Cybersecurity at ALSO
In this series of interviews we want to introduce you to some of our team members and delve a little deeper into their job role and responsibilities. In a previous interview, we spoke with Simone Blome-Schwitzki, Senior Vice President Solutions at ALSO , about IT solutions with which ALSO is supporting its resellers. Now we’d like to introduce Artjoms Krumins, our Cybersecurity Center of Competence Lead.
Please tell us more about your job position and responsibilities at ALSO?
Artjoms: As the Cybersecurity CoC Lead at ALSO Group I’d describe my responsibilities as follows:
- Providing our partners with market-leading cybersecurity solutions so they can establish trusted relationships with their clients.
- Managing our Cybersecurity CoC to ensure our partners have all the necessary resources to grow their business, such as training, financial and logistical services, vendor negotiations, and business planning.
- And of course, working with our vendors on a daily basis to ensure the best possible offerings at ALSO.
How fast is cybercriminality developing and what are the most important trends you see regarding cyberattacks?
Artjoms: Currently we are still dealing with the unprecedented challenges of 2020. The healthcare sector is still battling the COVID-19 pandemic, which, in addition to its tragic health consequences, has been the breeding ground for numerous incidents of malicious cyberactivity. While most companies are looking for the most efficient ways to do business and recover losses from 2020, cybercriminals continue to use every means possible to gain access to valuable assets. It’s become clear that anyone can now become a victim of a cyberattack. While an attack on government institutions or the financial sector is something we are already familiar with, last year has shown that even companies operating in niche segments and enjoying positive community support can become a target.
In addition, cybercrime continues to grow as a network, with many players consolidating their skills and knowledge to gain access to vital technologies to help their business or maximise their profits. eCrime activity has increased by 400% compared to Q1 2019 and, of course, working remotely in an unsecured environment and a lack of cybersecurity education for employees is one of the key reasons for this.
On the other hand, it’s crucial for every business owner to understand that criminals have previously chosen the biggest asset holders, such as the financial sector or governments, to attack. Nowadays, size does not matter anymore, and according to reports, 43% of breach victims are small and medium-sized businesses. This stems from the fact that hacking tools have become easier to use. Most SMBs don’t invest enough in their own security, and with remote work, it’s much easier to breach a home office environment.
The basis of efficient risk management is to understand the possible threats. How does risk assessment work?
Artjoms: When discussing risk assessment, we need to have a clear understanding of what it is. I often meet customers who tell me that they carried out an assessment of their security perimeter last year and it was on a good level. This is a great first step, however it is not a quality security risk assessment which is still valid today. When we at ALSO are speaking about assessment, what we mean is a continuous process where we assess Technology, Processes, and People in regular, frequent intervals, based on an industry standard framework. So, when we speak about full cybersecurity risk assessment, we need to take care of all the three mentioned elements. As a technology provider, ALSO is offering its partners various tools and services to constantly stay up-to-date. Currently, our portfolio includes assessment tools that can help almost every partner to do quality risk assessment. If your customers are mostly dealing with the Microsoft Azure environment, we offer Cybersecurity Assessment Tool from QS Solutions, the partner recognised and recommended by Microsoft for MS Azure security analysis. A solution we recommend for checking all the legacy equipment for known vulnerabilities is the Greenbone offering. But if you need a comprehensive cybersecurity assessment solution, which shows all the existing risk, exploit probabilities, attack vectors and expected mitigation plan, you should opt for our partner CYE’s continuous assessment service offering. By the way, during the ALSO CTV we announced our new product, developed in cooperation between ALSO Group and CYE – HyverLight - which provides services for companies of any size, who seek to improve their cybersecurity posture, get the most actual data on their cybersecurity state and risk mitigation capabilities.
You already mentioned the topic of educating employees about cybersecurity. Very often, the problem is not in, but in front of the device. So how can you raise employees’ awareness of threats?
Artjoms: Cybercriminals are still targeting employees with their attacks as they continue to be one of the easiest ways to penetrate organisations. Even though we are living in a digital world and everyone knows how to operate computers, cybercriminals are using machine learning and artificial intelligence to target their attack on employees. Nowadays, hardly anyone clicks on an email offering 1 Million EUR, but 1 in 10 employees will click on a link from their management regarding new information about the COVID-19 vaccination, which then will execute some malicious code or will bring the employee to a malicious website. That is why at ALSO, we’ve always put education at the core of our approach to cybersecurity. Now everyone can watch and pass cybersecurity online awareness training, and most of these trainings are free and are a good basis for general awareness. We need to understand that cybercriminals are adapting and using new ways to target employees. Therefore, we believe in choosing the right technology tool to regularly make employees aware and keep them up-to-date. One example is the service offered by HoxHunt, a partner who recently came on board. HoxHunt automates the sending of various potentially malicious emails to an organisation’s employees, and if an employee clicks on the link contained within – it will show them where the potential threat was and how not to be caught out in future.
There is, of course, a heightened risk if you move all your data to the cloud. Is it worth taking the plunge regardless, or what flexible options are there?
Artjoms: Let me politely disagree. First and foremost, moving data to the cloud is a great opportunity. It enables companies to increase or decrease necessary computing resources with a few clicks. They can significantly reduce capital expenditure and shift it to operational expenditure, which will bring more flexibility and better control over costs. If we return to the cybersecurity topic, we need to understand that moving away from the cloud will not solve cybersecurity issues. You will still need to protect your employees, you will still need to protect communication channels between employees or offices, you will still need to control and protect any exposed assets such as websites or online shops. To summarise – don’t delude yourself that the cloud will give you cybersecurity, but it will definitely give you flexibility.
Given the fact that new threats appear almost every day: How can a company stay on top of the risks?
Artjoms: That’s a very interesting question. I think there are a couple of ways to achieve the level of protection required. The first is fairly obvious – i. e. recognising that cybersecurity is an integral part of every business and investing in it by hiring the best people and purchasing various best in class solutions. The second option is to work with Managed Security Service Providers – organisations that focus solely on providing cybersecurity services and taking control of the company’s cybersecurity operations. We’re seeing this option become more and more relevant. Value added IT resellers have realised that this is a viable business model, you can start quickly with subscription services and provide customers with the best offering at a reasonable price. And of course, there is a third option to keep on top and spot risks – which is actually a combination of both of the previously mentioned –the business takes responsibility for core systems and delegates smaller areas of cybersecurity (such as email security) to the service provider.
Of course, before choosing your preferred model, you should make an internal assessment, even the most basic one, by asking yourself simple questions: Will I be able to continue doing my business if my CRM database is stolen? How much will it cost me if an employee downloads malicious software and encrypts my ERP and accounting database? How much money will I lose if someone gains access to my webshop and is able to change prices? The answers to these or similar questions will help a business owner choose the right approach. Just don’t decide not to care about cybersecurity.
With regard to cybersecurity at ALSO, can you disclose how often ALSO’s servers or systems are being attacked?
Artjoms: I can’t give you an exact figure, but what I can tell you is that every large organisation is scanned for potential penetration options hundreds of times a day. And these are only passive scans, which are not considered an attack, but a warning that an attack might be imminent. It is also important to remember that a malicious email sent to an employee’s email inbox that is opened on a company PC is also an attack on company assets, and there are billions of emails like these spread around the world looking for a vulnerability. One trend these days is a so-called supply chain attack, where the cybercriminal focuses efforts not on the target company, but rather on its supplier, whose level of cybersecurity is less mature, and by penetrating the supplier you can almost automatically gain access to the target company’s assets. To simplify this, imagine you work with a small call-out agency that sends a list of leads to your company CRM. You considered this communication secure at the start, you provided them with some credentials to access the CRM, but for the attacker it’s much easier to hack into the small agency and access the CRM data than to attack you directly.
What was the most complex and clever attack you know (and secretly admired)?
Artjoms: My understanding is that any planned attack is like reading a well-written detective story. Some can be masterpieces and some simply exploit weaknesses in people or companies. Unfortunately, there are more badly written stories than masterpieces. That is why I prefer to tell the story of how our partner CYE does its work to test the cybersecurity level of an organisation. To avoid throwing names around, let’s assume it was a bank. After signing off on the intrusion, with absolutely no prior information about the company’s cybersecurity status, CYE specialists conducted a reconnaissance and checked that all public assets known to them were well secured. On top of that, they left a few flash drives in the bank building, and hey presto, someone put them in. CYE gained access to one particular account, then used password similarities in other systems (spoiler alert – companies still don’t take regular password changing seriously). Once they had gained access to an active directory, they got the keys to the whole kingdom and then they could do anything – transfer money to a specific bank account, take a picture from the CFO’s laptop camera, change a few records in the database, etc. What I really like about this story is that the hacking here is being used on the authority of the company that wants to have a better understanding of the existing state and is aimed at providing more secure services to customers. And the good thing is, these CYE Enterprise services are available at ALSO in every country where we have offices.