Rome – 07 October 2022

Unindustria Rome Headquarters

Background and introduction

On the occasion of European Cybersecurity Month, Cyber 4.0 has launched an initiative to bring the SME environment closer to the world of cybersecurity. It is a series of events organized with the DIH Confindustria, Sistemi Formativi Confindustria and LUISS Guido Carli system, aimed at informing representatives of Small and Medium Enterprises about the framework of cyber threats to which SMEs are potentially subject, and at delving into defense priorities, current initiatives and the tools available to defend themselves, leveraging the action of the Cyber 4.0 Competence Center.

The day scheduled for Oct. 7 featured:

  • talks by experts from the National Cybersecurity Competence Center on the current cyber risks applicable to SMEs and a description of the main, effective tools for defining and implementing cybersecurity governance;
  • interactive discussions with event participants, representatives of various SMEs and industry consultants, to share and explore specific aspects arising from their own backgrounds and experiences; this sharing helped to further improve understanding of the problems SMEs face on a daily basis in this sector.

The current perception of the cybersecurity issue in SMEs

During the first part of the day, it emerged that SMEs lack a shared, widespread, unambiguous and nationally recognized framework of cybersecurity countermeasures and controls defined for the specific organizational and technological context of small and medium-sized entities.

This situation relates to the fact that currently, at the national and/or EU level, there is no binding legislative framework suitable for defining cybersecurity requirements, constraints and obligations for SMEs.

The result is a lack of perceived sanction risk, which leads to an underestimation of the importance of the issue and, in turn, to little or no investment in cybersecurity.

Paradoxically, there is a strong focus on investment in digital innovation, reflecting the opportunity our productive fabric has seized in the digital transition. A gap is therefore detected between the interest and drive for innovation and the sensitivity of SMEs to cyber risks, which could have major impacts on business, with direct repercussions on the competitiveness of the SME in its own context, as also demonstrated by the two case studies of cyber attacks on SMEs reported by experts during the Oct. 7 event.

Cyber attacks towards SMEs

The Eurobarometer, one of the leading Europe-wide public opinion surveys conducted regularly on behalf of the European Commission, reports that in 2021, 28 percent of European SMEs experienced at least one cybercrime-related incident. In Italy, this figure rises to 37 percent: in short, more than one in three SMEs has been a victim of cybercrime. Within the same group of companies, 32 percent admit that their employees have a limited level of information with respect to cyber risks, and 85 percent did nothing about it in the previous year. These data give us a picture of a very large number of enterprises that are not ready to cope with cyber attacks.

The case studies reported by the Cyber 4.0 experts, taken from appropriately anonymized real-life facts, are examples of the current and main mode of attack on SMEs and businesses: social engineering, i.e. attack techniques that rely on gathering information about individuals, by studying what is available in open sources or by coming into direct contact with the intended target, in order to identify weaknesses and obtain sensitive information. The main social engineering technique is phishing, in which a false e-mail communication induces the victim to follow a link to a site resembling the original (e.g., a bank's site) so that the information entered, such as login credentials, can be intercepted and then exploited by the attacker to carry out further attacks on the primary target (e.g., large corporations, the SME's customers).

In detail, the SMEs featured in the case studies illustrated during the event were hit, via phishing, by ransomware, one of the most prevalent malware families globally; it limits the use of a device (e.g., by encrypting data or preventing access to the device) and can thereby bring business operations to a severe halt.

The tools and initiatives to support SMEs

The first means of defense against cyber attacks, with particular reference to social engineering attacks, is risk awareness and cybersecurity training.

The challenge in cybersecurity cannot be solved exclusively through advanced technological solutions and processes; it is first and foremost a skills problem, and should be addressed as such.

It is vital that all users of information systems receive at least basic cybersecurity training so that they use corporate ICT assets in a manner that is aware and alert to possible signs of infiltration of corporate networks by cyber criminals.

In this regard, please note the Training 4.0 tax credit, an incentive made available to SMEs by the Ministry of Enterprise and Made in Italy. Its eligible training topics notably include cybersecurity.

The measure is aimed at supporting companies in the process of technological and digital transformation by creating or consolidating skills in the enabling technologies necessary to implement the 4.0 paradigm. The credit is granted within the following parameters, provided that the training activities are delivered by entities identified by the Ministry, which include the Competence Centers and therefore Cyber 4.0:

  • up to 70 percent of eligible expenses, within an annual maximum of 300 thousand euros, for small businesses;
  • up to 50 percent of eligible expenses, within an annual maximum of 250 thousand euros, for medium-sized enterprises;
  • up to 30 percent of eligible expenses, within an annual maximum of 250 thousand euros, for large enterprises.

To learn more about the training opportunities made available by the Cyber 4.0 Competence Center, you can contact the Center directly through the following channels:

cyber@cyber40.it

https://www.cyber40.it/contatti/

Other themes emerged during the event in the discussion we had with SMEs:

  • Failure to identify an organizational structure within the company to deal with cybersecurity and information security issues:
    • in most cases a cybersecurity manager is not identified, or, if one is, he or she is very often not adequately trained and experienced. This stems both from the lack of awareness of the importance of cybersecurity already mentioned, and from the fact that the legislature imposes no obligation on SMEs to appoint a reference figure dedicated to this subject, unlike in the areas of safety or privacy, for example;
    • as a result, SMEs at best outsource cybersecurity activities to external vendors, which tends to make senior corporate management lose sight of the importance of continuous involvement in prevention measures against cyber attacks, measures that must necessarily involve every single employee;
    • a typical characteristic of SMEs is a high turnover of cybersecurity-skilled employees, also due to the current gap between available skills and high market demand.

There is a need, therefore, to provide the entrepreneur and top management of SMEs with a basic cybersecurity culture, maintained over time so that it stays up to date.

In this regard, Cyber 4.0 will dedicate specific activities and initiatives to top management training in micro, small and medium-sized companies during 2023. If you haven’t already done so, to stay updated on upcoming initiatives and events at the Competence Center, sign up for our newsletter here.

  • Lack of attention to security issues related to Operational Technology (OT): the spread of IoT devices is a rapid and unstoppable process. Alongside undoubted productivity and automation benefits, this evolution brings with it obvious cybersecurity issues, and a focus on IT security that forgets OT security is decidedly ineffective. In this regard, Cyber 4.0 provides specific training in OT Security, dedicated to various business roles, and will organize events dedicated to this area during 2023;
  • Currently, there are no binding regulatory guidelines or requirements directly applicable to the SME context. By comparison, binding legislation in the area of safety requires SMEs to appoint a person responsible for occupational health and safety and to conduct periodic training on the subject according to specific roles. Binding legislation and/or requirements for SMEs would increase the likelihood of a responsible person being identified, a suitable budget being allocated, and staff being trained on risks, processes and procedures;
  • It is important to define processes and strategies for the operational management of cyber incidents, focusing on both prevention of and response to attacks. The role of data backups, minimal but crucial tools for restoring normal operations in the aftermath of a cyber attack, is emphasized.

To make the best use of backups, it is important to:

  • choose the media best suited to your needs: for example, if you back up to an external hard drive, consider that it can easily be damaged or stolen; if you back up to a cloud storage platform, check that the chosen provider offers an adequate level of security;
  • perform periodic backups at intervals, and with retention depths, appropriate to business objectives;
  • regularly test backups;
  • store backups in a physically different location from the hardware being backed up;
  • encrypt backups so that they are unreadable by anyone, even if they are stolen or lost.
  • Among the orientation projects on cybersecurity that Cyber 4.0 makes available to SMEs, the methodology used by the Competence Center so that SMEs can learn their weaknesses in order to defend themselves stands out: the Cybersecurity Assessment.
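As an added example, not part of the event report or of Cyber 4.0's material, the following Python code implements the two items of the backup checklist above that SMEs most often skip in practice: regularly testing that a backup actually restores, and checking that backups are being taken at the agreed interval. The folder contents, file names and the 24-hour interval are constructed for the demonstration; encryption of the archive is left to whatever tool the business chooses and is not shown.

```python
import hashlib, os, tarfile, tempfile, time
from pathlib import Path

def make_backup(src: Path, archive: Path) -> dict:
    """Write src as .tar.gz and return a manifest {relative_path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                tar.add(str(p), arcname=rel)
                manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest

def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore test: extract to scratch space and list files that are missing
    or differ from the manifest. An empty list means the backup is good."""
    problems = []
    # the 'data' filter (Python 3.12+) rejects absolute paths and '..' entries
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive) as tar:
        tar.extractall(scratch, **opts)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append("missing: " + rel)
            elif hashlib.sha256(restored.read_bytes()).hexdigest() != digest:
                problems.append("corrupt: " + rel)
    return problems

def backup_is_stale(archive: Path, max_age_hours: float) -> bool:
    """True when the archive is older than the agreed backup interval."""
    return time.time() - archive.stat().st_mtime > max_age_hours * 3600

def demo() -> dict:
    """Constructed data: a good backup, a damaged re-run, and a stale archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "docs"
        src.mkdir()
        (src / "invoices.csv").write_text("id,amount\n1,100\n")
        (src / "contracts.txt").write_text("signed 2022-10-07\n")
        good = Path(tmp) / "backup.tar.gz"
        manifest = make_backup(src, good)
        (src / "invoices.csv").write_text("id,amount\n1,999\n")  # silent change
        (src / "contracts.txt").unlink()                          # file lost
        bad = Path(tmp) / "backup2.tar.gz"
        make_backup(src, bad)  # the new archive is checked against the OLD manifest
        os.utime(good, (time.time() - 48 * 3600,) * 2)  # pretend it is two days old
        return {"ok": verify_backup(good, manifest), "damaged": sorted(verify_backup(bad, manifest)),
                "stale": backup_is_stale(good, 24)}
```

Running `demo()` shows an intact backup verifying cleanly, the damaged re-run reporting one corrupt and one missing file, and the two-day-old archive failing a 24-hour interval check.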

The day ended with a goodbye until the next leg of the Roadshow, to be held in Umbria, in Foligno, on November 25, 2022.