How to avoid a cyberattack, told by those who protect us
Cyberattacks increased by 151% in 2021, according to estimates in Global Cybersecurity Outlook 2022, drawn up by the World Economic Forum. And it is not because companies have lowered their guard (their cybersecurity budget has grown steadily over recent years), it is because the situation has changed. Before they had to protect the company's computers and servers, now they have to do the same with their employees' online profiles. "Before, there was a perimetral barrier," says Manel Cantos Priego, Professional Services Manager at Cipher, Prosegur's cybersecurity business line. "Employees being at home means that the perimeter no longer exists, making them much more vulnerable."
The pandemic popularised the hybrid model: we work more from home, we sometimes work on our mobile phones, we connect to public networks. And the hackers know that. "They used to focus on corporate networks. Now, the easiest thing for them to do is to attack employees, because they know they are the most vulnerable point." According to Accenture's report on the state of cybersecurity resilience now, more than half of companies are unable to effectively stop cyberattacks.
Cipher is a global cybersecurity company that provides a wide variety of services: managed detection and response, managed security services, cyber intelligence services, Red Team services, management, risk and compliance, and cybersecurity technology integration... And they do so using the latest technology. But the weakest link, Cantos points out, is the human one. That is why we must consider not only connected systems and networks, but also awareness and training tools to make people an asset where risks can also be minimised.
As a cybersecurity expert, Cantos's job is to find flaws in the company that hires him, just as a hacker would. He is what is known as an ethical hacker. The procedure is the same, but the purpose is not to make money but to point the flaws out to the company so that it can fix them. "They hire us to play at being the bad guys."
He tests for phishing (a method of tricking the victim into sharing their passwords) via emails with misspellings, pixellated logos or little mistakes that should make the recipient suspicious. They rarely do. "A high percentage fall into the trap," he acknowledges. "But we're thinking about traditional phishing, via email, but it is also carried out via other formats, such as SMS or even calls." In this way, Cipher helps companies to stay protected. And their employees to be more aware of how these sophisticated forms of hacking work.
Another method companies use to highlight their weaknesses is to leave a "lost" USB stick inside the offices. Toilets or stairwells are good places, as employees tend to hand in what they find in public and monitored places, such as meeting rooms, but they are not so conscientious when it comes to somewhere more private. The aim is to raise awareness about the risks of connecting an external device to our equipment. "The problem is that, if you connect that USB, you don't know what's on it and it could steal information that shouldn't leave your computer," explains Cantos.
The expert is aware that many employees who fall foul of these tests have already taken prevention courses beforehand, but points out that we lower our defences when there is a reward involved. It's like the misleading message that tells us we've won a prize: the possibility of getting a reward makes us ignore the risks.
Sometimes it's something as simple as a USB stick. Other times, more sophisticated methods are chosen. For example, the hacking of a smart aquarium to get inside a casino's internal network. Manel Cantos has been dedicated to cybersecurity for 20 years and has seen everything. It is a constantly moving world and you have to stay up to date. The new situation has changed the rules of the game and has made companies more vulnerable, but he believes that things have been changing over the past couple of years and cybersecurity is once again a priority. "At first, it was about being able to continue working no matter what. Now it's about doing so with certain guarantees."