2020-11-09

Recently, two out of five companies have noted a security breach (according to data from the Computerworld 2020 report). We provide suggestions as to what one should do to make their company better protected against hacker attacks.

cyberbezpieczenstwo 

A company near Łódź, producer of metalware, received an invoice from one of its regular suppliers. It included all the usual data, the sender’s address, and the sender’s name. A person from their accounts section wrote to advice about the change of their bank account number, as the supplier had moved its account to another bank. The invoice was paid on Wednesday, and two days later, the supplier sent an identical invoice, only that its bank account number was as it always had been… The company off Łódź lost a few hundred thousand zlotys, because the invoice with the fake bank account number had been sent to it by a criminal offender.

Poznań, a medium-sized company which sells its products online. On Monday, when the warehouse staff set off to start packing goods ordered during the weekend, it turned out that the warehouse system was not operating... They reported the problem to an IT specialist and received a clear answer: all computers in the company had been blocked by criminal perpetrators who are demanding a ransom...
These cases are just examples of attacks which happen all over the world. They can have serious consequences: data leaks, problems with day-to-day operations, losses which can be worth millions, loss of company’s credibility, even bankruptcies. The fact is that cyber attacks have become a real threat to small companies and to multinational corporations alike.

Phishing as the most common and most efficient form of attack

Phishing is about impersonating a company, organization, or person and enticing the recipient of the message to take action. In most cases, it will mean clicking on a false link or opening an infected attachment. At times, this is all what is needed for someone to take control over the computer and, for example, change the account number on an invoice which the company is about to send, gain access to documents and files placed on a disk, or steal login data to e.g. electronic banking. Infected attachments are also used in ransomware attacks which means blocking one’s access to computer, very often by encrypting files on the disk (as was the case of the company from Poznań). Sometimes criminals intercept the data and blackmail their victims, threatening them that they will disclose the data. In both types of cases, the solution to the problem is paying a ransom – or at least this is what the fraudsters claim the solution to be as, unfortunately, this not always works. So it may happen that a person loses both the money, and the data which cannot be recovered after their encryption by the criminals. The most notorious ransomware attack took place in 2017, when the “WannaCry” malware infected over 230,000 computers worldwide. Its victims included Renault, Hitachi, Deutsche Bahn, FedEx, and other companies.

One might think: if such global giants were not able to protect themselves from the attack, how can I? The truth is that a vast majority of attacks, especially the phishing ones, can be defended against. What is enough, is an adequate level of awareness among all company staff.

The basic rules of cyber security:

  1. Always carefully check the address of the e-mail’s sender as usually, the sender’s name which we see is displayed as Jan Kowalski rather than kowlaski@nazwafirmy.pl. And it is advisable to always pay attention to what comes after the @ as it can help you detect the fraud The sender’s address may look like this: nazwafirmy.pl or nazwaflrmy.pl. So the only difference is between the letters “i” and “l” (a lower case “L”). The fraudsters hope that you will not notice this little alteration.
  2. Check the website’s address really carefully and make sure that it starts with the abbreviation of https:// and not with http://. Avoid websites which do not have the “s”. Also check the certificates of the websites: just click on the icon of the padlock in the web address bar. Only the fact that the address is proper, the presence of the ”https” shortcut in the website’s address, and the correct certificate prove that the website is safe to use.
  3. It is best to put the bank’s login address in a bookmark in your web browser. Also, keep in mind that address bars often serve as search engine bars and that they take us to search results rather than to banks’ websites. Sometimes criminals manage to buy top ranking positions in search results, so the thus-substituted page may just be false. You will avoid this risk by using bookmarks.
  4. Avoid clicking on suspicious links which reach you be e-mail. Remember that banks never send links to transaction sites. If it is necessary to click on a link, hover the cursor over it (but do NOT CLICK on it!) This way you will check the address to which the link actually leads. If you see a different address displayed than the one shown in the link, you know that are dealing with a fraudster.
  5. Use difficult passwords and change them often. Did it ever happen to you that your kid managed to unlock your phone by entering a random PIN number? If you happen to have an easy password, criminals will easily guess it. Instead of using the “123456” or “password”, use MyVeRyDifficultPassword #5).
  6. Avoid downloading files from e-mails, especially from senders who are not known to you. Dangerous files are those which include extensions .exe or .scr.
  7. Important changes (e.g. change of a bank account number on an invoice) should be confirmed by phone or in direct contact as fraudsters may impersonate a superior or president of a company. If an action (e.g. making a transfer) is supposed to taken immediately, it is worth calling the person who orders this, or simply meeting with them to confirm.
  8. Make independent archives as important company data should be stored in at least two independent places, one of which is outside the company (e.g. in a secure cloud or on a disk stored in a safe place). In such a case a fire or a hostile encryption of the company's disks are not going to paralyse the company’s operations for too long).

Phishing is not all

There are many more dangers to which a company can be exposed. For example, the attacker can be a company’s member of staff. Such situations happen all over the world. For example a person who has been fired or mistreated, can in revenge infect the system with malware or take confidential information out of the company (e.g. customers’ or suppliers’ databases).

A company can also be put in danger by inappropriate storing of documents and data, non compliance with procedures, or poorly securing its information as it all means that someone may access or simply steal it. In Poland, the best-known incident of this type happened to one of the shops which trade online. A cybercriminal stole its customers’ database which contained names and surnames, e-mail addresses, telephone numbers, and personal identity (PESEL) numbers. As a result of the attack, the company was punished by the Personal Data Protection Office with a fine of almost PLN 3 million. This, of course, was accompanied by the company’s tarnished image and a drop in customer confidence.

Another type of threat to companies are DoS and DDoS attacks. In simple words, they mean that a specific service (e.g. a website, application etc.) is suddenly being accessed by so many computers or so many processes are being performed simultaneously that the system gets overloaded and rendered unable to operate as normal. All of us could experience this e.g. when trying to buy tickets to a hugely popular event: if at the same time too many persons are trying to buy the tickets, such a website stops working normally.

Companies need experts

The security of a company should be entrusted to experts as they will know best how to properly create, configure, and manage your network, programs, systems, servers, applications, etc. Surely, this will look completely different in a small company, as sometimes one well qualified and experienced IT specialist is enough to ensure this, and completely different in a company which employs several thousand people, as it will most probably need a separate cyber-security team. Each company should also be prepared to deal with and respond to security incidents. Also, there exist various types of solutions available on the market which can be helpful in dealing with cyber attacks as they e.g. monitor what is happening in the company's network.

An employee is not the weakest link; on the contrary, he is the first line of defence.

Sometimes it can be heard that a person is the weakest link in the cyber security system. I tend to think however that a staff member is the first and sometimes the only line of defence which an organisation has. But in order for an employee to be able to resist attacks effectively, he needs to be equipped with appropriate knowledge and awareness. What is more, he must also feel responsible for the security of the company and understand how much depends on him. Therefore training in cyber security issues should be tailored to the needs and the particular position of an employee because someone from the accounts section is likely to be exposed to a different type of threats than a person working at the reception desk. Staff training should be invested into as cybercriminals know where to strike to make their attacks effective. We should therefore protect our companies on various fronts.

@Marcin Ganclerz
Expert from the Cyber Security Department of PKO Bank Polski

The information contained on the website has informational and advertising nature and does not constitute an offer within the meaning of Article 66 of the Civil Code, investment advisory services, and the provision of recommendations concerning financial instruments or their issuers within the meaning of the Act on Trading in Financial Instruments, and is not a form of providing tax advisory services or legal assistance.