From the business perspective, cybersecurity is quite tricky. As opposed to design and development, if the cybersec team performs at their best… nothing happens. And it’s the best thing you could hope for.
In a way, this is like buying insurance. You hope not to need it, but then a year passes and not using it feels a bit like wasted money. Especially if that’s yet another year where you don’t need it. And in many companies, where the excel sheet is a business oracle, this is how cybersec is perceived. A non-tangible cost.
I would say that this shortsighted approach is a recipe for a disaster… But in the past, thinking that way, I found myself in the minority. Many companies – especially ones seeking investors – are short-term oriented. This is not necessarily always a bad thing – but you need to know what to trade off. Security and quality seems to me the worst possible choice.
How important is cybersecurity?
A security breach is a risk at many different levels. On the most basic, you need to restore your operations. And without proper business continuity protocols and backups this may take a lot of time. Time during which your company is not making money, but still has costs that have to be covered.
Then, there’s the matter of your reputation. You don’t always know what the hacker’s goal is. And it’s not only money anymore. In the case of the Uber security breach, the hacker was seeking attention and admiration. So it was in his interest to advertise it as much as possible. Some customers will forgive you, but some will just go elsewhere.
Another thing is that with ransom attacks, your backups might not be enough, and you will have to suck it up and pay. Reportedly, because of a simple human error, Garmin had to pay $10m to Russian hackers. And they most likely did so through an intermediary, as the hacker group was subject to US sanctions. That would for sure mean a nice fat fee on the top of it.
Last but not least, we live in times of GDPR. The breach alone is grounds for a fine, but failing to notify affected users will increase it. If your company operates in different EU countries, remember that each GDPR office is a separate institution. So those are 27 angry European countries kicking you in the face, while you’re already on your knees.
So, yeah – I’d say that cybersecurity is pretty important.
What can you do as a product professional?
We will go through many of those things in the Cybersecurity section of this blog. In fact the next article I’ve planned is one on password managers. But to not leave you hanging for now, just remember this: stay alert.
Not clicking links or opening attachments automatically is basically a good habit to develop. The other is using password managers and generating strong and random passwords for all services you use. Also those services you use in your private life.
Talk with your development team about cybersecurity best practices, and ask them to implement them in their daily work. Do not assume that they’re doing it. In one of the companies I worked with, the devops team for 6 years had one password to all clients’ admin panels. Yes – both plural – many clients, many panels – one password. This was despite the fact I personally negotiated a licence for 1password for all team members with our CEO (again – yes – I needed to negotiate the $50/month of licences). It took Russia’s barbaric invasion of Ukraine, and the hacker attacks on EU infrastructure that accompanied it, to change that.
And the last thing for now – read about it and share articles on your internal communication channels. A constant drip of water wears away even a mountain. Below I share my favourite cybersec pages and some of the tools I use in my private and professional life. As I’m Polish, some of the portals are in that language (and they’re exceptionally good). However my foreign colleagues have no problem reading them with Google automatic translation on.
- English speakers
- Polish speakers
Cybercrime Magazine – They have a whole separate section on cyberattacks cases. As they’re from US, they often describe schemes that later one are used in other parts of the world. I also recommend their podcast.
Tripwire – They are CyberSec company running a blog. They have a rich library of “how to” articles. It’s worth to take a look from time to time.
Dark Reading – I heard this is the best site for CyberSec. To be honest I prefer Cybercrime Magazine, but they have really good free reports. They have new articles everyday, so it’s good place to stay up to date with cyber security.
Yubico Blog – This is a product company running blog, so obviously they’re circling around thing that YubiKey could be used for – but if you have one, you can learn how to use it more effectively.
Niebezpiecznik – One of the best Polish sites dedicated to Cyber Security. You will find here a lot of articles about threats, prevention and hints. They also have their own CyberSec alerts app that notifies users about active attacks in Poland.
Zaufana Trzecia Strona – Slightly smaller team, but delivering very good CyberSec content. You will find detailed described cases and articles about Cyber Security. They’re also running a podcast, and their editor in chief organizes annual “Security Confession” webinar where he shows what tools he use in his private and work life.
Sekurak – A bit more technical website dedicated to Cyber Security issues. Here you will find much more about practical application and news about technology that indirectly affects security.
Kacper Szurek – a blog run by a Polish CyberSec profesional. He has produced a lot of “how-to” articles and YT videos. You can learn from him about tools and apps improving security, but also what to do if you were affected by the attack.
My short list of recommendation
Signal – It’s an encrypted end-to-end communicator, available for the most popular operating systems – including Android and iOS, not connected to any of the Big Tech companies and not selling your data. One serious con for people enjoying WhatsApp is that moving to a new device or reinstalling wipes the message history.
KeePassXC – Free and open-source password manager that I use in my private life. As I consider it one of the most important day-to-day security measures, there will be a separate article about it.
Yubico NFC and 5C NFC – a hardware authentication device – my favourite cybersecurity measure. The only problem is that it is still not very popular. In 2023 the first Polish bank will start using it to authorise users. And that will probably also be the first bank worldwide. But each year there are more and more popular.
Google Authenticator – Wherever YubiKey is not available I use Google Authenticator. Recently they added an option to connect GA with your Google account – so changing or losing a device will not be that big a deal anymore.
Revolut (disposable virtual cards) – The best option if you need to buy something from a source you don’t know or trust much. I used it to buy the theme for this blog. You just top up your account with money, pay and in case it’s hacked the card was one-use only. Additionally I don’t keep any money on my Revolut account when I don’t need to.
BLIK – Polish payment method based on a 6 digit code generated for 30 sec. You type in the code and confirm on your phone. You’re not sharing a CC number, so even if someone fooled you, all that is at stake is the amount you’re paying. I also use it to withdraw money from ATMs to avoid scammers.
Credits
- Photo by cottonbro studio: https://www.pexels.com/photo/a-memory-card-near-a-laptop-5474287/
- Dilbert comic strip by Scott Adams: https://scottadams.locals.com/
