Cybersecurity has now become a genuine emergency for Italian companies and businesses; according to CLUSIT data (2021), there has been a 78% increase in cyberattacks in just four years.
So what solutions can companies implement to protect themselves? What are the risks, challenges, and opportunities in terms of cybersecurity? And finally, what role do people play in this process?
We discussed this with Tamara Zancan, Senior Product Marketing Manager for Modern Work, Cybersecurity, and Compliance at Microsoft.
Hi Tamara, can you give us an overview of cybersecurity for businesses? What is the situation like in Italy and Europe?
Protecting an organization has never been easy. But in 2021, we’ve seen significant changes in the cyberthreat landscape that are having a major impact on organizations of all sizes and in every industry; cybercrime has become more sophisticated, widespread, and relentless. The frequency of attacks has increased significantly; in fact, every day we read in the newspapers about companies falling victim to phishing and/or ransomware attacks, and even healthcare organizations and critical infrastructure—once considered “off-limits”—are increasingly being targeted.
In October, we published the 2021 Microsoft Digital Defense Report (MDDR). Drawing on more than 24 trillion daily security signals, we analyzed and studied threats with the goal of helping organizations understand how cybercriminals are constantly changing their attack methods and determining the best ways to combat these attacks.
Just to give you an idea of the scale of what's happening: hackers launch an average of 50 million attack attempts every day—579 per second!
We have seen cybercrime evolve into a threat to national security driven largely by financial gain; cyberattackers do not discriminate: small businesses are just as vulnerable as large ones. Based on our research, nearly 60% of small and medium-sized businesses reported that they do not feel equipped to manage their cybersecurity, due to a lack of resources and staff with specialized skills.
However, there are also some positive trends: victims of cybercrime are coming forward to share their stories, which is leading to greater awareness and transparency. Governments are also passing new laws and allocating more resources as they recognize cybercrime as a threat to national security.
This picture remains the same at the European and Italian levels; in fact, according to the 2021 Clusit Report on ICT Security in Italy, attacks on organizations based in Europe increased significantly in the first half of 2021: from 15% to 25%.
In the first half of 2021, a 24% increase in serious cyberattacks was observed globally (including Italy) compared to the previous year (affecting various aspects of society, politics, the economy, and geopolitics); furthermore, incidents with “very significant” and “critical” effects accounted for 74% of the total (compared to 49% in 2020). Attacks aimed at extorting money rose to 88%.
In addition, the Postal and Communications Police has just published its 2021 security report: over the past year, there were 126 cyberattacks on the financial systems of large and medium-sized companies, resulting in a total of over 36 million euros being illegally stolen through complex cyber fraud schemes.
In your opinion, how aware are Italian companies of cybersecurity issues? What steps are Italian professionals and managers taking to best address the daily challenges posed by cybersecurity?
According to an IDC study, 46% of Italian companies plan to increase their security technology budgets for 2021 compared to 2020, but this is not enough; in Italy, we still spend less than other economically advanced countries.
IT managers are reluctant to openly present the risks to top management, as a recent study by Trend Micro also shows.
A recent survey conducted by EY reveals that only 20% of Italian cybersecurity experts feel very or extremely confident in the cybersecurity and risk mitigation strategies adopted by their organizations.
We see that Italian companies do not yet fully grasp the extent of the risk; security spending is often viewed as a purely “unjustified” cost and secondary to other investments. However, failing to invest in security often leads to incidents and data loss, resulting in enormous costs and negative impacts on a company’s reputation. Investing in security means investing in the future.
In fact, as organizations increasingly pursue digital transformation, managers and corporate executives must tackle new types of challenges, including cybersecurity: for example, every business process must be “secure by design.”
Building trust through investments in security technologies can help boards of directors enhance their organization’s brand value, stakeholder loyalty, and investor confidence. Now is the time for organizations to prepare for the future and foster a culture of cybersecurity awareness.
We hope that the PNRR (National Recovery and Resilience Plan), which allocates a total of approximately 45 billion euros for the “digital transition,” will provide Italy with an opportunity to catch up and address its shortcomings, including in the area of cybersecurity.
What are the cybersecurity priorities for businesses?
We are experiencing unprecedented growth in digital interactions. In this borderless digital ecosystem, trust between parties must be established in real time. Yet trust is a rare commodity on the Internet. In this new world where digital “handshakes” are more common than their analog counterparts, user identity is the first thing that needs to be protected.
The vast majority of breaches involve the theft of credentials and compromised passwords: these are the weakest link in most security strategies; therefore, protecting identities is more important than ever—protecting users’ identities means protecting corporate data and resources. We have seen a 300% increase in identity attacks over the past year, which is why it is essential to adopt, for example, the principle of advanced authentication: one of our studies shows that requiring two-factor authentication (Multi-Factor Authentication) can protect against 99% of attacks.
Furthermore, it is essential to protect not only users but also devices, and to ensure that every device accessing corporate resources is properly managed. A comprehensive and modern proactive approach to security is needed to manage the complexity of today’s organizations. That is why we recommend the “Zero Trust” model: instead of assuming that everything behind the corporate firewall is secure, we assume that a breach may have occurred, and therefore every request is verified as if it came from an untrusted network. Regardless of where the request originates or which resource it accesses, Zero Trust teaches us to never trust, always verify: verify and protect every identity, validate device integrity, apply end-to-end encryption, enforce least privilege—that is, limit access using JIT/JEA (just-in-time and just-enough-access) policies—and collect and analyze telemetry to better understand and protect the digital environment.
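As an added illustration (not code from the interview, nor from any Microsoft product), the following Python policy evaluator applies the Zero Trust steps listed above to a handful of constructed requests: every request, wherever it comes from, is checked for strong authentication, device compliance, a least-privilege role and, for privileged writes, a time-limited JIT grant scoped to a single resource; every decision is written to an audit list as telemetry. The user names, roles, resource names and device attributes are all invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed data model for the example: what the policy engine knows about a request.
@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool          # strong (multi-factor) authentication completed this session
    roles: frozenset

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in device management
    compliant: bool             # passes the compliance policy (patched, encrypted, ...)

@dataclass(frozen=True)
class JitGrant:
    user: str
    scope: str                  # one resource only: just-enough-access
    expires_at: datetime        # temporary by construction: just-in-time

@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str
    source_network: str         # recorded for telemetry only; never used to grant trust

# Constructed least-privilege policy: the single role each (resource, action) pair needs.
LEAST_PRIVILEGE = {
    ("payroll-db", "read"): "finance-reader",
    ("payroll-db", "write"): "finance-admin",
}

def evaluate(req, jit_grants, now, audit):
    """Verify the request explicitly; return ("allow" | "deny", list of deny reasons)."""
    reasons = []
    if not req.identity.mfa_verified:                       # 1. verify the identity
        reasons.append("mfa-required")
    if not (req.device.managed and req.device.compliant):   # 2. validate device integrity
        reasons.append("device-noncompliant")
    required = LEAST_PRIVILEGE.get((req.resource, req.action))
    if required is None:                                    # 3. least privilege, default deny
        reasons.append("no-policy-for-action")
    elif required not in req.identity.roles:
        reasons.append("missing-role:" + required)
    if req.action == "write":                               # 4. JIT/JEA for privileged actions
        active = [g for g in jit_grants
                  if g.user == req.identity.user and g.scope == req.resource and g.expires_at > now]
        if not active:
            reasons.append("jit-grant-missing-or-expired")
    decision = "allow" if not reasons else "deny"
    audit.append({"time": now.isoformat(), "user": req.identity.user,   # 5. telemetry
                  "device": req.device.device_id, "network": req.source_network,
                  "resource": req.resource, "action": req.action,
                  "decision": decision, "reasons": list(reasons)})
    return decision, reasons

NOW = datetime(2021, 11, 15, 9, 0, tzinfo=timezone.utc)   # constructed clock for the demo

def demo():
    """Run constructed requests through the policy; returns (results by label, audit log)."""
    alice = Identity("alice", True, frozenset({"finance-reader", "finance-admin"}))
    bob_no_mfa = Identity("bob", False, frozenset({"finance-reader"}))
    bob_mfa = Identity("bob", True, frozenset({"finance-reader"}))
    laptop = Device("lt-001", managed=True, compliant=True)
    byod = Device("phone-777", managed=False, compliant=False)
    grants = [JitGrant("alice", "payroll-db", NOW + timedelta(hours=1))]
    audit, r = [], {}
    r["alice-read-corp"] = evaluate(Request(alice, laptop, "payroll-db", "read", "corp"), grants, NOW, audit)
    r["alice-write-internet"] = evaluate(Request(alice, laptop, "payroll-db", "write", "internet"), grants, NOW, audit)
    # Two hours later the JIT grant has lapsed: same user, same device, now denied.
    r["alice-write-later"] = evaluate(Request(alice, laptop, "payroll-db", "write", "internet"),
                                      grants, NOW + timedelta(hours=2), audit)
    # Being inside the corporate network earns no trust: missing MFA still denies.
    r["bob-read-corp-no-mfa"] = evaluate(Request(bob_no_mfa, laptop, "payroll-db", "read", "corp"), grants, NOW, audit)
    r["alice-read-unmanaged"] = evaluate(Request(alice, byod, "payroll-db", "read", "corp"), grants, NOW, audit)
    r["bob-write-no-role"] = evaluate(Request(bob_mfa, laptop, "payroll-db", "write", "corp"), grants, NOW, audit)
    return r, audit

if __name__ == "__main__":
    results, log = demo()
    for label, (decision, why) in results.items():
        print(f"{label:24s} {decision:5s} {why}")
```

The point to notice is that `source_network` never influences the decision: the request from the corporate network without MFA is denied, while the request from the Internet with a verified identity, a compliant device, the right role and a live JIT grant is allowed. The audit list is what a real deployment would ship to a SIEM so that denied requests and expiring grants can be analysed.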
Amid all this, companies must not forget to follow the “basic rules” of a security policy—such as applying patches and ensuring that their infrastructure and applications are up to date and properly configured: basic security hygiene still protects against 98% of attacks.
Organizations are often unaware that they can take the first step toward this approach simply by implementing passwordless technologies such as Windows Hello for desktop or the Microsoft Authenticator app for mobile devices. In addition, many customers can already adopt certain built-in security and protection features, such as Microsoft Defender for Office 365, which are already included in the Microsoft 365 solution they have purchased.
Microsoft is investing heavily to simplify device management and create features that improve IT productivity and mitigate the risk of cybersecurity threats. Currently, Microsoft employs 3,700 security experts and spends more than $1 billion a year on security, but it has made an additional commitment for the future: Microsoft will invest $20 billion over the next five years to accelerate efforts to build cybersecurity into products from the ground up and to provide advanced security solutions. This includes $150 million in technical services to help federal, state, and local governments improve their protection and ensure they deploy the best and most up-to-date security tools. Our technology has been recognized as best-in-class by many influential analysts: over the past year, Microsoft has been named a leader in 5 Gartner Magic Quadrant™ reports and has been recognized by Forrester as a leader in 8 Forrester Wave and New Wave reports.
Useful resources:
Assess your maturity level with our Zero Trust Maturity Assessment: Microsoft Zero Trust Maturity Assessment Quiz | Microsoft Security
For a repository of technical resources, check out the Zero Trust Guidance Center: Zero Trust Guidance Center | Microsoft Docs
Looking beyond technology: how important is the “human factor” in cybersecurity? In your opinion, to what extent can individuals’ behaviors and habits contribute to a company’s security? Can we say that behavioral change is the main challenge we need to overcome?
When the pandemic began, companies had to go digital overnight, with employees even using their personal devices to get their work done. In the near future, hybrid work will become the norm for many companies across all industries. This will lead to an exponential increase in the “digital attack surfaces” available to cybercriminals.
85% of data breaches involve “human behavior” (Verizon Data Breach Investigations Report 2021); often, the risk of an attack or data theft stems from employees’ lack of awareness.
Research by IDC shows that companies’ new security priorities are now focused on the skills and training of employees, who are a crucial part of any organization’s digital value chain. Therefore, greater expertise is needed, and it is important to train and empower users at all levels of the organization: we have seen a 50% year-over-year reduction in employees’ susceptibility to phishing after proper training. Microsoft also offers a series of free courses and programs for organizations, through which IT professionals can enhance and expand their skills.
In this context, however, let’s not forget that training alone isn’t enough. In fact, there’s often the idea that simply collecting metrics or data is sufficient, but all that tells us is what people are doing—not why they’re doing it. Understanding the “why” is absolutely crucial; it’s the key to changing behavior! The “why” helps us understand the underlying assumptions and determine what can be done if there are gaps between what the security team wants and what people are actually doing.
In fact, there are many challenges surrounding the culture of security: rapid digital transformation and growth could encourage people to behave in less secure ways by prioritizing productivity; or, at times, there is a lack of clear communication about why certain security controls are in place. Helping the security team better communicate the “why” helps address these issues.
It’s also very difficult to change behavior if the security leadership or the organizational leadership team isn’t on board. Another consideration is the perception of a just culture. If someone clicks on a malicious link or makes a mistake, do they feel they can raise their hand and report it without being unduly blamed? If people perceive the culture as one focused on punishment and “pointing fingers,” this is detrimental to the security culture.
Furthermore, the biggest mistake organizations make when trying to build and promote a security culture is that it isn’t aligned with the corporate culture. For example, if an organization is very positive and people-centered and always tries to say “Yes” within the broader organizational culture, but the security team pushes for a culture that says “No” very often, that could be a problem—because if you try to force a security culture that runs counter to the broader organization, it won’t work. Change takes patience.
So, the first step is to understand the organizational culture, mission, and values, and to review the cultural symbols within the organization, including branding and training. It is then important to conduct surveys, focus groups, and individual interviews to encourage conversation, facilitate discussion, and understand what is happening on a daily basis—and, above all, why.
It takes a certain level of maturity—and often organizations that strive to be people-centered—to help their workforce become more security-conscious.
This topic, too, is essentially a change management issue… a topic that Digital Attitude knows very well 😊
At Microsoft, we believe this goes beyond simply providing end-to-end solutions; it’s about constantly innovating to best meet our customers’ needs and address the challenges we all face. It’s about delivering an integrated and simplified experience, empowering people and organizations to do more—safely. Learn more about how to take advantage of Microsoft Security’s comprehensive protection.
In short, a culture of security must become a priority for business leaders; it must be at the top of the board of directors’ agenda.
Cybersecurity is a mission of great importance and true urgency. Today’s landscape calls for a comprehensive approach that includes security, compliance management, identity management, and privacy management. But perhaps, above all, it calls for a more human-centered approach, focused on individual habits and a shift in the mindset of the entire organization!
