Bulgarian Post and the Hacker Attacks – the Elephant in the Room


In April this year the information systems of "Bulgarian Post" were the target of a serious cyber-attack. The Commission for Personal Data Protection (CPDP) imposed a fine of BGN 1 million (approx. EURO 511.292) after a 3-month inspection found that the company had neglected cyber security and had taken no measures to protect users' data. No analysis had been carried out that would have led to a proper implementation of organizational measures for the protection of data held electronically. After the data of 680,000 individuals was encrypted, personal names, social security numbers, and information about personal identity cards were leaked. The amounts of money that employees received, as well as their bank accounts, were exposed. Sensitive data on the age and health status of employees, as well as the email addresses of the company's customers, were also accessed.

A few months later, this October, the websites of the Presidency, the Ministry of the Interior, the Ministries of Defense and Justice, the Constitutional Court and others (14 Bulgarian institutions in total) were also hacked. Most of the attacks were DDoS attacks, which delay or temporarily restrict access to a site rather than compromise its data.

One of the architects of the cyber defense of the Israeli army (Gabi Siboni) arrived in the country and gave a short interview to the media. He paid special attention to the business: "I don't know the exact situation in Bulgaria. I can only say that you can always be better qualified. From what I know, there is a lot to be done, since the preparation is not only on the part of the Bulgarian state administration, but also on the part of the Bulgarian business branch, as well as the civil sector. They should be better prepared. The business sector is just a unit, just like the country. If they attack the business, they can harm the Bulgarian economic system. It's as simple as that."

As simple as that... says the expert, but it seems the words remain somehow unheard and misunderstood.

The latest research from the World Economic Forum's Center for Cybersecurity reveals several key critical differences in the perceptions of CIOs and business managers in general. First and foremost is prioritizing cyberspace in business decisions. While nearly all of the business executives surveyed explained that cyber resilience is integrated into their risk management strategies, only 55% of the security officers surveyed agreed with this statement.

Getting business leadership buy-in for cybersecurity projects is also becoming a point of misunderstanding. Most of the respondents shared that cyber resilience is considered a priority in their organization and has the support of their management. A significantly smaller share see cyber resilience as a core part of their company's overall risk management. Many security experts comment that they are not consulted when business decisions are made, which leads to problems later on. Misunderstandings between executives, as a direct result of incompatible priorities and security policies, can leave companies vulnerable to attacks.

Next comes the attitude to cyber legislation and the need for legal consultants in a number of the steps required to prepare an internal organizational and legal framework for responding to an attack on the specific business organization.

A dissection of the basic principles of creating a credible defense program[1] shows that there is almost no level of response that does not involve a legally trained expert. Preparing a legally valid response to the relevant regulator; assessing whether personal data is affected; determining the level of compliance with the applicable regulation; working with the IT team; stopping the further use of stolen data; and participating in possible legal disputes are all stages that should not be missed when preparing for the next attack.

In the country, however, these processes seem to happen too slowly, and a large part of the business community claims a level of preparation reminiscent of an article in New York magazine back in 1996: "Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool and therefore strange, spooky."

[1] (i) identifying weaknesses in the organization; (ii) protection through access management and training; (iii) determination of personal and/or sensitive data flows (trade secrets); (iv) rapid identification of incidents and coordination with suppliers and partners; (v) adequate response and signaling; and (vi) recovery of information.

By Irena Georgieva, Managing Partner, PPG Lawyers
