Attacks on corporate security are increasing in number and complexity. How can a company best protect itself against this? Is it enough to set up awareness campaigns? We spoke with technical cyber security & network consultant Fons Quidousse about gamification, IT hygiene, GDPR, encryption and... fishing nets.
In the news bulletins, we hear about ransomware, phishing, malware... on a daily basis. Is that a blessing or a curse?
Fons: It is certainly the case that cybersecurity is no longer a distant concept. The attention paid to the phenomenon in the general press has led to greater awareness of the damage that can be done. Within organizations, too, people realize that there is a real risk. You notice, for example, that banks are making more effort to educate their customers in this area. Think of all the campaigns around phishing, etc.
Companies demand good security from each other
Hasn't regulation like GDPR also helped raise awareness? Hasn't it already required companies to think about procedures and how they should be documented?
Fons: That is certainly true and it is a very good thing. Companies were required to draw up procedures about processing and keeping track of data. As a result, there is a better view of what data is being tracked or processed and at which locations. As a result, we have a better understanding of where critical data is stored, which in turn allows us to better secure it. This, in turn, has the consequence that we are able to work more effectively after an attack. These regulations also place a very strong responsibility on companies that process data. Often, it concerns sensitive, personal information that may only be collected and processed if there is a clear purpose for this data. This cannot be taken lightly. On the other hand, the regulations are open to interpretation; not all companies pay the same amount of attention to them.
I notice that more and more companies are also requiring their suppliers to submit ISO certificates. Is this a good thing?
Fons: That is definitely a good evolution. The consequences also start to run high if you don't comply with the certificates. For example, you have to comply with the best practices prescribed by a company like Cisco, HP Aruba... when it comes to configuration or network topology. If something happens in your network and you are not compliant with this, it can have serious consequences, for example in the form of financial penalties. You don't want to go through that as a company. Through the ISO certificates, companies can assure themselves of a certain security maturity. That's why people pay more attention to it. Everyone checks everyone. Those who purchase services from another company want to cover themselves. In this way, companies increase the pressure on each other, which benefits the overall security of the Belgian market.
Phishing, man-in-the-middle and malware in attachments demand customized approach
What are the biggest threats within companies?
Fons: Email is certainly the entry point through which most attacks happen. Employees get phishing mails, or infected attachments in their inbox. In addition, the security risks have increased because everyone can work from anywhere. People work in the airport, in a coffee shop... Then it's not hard to spoof an access point and set up a man-in-the-middle attack. Companies need to think about all these risks and adjust their security strategy accordingly. That way, you can quickly detect threats and take action. Or better yet, the system automatically takes action itself. We always recommend aligning all systems and correlating the data. Attacks are becoming more and more sophisticated. This requires that the defense systems grow accordingly.
Raising awareness about IT risks is a must
Isn't it surprising that so many people still click on links or get caught up in phishing messages? What can we do about it?
Fons: Hackers with bad intentions are, of course, very clever at this. They play on urgency, for example by sending messages about packages that are about to arrive or about vaccination registration. Investing even more in awareness is certainly a good thing. At Simac we offer tools to help achieve this, particularly by focusing on phishing mails. That kind of mail is very often the way malware is brought in. For an attacker it is easy: he only needs to be lucky once. Someone clicks and the hacker is in. We ask a lot of an end user if we expect them to be 100% focused at any time of the day. A machine can be 100% alert, you can't expect that from people. A company has to take this into account, for example, by not only focusing on the education of end users, but also by implementing sufficient other technological security.
Gamification is a good way to raise awareness among end users. You can send out fake phishing emails and organize a competition within the company to see which department gets caught clicking the most phishing links. This will definitely make end users more alert.
Do you think IT security awareness training should be a regular part of an onboarding process for new employees?
Fons: If you point out the threats during onboarding, as a company you immediately make a statement that you consider security a high priority. Then you also sharpen the alertness. However, this should not be limited to onboarding. Ideally, the subject should be brought up regularly, in workshops, by citing use cases of companies that got into trouble, by pointing out the trends, etc. The information you provide does not necessarily have to be deeply technical. If you present it well, it will appeal to employees and stay with them. Nowadays there are also tools to personalize an awareness campaign. Everyone is at a different level of knowledge and technicality. With the right tools, you can make sure people get messages that are best suited to them. Otherwise, you risk setting the bar too low for some people.
Customized security technology
What technological tools can we use to make the work environment safer? Surely we can't just rely on awareness?
Fons: Indeed, you should not expect everything from the end user. Sometimes malware gets in or a hacker gets in and wanders around your network for months before anything happens. For a very long time, this remains under the radar. This is the moment where other security solutions should come into play.
You can also use the results of an awareness campaign to adjust your security. If you notice that a user keeps clicking on wrong links despite all the warnings, then you can act. You give the endpoint fewer rights, you tighten up the spam filter, you set policies more strictly... In this way, you can work individually.
All the actions you take are complementary, you build in multiple layers. Think of it as several fishing nets that you hang one after the other. There might be a hole in every fishing net, but by using many fishing nets you are forcing an attacker to maneuver well to get through anyway.
Isn't it also already important to have good IT hygiene in general within companies?
Fons: Absolutely. A company had better be careful about who has access rights to certain information, and what rights end users themselves have to install applications on their PC. In an ideal situation, end users only have privileges to what they really need for their job. Users who need more access are then put in an environment with extra monitoring. This is also a dynamic factor. If people change roles within an organization, then their access rights must also evolve.
Passwords remain a vulnerable asset. Companies would do well to offer end users a good tool for managing their passwords. In addition, more focus should be placed on multi-factor authentication, where, for example, a code is also sent via SMS. We also see that technological progress is being made around passwordless access. Biometrics in particular will play an important role here. Think of facial recognition on smartphones. Once the technology is ready, it will greatly increase the ease of use. This is often too low when using passwords and multi-factor authentication.
And of course, encryption should be set by default on all endpoints at a company. Then if a device is lost or stolen, not everything can be read just like that.
Companies perhaps still see security too much as a cost that doesn't yield anything. Don't they lose sight of certain aspects?
Fons: There is also an ethical side to security, it's true. In fact, companies should not ask themselves the question "Can we pay for security or not?" You should never neglect security. After all, it's often about people's personal data. It's about jobs if a company can't operate for a long time after a ransomware attack. And in hospitals, people can die if certain basic services suddenly stop working. Unfortunately, this is often lost sight of when discussing security projects.
Maybe that's a good idea for a future talk or blog?
Fons: Absolutely. Let’s do that!
Fons Quidousse is technical cybersecurity & network consultant at Simac ICT Belgium. He helps his colleagues and clients to find the best possible solutions for challenges concerning networks and security. Fons has been working at Simac since October 2020.