In connection with phishing e-mails, one often hears statements like: “You know that. Who clicks on such links?” Experience shows that someone always does. For senior consultant René Decker, terms like phishing and ransomware are part of everyday life. The 34-year-old switched to the IT world in 2017 out of private interest and is now, among other things, responsible for technical security audits in the technical team at TÜV TRUST IT. In this interview, he gives an insight into his everyday professional life and explains why ransomware is such a big threat.
Mr Decker, you entered the IT sector as a late entrant. How did that happen?
Yes, exactly. In fact, I studied history and English, but have always been interested in information technology in my private life. I finally came to my current job through a friend who performed tests of mobile apps at TÜV TRUST IT. He trained me in this field while I was still a student. After my state exams in summer 2018, I started working full-time as a security consultant.
And you stayed. What do you particularly like about your job and the IT business?
Especially that it is so versatile. The IT world is constantly changing, IoT devices are becoming more and more popular. Especially with regard to modern, increasingly sophisticated attack strategies, this is a very fascinating field. Social engineering is also a big topic here, meaning attacks that are not primarily directed against computer systems, but are intended to persuade people to do something that benefits the attackers.
Are there special training courses for companies against these attack strategies?
Yes, there are. Our portfolio includes awareness campaigns, which also involve training courses and workshops with different points of focus. The nice thing is that we are not the “good guys”, but take on the role of the attackers. That means we write phishing e-mails, try to get hold of passwords and talk through various attack scenarios with the customers. Afterwards, the company receives anonymised statistics on how many employees have clicked on links in our mails, for example.
The German Federal Office for Information Security (BSI) describes ransomware as the greatest threat to companies at the moment. How do you rate this statement?
Ransomware is definitely a significant threat, but has been ‘in vogue’ for more than a decade. The attackers usually encrypt data on their victims’ computers and use this as a basis for blackmail. The dangerous thing about this is that in the worst case, not only individual computers are affected, but the entire network. This was the case with “WannaCry” in 2017. Fortunately, however, it is not the rule. Following this, the attackers offer to lift the blackmail in exchange for a ransom payment. In principle, a good backup system offers protection for certain types of ransomware, so as not to be completely at the mercy of blackmailers. If one does not have this, companies are often in a dilemma. Ransomware is so lucrative for cybercriminals mainly because e-mails with corresponding attachments can be sent in large numbers and with relatively little effort.
Do you feel that companies are aware of this?
It depends somewhat on the sector. The newer the branch and the younger the companies, the greater the awareness. On the one hand, because younger people often know more about IT topics and are not so quick to click on everything they are asked to do. But also, because the hardware and especially software in older companies is often very outdated. So, in addition to training employees, it is also very important to make sure that companies are technically well positioned. It therefore makes sense to think about and implement a comprehensive security strategy with several levels.
And if it does come to the worst: How does an infection become noticeable and what can be done about it?
If a system is infected, the first step is to prevent the spread. A shutdown of the entire system stops the encryption, given that it is detected in time. However, this cannot always be achieved without losses, due to the dependency on other systems. Companies should make sure that the latest patches are always applied, and monitoring software can also help to react faster. A newer model in this context is called “zero trust”. The network is built on the premise that absolutely no one is trustworthy. Often, for example, older company networks are not segmented at all. Everyone can reach everyone else from every system. This is of course a security risk. A lot can be optimised here, and we are happy to provide support.
We already talked about awareness campaigns. Beyond that, what offers exist?
We offer a broad portfolio of services that we can individually adapt to the needs of the respective company. This starts with a general audit of the systems in terms of network security and a listing of the vulnerabilities found, through making recommendations based on need, and extends to the many possibilities of our social engineering campaigns. In my opinion, it makes most sense for companies to invest in both the technical security of their computer systems and the training of their staff. It is difficult to guarantee that no one will ever fall for phishing attacks. However, we can definitely help to reduce the number of employees clicking on links or opening dangerous attachments. If this commitment is combined with technical measures, a reasonable level of security can be built up.
Many thanks for the interview, Mr Decker!