Annette Niemczyk is a senior systems engineer with Envision Technology Advisors, which has offices in Pawtucket. Information technology management, disaster recovery, network design and implementation, and Microsoft solutions are a few of her areas of expertise. Cybersecurity issues aren’t going away any time soon, she says, and companies can reduce their vulnerabilities with a constant commitment to learning.
PBN: What is new in the field of cybersecurity?
NIEMCZYK: Almost every single day we hear news about a new threat or vulnerability or big data breach. The crazy thing is that for every threat you hear about, there are countless others that emerge, most of which never actually make the news. So, the answer is that there is always something new in the field of cybersecurity.
I think one of the most challenging kinds of cyberthreats that we are seeing – and which have become more prominent over the years – are socially engineered attacks. These are much more personalized than just a generic, mass-generated spam email. With a socially engineered attack, an actual hacker has made contact with a target and is trying to trick them into giving up specific information, money, or additional access to their systems.
Because these attacks are more personalized and targeted, and because a real hacker is behind the attack, they can trick even some of the most tech-savvy users in an organization and cause some serious damage.
PBN: By now, we would think all companies would have anti-phishing/cybersecurity instruction and policies in place. Where are we still falling short?
NIEMCZYK: Companies seem to understand that they need to protect their networks with the appropriate hardware and software solutions, but what they often fail to consider is the most likely attack vector their company has – their people. The reality is that all employees in a company, even the ones who know a bit about technology and security, should be trained and regularly updated on cyberthreats.
This training should be personalized to the company itself and should not just be some canned, online videos that everyone is mandated to watch. A company should start by rolling out baseline security training for all employees … because every company has employees with different levels of experience and knowledge about cybersecurity. It gets everyone on the same page. These trainings can then be augmented with additional information as new threats emerge into the market, helping a company maintain [its] security standing over time.
PBN: You have said you have a quick, easy way to validate links sent via email, just hovering a cursor. Can you explain?
NIEMCZYK: Keep in mind that depending on the vehicle used to view the email, the exact process may vary slightly. If you are opening an email in Microsoft Outlook or a web browser and that email contains a link, you can place your cursor over the hyperlink and the actual address the link will take you to will be displayed either right by your cursor or in the bottom left corner of your web browser. Say the email is from your company but the link says it is bringing you [to] a website that you do not recognize; that may be a cause for alarm and you should be cautious about clicking on that link.
PBN: What is the worst outcome you’ve seen as a result of phishing?
NIEMCZYK: The two most common outcomes we see are the transfer of large sums of money or the sending of confidential data to the threat source. In most cases, the compromises we have seen could’ve been avoided with some simple training and education.
Sadly, one of the most unfortunate realities about cybersecurity is that many companies only begin taking it seriously after they have been attacked and compromised.
PBN: Are you absolutely positive that a Saudi prince won’t reach out to anyone via email with news of an inheritance?
NIEMCZYK: One-hundred percent.
Susan Shalhoub is a PBN contributing writer.
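The hover check Niemczyk describes (compare where a link says it goes with where it actually goes) can also be run over an HTML email body programmatically, which is useful for mail-gateway triage or for training material. The script below is an added example and is not code from the article or from Envision Technology Advisors. It parses every anchor tag, takes the visible link text as the claimed destination when that text looks like a URL, extracts the real hostname from the `href`, and flags a mismatch or a destination outside a list of hosts the recipient recognizes. It also handles one trick a hover check exposes but people misread: a user-info prefix such as `https://mail.company.example@evil.test/`, which `urlparse` correctly resolves to `evil.test`. The sample email, all host names (`company.example`, `evil.test`, `login-portal.test`, `dropshare.test`) and the trusted-host list are constructed for illustration.

```python
"""Programmatic version of the 'hover over the link' phishing check.
Added example (not from the article); sample data below is constructed."""

from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text chunks seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL or URL-looking string, or None if there is none.

    urlparse discards any user-info before '@', so an href such as
    https://mail.company.example@evil.test/ resolves to evil.test, which is
    exactly what the hover tooltip would reveal."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate   # visible text often omits the scheme
    return urlparse(candidate).hostname     # urlparse lowercases the host


def is_trusted(host, trusted_hosts):
    """True if host is one of the trusted domains or a subdomain of one."""
    if not host:
        return False
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def check_links(html, trusted_hosts):
    """Return [(href, visible_text, verdict)] for every anchor in html.

    verdict: 'mismatch'  - text names one host but href goes to another
             'untrusted' - href host is not in trusted_hosts
             'ok'        - otherwise"""
    parser = LinkCollector()
    parser.feed(html)
    trusted = [t.lower() for t in trusted_hosts]
    results = []
    for href, text in parser.links:
        real_host = host_of(href)
        # Only treat the visible text as a claimed destination when it looks like a URL
        looks_like_url = "." in text and " " not in text
        shown_host = host_of(text) if looks_like_url else None
        if shown_host and real_host and shown_host != real_host:
            verdict = "mismatch"
        elif not is_trusted(real_host, trusted):
            verdict = "untrusted"
        else:
            verdict = "ok"
        results.append((href, text, verdict))
    return results


# Constructed sample email body; every host here is an illustrative placeholder.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full.</p>
<a href="https://mail.company.example/quota">Manage storage</a>
<a href="http://company-example.login-portal.test/reset">https://mail.company.example/reset</a>
<a href="https://mail.company.example@evil.test/">https://mail.company.example/</a>
<a href="https://intranet.company.example/policy">intranet policy</a>
<a href="https://files.dropshare.test/invoice.pdf">Download the invoice</a>
"""
TRUSTED_HOSTS = ["company.example"]   # hosts the recipient recognizes (assumed)

if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(f"{verdict:9} {text!r} -> {href}")
```

Running it on the sample flags the second and third links as mismatches (the visible text claims the company mail server, the `href` goes to a look-alike host and to `evil.test` via the `@` trick) and the last link as untrusted, while the two links that really stay on `company.example` pass. Two caveats match the manual check: a plain-words link text such as "Download the invoice" makes no claim about its destination, so only the trusted-host test applies to it, and a redirector or URL shortener on a trusted host would pass here just as it would on hover, so the allow-list should only contain hosts that do not forward to arbitrary destinations.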