The events of recent weeks, during which the data of customers of well-known Lithuanian companies and websites have been leaked, have raised the sensitive question – are the businesses of our country really taking all possible measures to ensure the security of their data? According to IT specialists and security experts, Lithuania still lacks understanding and basic knowledge about cyber security, so such and similar data leaks should not come as a surprise.

Lack of competencies

Lukas Apynis, IT engineer of ESET Lietuva, a company implementing antivirus and Internet security systems, says that City Bee, Orakukas.lt, Darni pora, Domenai.lt and others was not the first programmer victim of this scale in the history of Lithuania.

“We can remember an incident several years ago where the personal information of patients at one beauty clinic was stolen. Hackers who hacked into the systems of the Beauty Surgery Clinic stole very sensitive company data: patient photos and other personal information about the treatment. They blackmailed the company and, possibly, forced the affected patients to buy out the stolen data, ”L. Apynis recalls.

Unfortunately, according to him, no lessons have been learned from the mistakes of “Beauty Surgery”, which clearly signals that Lithuania still lacks competence in this particularly important security issue.

“It is certainly not possible to say that the entire Lithuanian business sector does not fully ensure the security of its internal systems, but the biggest and most common problem is negligence or low interest in security – lack of competence,” says the IT engineer.

Asked by Apynis whether it was possible to make at least preliminary predictions about how programmers managed to obtain data from companies and websites, the interviewee says that there is a good chance that this happened in the same way as the programmer himself said – he accidentally found unprotected data.

“As he himself publicly stated, he simply found insecure data on one of Citybee’s servers and misappropriated it. After the investigation, it should become clear how things really were. As I mentioned, that would be negligence and lack of competence. The server, which stored important customer data, was poorly configured, ”says the specialist.

Tadas Burba, the head of the IT department of the company Heximus, which offers network security solutions, agrees with him, and considers the level of data protection in Lithuania to be at least insufficient.

“The pace of digitalisation development is faster than the ability to assess the resulting threats, including adequate data protection. Many organizations still fail to estimate that data is one of the most precious resources and pays too little attention to its protection. Although we, like other advanced countries in this field, have all the technological tools, unfortunately we do not use them, ”says T. Burba.

The most painful blow – to reputation

So why do Lithuanian companies still risk their data security?

Mr Burba has an explanation. “Because we still do not realize that security is one of the most precious resources, the loss of which causes not only material but also reputational damage. This is due to cultural peculiarities – we almost never pay attention until we suffer personally. Insufficient assessment arises from the fact that no practice has yet been established in Lithuania, which directly affects the undesirable consequences, ”says the IT specialist. According to him, the leakage of the company’s data causes a lot of inconveniences, but the main problems are two: paralysis of the company’s activities and a very strong blow to the reputation.

“In the first case, in the event of an incident, the company may lose intellectual data – the” know-how “on which the organization’s business processes depend. In the second case, it is likely to suffer reputational damage. Crisis management requires several times more than investing in data security. Also,
organizations will also face penalties. In both cases, the existence of the organization may be threatened, ”T. Burba does not doubt.

At that time, programmers themselves, as the interlocutor explains, usually use illegally obtained data for blackmail in order to obtain monetary gain.

“The main goal of programmers is to make a profit. The stolen data is used to blackmail the company by offering it for redemption, it can be offered for purchase to competitors or sold to the public, thus giving a blow to trust in the company, ”says T. Burba.

Global trends

As L. Apynis says, such and similar cyber attacks against business in global practice are also not new. ESET specialists have analyzed a number of well-known cases outside Lithuania.

“It simply came to our notice then. One example is a data leak from a large telecommunications company, T-Mobile. One of the employees misappropriated more than 1.5 million customer records and tried to sell them. Following such cases, DLP (Data Loss Prevention) and
additional security solutions hired by third-party audit and security firms that deal with corporate security. Another example would be the Snapchat, a social network for video and photo sharing. The company has been hit by a common phishing attack, focusing on e-mail. to a letter allegedly sent by Snapchat manager Evan Spiegel. The letter asked employees to share confidential and payroll information. The employees of the company, who did not notice the scam, shared confidential data, ”says the IT engineer of ESET Lietuva.

There were more similar cases. Here is the 2015 Chrome’s Webpage Screenshot extension for screenshots has leaked sensitive data from its 1.2 million users. In the same year, Microsoft’s Xbox Live suffered a cyber attack when its security certificate was “hacked”, and in 2018. Fake banking programs have been detected in the Google Play online store that steal credit card information from people who use it.

“And while these are really widespread stories, not everyone, including Lithuanian businesses, has learned from them, because the wrong attitude still prevails -” big companies here, for me, this will definitely not happen, “T. Burba emphasizes.

Trying to get out of hibernation

However, with the increase in cyber attacks in our country, according to T. Burba, Lithuanian companies are gradually starting to show signs of interest in the field of data security.

“After the recent events in the country, there is a business interest in data protection solutions. There has been an increase in the number of companies wishing to conduct data security audits and assess opportunities to enhance security. Interest is viewed positively, but increased interest alone is not enough. Employees are in a hurry to change their passwords, but many organizations do not check that the system itself is inaccessible to third parties, ”says Heximus, head of IT.

However, according to him, there is no one-size-fits-all solution for cyber security, so a comprehensive approach to data protection by companies is necessary.

“It is necessary to strengthen network security with the products and tools offered by security solutions, to ensure only authorized access to data and to transmit data only through secure channels. Regularly back up data to secure locations and pay due attention to strengthening the qualifications and competence of data workers. Test the resilience of employees by periodically performing simulated phishing attacks. Following these recommendations, long-term results can be expected, ”says T. Burba.

Very often data theft occurs due to human error, so, as Mr Apynis says, it is important not only for companies to be sure of their data security to choose reliable security systems, but also to invest in the training of their employees.

“For example, ESET provides cybersecurity knowledge training and other security solutions. Company employees should be made aware of the compliance requirements of various provisions or regulations (such as BDAR) from the point of view of cyber security and comply with them in their day-to-day operations. The main purpose of the training is to draw the attention of the company’s employees to the importance of security for the company’s activities, their own and others’ responsibility for the actions taken. During the training, the company’s employees are taught to recognize emerging threats and how to protect against them when the company grants the right to work remotely, ”explains the ESET Lietuva representative.

Risks, according to the specialist, also remain with the use of protections installed by the manufacturer or free antivirus programs.
“The latter do not have certain important functions and can detect malware late when they have already done their job. Therefore, one of the most effective ways to protect yourself is to use advanced security software or a new generation antivirus program, ”says L. Apynis.

For all IT security issues, please contact: info@heximus.lt.