'Only three places take it seriously': The bleak view of Italy's online security

Two reports have painted a picture of Italy's threat landscape, and it's not a pretty one.
Written by Federico Guerrini, Contributor

Fewer hacktivists, more cybercriminals, and little or no protective measures to keep them out: two different reports on cybersecurity published recently in Italy have painted the same picture of the country's online future.

The first report, by the Italian Information Security Association (CLUSIT), details current cybersecurity threats both on a global and national level, focusing mainly on attacks that are public knowledge and have caused serious damage to the infrastructure and reputation of the victims. But, thanks to a collaboration with Fastweb, it also gives a broader perspective of the number of online threats that businesses and organisations have to face on a daily basis.

The second report, a collaboration between the University of La Sapienza's Cyber Intelligence and Information Security (CIS) research unit and Microsoft Italia, highlights instead the vulnerabilities and strengths of public administrations' digital infrastructure.

Both reports are quite scary - if you care for your data, that is. Twenty-two out of the 42 central administrations and none of the municipalities analysed in La Sapienza's report were judged by researchers to have a level of defence adequate to the dangers they face.

Lack of awareness is also an issue for the organisations. "The degree of maturity and education of those who manage and operate public IT infrastructures is often quite low, and this is a problem," Microsoft researcher Carlo Mauceli told ZDNet.

The amount of time between when intruders penetrate a system and when they are discovered is also significant.

"According to research we did last year," CLUSIT's board member Andrea Zapparoli Manzoni told ZDNet, "in Italy there's an eighteen-month timeframe on average before a company starts to understand what's happening."

What's more, unlike other countries, Italy has no regulations in place forcing private companies to disclose when they've been victims of a security breach. "Only telcos are obliged, and only when their customers' personal data is involved," Zapparoli Manzoni says.

Still, such attacks are no urban legend. Attacks on hospitals' databases, to gain access to patients' data and use it for identity theft, increased 200 percent year-on-year in 2014, the CIS says.

In October, hundreds of Italian municipalities fell victim to Cryptolocker, malware which encrypts all the data on the administrations' servers, asking for money to unlock it. In many cases, the sum was paid by the employees themselves, who passed the hat round to cover the cost of the ransom.

The only public authorities that, according to the research, take data protection seriously enough are the Friuli Venezia-Giulia region, the Social Security Service (INPS), and the Corte dei Conti.

Things seem to work better in the private sector. The CLUSIT report highlighted 10 very serious attacks in Italy among the 900 that occurred worldwide in 2014. "That's a little more than one percent of all global attacks, a figure which isn't realistic if you consider the importance of the country and the size of its economy," CLUSIT's Zapparoli Manzoni says. "Obviously, there is a gap: either the attacks are not reported, or firms don't even understand that they have been breached in one."

Both explanations could hold true: most corporations prefer not to speak publicly about being targets of cybercriminals, so as not to lose their customers' trust, but often they can't hide the magnitude of the costs they face in shoring up their IT infrastructure in the wake of a cyberattack.

According to EMC's data protection index, those costs amount to $9bn a year, suggesting that the scale of the issue is much bigger than companies would like to admit - something which is confirmed by the analysis carried out by Fastweb's Security Operations Center (SOC).

The SOC constantly monitors carriers' networks in search of anomalies that are typical of cyberattacks. In 2014, it spotted five million security 'events' (from DDoS attacks to malware and phishing), up from the 172,000 registered the year before.

The nature of the attacks themselves has also changed.

Last year, 83 percent of intrusions were carried out by hacktivists, with criminals accounting for the remainder. Now it's the opposite, both the CLUSIT and CIS reports say. "Before, the purpose was to protest or support a certain ideal; now it's rather to cause the worst possible damage to the target," Microsoft's Mauceli says.

Most of the attacks (60 percent) are now carried out by criminals trying to steal industrial secrets or knock out a company's infrastructure to favour a competitor.

One such case, which took place at the beginning of last year but was revealed only in April, concerned the famous fashion multinational Benetton. "The news received little coverage and was published only by some local newspapers," CLUSIT's Zapparoli Manzoni says. It would have probably remained a secret were it not for the fact that some dresses of the new 0-12 collection began to be sold in some stores in Syria before Benetton had started selling them itself.

A smaller share of the attacks (40 percent) falls into the 'hacktivism' category, and the targets include public institutions, utilities, and companies.

There are no easy solutions. For public bodies, one potential answer would be reducing the 'attack surface'. "In Italy we have around forty thousand organisations, each one managing its own IT infrastructure. We should centralise computational resources in a limited number of datacentres, which would reduce the attack surface and create a national strategic asset," CIS' director Roberto Baldoni says.

In February, the Italian government approved the Strategic National Framework for the Security of Cyberspace.

The document contains some general guidelines meant to reduce the vulnerability of the public sector's most sensitive elements to cyberattacks. In particular, it stresses the importance of private-public partnerships in order to better defend services that are critical to the national security against hacktivists and cybercriminals.

Universities could also play an important role in spreading awareness about cybersecurity risks and training security experts, it adds.
