Many businesses are currently operating remotely. Are employees doing their work from home more vulnerable to cyberattacks?
So far, there is hardly any indication of that, as we are invariably dealing with the same attack techniques as before the mass transition to remote work. They are dominated by surcharge-type e-mail or SMS phishing. The pretext for the surcharge is that the package needs to be disinfected – nowadays this is more common than exceeding the weight limit of the shipment. It’s not surprising – with stores closed we tend to shop online, so we are constantly waiting for some kind of shipment. In other words, the most popular technique, and I think it’s going to stay that way for a long time, is social engineering. The only convenience for the attacker today is that they are able to impersonate the victim’s close associates. In the past, after receiving an ‘urgent’ (or strange) e-mail from a colleague sitting next to them, one would answer face-to-face. Now a close associate can be in a completely different location, and the only form of contact is via the ‘electronic’ channel, where it is easier to impersonate someone.
What are the most common mistakes that can lead to data breaches?
I would not stick to mistakes, but rather to the reasons behind employee-caused breaches. There are usually two of them: haste and a misunderstood desire for savings, both leading to a lack of proper procedures. Whatever we do, we need to be aware that there will always be an employee who can be taken in because he wasn’t properly trained, had an off day, missed something in a hurry, or did not read or understand something. Therefore, data breach protection cannot be based solely on awareness of hazards among mid-level staffers. It is up to IT departments to configure both the hardware and software so that clicking on an infected file does not cause the entire company to become infected, and overlooking a typo and providing the criminal with a login and password does not allow the use of this data for unauthorized access. This can be done, but it requires hiring people who have the right knowledge, investing in specific software and choosing (or rebuilding) systems enabling stronger employee authentication based on U2F tokens. A key role in an effective strategy to protect the company from threats is also played by the Board, which must understand that security is, firstly, not a cost, but rather an investment, and secondly, that security is a process, not a product – you can’t buy five pounds of security and forget about the problem for the next few years.
Do you think cybersecurity is still neglected in Poland, or do we have something to boast about?
There’s a basic response from security specialists: it depends. I tried to avoid it in response to the previous questions, but here I really can’t anymore :) On the one hand, in Poland we have some of the best security specialists; on the other, most of them do not work for Polish companies: they are often poached by foreign companies. Much has changed on the cybersecurity scene in recent years. I have been observing our local IT security market for over fifteen years and in my opinion no one underestimates cybersecurity anymore. We are aware of how crucial this issue is. However, it does not mean that everyone is taking the necessary steps. I don’t think the lack of action is intentional – I think it is caused by the lack of budgets. It is a risky game that will sooner or later take revenge on companies taking shortcuts. Every single person using a computer or the Internet will, sooner or later, come across a security incident, and then it’s too late for preventive measures. Then the only measures remaining will be reactive ones, which are not 100 percent effective.
What sort of measures and procedures should be introduced to limit the possibility of cyberattack on a company or employee?
First of all, it’s necessary to start off with a risk analysis. The company needs to understand what its most important resource is and who it wants to protect that from, who is the most likely attacker. The harsh reality is that it’s tough to protect everything from everyone. This would not only cost a fortune, but would slow work down to the point where the competitiveness of the provided services would fall to zero. We have to be aware of what is the most valuable in the organization and what – on the level of data exchange between systems – depends on what. There is a slight distinction between protecting data, e.g. the secret recipe of a drink or an innovative algorithm, and money in customer accounts. There are different measures required for ensuring the confidentiality of data and others for protecting its integrity or securing the availability of the system. With those sorted out, we’d need to look at individual scenarios, or – as we call it – threat modeling, but this topic is covered by hundred-page publications, accompanied by another few hundred pages of technical descriptions of each of the proposed safeguards. So I think I’m going to pause right here.
Are the public institutions which hold data on each of us well protected?
Yes. No. I don’t know. As a citizen, I assume that all the data I’m providing to any organisation – no matter whether state or non-state – will sooner or later become publicly available. For everyone and forever. Data is leaked (or collected) from network providers, government organisations, and even from Secret Service systems. Everyone tries to secure their system, but this fight is uneven. The administrator must keep an eye on hundreds of different system ‘entries’, but the attacker needs to abuse only one of them. So let’s behave so that the potential disclosure of our personal information, our family, property and income details, is not a major concern. Is it an easy task today? Absolutely not. Is it possible to effectively protect your identity? There are still some possibilities. Unfortunately, using some of them means operating on the knife edge of the law, because ironically, logical gaps in government systems and registers need to be exploited to protect one’s data. And before you ask: no, an ordinary citizen can’t do it.
Does the digital transformation of administration, and thus the ability to handle many official matters online, pose risks?
In expert terms, we call it an increase of the attack surface. For example: instead of showing our ID to the ‘lady in the window’, we now wave it in front of the camera, or worse, we send a scan. What happens with the scan? Where does it go? To an inbox? To some kind of ‘system’? If it’s deleted, is it certain that it’s gone, even from the trash folder or a backup? There are many obstacles to stumble upon in the digital workflow. However, the situation is not hopeless. After all, it is possible to send a scan of a document marked with, let’s say, the recipient’s data and information about the purpose of its transmission together with the date. This way, the ‘damaged’ scan won’t be used for taking out a loan, although someone would still be able to obtain some of the data. Is all of the data needed when handling things online? If not, why not ask people to blur it on the scan? Here, of course, there is another problem, because even after blurring or covering some of the data, a skilled person will still be able to un-blur it. What we need is an electronic, asymmetric cryptography-based identity authentication method. This is the only proper way to confirm someone’s identity over the internet. Waving a document in front of the camera is a clash of two worlds: digital and analog. A very dangerous clash.
You work with many companies to conduct security audits. Could you say what your job in this regard is?
Generally speaking, my team is involved in hacking into companies’ servers. We steal data and money using the exact same methods, tools and attacks used by real cybercriminals. Of course, we do this with our ‘victims’’ consent, in order to track down security flaws in their ICT infrastructure before real criminals do so. This is the coolest job in the world. We steal, manipulate, deceive, attack, and not only do we not go to prison for it, we’re getting paid to do this! We also turn the experience of online burglaries into training services – both for administrators and developers, to create safer systems, and for ordinary office workers, to be aware of what might happen to them and to be able to effectively counteract it. Nowadays this is mandatory knowledge for anyone who uses a computer, smartphone and the Internet. Some of our educational content is free; I especially recommend our TEDx talk: https://niebezpiecznik.pl/tedx, a demonstration of a phishing attack: https://niebezpiecznik.pl/elearning/ and, last but not least, an hour-long webinar on how to protect your online accounts from hackers: https://niebezpiecznik.pl/ochrona
Piotr Konieczny, a security expert, has been helping the largest Polish and foreign companies secure their networks and websites for 15 years. A graduate of Glasgow Caledonian University. Multiple winner of awards for the best lectures at the largest Polish conferences devoted to IT security, winner of the prestigious Digital Shapers 2018 award of Forbes and Business Insider magazines.
Founder of Niebezpiecznik.pl, a consulting company that advises IT projects on security. As part of Niebezpiecznik.pl, Piotr manages a team that performs audits and penetration tests of ICT systems and conducts training for administrators and programmers, as well as for ordinary employees of Polish companies who use computers and the Internet as part of their official duties.