„Human errors are still the top cause of data breaches in all kinds of organizations.“ – Interview with Cyber Security Expert Paula Januszkiewicz
Paula Januszkiewicz is an expert in cybersecurity and a well-recognized speaker at international IT conferences. With her company CQURE, she advises companies on their IT security strategy. In addition, she is committed to getting more young people interested in the industry. We are very happy to have had the opportunity to talk to her about her work as a cybersecurity consultant.
Hi Paula, thank you very much for talking to us today. My first question is: How did you first get started as a cyber security consultant, and where do you get your information on what is going on in the IT security industry?
When I started my adventure as a cybersecurity consultant, I had already heard what was happening in the market because I had been working in a consulting company for a while. Although it was not an international enterprise, I was engaged in different types of community activities and special projects. So, generally speaking, I read all the news and spoke with different people from the industry. And that is something that gives you many, many insights into what is going on and how people interpret these changes. Of course, I graduated in Computer Science and spent many years practicing the knowledge I obtained at university. From today’s perspective I know that it is not enough to know something; you also have to try it countless times. It is also worth mentioning that nowadays we have many tools that help people update their knowledge: we have bottom-up websites like Twitter or GitHub, big news portals, or learning platforms like Medium. This way, we are able to read about all types of cybersecurity situations that are happening out there, and become familiar with diverse professional approaches and strategies.
When you get hired by a specific company to check their state of IT security, where do you look first when you walk into a company?
Well, every case is different, so our methods are diverse and depend on the type of project. When we perform an internal pen-test, one of the first things we should do is start the recognition and reconnaissance phase. We try to figure out what kinds of services are out there. The activities in this phase are not easy to defend against. Information about an organization finds its way onto the Internet via various routes. Employees are often easily tricked into providing tidbits of information, which, over time, complete a full picture of processes, organizational structure, and potential soft spots. After the recon, decision makers are able to pick an appropriate approach in order to move forward with the pen-test. Usually, during the test, the main purpose is to identify vulnerabilities (within technology, processes, management, user education, etc.) and to support the system owner with information that allows technical findings to be translated into valuable risk management input.
What happens after the recognition phase?
Phase 2 is scanning. The objective of this test is to determine the possibility for anyone who is part of a trusted source to get into the network through the Internet, and to determine how far they could get if they gained access. A detailed security analysis should be carried out on the servers and network assets that are accessible through the Internet in order to verify the security in place (the methodology, tools, detailed testing steps, and research questions depend on the enterprise).
Once the attacker has enough information to understand how the business works and what information of value might be available, they begin the process of scanning the perimeter and the internal network devices, looking for weaknesses.
Do you also consider the people working there and the workplaces, or is it only the software you are exploring?
Absolutely. Human errors are still the top cause of data breaches in all kinds of organizations. Hackers are constantly developing better tactics to trick employees or individuals into exposing their sensitive data. Therefore, cybersecurity and, in general, awareness are things that still need to be built within companies. But overall the situation is changing for the better.
What kind of companies are you advising, and, in your opinion, what can a security consultant bring to a company to improve its situation?
Our team consults internationally for numerous enterprises. Some of these organizations employ more than 200,000 people. It is extremely inspiring. The advantage of a consultant role is that the more you work in cyber, the more people you meet, and the more experience you get. What is also amazing in the cybersecurity field is the fact that every single environment is completely different. Therefore, we have to adjust individually and personally to every type of workplace. The projects we perform are discussed in detail with clients. We believe that this is the only way to achieve full satisfaction in providing IT services. At the end of the day, it is really a key matter, as it in fact generates much of the added value and customers’ profits. The role of the consultant is to become familiar with the different kinds of environments appearing in today’s world. Although cases are specific, we are able to see patterns: different variants of the same schemes are repeated over and over again. From the customers’ perspective, something might be completely new, but we have seen it before and can help precisely.
Can you give us one or two examples of security issues at one of your jobs and how you and your team fixed them?
Due to the highly confidential character of our work and the importance of the industries we cooperate with, it is hard to disclose the details. But let’s imagine a situation in which a cybersecurity expert comes to the client’s office and looks around. Employees’ passwords are written down next to their computers. It could be even worse: it’s terrifying, but more than 25% of United States workers admit that they leave their computers unlocked when they go home at the end of the day. Even more users do not lock their computers while taking short trips for coffee. This leaves an excellent opportunity for co-workers (or an invited external consultant) to have a quick peek. We face it all the time! It goes without saying how important it is for an organization, especially one dealing with highly sensitive information and personal data, to ensure that neither its technologies nor its users fall for a trap.
What do you think are the biggest threats for companies at the moment, or what are common weaknesses in IT security strategies?
It is too easy to say that the human is the weakest link. Of course, people have their own weaknesses; they are susceptible to emotions and can trust the wrong person. Nevertheless, it is impossible to imagine an organization without people. All structures are built of people, and administrators, IT professionals and decision makers have their own sins as well. What is not changing as quickly as the attackers’ possibilities are the processes and the approach to cybersecurity inside companies. Nowadays, we have CISO and CCO roles, but sometimes in all that complexity we tend to forget about the core principles of cybersecurity, as we do not have enough time to follow the current trends and up-to-date security solutions. Hence you should always remember that the cybersecurity journey has no end and new challenges appear all the time, for everyone, both experts and end users.
Is quantum technology a real threat for companies at the moment? If not, when do you think the situation could become critical?
First of all, I would like to emphasize that the Google announcement from October 2019, which started a massive debate on the lack of limits on technology development, was indeed a point of discussion for cybersecurity professionals. Quantum computers are unimaginably more powerful than the most advanced modern supercomputers. Theoretically, Shor’s algorithm can be used to factor large composite numbers exponentially faster. Thus, if hackers had access to a sufficiently powerful quantum computer, they could easily crack encryption systems. Of course, quantum technology can be beneficial as well; perfect examples are medical analyses, financial calculations or advanced research studies. I think that we still do not have enough information on how quantum computing can affect data processing on a daily basis. However, once quantum technology becomes really practical, cybersecurity teams will face completely new challenges. And, trust me, we are not bored now!
One threat to businesses is theft or loss of equipment. I am thinking, for example, of sales employees in the field. Do you have any tips for this case?
As you cannot stop theft, it is important to make sure that the data on the device is secure. Storing your data in the cloud, where all privileges can be managed easily, is one of the recommended solutions.
Do you think that companies are more willing to move their data to the cloud now? Have you seen any developments in that respect in the last few years?
Companies are actually making that step. We have many customers who place IT systems in the cloud, and they are happy because they do not need to support these systems; everything just works. Moving to the cloud from local infrastructure usually reduces the risks, but trust always plays an important role here.
What do you think actually convinces companies to move to the cloud?
One of the things is continuity of service. Another part is the possibility to implement different kinds of security solutions that are available out of the box. Additionally, more and more companies are moving to the cloud, especially small and medium businesses, because it is much easier. You do not have to be familiar with different types of server technologies and maintain the talent on-site. You can choose either an unknown XYZ company or a big manufacturer like Microsoft. I trust Azure, because it is already a “mature” product with rich functionality, but basically there is no difference. By the way, Azure monitors all the activity on the server; if anything happens, we can refer to the logs. The cloud will not work for everyone; it was created for services that can be run on external servers without fear.
There are plenty of things that the cloud gives you. Recently, when we discuss the data strategy or security strategy with our clients, very often the project is actually related to moving data to the cloud.
A quick question concerning individual users: Do you think that users are ready, and also tech-savvy enough, to handle 2FA?
Of course! I mean, if they can handle an extra email, they can do it. There were times when the process would have been too complicated for the end user. Today even my grandparents have daily access to their email boxes; banks and financial institutions got us used to them. Speaking of my grandparents, they use different types of online services as well, but cybersecurity does not have to be everybody’s area of study. Instead, and this is very important, they and all end users around the world need to be able to use services that effectively take care of security for them.
So, you think that users are getting more tech-savvy?
Oh yeah, they are. Because this comes naturally with the growth and accessibility of the technology.
Another topic we want to talk to you about is finding new talent. Some companies are having trouble finding employees, especially in the IT sector. In Germany, for example, there are 124,000 vacancies at the moment in the IT industry alone. At Boxcryptor, we focus strongly on diversity and LGBTQ friendliness to motivate more people to apply. What measures do you take at CQURE to build a good team?
The CQURE team is very diverse. From the beginning I was focused on choosing the most interesting people from the applications we received; most of them had strong technical backgrounds before CQ, but few had a detail-oriented, I would say ‘detective’, attitude. When we recruit new team members, we verify not only their skills but also, maybe even primarily, their creativity and enthusiasm. Speaking of diversity, I think it might be surprising, but we employ more women than men.
If you had to recommend another female expert in cyber security to follow, for example, on Twitter, who would that be?
I am thinking of Magda Chelly from Singapore; she is definitely the one to follow on Twitter. She is a really well-recognized consultant in the Asian region, and she also has a lot of experience and interesting arguments.
Thank you very much, Paula, for the interview.