply chain attacks is increasing immensely. That’s an issue, especially as most companies are making their security investments internally, even though many of the incidents happen externally on the supply chain.”
When asked the same question, Mads Nørgaard Madsen, Partner & Head of Consulting – Technology & Security at PwC Denmark, pointed toward malware.
“7-8 years ago, ransomware was one of the biggest threats to cyber security – and it still is today. If you are hit by a ransomware attack, your entire business is down. And hackers keep evolving ransomware technology, so we are in a race to keep up with them.”
Kelly Bissell – who had returned to the stage – elaborated on this topic: “The broader cyber marketplace hasn’t done well when it comes to keeping up with our own internal innovation. In this arms race, we must be faster and better than the attackers.”
The fourth member of the panel was Mark Fiedel, Head of Cyber Analysis at the Danish Centre for Cyber Security. He pointed out how understanding the attackers is key to knowing how to protect yourself: “I think it’s important to remember that hackers are lazy. They are using what’s most straightforward and efficient for them. So, we don’t necessarily need to be brilliant but just good enough at the basics.”
The cultural aspects
The participants also emphasized the importance of the business aspects of handling cyber threats. On this topic, Malene Stidsen stated, “We need to remember the cultural part of this. When it comes to the culture, the governance, and the routines, we’re lagging behind. We need to up-skill employees and top management. We can’t have a strong cyber culture without involving management.”
Mark Fiedel also expressed hope that cyber security will become an even more significant part of the agenda in the boardrooms.
More collaboration is needed to push this agenda globally, as pointed out by Mads Nørgaard Madsen. “We need to get a sharing mechanism to work between the different sectors in play. We all want the same thing, so there’s no competition. We should collaborate even more.” All participants agreed on this, and Kelly Bissell stated that times have changed: “We used to be in an era where people focused on blaming the victims of cyber-attacks, but we’re not there anymore. We are now more focused on learning and becoming more resilient together.”
Preventing an attack in 9 minutes
“There are no silver bullets to preventing a cyber-attack,” Hasan Rahman stated in his and Rebecca Jensen’s masterclass on how to prevent an attack in 9 minutes. Rebecca Jensen, Customer Success Account Manager at Microsoft, talked about the importance of going from a reactive to a proactive mindset: “In our experience, customers who invest in the basics tend to have a much stronger security posture.”
They underlined the importance of having a security incident response plan in place – comparing it to a fire drill: “In a fire drill, it’s not enough to know where your exits are; you also need to know who’s responsible for gathering you. Who is responsible for leading you out? What path are you supposed to take? The main lesson we want you to take away is that it is crucial you invest the time and effort on people, processes, and technology to strengthen your security posture.”
A day of strong cases
Rounding off the event, hosts Kristoffer Rosenmeier and Jurate Beniulyte from Microsoft Denmark took the stage to express their excitement for the honest dialogue and open-minded discussions among the speakers.
“The most important thing for me today was the width of the perspectives we have seen today. I think we all felt the pain of Anders Fosgerau from DTU, who was brave enough to get on stage and talk about the attack they were hit by last year. And personally, I feel honored to have shared the stage with a European champion,” concluded Kristoffer Rosenmeier.