Cybersecurity beyond IT: The human factor and the need for holistic protection – Interview with Microsoft expert Gaia Guadagnoli
by Onelia Onorati (Fondazione Mondo Digitale)
Why is it important to involve both a company’s internal and external resources in the protection of cybersecurity? Because attacks will become increasingly sophisticated and evolved and will be linked to delicate geopolitical issues, but also because the human factor plays a crucial role among the elements of vulnerability. Cybersecurity represents an excellent professional opportunity for those beginning their careers, regardless of their course of study. Onelia Onorati, Social Media Manager at Fondazione Mondo Digitale, interviewed Gaia Guadagnoli, Privacy, Data Protection & Security Technology Specialist at Microsoft Italy and coach of the Course organised as part of the Fondazione Mondo Digitale Programme Ambizione Italia for Cybersecurity (March 6-9-13-16).
According to the latest Microsoft Digital Defense Report, in 2022, there were 710 million phishing emails per week and 921 password breach attempts per second, up 74% from last year. Cyberattacks are on the rise, putting businesses and individuals at risk like never before. In your opinion, what are the reasons for this surge?
In recent years, the increase in cyberattacks is due to many factors, ranging from purely technological issues to human factors and opportunities. The rise of interconnected devices and the pervasive growth of the IoT have created a larger attack surface for malicious actors. Furthermore, the emergence of sophisticated and automated attack tools has made it easier to launch more or less complex attacks, exploiting economies of scale which, therefore, make it much more economically efficient to launch large-scale attacks. Finally, the lack of adequate security measures has also contributed to the increase in cyberattacks in many organisations. The human factor is, therefore, central both from a business and personal point of view.
In fact, the use of good security practices manages to block most of the standard attacks. Consider, trivially, the use of a double authentication factor and the systematic updating of the operating systems and applications in use. Then, it is essential to pay attention to what surrounds us and what we are subjected to, developing our critical thinking. You do not need to be an IT expert to create a level of protection that allows you to feel more relaxed.
What are the most vulnerable points of a company, the ones that a cybersecurity professional must pay attention to?
There is no single answer to this question because every business context is different, both in terms of infrastructure and data. For example, there are sectors with a greater use of operational technology (OT) devices than others, and companies that allow the use of personal devices for personal operations (bring your own device). These peculiarities differentiate the possible attack surface, which may be more or less large. However, there is one element that all organisations have in common: the human factor. As I said before, the human factor is almost always the weak link in the security sector. It is essential to pay attention to this point in a particularly structured way because inattention (or, even worse, the malicious activities of any insiders) can lead to very serious consequences. And it concerns not only the implementation of technical measures, but also organisational measures and user awareness of IT risks.
On a technical level, it is also important to find a balance between protection and usability. In fact, it is important that the users are not too limited in their operations, otherwise they might look for potentially dangerous “workarounds.” Therefore, it is necessary to opt for measures that are as simple as possible (both on the back end and front end).
Finally, it is possible to summarise what in my opinion is the most important point: “culture”. In fact, technical measures, investments, security policies and procedures are nothing more than the derivative of a cultural drive dictated by management’s attitude towards security. A crucial area is the economic factor. Unfortunately, we often see huge ex-post investments, only after the perpetration of a cyberattack. If these investments had arrived on time, however, great economic losses could have been avoided. Any worker operating in the security branch (from the more technical to the less technical) must keep in mind the economic factor and the so-called “ROSI” (Return on Security Investment) which, in fact, governs every type of decision in the organizational sphere.
What is the ideal path for someone who would like to work in this area? Are there basic requirements that you need to get started? Are there opportunities for individuals starting from scratch?
I have a three-year degree (BA equivalent) and a master’s degree in International Development Cooperation, Political Sciences. Can you imagine something more distant from “cybersecurity”? Difficult. Then, I gradually discovered my true passion and decided to cultivate the one I had always known I had – in this case computer science – and to find an area that excited me. I’d be lying if I said I chose this field deliberately, because it actually happened almost by chance, but what I want to emphasize is that the only really important thing is to be interested in a certain subject.
Now let me give you an example that might make someone smile. One day, I was at home. My phone rang and it was a recruiter who, after seeing my LinkedIn profile (I still had several tech-related things to my credit, but absolutely nothing in the cyber field), had decided to contact me for an interview in the cybersecurity field. To me, “cybersecurity” meant long, complex passwords, and that’s about it. So, I called a friend of mine who worked in the field and asked her to tell me about five super important things in this area, without which I would not have even remotely thought of passing the interview. It was inconceivable to have a holistic view of the whole subject in a few days, so I concentrated on the five areas that my friend pointed out to me and really studied them thoroughly. I passed that interview and my life changed. I was not an engineer. I was not born a pentester. I was just someone who had been presented with an opportunity and was willing to learn.
The truth is that computer security is an almost boundless area, and there really is room for everyone, as there are both more and less technical specialties. In my career, I have gradually approached more and more technical subjects, but this was a personal preference motivated by an interest that matured day by day. This is not a law that applies to everyone. I know people who are absolutely non-technical and in front of whom one can do nothing but bow down and learn, so yes, there really is room for anyone interested in the subject. Each one of us has peculiarities in their baggage that make them unique and that can bring added value to any cyber specialisation.
It is natural that some sectors have very strict requisites, especially the purely tech side, but I repeat, you need not be “trained from birth,” especially if you are at the beginning of your career. We are fortunate to live in a world where we have every opportunity and possibility to research and learn whatever interests us, so it is all about commitment and willingness to learn. Anyone interested in knowing more about career opportunities in this field can join the Career Orientation Jobtalk in collaboration with Cyber Strategy Initiative on March 15 (6-7 pm).
How do you think cyberattacks will develop in the coming years?
Cyberattacks are constantly evolving and do not depend only on factors of opportunity, but also on geopolitical factors. However, also based on the indications of the Microsoft Digital Defense Report 2022, it is possible to make some interesting forecasts. Ultimately, given the backdrop of recent years, cyberattacks are expected to become more sophisticated, targeted and organised. To begin with, it is believed that attackers will increasingly use artificial intelligence (AI) and machine learning (ML) techniques to automate their operations, which will include attacks on different sectors of corporate infrastructure, taking advantage of the growing attack surface available. By automating attacks, it will be possible for malicious actors to launch more sophisticated attacks with greater speed and accuracy. Additionally, attackers will be able to use AI and ML to create more targeted and personalised campaigns. They will continue to use phishing and social engineering tactics to gain access to corporate networks. By leveraging social media and other communication channels, attackers can target specific individuals and businesses.
Finally, the attackers are thought likely to form more organised and professional groups, possibly even sponsored by nation states. These groups will be able to launch more coordinated and sophisticated attacks, making it even more difficult for organisations to defend themselves. As the digital threat landscape continues to evolve, it is important for organisations to stay up-to-date on the latest security trends. By proactively monitoring threats and implementing appropriate preventive and corrective measures, organisations can stay one step ahead of attackers and better protect themselves from increasingly sophisticated cyberattacks.