"Thinking about the human capital that is in your company, raising awareness, training, educating, developing skills and competence is of utmost importance."
Keynote by Pascal Steichen, CEO, LHC / Luxembourg House of Cybersecurity
Luxembourg Wealth Tech Day, January 26th
“One cannot ignore the risks, the inherent challenges that technologies bring with us, especially in field like wealth management, where high net worth individuals are at stake. Ignoring cybersecurity, allow me to be blunt, is severe negligence. I'm active since many, many years in cybersecurity now, since almost 20 years. Today, I'm leading the Luxembourg House of Cybersecurity, which is in public agency here in Luxembourg, making sure that Luxembourg has leading edge cyber resilience for the economy.
Allow me to share you a few elements of cybersecurity that might impact your business, or how you can use cybersecurity to create trust and confidence to recreate maybe trust and confidence to your business developments. Who has heard or knows about eternal blue, Hafnium, sunburst or Log4Shell ? These are not the latest music bands, obviously, these are one of the most prominent cyber attacks or cyber incidents that shocked the world in the last few years. Eternal Blue is the toolkit of a criminal to do a cyber attack, the one that was behind a more famous attack called WannaCry.
You probably heard about WannaCry many years ago. Well, 2017 was the big WannaCry compromised and more than 200,000 computers worldwide were compromised, this was a ransomware attack. Sunburst, then that's the name of a malware, that abused a buck in a software called SolarWinds. Maybe you heard about SolarWinds, which is a software solution that was used by many companies and had an vulnerability and was abused by the criminals, targeting companies of prominent entities like NATO, the UK, NHS, or AstraZeneca back in 2020. Log4Shell is the descriptor of a so-called zero day vulnerability. What is zero day vulnerability? Well, this basically is a vulnerability where you have exactly zero days to protect against, because there is no known solution to it. That's why it calls zero day vulnerability. So if this happens, it's a big trouble. And this vulnerability was part of a software package called Log4J. Nobody knew about it until last year when it came out. We noticed -the IT community noticed - that Log4J was basically in every integrated software. It was a huge concern: many are still struggling with it. Finally, Hafnium is a group of cyber criminals that has specialized in attacking Microsoft Exchange servers, and is responsible for most of the Microsoft Exchange breaches in the last years. They are still active at the moment. So if you have a Microsoft Exchange server, update it as fast as possible, because there are many cases still today in Luxembourg and in Europe. Hafnium is not a normal criminal group: they are a so-called state sponsored group. That means they have quite some resources in their background, and therefore they are still active and create some headaches to the cybersecurity people around.
So yes, cyber criminals are not young geniuses in their garage hacking systems for fun and challenge, but organizations, corporates, well organized structures that do this as business, and even some specialize in dedicated technologies or dedicated types of attacks and, sell services one to another. So it's a kind of real underground economy that we face on a daily basis when it comes to cyber security. Sorry to have been a bit geeky in the beginning, but let's take another thing. Who has already been part of an incident or has already faced a cyber crisis or incident or know someone who has, I would say? Okay, quite a few hands. What about investment in cyber security? Has your company invested a lot in cyber security the last years? Yes. No. Or have there been investments? Good.
Allow me last question. Who's using email every day? We all, of course. When it comes to the number of incidents to the number of attacks, 70% of attacks are related to email compromise, in Luxembourg, but also in many, in many other countries around. Why are these emails or even SMS you probably have received recently some SMSs from the Luxembourg tax authority, asking you to connect because they have money to give you back.
Why does this still work? Well, we humans, our brains, our behavior cannot so easily be updated or patched or fixed. Our human reactions, our decision taking processes have been shaped many, many thousand years ago when we were still chasing the saber-toothed tigers. These reflexes are still there, and criminals obviously abuse them. So these 70% are targeting us, the humans, you, he, she, I, we are all part of what some would call the weakest link. I prefer “the first level of defense”, which is what you really have to consider when defining a cybersecurity strategy.
Thinking about the human capital that is in your company, raising awareness, training, educating, developing skills and competence is of utmost importance. Employees, but also clients, partners… all the people that interact with your organization should be aware of how to develop or how to behave in a cyber secure way. Because only this will make sure that your digital services, your digital business becomes trusted and has a certain confidence level. At national level in Luxembourg, the Luxembourg government invests in this campaigns in cyber security awareness raising since many, many years. For instance, there is an initiative called Be Secure, which addresses this topic of cybersecurity or helps raises awareness among schools, among children in schools. The national cyber security strategy, running from 2021 to 2024, has its strategic pillar building trust in the digital world and promoting human rights online.
I would like to give you this as a first takeaway really to capitalize on human resources, strengthen them to strengthen your business and confidence in your business. But what about technology? Will technology help to balance this gap that we as humans have in our behavior? Cloud, AI, IOT, web 3.0, blockchain, NFT, metaverse, banking 4.0, and smart cities, all these new initiatives, all these new trends, will it help? Will it bring more security? It at least promises more efficiency, more performance on the cybersecurity side. I'm not so confident, unfortunately. A lot of it is sometimes really more hype than really useful, especially because it's not really new. It's building on top of the good old internet that has been invented 60 years ago.
The worldwide web, that's 30 years ago, but still, that's a very ancient backbone that we use, that we build on top. All these new technologies add layers, more and more layers. And especially when it comes to cyber security, the complexity of all these layers is really an issue. Because an attacks and intrusions will not be at the edge, it'll be at the core. So you have to go down through all these layers to find out what really happened, what needs to be fixed, and how to react to these incidents and manage the situation. So protecting, putting yet another layer of protection on top of it, is not enough anymore.
We also have to prepare for the ugly, prepare for the situation when there is an incident. And it is when, not if, because there will be incidents. And maybe there is already an incident that you have not detected yet. Because detection rates of cyber attacks are around two months, when looking at several international studies. So it's important to combine those elements, because we all have skin in the game when it comes to technology to cybersecurity. Each individual organization, but also there are interdependencies: we are dependent on one another, partners, providers, clients, et cetera. Even regional sectoral or at the national level, working together is important collaborating, sharing, also information about knowledge of incidents, of threats, lessons learned, and all these things, because only together can the digital society become more resilient. This leads to the second strategic objective of the Luxembourg cybersecurity strategy, which is to strengthen these security and the resilience of the digital infrastructures. As a lot of them are in private hands, there is a need to have public private partnerships to work together between public, between private, between different entities to cope with this cybersecurity challenges.
Following the bad news about the human factor being the weakest link, the ugly aspects of technology where security by design is often ignored. Good news : there is a huge expertise available, especially here, here in Luxembourg. So don't suffer in silence. If you have an issue, if you have an incident, or if you are looking to become more cyber secure and benefit from the Luxembourg cybersecurity ecosystem, there are more than 300 companies in Luxembourg that provide cybersecurity services and solutions. These are not only hardcore IT cybersecurity specialists, but also law firms, insurers, auditors, accounting companies that add on top of their core services a specialty in cybersecurity service linked to their specialty. Such a diverse and interdisciplinary cybersecurity ecosystem really makes and creates a real value of resilience for the Luxembourg economy.
My agency, the Luxembourg House of Cybersecurity, has exactly this as mission: to federate, to foster, and to make sure that the Luxembourg cybersecurity ecosystem develops in a sustainable way and makes it possible that we have a secure digital economy in the future. Further details about the strategy, about the ecosystem and all the available service providers, everything is publicly available on the national cyber security portal Cybersecurity.lu. Ladies and gentlemen from the financial sector, and especially you from the wealth management world, are used to apply high standards when it comes to confidentiality and compliance. And especially on the side of regulation, we see a lot of cybersecurity being part or becoming part of regulations or specific cybersecurity regulations coming along. You all know GDPR, probably as well, the PSD2 two, maybe soon three. And many, many others to come on top of the list of the European Union to address all those specific needs in cybersecurity and challenges.
All of these regulation really have taken into consideration the fact that there it's not only technological issue, but it has three dimensions: human, technology and organization. These are the three ingredients of a cyber equation. So to address cybersecurity, it's really these three elements that need to be combined. Building and foster the human capital that you have, don't let technology guide you, but take the control of it, define the pace that your business is needing to develop the technology, and consider a security by design, think about it.
And last but not least, I said it already, don't suffer in silence. Embrace the potential of the environment in Luxembourg, but also in the region or at the European level. Yes, we can together make cybersecurity better because it's a shared responsibility and only together can we tackle all the challenges, and embrace all the opportunities. “