SOFIA (Bulgaria), November 10 (SeeNews) – The ongoing use of unsupported software or operating systems (OS) is leaving a number of companies in Central and Eastern Europe (CEE) vulnerable to cyber attacks, an executive security advisor at Microsoft told SeeNews.
“The bad guys are leveraging this, they know where they can find those vulnerabilities,” Daniel Grabski, executive security advisor, Enterprise Cybersecurity Group, Microsoft EMEA, told SeeNews on the sidelines of the Fourth South East European Regional Forum on Cybersecurity and Cybercrime organised by market intelligence company IDC in Sofia last week.
“It is a very simple game. If you have the newest OS and the right patch management, and they see that they have to invest more to get into your environment because you have a good defence, then they will move to someone who has poor patch management or is still using obsolete software or OS,” Grabski commented.
The level of adoption of cloud services is another factor that impacts the companies' cyber protection, alongside the existing national regulations and recommended standards.
“You might somehow think that the West European companies which are more mature would get much more attention at the moment from some bad guys [...] but this region [CEE] is in even greater danger because if you are staying mostly on-prem, it is more difficult for you to defend if you are not leveraging the power of cloud,” Grabski said. On-prem, or on-premises, is the software installed and running on hardware located within the premises of a company as opposed to running remotely in the cloud.
Grabski's words are backed by the findings of the latest Microsoft Security Intelligence Report.
Ransomware - a type of malicious software that threatens to publish the victim's data or block access to it unless a ransom is paid - disproportionately targeted computers in Europe in the first quarter of 2017, as Romania and Croatia were among the six countries to see the highest encounter rates, according to data contained in the report.
Ransomware was among the most common type of cyber attacks in Bulgaria in 2016, alongside business e-mail compromise, Sofia-based hosting company ICN.bg said earlier this week, quoting data from the country's Directorate General for Combatting Organized Crime. Cyber crimes accounted for 24% of all economic crimes committed in Bulgaria in 2016, compared to 10% in 2014, ICN.bg said.
Tech giants like Microsoft are usually better prepared to face a cyber attack as, being an all time favourite target for hackers, they can draw on their vast experience to continuously upgrade the protection of their products and services, according to Grabski.
The Miscrosoft Cyber Defense Operations Center reports some 1.5 million security incidents daily.
“We are trying to learn from them - we are analysing the data, we are putting a lot of machine leaning and artificial intelligence to learn what is going on and then we are fitting our products,” Grabski said.
Technology, however, is only one element of an organisation's cyber protection, he added.
“We still see a lot of misunderstanding […] It is no longer about my PC and my server in my room. The data is flying over to different places to the cloud services, to our customers, to our partners, […] and we have to have the right mechanisms in place to control what is going on with this data.”
Aiming to create a harmonised data protection law framework across the EU and ensure that end-users have control over their personal data, while imposing strict rules on those hosting and processing this data, the bloc has prepared a set of rules. The General Data Protection Regulation (GDPR) will be enforceable from May 2018 after a two-year transition period and is directly binding for all member states.
“A company has to know which data is confidential, which data is sensitive, which data is public. This is the basis [of GDPR]. Then you have to have on every document the right classification and label and if the data is sent to the cloud service, you have to have the mechanism to manage what is going on with the data, to allow the customer or partner to access the data or revoke the access,” Grabski said.
He added that in case of data security breaches, companies need to inform the authorities. Penalties for non-compliance with the GDPR may reach up to 4% of a company's revenue.
Like elsewhere in Europe, companies in CEE are only just starting to prepare for the introduction of the new legislation, Grabski said.
“Companies are still putting a lot of investment on the protection side which is not the best practice because you cannot stop all the attacks. You have to have the right set of tools to detect that someone is trying to compromise the whole environment and then, if you have an accident you should have the right people and processes and capabilities to respond,” he said.
“Cyber security is still being perceived as an IT issue, and if this is the case it won't be successful. You have to have the c-level people - CEO, CTO - and they should be driving the whole culture top-down. It won't work the other way round.”