By Lino Santos
– CNCS cyberincident response team – responded to more than twice as many incidents when compared to the previous year. The cases of identity theft, commonly known as phishing, stood out using the image of banking entities, but presenting innovations such as the use of the image of streaming services or postal service providers. The same was observed across Europe, with even more expressive numbers.
But it was not only in the amount that cybercrime increased in 2020. The degree of sophistication of these threatening agents has also increased. As opposed to the traditional sending of messages to an indeterminate set of potential victims, there was a growth in attacks directed at high profile companies, where the level of demand for success is great, but the redemption premium is much higher. There was also a growing trend in indirect attacks, via the supply chain. This was the recent case of the commitment of SolarWinds, a software provider for 425 of the 500 companies on the Fortune 500 list, already considered one of the most successful ever and whose real impact on the economy and national security of many states remains to be assessed.
2020 also probably brought us the first human victim of a computer attack. A computerized extortion attack on a hospital in Dusseldorf prevented the admission of a woman in critical condition and forced her to move to another hospital, where she never arrived.
As a common element to the incidents described here we have the use of social engineering techniques that exploit the human factor, as a result of the difficulty in using increasingly complex and opaque technologies. In a context of increasing digitization, the low digital literacy of the population causes substantial damage to themselves or their organizations.
Improving this situation means strengthening public policies for training people and organizations, and 2021 will be a particularly interesting year in this regard. The improvement of cybersecurity indices and the reduction of society’s vulnerability will be done, on the one hand, with a continuous commitment to raising awareness and creating skills in our society, through the creation of a Cybersecurity Academy. On the other hand, through the regulation of the Legal Cyberspace Security Regime, the regulation of economic activity agents will be insisted on, requiring them to apply security measures in order to guarantee a high level of cybersecurity in services by they rendered.
All of this is in line with the European Union’s new legislative cybersecurity package, in which Portugal, by virtue of its presidency during the first half, takes on a particularly relevant role.
It is necessary to demystify and naturalize cybersecurity in the lives of people and organizations. Leaders committed and aware of the strategic value of cybersecurity are needed for organizations and society.
Coordinator of the National Cybersecurity Center (CNCS)
This article is part of the Dossier The best and worst of 2020. And expectations for 2021