„Human errors are still the top cause of data breaches in all kinds of organizations.“ – Interview with Cyber Security Expert Paula Januszkiewicz
Paula Januszkiewicz is an expert on cybersecurity and a well-recognized speaker at international IT conferences. With her company CQURE, she advises companies on their IT security strategy. In addition, she is committed to getting more young people interested in the industry. We are very happy to have had the opportunity to talk to her about her work as a cybersecurity consultant.
Hi Paula, thank you very much for talking to us today. My first question is: How did you first get started as a cyber security consultant, and where do you get your information on what is going on in the IT security industry?
When I started my adventure as a cybersecurity consultant, I was already up-to-date on what was happening in the market because I had been working in a consulting company for a while. Although it was not an international enterprise, I was engaged in different types of community activities and special projects.
Generally speaking, I read the news and speak with different people from the industry. And that is something that gives you many, many insights on what is going on and how people interpret events and changes.
Of course, I graduated in Computer Science and spent many years practicing the knowledge I obtained at the university. But from today’s perspective, I know that it is not enough to know something; you also have to try it countless times. It is also worth mentioning that nowadays we have many tools that help people update their knowledge: we have bottom-up websites like Twitter or GitHub, big news portals, or learning platforms like Medium. This way, we are able to read about all types of cybersecurity situations that are happening out there, and become familiar with diverse professional approaches and strategies.
When you get hired by a specific company to check their state of IT security, where do you look first?
Well, every case is different, so our methods are diverse and depend on the type of project. When we perform an internal pen-test, one of the first things we do is to start the recognition and reconnaissance phase. We try to figure out what kinds of services are out there. The activities in this phase are not easy to defend against. Information about an organization finds its way to the Internet via various routes. Employees are often easily tricked into providing tidbits of information which, over time, act to complete a full picture of processes, organizational structure, and potential soft spots.
After the recon phase, decision makers are able to pick an appropriate approach in order to move forward with the pen-test. Usually during the test, the main purpose is to indicate vulnerabilities (within a technology, processes, management, user education etc.). We support the system owner with information, allowing them to translate technical findings into valuable risk management data.
What happens after the recognition phase?
Phase 2 is Scanning. The objective of this test is to determine the possibility for anyone who is a part of a trusted source to get into the network through the Internet, and to determine how far they can get if they gain access. A detailed security analysis is carried out on the servers and network assets that are accessible through the Internet. This helps to verify the security in place (methodology, tools, detailed testing steps, and research questions depend on the enterprise).
Once the attacker has enough information to understand how the business works and what information of value might be available, they begin the process of scanning the perimeter and the internal network devices, looking for weaknesses.
Do you also consider the people working there, or is it only the software you are testing?
Absolutely. Human errors are still the top cause of data breaches in all kinds of organizations. Hackers are constantly developing better tactics to trick employees or individuals into exposing their sensitive data. Therefore, cybersecurity and, in general, awareness, are things that still need to be built within the companies. But overall the situation is changing for the better.
What kind of companies are you advising, and what can a security consultant bring to a company to improve their situation?
Our team is internationally consulting numerous enterprises. These organizations are often employing more than 200.000 people. It is extremely inspiring. The advantage of a consultant is that the more you work in cyber, the more people you meet, the more experience you get. And what is also amazing in the cybersecurity field is the fact that every single environment is completely different. Therefore, we have to adjust individually and personally to every type of workplace.
Projects that we are performing are discussed in detail with the clients. We believe that this is the only way to achieve full satisfaction in providing IT services. At the end of the day, this is really a key matter, as it generates much of an added value and customers’ profits.
The role of the consultant is to become familiar with different kinds of environments in today’s world. Although cases are specific, we are able to see patterns – different types of the same schemes are repeated over and over again. From the customers’ perspective something might be completely new, but we have seen it before and can help precisely.
Can you give an example of security issues at your jobs, and how you and your team fixed them?
Due to the highly confidential character of our work and the level of importance of the industries we cooperate with, it is hard to disclose details. But let’s imagine the situation that a cybersecurity expert comes to a client’s office and looks around. Employees’ passwords are written down next to their computers. Often it is even worse. It’s terrifying, but more than 25% of employees in the United States admit that they leave their computer unlocked when they go home at the end of the day. Even more users do not lock their computers while taking short trips for coffee. This leaves an excellent opportunity for co-workers (or invited external consultants) to have a quick peek. We face it all the time!
It goes without saying how important it is for organizations, especially for those dealing with highly sensitive information and personal data, to ensure that both technologies and users will not fall for a trap.
What do you think are the biggest threats for companies at the moment, and what are common weaknesses in IT security strategies?
It is too easy to say that humans are the weakest link. Of course, people have their own weaknesses; they are susceptible to emotions and sometimes trust the wrong person. Nevertheless, it is impossible to imagine an organization without people. All the structures are built of people, and administrators, IT professionals, or decision makers have their own sins as well.
What is not changing as quickly as the attacking possibilities are the processes and approaches to cybersecurity in companies. Nowadays, we have CISO or CCO roles, but sometimes in all that complexity we tend to forget about the core principles of cybersecurity, as we do not have enough time to follow the current trends and up-to-date security solutions. Hence, you should always remember that a cybersecurity journey has no end, and new challenges appear all the time – for everyone, both experts and end users.
Is quantum technology a real threat for companies at the moment? If not, when do you think the situation could become critical?
First of all, I would like to emphasize that Google’s announcement from October 2019, which started a massive debate on the lack of limitation of technology development, was indeed a point of discussion for cybersecurity professionals. Quantum computers are unimaginably more powerful than the most advanced modern supercomputers. Theoretically, Shor’s algorithm can be used to factor large composite numbers exponentially faster. Thus, if hackers had access to a sufficiently powerful quantum computer, they could easily crack encryption systems. Of course, quantum technology can be beneficial as well – perfect examples are medical analyses, financial calculations, or advanced research studies. I think that we still do not have enough information on how quantum computing can affect processing data on a daily basis. However, once quantum technology becomes really practical, cybersecurity teams will face completely new challenges. And trust me, we are not bored now!
One threat to businesses is theft or loss of equipment. I am thinking, for example, of sales employees in the field. Do you have any tips for this case?
As you cannot stop the theft, it is important to make sure that the data on the device is secure. Storing your data in the cloud, where all privileges can be managed easily, is one of the recommended solutions.
Do you think that companies are more willing to move their data to the cloud now? Have you seen any developments in that case in the last years?
Companies are actually making that step. We have many customers who place IT systems into the cloud, and they are happy because they do not need support for these systems — everything just works. Moving to the cloud from a local infrastructure usually reduces risks, but trust always plays an important role here.
What do you think actually convinces companies to move to the cloud?
One of the things is the continuity of the service. Another part is the possibility to implement different kinds of security solutions that are out-of-the-box. Additionally, more and more companies are moving to the cloud, especially small and medium businesses, because it is so much easier. You do not have to be familiar with different types of server technologies and maintain the talent on-site. You can choose either an unknown XYZ company or a big manufacturer like Microsoft. I trust Azure, because it is a “mature” product with rich functionality, but basically, it does not matter. By the way, Azure monitors all activities on the server – if anything happens, we can refer to the logs. However, the cloud will not work for everyone; it was created for services that can be run on external servers without fear.
There are plenty of things that the cloud gives you. At the moment, when we are discussing data strategies or security strategies with our clients, very often the project is actually related to moving data to the cloud.
A quick question concerning tech and private users: Do you think that people are ready, and also tech-savvy enough, to handle 2FA?
Of course they are! I mean, if they can handle email, they can do it. There were times when processes were too complicated for end users. Today even my grandparents have daily access to email boxes – banks and financial institutions made us used to them. Speaking of my grandparents, they are using different types of online services as well, but cybersecurity does not have to be everybody’s area of studies. Instead, and this is very important, they and all end users around the world need to be able to use services that are effectively taking care of security for them.
So, you think that users are getting more tech-savvy?
Oh yeah, they are. Because this comes naturally with the growth and accessibility of technology.
Another topic we want to talk to you about is finding new talent. Some companies are having trouble finding employees, especially in the IT sector. In Germany, for example, there are 124.000 vacancies at the moment in the IT industry alone. At Boxcryptor, we focus strongly on diversity and LGBTQ friendliness to motivate more people to apply. What measures do you take at CQURE to build a good team?
The CQURE team is very diverse. From the beginning I was focused on choosing the most interesting people from received applications – most of them had strong technical backgrounds before CQ, but few had a detail-oriented, I would say ‘detective’, attitude. When we recruit new team members, we verify not only their skills but also, maybe even primarily, their creativity and enthusiasm. Speaking of diversity, I think that it might be surprising, but we employ more women than men.
If you had to recommend another female expert in cyber security to follow, for example on Twitter, who would that be?
I think about Magda Chelly from Singapore; she is definitely the one to follow on Twitter. She is a really well-recognized consultant in the Asian region, she has a lot of experience and interesting arguments.
Thank you very much, Paula, for the interview.