Security evangelist: you probably spend more money on coffee than data protection
Ondrej Kubovič has been working as a cybersecurity awareness specialist for 5 years. His career path did not lead him straight to the IT sector, however. For many years, Ondrej worked as a journalist. And money was not the reason he left journalism.
Ondrej Kubovič has no doubt that salaries in IT are higher and that journalists are underpaid. But money was not the decisive reason for him to dive into cybersecurity.
“If you don’t like sick people, you can’t become a doctor. If you don’t like programming, technology, then don’t go into IT, it is not going to work,” said Ondrej. He has been working for ESET as a cybersecurity awareness specialist for 5 years. During an interview with CyberNews, he not only explained his career choices, but also reflected on the cybersecurity situation as a whole and gave some advice on how to protect ourselves online.
Why did you ditch journalism and how did you become interested in the IT sector?
It started long before any studies. My father was working in IT, he was a sysadmin for 20 years. We were playing with computers back at home. I was addicted to video games when I was young. It was something that I liked to do all the time. Which brings you naturally into the operating systems and settings: you have to install, uninstall, set up your device. That gave me proficiency with computers, devices, and new technologies. I was studying mathematics and physics in high school, and only after that, I moved to journalism and political science. I was always interested in politics, I have been reading the news since I was young. When I started working for the news, I was also working with the topics mostly related to homeland security, defense, and also cybersecurity, which were often connected to technology. And these three topics often overlapped. I was writing about malware that companies found. So this was my first step towards this direction, the first one to become a professional in IT.
Do you miss journalism? Do you miss being part of the media?
What I miss is that you are responsible for everything that goes out there. Your name is sitting under the title so everyone knows that it was you who wrote it. When you are working for a company in the private sector, a lot of things undergo review, you have to get used to the cycle and the process is much slower. On the other hand, what I don’t miss about journalism is that you don’t have enough time to prepare your articles. In IT, sometimes I have weeks to prepare an article, I have all the data, I can talk to experts and get all the information I need so that the article, in the end, is polished. When you are a journalist, you have two hours to produce an article, you just put something together and it has to go out.
Your profession is security evangelist. Please explain more about what it means.
I prefer to call myself a security awareness specialist. We are trying to take everything that our researchers find through a filter and find what is interesting for the media. My job is to take their findings and adjust the language so that everybody can understand. It’s mostly writing articles, creating presentations, also some speaking so I’m traveling around Europe mostly, giving talks.
So you are learning a lot? To translate everything for the general public you need to have a good understanding of it yourself?
I train by practicing. For the past five years, I’ve been talking to experts every day, so most of my knowledge in security comes from my human contacts. I’m also trying to read everything, for example, reports from competitors and big bodies such as the FBI, Europol, etc. So I am just trying to put a picture together of the whole cybersecurity environment and compare it to what we know from our data, ask the experts here, and try to come up with an understanding of what is going on and what we have to say in those regards.
As your job is to raise awareness, do you see enough awareness among businesses, among people? Do they know how to protect their data?
There are a lot of efforts out there, a lot of companies and people are trying to raise awareness. At the same time, I am surprised how easy it is sometimes for the bad guys to get into the system. People still make the same mistakes. Just to name a few, for example, publicly available RDP (Remote Desktop Protocol), so anybody can brute-force their way into your network. And if they know the easy password you were using, they can get inside your network. This is just one example. We see a lot of cases, and these often result in ransomware infection. It is a simple mistake at the beginning. And we see this every day.
Is the number of incidents rising? Has quarantine and remote work had an influence?
I would not say that the quantity of attacks is growing. The form of the attack changes. The RDP I mentioned jumped from 40,000 clients who reported RDP attacks to almost 110,000 attacks per day. I would say it was connected to the pandemic. People are working from home, a lot of them connect remotely, a lot of IT departments just set it up quickly, because they needed the company to continue business operations and they didn’t have time to secure everything properly. So, a lot of companies became open for these kinds of online attacks. They opened their ports and the attackers could misuse this. Cybercriminals are watching the latest trends and try to get the most out of it.
IT is one of the sectors with high-paying jobs. And it is one of the reasons why young people want to get into IT. Was it an argument for you too? A journalist's and an IT specialist’s pay differs significantly.
It wasn’t a decisive argument for me. At that time as a journalist, I said to myself that if I want to work for another company, not in journalism, it is going to be ESET. I wasn’t looking for another job, I was happy being a journalist, I liked this type of work, even though it was exhausting and underpaid. It is an argument when you are deciding in the beginning. Sure, in IT you will get more money, but if you don’t like this type of job, you are going to get bored or burned out. You cannot become a doctor and at the same time not want to help people, to cure them. If you don’t like sick people, you can’t become a doctor. If you don’t like programming, technology, then don’t go into IT, it is not going to work. You are going to be tired and the money is not worth it.
As a cybersecurity specialist, do you feel that your data is safe and protected?
I am trying to follow all the advice we are giving. But we have a saying here - if an attacker wants to get into your system and steal your data, he will. There will be a lapse in your security that a bad guy can misuse. If you have anything that is of interest to the attackers - your credit card data, social media credentials - you need to protect it. Start with strong passwords, add two-factor authentication (2FA). I am trying to do them all, but I’m not perfect either. So, if you are looking for one vulnerability in my security, sooner or later you would surely find one. I’m sure of it.
Have you always been smart in protecting your data? Now we are all more aware of the threats, but it wasn’t so five or ten years ago.
I wouldn’t say I was smart. Nobody is at first. No one comes to this earth being smart about everything, and security is one of those things. That is why people like me have a job. I can teach people what to do, how to stay secure. For example, I have been on Facebook since 2008. And I remember that back then we were writing about everything - vacation, posting 5 pictures every day, informing where you went, if you were in a relationship, etc. All this information was on my profile. Right now it is private, most of that information is not there anymore and I post maybe once a year. I am not comfortable with sharing almost anything on social media, because I feel that is my public face and I do not like the idea of sharing private information and moments. So I have changed a lot. I added a lot of security layers to my profiles, online accounts, and my digital identity. And I started to think differently. I also started educating my family, my friends.
So you don’t feel comfortable about sharing your info. But others do. And people like to brag about the places they visited, the restaurants they went to. What is the worst thing that can happen if they continue sharing?
You need to set your account correctly. It’s fine if you are OK with all the risks, with people knowing you are going on vacation. You have to understand that you are communicating that you are going to be away for two weeks because you are traveling to Thailand, somebody can understand that your flat is going to be empty, some burglars can misuse this information. It might sound like something that will never happen, but there are cases when this has happened. So we need to raise awareness. So if you are sharing photos, look for what is in the background, what is on the table, are there any documents, any IDs. Those things should not be in your photos. You should also think about other people and their privacy. You don’t want to share the photo of the license plate of your friend’s car or some other private information they wouldn’t want to share. Social media is building your profile and this is used for advertisement. Are you OK that a lot of advertisements will be personalized? Private life is something I treasure, and I am not going to share it with everybody in the world. To share something with my family, I use encrypted services. You can use Signal, WhatsApp, and upload a photo of a child and send it securely. You need to use security tools and need to know who you are sharing it with.
On your profile, you said that you hate it when someone in your family installs malware and you have to fix that. Does your family know how to be safe online?
If anything doesn’t work, if something doesn’t work correctly or looks suspicious, my mom is always calling me and asking whether she should open this, delete that. I am always trying to be the first security layer and advisor. But to be honest, it all started with my father. He, as a sysadmin, was always very security-savvy. For example, for years he kept our home wifi really well protected – difficult to find and connect to. My mom and sister hated those security measures, but he didn’t budge and kept them in place.
Isn’t this the problem with cybersecurity? People want to be protected but at the same time, they don’t want to go through all the necessary trouble and invest money.
I understand that. On the other hand, I would say that cybersecurity has changed a lot in the last few years. Back then, to use 2FA you had to have this special card or hardware reader. Today, it is just a pop-up on your screen you don’t even have to copy – you just need to click it. The security industry is trying to make this easier for people but on the other hand, people need to understand that they need to take this extra step. It is not going to work just by using a short password. Sometimes, people don’t want to hear that and they are taking the risk. And when something bad happens, it’s already too late. You should do it in advance and be safe. Otherwise, you wait for the incident and have regrets.
And about the price tag on security solutions/tools. The industry is trying to help users. They are making products subscription-based, cheaper and cheaper, it’s only a few dollars or euros per month. How many coffees do you buy in the coffee shop during the month? Whatever you spend on coffee is probably going to be higher than what you spend on security. Coffee is giving you a kick for an hour but security is protecting you for the whole month.