Security in company. Standards and vigilance – how to face hackers. Interview with Andrzej Karpiński, Security Director at BIK Group
Undoubtedly, security in such an institution as Biuro Informacji Kredytowej [Credit Information Bureau] is borne with the highest priority. What kind of responsibility lies within the security department headed by you?
It is true that not only is ensuring security at BIK about working to protect one’s reputation, avoid financial losses or maintain business continuity, but it is also a fundamental task that should be pursued by all major organisations. At BIK, the term ‘security’ takes on a special dimension. It is of crucial importance because we safeguard databases containing information on credits and loans taken out by over twenty-five million Poles. In a nutshell, we gather the credit history of virtually every adult Pole. Hence the security of our system and its efficient performance are crucial for Poland’s financial market.
This entails a huge responsibility… What measure does BIK take to maintain the stability and security of the data held? Are there any top-down rules or standards helping to achieve it?
Our operations are split into a multitude of paths. We collaborate with security units as well as experts and management boards of companies, namely, financial institutions, commercial banks, cooperative banks, telecommunications companies or independent cyber-security specialists. Needless to say, it is overseen by a dedicated BIK security team, which has tasks and tools for their implementation, budget and experts. We also act as a consultant in the development of a new service or offer. I follow the principle that if either myself or my team decide that some project may trigger an insufficient level of security, we do not remain indifferent – we submit our comments, modify assumptions so as to come up with a solution in adherence to the best security principles and practices adopted. And here is my reference to your question… Yes, BIK may prove itself to hold recognised certificates of international safety standards. The ISO 27001 standard represents one of them, which describes safety, responsibilities as well as reporting and management methods. This certificate is subject to annual auditing, and its prolongation is of success for all employees of the company, from the Management Board to security personnel, who strive to comply with the highest quality requirements. We also have recourse to industry regulations, such as PCI-DSS, which guides us on how to implement security rules for payments and contains technological and organisational definitions. Generally speaking, we have two security perspectives: corporate and private. Corporate security is well described. It revolves around many areas, incl., safeguarding locations, safe deposits, resources, principles of designing rooms, CCTV and monitoring systems, access procedures, principles of intervention, fire protection, and even the ergonomics of customer service.
I can sense that the private person perspective is a challenge. What did you exactly mean?
A safe company is not only about advanced systems equipped with the latest technologies, closely guarded by machines or robots, capturing risks, reacting to identified irregularities, errors, viruses, malware, etc. A private person is of a real challenge – people, company employees, who, as participants in the financial market, are exposed to social engineering attacks by cyber-crooks and cyber-gangs. This also involves owners, managers and boards of directors in every institution. These days, such attacks have intensified along with the introduction of remote work, forced due to the pandemic. From March 2020, following the lead of banks or other institutions, we have switched to an online mode at BIK. Since we have been operating from home instead of our office building, we cannot feel the same level of security. For instance, we cannot rule out hardware theft, which is why we encrypt drives and memory cards. We have expanded the infrastructure related to network accessibility so that employees can work without having to lose quality and comfort. But this area also demanded the deployment of technology conducive to security. This is paradoxically a positive face of the pandemic – I mean acceleration of innovation in the financial sector. However, what I think is particularly important is the awareness that each and every one of us should take care of their digital identity and security. As private individuals being online outside of work, we are almost defenceless against sophisticated methods and perfidious social engineering attacks by hackers. In most cases, it was the very victims who have provided their data, acting in a hurry or even in good faith. Unknowing consent for the criminal to disclose one’s data, allowing certain fraudulent operations to be performed, unfortunately, from the security perspective, do not bear the hallmarks of an IT hack. This is kind of a trap. It is, therefore, necessary to work on changing bad habits, especially of those users who were not used or accustomed to being online almost permanently. A mindful approach to security is far important.
Changing bad habits is indeed a challenge that may entail improvement, but it is a far-reaching goal. There are probably a number of rules and principles…
Guarding our digital identity and security is absolutely essential. It is worth paying interest to this issue, not ignoring information about leaks, reading the so-called small print carefully, especially messages to which we often react instinctively, clicking on them hastily. There are some tools that aim to reduce the risk of extortion. It worries me, however, that over half of people (51%) admit in opinion polls commissioned by BIK that they are not familiar with any security services and have never used them. Worse still, 28% have never had them, have not even been interested in them nor are they planning to use them.
In this case, we must go back to the issue of tools. You have talked so much about automation… What is available right here and now, what are the facilities that would help increase our security, e.g., protect against extortion?
As I have mentioned, there are the tools. However, it is necessary to take the initiative and make use of it. It is very simple. What to do? Just register an account at www.bik.pl and benefit from the widest protection with regard to limiting the risk of credit extortion using someone else’s data.
It is possible to verify liabilities our singlehandedly, e.g., by controlling our BIK Report, which gathers all information about credit history and current liabilities in one place. It is useful when we are planning expenses or larger investments and we want to use external financing. We can easily calculate our capacities in the BIK Credit Analyser. If we do not want to incur liabilities, we can safeguard ourselves with a Credit Reservation available in our customer account. In the event of loss of an ID card, we can block it immediately. In addition to verifying credit liabilities singlehandedly, customers are also encouraged to order an automatic monitoring service – BIK Alerts. This is the one and only service in Poland that covers such extensive protection against extortion. Its spread is the widest on market due to the fact, that BIK is in collaboration with all commercial banks, cooperative banks, credit and saving unions and almost all loan companies in Poland. Moreover, the scope of information used in BIK Alerts also includes information from the BIG InfoMonitor Register of Debtors (a subsidiary of BIK), namely, data from telecommunications companies, energy companies, local government units, leasing and factoring companies. The service is very straightforward – BIK alerts are sent via e-mail and text messages whenever there is a credit history inquiry at BIK, which is part of the credit process. Notifications will also be sent in each case of someone trying, for instance, to sign a lease contract or conclude a contract with an energy or gas supplier. Importantly, the notification indicates the date of the event, the name of the institution where the request using customer’s data has been submitted and the BIK hotline number – in case support in clarifying the case is needed. If a fraud attempt is identified, BIK immediately notifies the financial institution of the blocking of the inquiry and liability. Our consultants also help in the customer’s contacts with the police or the prosecutor’s office.
And do BIK services also include corporate customers and business entities?
They do. Companies may take advantage of the solutions offered by BIK as well – all they have to do is to add a business account (by providing NIP – Tax Identification Number) to the account of a private user at bik.pl. Reports identifying credit liabilities of a business may be generated then, and additional Alerts may be triggered to protect against fraud schemes in which company data are used.
At this point, I would like to draw your attention to an important issue that concerns those holding high-profile positions, in particular, company owners and representatives. Well, data of these people are publicly available, among others, in the National Court Register, in powers of attorney, contracts, as well as in land and mortgage registers They can easily become a target for criminals, for instance, to extort credit. The very awareness of such a situation should be inspiration to undertake preventive measures.
In the case of companies, the good practice is to use economic information bureaux, such as the InfoMonitor Business Information Bureau belonging to the BIK Group, where not only can we report on unreliable contractors, but also on invoices paid on time. We can check the credibility and timeliness of payments of the company with which we want to establish cooperation. In the event of unreliability, an unfair entrepreneur may face serious complications. They will have problems with taking out a loan or leasing. Our actions allow the elimination from the market of those “entrepreneurs” who have followed non-payment of invoices as their business model.
To summarise the security sphere under discussion – as the BIK security head, would you see any reasons to be optimistic about the future?
Last year, the approach to cyber-security changed significantly. It is certainly not a topic to be ignored. It is a past. Company boards are increasingly aware of the threats, thus the willingness to counteract is growing too, and more and more initiatives in this area are being undertaken. I also believe that company managers put ever greater confidence in security experts. It is the responsibility of security teams and departments to analyse, constantly predict and report solutions. I am convinced that many institutions now attach greater importance to this area of activity.
Andrzej Karpiński, security director, he has been sharing his experience, knowledge and passion in the field of network and security for over 20 years. He has worked, among others, in the largest telecommunications companies in Poland and abroad (Orange, ATMAN, Asiacell), as an expert of the IoT Working Group at the Ministry of Digital Affairs. An expert in the field of network security team management, as a coordinator of one of the world’s largest IRC networks (EfNet). A former member of the SIMARGL steering committee – a European cybersecurity project, he is a permanent member of the PLNOG PROIDEA Programme Council and the Polish Information Technology Association.
In the 1990s, out of his passion for journalistic work, he edited the BitMan column in Dziennik Wschodni, familiarising readers with the intricate and complicated subject of IT security. Privately, he cultivates his sports passions as a member of the shooting section and karate. In the BIK Group, Andrzej is responsible for the security management system of BIK (Credit Information Bureau) and its subsidiary BIG InfoMonitor – the Economic Information Bureau.
Last Updated on May 17, 2021 by Łukasz