Cyberdanger: every employee is a potential risk for leaks.
His life’s mission: protecting people from cyberdanger.
In 1989, Eddy Willems worked for an insurance firm. Via a floppy disk – then a popular storage medium for digital data – a Trojan virus was secretly installed on his computer. Criminals were able to take his computer hostage and demand a ransom. Willems came up with a solution to neutralise the virus. The assembled media reported extensively on this “ransom virus”. This was the impromptu start of his career as a security evangelist…
All employees are vulnerable to internet fraud.
As a security evangelist at the German firm ‘G DATA Software AG’, Eddy Willems gives lectures for employers, employees, and experts, as well as children and retirees who can also become the victims of e-criminals. His aim above all is to warn people about the dangers of e-crime. He sees it as his role to put the often very technical terms relating to internet fraud in more understandable language for a wide audience. His book “Cybergevaar” (Cyberdanger) was published in 2013, and is still available as an e-book. An updated version of the book, featuring tips from opinion leaders in the field, will shortly be published in English.
“It won’t happen to me”.
Not much has actually changed since the 1990s: all the current headlines about e-crime already existed back then – albeit on a smaller scale, explains Willems. “Everything comes round again”. The fact of the matter is that a cyber problem or a case of internet fraud is always linked to human activity. One does not exist without the other. There is always a lot of naivety in this respect. Employers are mistaken if they believe it won’t happen to them. Even the best IT experts get stung…
Willems has two observations.
The first is that people will always get scammed. “Phishing is still a major problem around the world,” explains Willems. In this form of internet fraud, thieves attempt to obtain sensitive information, such as passwords or bank card details. For example, a fake Facebook page can result in serious data leaks in companies.
The second observation is that malware (malicious software) is becoming increasingly sophisticated. According to Willems, large security services, including the American NSA (National Security Agency), are partly to blame for this, having developed software to keep tabs on people. Criminals simply apply the same techniques.
I Love You. WannaCry.
These are not titles of romantic pop songs, but the names of two notorious viruses. The ‘ILoveYou’ virus first struck in 2000, and originated from the Philippines. It was the first time that a virus had such a global impact. It attacked the Microsoft Windows operating system. The damage worldwide was estimated at $5.5 billion!
The WannaCry virus hit the headlines in 2017. It infected more than 230,000 computers in 150 countries. Among other victims, WannaCry infected the computer systems of the Spanish telecommunications company Telefónica, as well as parts of the British National Health Service, FedEx and Deutsche Bahn. WannaCry is what is known as ransomware: it encrypts the files on a computer. Between $300 and $600 in ransom money was subsequently demanded to remove the encryption.
The difference between malware, phishing and hacking.
“Malware” is an umbrella term for any software which is malicious. Examples include viruses (which propagate), Trojans (which you don’t notice) and spyware (software that watches you, for example as you enter a password, often for industrial espionage).
“Phishing” involves sending an email designed to prompt you into visiting a website, where additional details about you can be harvested. This is one way of eliciting bank details, for example. “Spear phishing” is a variant that involves the more targeted phishing of passwords. It is a technique that is often used to hack into companies. The most serious corporate hackings around the world are usually the result of spear phishing. The criminals are almost like psychologists, asking the right questions to find their way into the network.
“Hacking” is the most widely used term in the media, but it gets bundled together with phishing and malware. Hackers want to take control of a system and perform a specific action: extortion or spying. Ethical hackers are hackers who work for an employer to test the security and keep it robust. In fact, a hacker does what malware does, but manually: they look for security loopholes in order to force their way in and consequently control systems.
How well-protected are Belgian employers?
Belgian employers are doing a pretty good job, in Eddy Willems’ opinion. “We are up there with the best pupils in the class”. The fact that we score well on average is due to organisations such as NATO, the European Union and a number of major banks in Belgium that have excellent protections in place. The problem is more with large employers, where different departments don’t communicate with each other, and servers, PCs and networks are vulnerable as a result. In addition, Belgium is primarily a country of SMEs, and that is a weak point. In general, cyber security is less robust within SMEs, since the cost factor plays a role. A good example is antivirus software which is not always optimally installed.
What can employers do to protect themselves?
“Every employer must have a security package, without fail,” Willems stresses. The security provided by an IT provider or reseller is almost always inadequate. A well-managed anti-virus package is a good basis. In addition, leaks are a major problem. Willems refers to this as the Achilles’ heel for employers: software updates are installed too late, for example. The 3% rule is often cited: in other words, 3% of a company’s turnover should be invested in cyber security. For Willems, that is still not enough. He prefers to apply the 5% rule as a minimum. He admits that such a rule is very general. It is logical for a large bank or renowned law firm to invest more than average in cyber security. For example, Willems knows that the leaking of the Panama Papers was traced to a law firm.
The cyber security expert concludes that everything ultimately starts with awareness: getting information, extensively testing security software (possibly via an ethical hacker), inviting an expert to give a lecture, etc. The important thing is that it gets discussed. However, the problem is that people think they know all they need to. They underestimate the risk.
Belgian legislation is fairly effective, but the problem is complex.
Willems believes that Belgian legislation is fairly effective. It is comparable with that of our neighbouring countries. Internet fraud, however, is an international problem, and that is the snag. Cooperating with the Netherlands or Germany is a lot more straightforward than with somewhere like Brazil or India. Different laws apply in these countries, the judiciary works differently and you have to know people to get things done.
Another well-known problem that has recently been in the spotlight is the lack of transparency among internet giants such as Google and Facebook.
People are actually being arrested in places around the world, Willems explains. Proceedings sometimes take a long time, though, so they aren’t always covered by the media. For example, the scandal involving stolen nude photos of celebrities was a simple phishing attack via an Apple ID. The man behind the theft was finally arrested following a 5-year investigation. They are often complex cases, in which it is difficult to identify and prove the exact source.
From Internet of Things to Internet of Threats.
In the near future, countless household appliances, devices and vehicles will be connected to the internet, so that they can communicate with each other and even make decisions autonomously. This Internet of Things (IoT) is usually inadequately secured. Fortunately, there are as yet no standards, says Willems, so the hackers don’t speak that language yet. As soon as the IoT is rolled out on a large scale, it will undoubtedly create problems, because ‘large scale’ means that there is a lot of money to be made for e-criminals…
Eddy Willems is an internationally-respected security specialist.
He is a security evangelist at the German security software supplier ‘G DATA Software’, and sits on the board of various industry organisations, including the European Institute for Computer Antivirus Research (EICAR) and the Anti-Malware Testing Standards Organization (AMTSO). An updated version of his book “Cybergevaar” will shortly be published in English under the title “Cyberdanger”.