Cybersecurity: greatly under-estimated in the hospitality sector

fieramilano, Rho
17-21.10.2025


The drive towards digitisation and industry 4.0 does not always bring with it an assessment of the associated risks, which can be anything from loss of data to IT fraud. Professor Gerardo Costabile told us more.

“In Italy we’re very good at dealing with emergencies, but not quite so good at preventing them,” says Gerardo Costabile, CEO of DeepCyber and lecturer in corporate safety at San Raffaele University in Rome. He is referring specifically to the highly topical matter of cybersecurity. According to the European Union Agency for Cybersecurity (ENISA), in the first six months of 2020 IT security breaches were up 54% on the same period in 2019, with 71% of infringements involving a demand for money.

 

 

Professor Costabile, please explain in simple terms exactly what cybersecurity is.

 

It is that set of technologies, processes, procedures (and indeed also people) that is there to protect assets from internal and external IT threats. So it is not just about purchasing a technology: what matters is that the procedures for all the aspects involved are properly followed. Mistakes in the digital sphere are less visible so they are more insidious – and the risks often go undetected.

 

 

Does remote smart working bring new challenges?

 

Yes it does, and for a variety of reasons. In this historic period, many people are working from home, so the boundaries of cybersecurity are not just limited to the traditional corporate network because they have been extended beyond a company’s actual premises, with all the data entering the homes of employees. The very latest statistics – including some from the FBI – warn us that attacks exploiting this historic moment have increased: we are isolated from others, home networks tend to be less secure, and when users are at home they feel safe and so lower their guard more than they would in the office. There has been a rise in the amount of malware that infects computers and demands payment in order for it to be removed. Some actually pay the amount demanded, but that only feeds the market. Malware in just one e-mail can infect an entire company, passing from traditional PCs to industrial technology or domotics, as it seeks to block machinery, doors and lifts.

 

 

What are the risks for the hospitality sector?

 

Hospitality invests very little in security because it is considered to be of secondary importance, whereas in actual fact a huge amount of client data, such as credit card details, is stored there. The hotel industry in particular is very susceptible to fraud and data breaches. We should remember that the sector also holds a lot of information about people’s tastes as well as more sensitive details about food intolerance among the clientele.

 

 

How can IoT machinery be protected?

 

When it comes to Industrial IoT, one big problem lies higher up the design chain. The national industry 4.0 programme has prompted a good deal of digitisation in the sector and many have taken advantage of this. One example of a weakness in the system would be the fact that there is no antivirus for ovens and blast chillers, and there won’t be one until those who produce the smart software for these kinds of appliances invest more in security. IT barriers need to be incorporated into the network from the outset, at the design stage. All too often, though, the device is installed and connected up with no thought given to security.

 

 

What risks do digitised restaurants run (on orders, bookings and deliveries)?

 

There isn’t actually a lot that needs protecting in a restaurant. It all boils down to the bookkeeping, the orders, customer details, and the need to ensure continuity of service: you can’t afford to allow there to be any discontinuity in online orders. As for deliveries, if you use the cloud of a big international concern the risks are more limited (with the exception of identity theft), because the systems are tested and proved to be generally safe. I can see more risks when you start doing things ‘at home’, with the data contained in your own system. In this case it’s essential to carry out tests on the safety of the system of third parties in relation to its designer and make conscious choices to invest in security.

 

 

How much does cybersecurity cost?

 

Between 1% and 10-12% of IT costs, depending on the sector. In hospitality we can estimate the cost of a system that is fully up and running at around 2-3%. But you have to think about the initial design: the first step is to assess the state of health of the system, and then work out what needs to be done – and that will depend on your budget, with the amount to be spent needing to be balanced against the actual risks, measured in terms of likely consequences.