"The easiest way into the network is through an untrained user," says Jan Mitoraj
We see sensitive data leaks every day. But which parts of the network are most at risk, and what should proper network security look like? All this (and much more) was revealed in an interview with Jan Mitoraj, head of the outsourcing department at Railsformers s.r.o.
Will you tell us briefly what we can actually imagine by the term cybersecurity?
In layman's terms, as soon as I leave the house, I lock the door behind me. In IT, it's quite similar, but with one significant difference. When I lock the house, I'm protecting myself against thieves coming in from outside. In the case of IT security, we usually want to protect from the inside as well. Plus, most corporate IT is a maze with a million doors where someone (or something) has to keep track of who has the key to which door and whether they are all locked.
In a more external view, it's all about processes, technical resources and properly instructed users. When we have all of these elements in place, we have a decent foundation for security.
What part of the network should companies treat as the most risky in terms of being attacked?
Because money always comes first, accounting, access to banks, electronic signatures, data stores containing corporate know-how, and so on are particularly at risk. Email is also a good source of information, because, assuming the owner is unaware, a hacker can inquire about information of interest to him or even manipulate other employees to his advantage.
An example of a similar situation was the recent phishing attacks, where a company director received an email from the accounts department requesting urgent payment of an invoice. Of course, this can be prevented by technical means (antispam, message checking), but more importantly also by processes within the company itself - for example, if it is defined that the director always checks back the authenticity of the message sent from the accounts office, such a risk can easily be prevented.
Another very common problem is backups. Not much care is taken to secure them, despite the fact that they contain all the important data of the company, because there is no need to back up unimportant data. When a hacker gets to the backups, he can access almost everything, even if he doesn't have the most up-to-date data. The biggest problem, though, is the people: poorly trained staff will happily hand anything over to anyone and still wish them a safe journey or a good day, unfortunately.
In such a case, is the usual training of, for example, the IT department in the company sufficient or is the intervention of outside experts needed?
If the organization is large enough and has the budget for it, in-house IT is always preferable. Internal "IT people" (apologies to all IT staff for this hated slang term) usually know the users personally, which in many cases makes the job easier. They know what to expect from whom. In the case of a smaller organisation or a limited budget, it is better to leave ICT management to professionals who do it for a living. They have developed better and more efficient ways of dealing with problems and situations because they do it for multiple companies. They also have a better general outlook and are not at risk of knowledge stagnation because the pressure to educate themselves is greater when serving more customers. But in terms of security, there is a very widespread myth that external IT will solve security and the customer doesn't have to worry about anything anymore. Unfortunately, that's not entirely true. I'll repeat myself, but security is a process that involves everyone in the company.
How easy is it for a hacker to attack a network if it is not secure enough?
As everything becomes more secure, it becomes more difficult, but never impossible. For example, an easy way is through an unsecured wireless network (WiFi). If a company doesn't guard physical access to its computers, servers and network elements, this is also very easy. But again, the easiest way is to go through an untrained user. For example, email him a link to a fake login screen; he will not notice and will enter his credentials into it, effectively handing you access. I've also heard a story about someone throwing flash drives around a company. Almost all the finders then plugged them into their computers to see what was on them, which is obviously dangerous and wrong. There are also more sophisticated techniques relying on bugs in installed programs or systems, but I won't go into that here; it would be boring and long... (laughs)
What do you think a well secured network looks like?
There is no such thing as a completely secure network, but a well-secured network has, shall we say, some rules set for communication. It segments devices and users into certain units based on what level of access a given user or device should have. That said, I certainly don't want to have visitors, a robot vacuum cleaner, and company computers on the same network. At the same time, I should be able to look back and see where which device communicated and how much of that communication was sent/received - just some frame statistics of what's happening on my network in general. And ideally a person who knows these statistics and a smarter firewall that can detect suspicious activity. Regular training of users on how to behave and what not to do on the network will have the greatest effect.
"Our company is tiny, our data is not interesting to attackers." Is it a good idea to say that?
Of course this sentence may be true; the question then becomes what the lifetime of such a company is. In other cases, it is true that it is easier to carry out some phishing attacks on small companies, because it is easy for an attacker to get an idea of their structure and functioning, for example by looking at social networks (especially LinkedIn). It is then easier to send a fake email requesting payment than it is with a large company that has processes and control mechanisms in place. Another disadvantage of small companies is that they are usually built around a unique idea, and there are plenty of competitors who would like to get that idea or the know-how around it.
So what data is most tempting for hackers?
In short, it's any data that can be easily monetized.
How's your network? Maybe fine? There is no room for "maybe" or "probably" in the realm of sensitive data. Better act now. We'll be happy to help you diagnose and secure your network's weak spots in time, so that even the most skilled hacker won't dare to attack you!