On April 18, we in Costa Rica received the unfortunate news that the computer systems of many public institutions had been attacked by the criminal organization Conti, with the Ministry of Finance being the main target. Although much about the intrusion is yet to be clarified and it is impossible to know the full extent of the damage (whose consequences could last for several months or years), at this stage there are already some lessons we can learn.
The clearest, most obvious lesson is that, in terms of cybersecurity and personal data protection, investment must be preventive rather than reactive. In this case, it seems that not all the appropriate precautions were taken and, therefore, the impact of the attack was greater than first realized. Whether in public institutions or private companies, adequate information protection systems that can detect any type of attack must be in place so that an intrusion can be isolated immediately and its impact reduced. In this case, indications are that the attack began several months ago and, therefore, the criminals had the time they needed to map the entire network without being detected.
To go with a protection system, an organization must train its staff in detection, and adopt a suitable organizational culture of constant computer security awareness. This helps reduce human error that could allow phishing or malware attacks that eventually become the gateway to criminal trespass. Training employees to detect anomalous situations, apply the appropriate mechanism to isolate them, and promptly report them to higher-ups is critical.
Also of vital importance is the handling of personal data. To maintain confidence in the system, the proper treatment of information and personal data must be a top priority. This in turn encourages more secure handling of information, avoids storing more personal details than are strictly necessary, and ensures that the harm an attack of this type can cause to individuals is kept to a minimum.
As we know, a criminal attack could lead to sanctions and compensation that must eventually be paid. In addition (and perhaps more burdensome), failing to detect a “hack” could result in the loss of a company or institution’s valuable information, damage to the reputation and credibility of the entity affected, and the suspension of business or service continuity. Therefore, the option of purchasing cyber risk insurance may be important to reduce such exposure.
Originally published on El DelfinoCR