Assoc. Prof. Dr Kęstutis Driaunys: Cybersecurity Is a Continuous Process With No One-Click Solution
Cyberattacks are constantly evolving in form and content ‒ from the first pop-up ads promising a chance to win a new mobile phone at the click of a button, or emails about a long-lost relative’s inheritance, to more sophisticated schemes such as messages that appear to come from your bank, contain active links and request a password change. Moreover, you may soon expect scammers to replicate a familiar person’s voice in fake calls in an attempt to steal your money.
So, how should we recognise cyberattacks and avoid them? What is their impact on organisations? What are the remaining gaps in our cybersecurity approach? Assoc. Prof. Dr Kęstutis Driaunys, a researcher from the Institute of Social Sciences and Applied Informatics at Kaunas Faculty of Vilnius University, has the answers to these and many more questions.
Researchers equip organisations with cybersecurity skills
The research carried out by Assoc. Prof. Dr Driaunys’ team focuses on digital content analysis and phishing attacks on organisations. Various institutions and businesses therefore often hire the researchers to gather information, profile the organisation, or conduct social engineering attacks against it.
"Our business and public sector clients are primarily offered training services that extend beyond educational content. First, we dig deep into the organisation’s profile and activities and then perform the necessary tests (social engineering attacks and simulations) before providing the training itself. This is how we check the effectiveness of organisational processes and communication. In other words, we assess not only the clicks on malicious links but also whether such attacks are reported and who is informed," says Assoc. Prof. Dr Driaunys.
After more than 20 years of studying cybersecurity, the researcher has observed a shift in public attitudes towards it, mainly driven by the ubiquity of digital technologies and communication on cyberattacks.
"All of us have faced cyberattacks at some point: from news reports to stories shared by our friends or acquaintances, and even our personal experiences. These attacks vary in nature and include invitations to invest in different fraudulent financial platforms, scam calls asking for money transfers to specific accounts, catfishing on dating platforms, and other methods. Therefore, most of us are now familiar with such attacks, which makes us less likely to fall for scamming tricks," notes the researcher.
Cybersecurity as an integral part of our daily lives
The researcher notes that participants in the training sessions he and his colleagues conduct for employees of companies and institutions often expect that there is a one-size-fits-all solution, some kind of programme that can be installed, or some secret rule for safeguarding against fraud attacks.
"People are often critical and reluctant to engage in training as they believe there is a universal 'magic button' for data protection. However, I have to disappoint you ‒ that button doesn’t exist," says the Associate Professor.
It is much more important to see cybersecurity as a routine part of our daily lives. Just as we know about the health risks of fast food and a sedentary lifestyle, we should also understand that neglecting key steps in cybersecurity can be detrimental.
"We need to establish guidelines for the effective management of technologies and determine rules or even specific processes for dealing with certain situations. Failure to follow these rules usually results in greater damage. Therefore, everyone should consider what their most important data is, whether it is secure and who else has access to it, as well as what would happen if it is lost or exposed – in which case, who should be informed and what actions should be taken," explains the researcher.
Cyberattacks: from phishing links to invoice fraud
When speaking about the main features of cyberattacks, Assoc. Prof. Dr Driaunys notes that the current trends mirror those across the EU and are primarily linked to social engineering.
"The Nigerian Prince scam in English is no longer effective today, so we no longer anticipate this type of attack and tend to ignore such messages. However, we now have sophisticated phishing attacks targeting Lithuanian speakers. They are highly advanced and particularly challenging to detect," states the researcher.
Rather frequently, we get messages with attached links claiming to provide details about supposedly received fines or packages awaiting pickup at the post office. When asked about the threats of clicking on such links, the Associate Professor warns about specific risks, including potential software installation or file downloads.
"The most basic trick scammers use is redirecting you to a website that can collect your personal information. Even without additional actions, they gain extensive insights into consumer data. Scammers frequently ask the intended victims to fill in a certain form or reset a password. Traditional phishing directs users to login forms for various systems. They can simulate any login forms, whether for a bank, a university, or any other institution," remarks the researcher.
Numerous cases of fraudsters receiving payments for real services or goods intended for those organisations have been reported. According to the Associate Professor, these attacks exploit vulnerabilities in public sector systems. In the public sector, procurement is conducted through public tendering processes. Thus, the public procurement information system provides information on all transactions, including contractors and even invoices received.
"Such documents containing contact and other company data are publicly available. Therefore, fraudsters easily exploit such ready-made invoices to deceive public sector organisations by altering account numbers. Amidst the heavy workload, the organisation’s accountants may sometimes overlook such minor discrepancies in bank account numbers. Unfortunately, we still lack procedures to check and identify fraudulent invoices. So, we can conclude that transparency is actually what backfires in this case," he notes.
Damage caused by cyberattacks
While large businesses are enhancing their cybersecurity efforts, small and medium-sized companies are still lagging behind. Introduced in 2018, the General Data Protection Regulation (GDPR) sets out the regulations and requirements, yet many organisations struggle to understand and adhere to them.
"Lithuania’s situation closely reflects the global statistics. Around 60% of small companies tend to shut down within six months after suffering a cyberattack due to insufficient recovery resources. Medium and large businesses operate differently, as they can allocate more human and financial resources. The situation is expected to change as of October 2024, when the EU’s Directive on Security of Network and Information Systems (NIS Directive) is implemented in Lithuanian law. More than 16,000 of Lithuania’s companies will have to comply with this Directive," says Assoc. Prof. Dr Driaunys.
The impact of cyberattacks on businesses includes financial and reputational losses, along with potential fines for data mismanagement. Another crucial point is that the failure of enterprise systems leads to disruptions in all business operations.
"We had a case where a public sector organisation was hacked and faced two weeks of downtime due to a cyberattack that disrupted their email and other systems. It is also important to note that companies receive hefty fines for concealing cyberattacks and data theft, exceeding regular penalties for data protection failures. It is a pity that businesses often fail to step up their cybersecurity oversight even after experiencing an attack," he states.
Tips for preventing cyberattacks
Existing cybersecurity models can be helpful in analysing and assessing the cybersecurity process. Start with preventive measures: do not disclose excessive personal information, and follow digital hygiene rules regarding passwords, authentication, or backups.
"Companies are less and less likely to publish employee contact details on their websites, as they realise that employee email lists create abundant opportunities for scammers targeting the organisation. Public sector entities still make this data public, which, in turn, leads to increased attacks. Of course, don’t forget about LinkedIn, which serves as a treasure trove of work connections and other data for potential fraudsters. Thus, one of the preventive strategies is to conceal this data. The second strategy is hardware and software that analyses and filters incoming information, blocking fake messages from reaching employees," claims the researcher.
There are also some effective tools for halting cyberattacks once they have already occurred. One such tool is a DNS firewall – a free public service provided by the National Cyber Security Centre.
"This firewall blocks access to recognised malicious websites when employees click on deceptive links. Some attacks can be stopped by antivirus or internet security software that analyses incoming traffic to organisational networks," explains the Associate Professor.
The third strategy covers the measures taken in response to successful attacks, as some of them manage to breach the first line of defence.
"We need to be clear about what we are going to do with critical resources, have data backups, and use multi-factor authentication methods. It is also crucial to use tools that report data breaches (e.g. those related to passwords). This can help us to take fast action and swiftly change compromised passwords to minimise risk. Therefore, cybersecurity steps include prevention, defence, and response to attacks," says the researcher.
Artificial intelligence and the future of cybersecurity
The growing integration of artificial intelligence (AI) tools and algorithms also extends to cybersecurity. Together with his colleagues, Assoc. Prof. Dr Driaunys is conducting research to explore AI applications for risk assessment.
"We aim to use AI to analyse digital content and collect potential evidence. So, we employ AI for network monitoring, detecting anomalies, and identifying cyberattacks," says the researcher.
Conversely, AI is also leveraged to create cyberattacks despite the existence of counter-tools. One of the most pertinent examples is the use of AI in social engineering to produce deepfakes.
"Today, we get alarming calls from strangers about fake emergencies, yet we must get ready for even more deceptive schemes ‒ scam calls imitating the voices of our loved ones. They can go even further by sending a pre-recorded video of someone close to you, requesting that you transfer money to their bank account or take some other actions," he adds.
The Associate Professor recommends using a phrase or a code word to verify identity in such conversations.
"Code words can help ensure, especially in unexpected situations, that we are really talking to that person. The rise of AI and the abundance of personal data (video and audio recordings) enable the development of models that can mimic a particular person. That is why, in the future, we will have to be extremely vigilant to avoid falling victim to fraudsters," concludes Assoc. Prof. Dr Driaunys.