Cyber security is a very media-savvy topic these days. Adam Galach, President of Galach Consulting
Over the past 2 years, the operating model of many companies has changed significantly. Employees much more often perform their work remotely. What, in your opinion, are the main risks associated with this?
The introduction of widespread remote working has resulted in a significant increase in the risk of information security violations. In the classic model of an organization's functioning, employees mostly perform their tasks in an area controlled by the employer, to which only authorized persons have access. Employees use computer hardware and software managed by the employer, so it is possible to enforce a configuration that reduces the likelihood of security incidents. Data processing takes place on IT systems that are separated from the Internet and protected from attempted cyber attacks. What's more, because employees are in the same location, it is easier for them to communicate and to immediately explain any anomalies noticed while working on the IT system. Of course, even before the pandemic, not all organizations functioned this way and the remote working model was in use, but this was more the exception than the rule.
When organizations drastically changed their working model 2 years ago, most of them were not prepared for this way of working. I would venture to say that, taking into account the aspects of cyber security, this state has not changed. Although the problem of remote access was solved a long time ago, the solution is often very far from perfect. We should remember that while a password as an identity verification mechanism seems to be sufficient when working on the employer's premises, it is absolutely insufficient when working remotely. It is common practice to allow remote access from any computer, even if the employee has been provided with company equipment to work from home. There are cases when an employee uses his own computer to perform his business tasks because it is more convenient for him. The thing is that in this situation we have no guarantee that the computer is properly secured and is not a breeding ground for viruses and other malware. All this means that the risk of unauthorized access by strangers to the company's IT systems increases dramatically.
Of particular concern are social engineering attacks designed to phish for information (including remote login credentials to systems) and to convince employees to perform actions that could harm their employer. Keep in mind that clarifying whether a company colleague actually sent an email asking you to access a website that requires logging in with the password used for the accounting system is difficult when the colleague is not sitting at the desk next to you, and the phone is not answered due to endless teleconferences. On this occasion, new types of attacks have emerged. The first is an attempt to join a teleconference without authorization, which is not difficult when you obtain a link to it, many people participate in the teleconference, and it is common practice to let all guests in as a courtesy (not to mention the case of a misconfiguration allowing guests access without prior approval). The second attack is phishing aimed at convincing the user to join a fake teleconference and, in doing so, pass on information that should not be passed on to outsiders under any circumstances.
Talking about remote work, I would like to bring up one more issue. As long as the work is done at home, the risk of unauthorized viewing of data is rather limited. This risk increases dramatically when the work is done in a public place, e.g. a coffee shop. There is an additional element connected with the computer's connection to the Internet. If the connection is made using a public WiFi network (and the network in a cafe, secured with a password written at the entrance to the premises, should be considered such a network), there are additional threats related to a cyber attack through this network.
What about the impact of these risks? How does this affect the business?
Threats can have a devastating impact on your business. Let's start with the famous topic of ransomware attacks, resulting in the encryption of all enterprise data. The effect of such an attack is obvious – paralysis of the organization. Does the probability of such an attack increase when working remotely? In my opinion, it may, for two reasons. First, as I said before, an employee can use his own, insufficiently secured computer for remote work. If it becomes infected with malware, that infection could spread to the company's internal systems. On the other hand, even if an employee is using company equipment, there is always the possibility that they will receive an email with a malware attachment. Working alone rather than in an office, there is no one to consult on the legitimacy of the email, so there is a greater risk that the email will be opened and the code contained in the attachment run. Of course, the company's IT systems should be protected against malware, and the employee should always be able to consult with specialists from the helpdesk, but practice shows that in many cases we are far from this ideal.
An attack using ransomware causes, at least temporarily, the loss of data processing capabilities. In practice, it results in paralyzing the organization's operations. However, we should remember that the loss of the ability to access and process information does not have to be connected with the activity of this type of malicious software – there are a number of other attack techniques that can, in practice, make the organization unable to function.
The effects of threats that cause loss of data processing capabilities are usually immediately apparent. However, we must not forget about actions aimed at stealing data. In the absence of adequate monitoring of IT infrastructure, we may not detect such an event at all. I am not talking about the unauthorized acquisition of data to perform financial transactions – theft of money from the company account will sooner or later be detected. I am talking about a situation in which the acquired data is used to gain, in a fraudulent way, a competitive advantage. Let us imagine a situation in which a company prepares an offer to be submitted in a tender procedure. Acquiring information about the price conditions or deadlines for the execution of work proposed by the competition will allow the company to submit a better offer and win the contract. And this is not a story from sensational literature – these kinds of situations have happened and, I am afraid, still happen.
In addition to the effects that directly affect the operational activity of the company, there are also legal effects. Virtually every organization processes personal data, and its scope and volume depend on the nature of its business. If personal data security is breached, the enterprise may face severe sanctions. One should also bear in mind the contractual obligations to secure the entrusted data – the lack of adequate protection of the processed information may have compensation consequences.
Finally, it is worth remembering the consequences of attacks on the company’s image. Cyber security is currently a very popular topic in the media, and an incident related to the loss of information processing capabilities, especially as a result of ransomware, or to a leak of a large amount of personal data, is a rewarding subject for publication – especially if it concerns a large, well-known company or a government or local administration office. This is the kind of publicity everyone would rather avoid.
Do companies properly secure the collected data? What are the most common mistakes that lead to data leakage from the company?
One could say that if data were secured properly, there would be no security incidents, but such a statement is not fair. I am afraid that with the current way of processing data in IT systems, with the widespread use of the Internet, and with the imperfections of software, incidents will happen. Software suppliers publish updates practically non-stop, removing so-called vulnerabilities – weak points that allow a more or less sophisticated attack to be carried out. If someone does not install that update, it can be said that he or she is guilty, but what if the attack happens before the update is published?
Certainly, however, in many cases securing information systems falls far short of perfection. One of the problems we have seen is unbounded trust in technology. We have an anti-virus system, so there will definitely not be a problem with malware. We have UTM-class solutions, so we are protected against an attack from the Internet. Practice, unfortunately, shows that technology is unreliable. Ransomware attacks happen in spite of anti-virus protection systems, and servers are penetrated in spite of Internet security.
The problem we are talking about is caused not only by the imperfections and limitations of technological solutions, but also by errors in their implementation and administration. An example is the already mentioned UTM-class solutions, which protect the Internet connection and have quite extensive functionality, of which often only 10 percent is used. In such a situation, it is difficult to expect that the IT infrastructure will be properly secured.
It is important to remember that protection against cyber threats is not just about technical solutions, but also about security management processes. As a rule, this is where there is the most work to be done. There are cases when a departing employee is not deprived of remote access privileges – in this case he or she still has access to the company's IT systems. The same happens in the case of employees of external companies which provided services for the company in the past, but whose contracts have long since expired. Vulnerability management and system monitoring are important issues. The first of these processes ensures early information about weaknesses of IT components that allow a cyber attack to be carried out, so that the necessary preventive measures can be taken. We encountered situations when software was not updated, although there were no contraindications to doing so. The second process, system monitoring, allows us to detect suspicious activity early enough and respond appropriately. Thanks to this process, we can detect, for example, an information leak at an early stage and react accordingly. We noticed a paradox here – there is software available on the market that streamlines the monitoring process, ensuring notification of those events that require a response. During the implementation, the system is configured so that when the majority of events monitored by it occur, the administrator receives a notification. As a result, the administrator receives dozens, if not hundreds, of notifications every day, so he ignores all of them – both the unimportant ones and those that require an immediate response.
In the introduction, we talked about social engineering attacks. Often the problem is given too little attention, yet it is one of the most effective methods of breaching the security of information processed in IT systems. Combined with imperfections in privilege management in IT systems, it gives intruders very good prospects.
What steps should you take to reduce the risk of cyber attacks on your corporate data?
In the first instance, I would suggest that we consider what the greatest risks are and how we can protect against them. The risk management process allows us to assess the current situation and make rational decisions on further actions. Let us imagine that an enterprise is considering the implementation of one of two security measures – strengthening the protection of the Internet connection or ensuring encryption of information stored on server disks. The question is whether an attack from the Internet or the theft of disks from the server room is more likely. Which of these events can cause more serious consequences? Based on such an analysis, rational decisions can be made.
While on the subject of risk management, I would like to mention a certain issue – well, many times risk analysis is treated as a formality consisting of coloring a spreadsheet, mainly in green, indicating acceptable risk and therefore requiring no action. We have seen this phenomenon in organizations that for some reason are required to estimate risk, whether due to legal, regulatory or corporate requirements. Of course, such an estimation has no value – the risk assessment is supposed to be a tool to support decision-making about the directions in which to secure information systems.
When implementing safeguards, it is important to keep in mind their limited effectiveness. Therefore, a complementary approach is recommended, so that if one of them is ineffective, another will work properly. Let me give a trivial example of an antivirus system – let's imagine that an antivirus system analyzing e-mail is located on a network device at the interface with the Internet, additionally on the e-mail server, and of course also on users' computers. If it is the same anti-virus system everywhere, and at the moment it does not detect a particular type of virus, the threat will not be detected in any of the places mentioned above. If, on the other hand, we use different antivirus software on the network device, the mail server and the users' computers, respectively, the chance that a threat will be detected in at least one of those places increases. Of course, such a solution, with products from different vendors, is more difficult to manage than a unified system, but it is a matter of deciding whether the threat is so significant that it is worth taking appropriate action at the expense of administrators' convenience.
Cybersecurity management processes are an extremely important issue. Without proper implementation, it may turn out that technical safeguards do not fulfill their role at all. We have given examples before. I would just like to emphasize that the implementation of processes is not limited to describing them in the form of procedures – they should really work. And one more thing – it may turn out that a given process hinders the realization of business tasks in a way that is unacceptable for the organization. In such a situation, one should consider finding a compromise, which will probably involve remodeling the process. Let me give you an example – the process of granting privileges to a user, due to the number of instances required to approve the application, takes so long that a new employee can de facto start his work 3 weeks after the date of employment. The question is whether this is acceptable for the efficiency of the organization and whether such a process should not be optimized. Let me just add that such monstrosities are just asking to be bypassed by all means, which in consequence leads to total disregard for security rules.
This brings us to the evaluation of the effectiveness of the applied security measures. It concerns both technical and organizational safeguards. Such evaluation should be carried out on a regular basis, and it is recommended that, in addition to being carried out by the company's own staff, it should also involve specialized external entities – this allows, on the one hand, for a more objective evaluation, and on the other hand, makes it possible to use the experience gained in cooperation with other organizations. The fundamental purpose of assessing effectiveness is to identify areas of cyber security that should be improved – this is how to approach this task.
Finally, I wanted to remind you of the need to build employee awareness of cyber security. It is not only about training, although that is very important. Practice shows that regular simulations of social engineering attacks, including phishing, have a significant impact on ensuring resilience to such activities.
How do you assess the awareness of Polish companies in the subject of cyber security? How do we compare to other European countries?
It seems to me that awareness of the topic of cyber security is similar. The differences in awareness are not related to nationality, but rather to the size of the companies. In large organizations the awareness is definitely higher; in smaller ones it is sometimes worse. Probably this is related to budget issues, including the ability to hire qualified personnel responsible only for the area of cyber security. Small organizations employ "IT do-it-yourselfers" who simply don't have time to deal with cybersecurity – until a major incident occurs, of course. In addition, in small organizations the level of process maturity is usually lower than in large entities, which also translates into the area of cyber security management. Of course there are exceptions to this, but in general it looks more or less like this.
Is our data that is collected by government institutions sufficiently secure and resilient to cyber attacks?
Media reports published from time to time about various security breaches, including those related to ransomware, would suggest that data is not sufficiently secured everywhere. Assessing data security deficiencies would require a detailed analysis of these incidents. If I remember correctly, these incidents tended to affect local government offices.
In Poland, there are binding regulations imposing on state institutions the obligation to ensure the security of IT systems. An example is the regulation of April 12, 2012, last amended in 2016, known as the KRI regulation. It indicates the framework of actions that must be taken to protect the information processed. This regulation refers to the basic information security management standards, which are PN-ISO/IEC 27001 and PN-ISO/IEC 27002.
Measures are being taken to centralize information processing using government cloud computing, which in my opinion is a good idea because of the possibility of ensuring the security of IT systems used by the administration. The possibilities of implementing appropriate measures by a specialized entity responsible for maintaining and securing the centralized IT environment are incomparably greater than for individual offices, especially the smaller ones. I should add the reservation, however, that I am referring here to the general concept of this solution, because I do not know the details of its implementation.
How does Galach Consulting help companies ensure online security?
We provide consulting services in the area of cyber security. We support our clients in assessing the level of IT security and determining, based on the results of the assessment and risk estimation, the necessary improvement actions. We also assist in the implementation of these actions, as needed. I would also like to add that while conducting the assessment and preparing recommendations we do not rely only on the dry provisions of norms and standards, but first of all we use practical experience gathered during the many projects we have implemented in the past. This allows us to select solutions appropriate to the specifics of a given organization, so that they are relevant to its operations.
The assessment I mentioned can include both the ICT layer and the organizational layer, particularly the cybersecurity management processes. We look at the presence of vulnerabilities that allow a cyber attack to take place, as well as the possibility of actually exploiting them. Security assessment may also include the simulation of social engineering attacks, which, together with the training materials we provide, allows for effective building of employee awareness.
We also carry out projects related to building security management systems, including defining and implementing processes, policies, regulations and rules of conduct. The aim of such projects is very often to adjust the functioning of the organization to certain standards – whether in connection with the need for certification and gaining a competitive advantage, meeting regulatory requirements or adjusting to corporate rules.
Our services also include outsourcing of cybersecurity management processes, which can be, especially for smaller organizations, an interesting alternative to hiring in-house specialists.
Last Updated on February 22, 2022 by Anastazja