How to Defend Your Company from a Cyber Attack: Q&A with Juraj Malcho

Juraj Malcho, the CTO of cyber security company ESET, talks to In The Future about how corporations can improve both solutions and policies in order to stay secure, especially in light of recent malware attacks.

Conversation has been edited and condensed for clarity and brevity.

When the WannaCry ransomware attack hit a number of high-profile systems last year, it exposed profound vulnerabilities throughout different computer networks. Still today, the loss from the attack is taking a financial toll on some of its targets. Whether organizations are prepared for these kinds of attacks has become an essential question for boardrooms around the world. According to cyber security expert Juraj Malcho, many companies, from top to bottom, need to better understand the risks associated with new technology—and create more airtight policies that employees can easily follow, in order to avoid future attacks on their computer networks.

Malcho has been the CTO of ESET, the largest security vendor in the EU, for two years. In the 14 years he’s been with the antivirus and security solutions company, he’s seen it grow from just 25 people to some 1,600 employees. He’s responsible for the company’s technical operations and for helping to provide ESET’s wide range of clients with tailored, automated security solutions. Malcho talked to In The Future about how companies should approach cyber security, and the vital questions C-level executives need to ask themselves when onboarding new technology.

In The Future (ITF): What’s the first question that companies need to ask when approaching cyber security solutions?

Juraj: If you want to be a modern company and you want to use the full potential of anything out there, the first question you need to ask yourself is what your expected benefit is. If new technology works for you, what is the benefit—and if it fails, what is the damage? The cost that you invest in your defense should be proportionate to the assets that you’re protecting. Companies that are exposed might need several layers of different solutions, because they have something valuable to protect.

ITF: What are the fundamental metrics that companies should use to gauge their security plans?

Juraj: Looking at potential security problems, companies need to focus on the three P’s: products, policies and people. With products, companies need to ask themselves what types of devices should be allowed and where they come from. Have they previously been tested? Do they come with default passwords? This is a basic risk assessment. Product is the number one thing—you need to know what you’re going to allow.

ITF: The Internet of Things (IoT) is particularly susceptible to security risks—how should companies approach adopting IoT technology?

Juraj: When you’re talking about IoT, you need to address what we call BYOD: Bring Your Own Device. A lot of gadgets are popular now and people often bring them to work, so companies need to figure out which gadgets are allowed in the office. This ties into policies. Then, we have people: companies need to educate employees about using new technology.

ITF: How can C-levels ensure their network’s safety when they’re onboarding new IoT technology?

Juraj: In large corporations that are not IT-related, we know that senior management is often not computer savvy. Of course there are exceptions, but we do hear this all the time. People just don’t get why they should care. Education from top to bottom is the number one priority, so that people understand new devices tied to IoT. They need to know how easily they could be misused if you connect them at any place, to any Wi-Fi. There are significant risks if you don’t ever bother with updates or if you don’t use basic password protection. Each new piece of technology is another potential vector for attack in a company, and the important result of education is an understanding of that risk. Then we see a shared responsibility over how the office behaves.

ITF: The concept of BYOD sounds relatively simple—but is there a catch?

Juraj: BYOD can be great, and it can save money while increasing comfort for employees—but that being said, companies need to know what’s on their network. We need to understand that if employees bring their own devices, part of the devices’ functionality needs to be blocked. The devices can’t just be sitting there completely open. Looking at other things, like long and proper passwords or two-factor authentication, there are a number of different ways to increase protection. Policies for protection should be written down and also enforced. Enforcement is sometimes forgotten, and I’d like to stress that security is about what you know and what you practice.

ITF: Then how can you be sure that implementing a BYOD policy is right for your company?

Juraj: As a security company we’re by nature paranoid, and we dub it Bring Your Own Destruction. What that means is if you don’t care about setting it up right, things will go wrong. There are good reasons to do BYOD: it’s economical. Let’s say you have 1,000 employees and you need all of them to be available on their mobile phones. You either need to buy 1,000 phones or let them use their own. If you let them use their own, you need to start caring about the devices and which applications are installed. You need to be super confident about knowing if those devices are too old, if they’re not jailbroken and if they have a reasonable patching policy. You need to make sure those devices cannot be easily attacked.

ITF: From your experience at ESET, which types of companies are generally more susceptible to attacks?

Juraj: We’ve seen that the smaller the company, the more problems they have with security basics. They don’t have dedicated personnel, or they’re growing and just starting to realize there are security risks. I think that awareness is going up. It would be a shocking surprise if, after all the visible attacks, especially those mentioned in the media, companies didn’t take more notice that there’s certainly a problem with IT security. Attacks don’t have to be sophisticated, and they can have a devastating impact on your end. Last year opened a lot of eyes to this.

ITF: How does a company make a final call on whether new technology is too risky to bring in?

Juraj: The bottom line for companies is if bringing in new devices is going to make a profit, then that technology should be used. But you need to know about the devices and also the vendor—can they fix things quickly and deliver the patch—which is essentially your disaster recovery plan. Let’s say your new platform is going to be down for one day: are you reliant on this 100% and will you stand still for one day, or is it just supplemental? Can you move to something else if it goes down? These are the questions that need to be asked. It’s not straightforward in that you can itemize new devices on a list with price tags; instead, devices should be categorized as low risk, high risk and so on. All of the security best practices need to be considered for every type of device.

ITF: What is the one most important piece of advice you would leave with a C-level about understanding cyber security?

Juraj: Don’t believe the hype and don’t be lazy. There’s a lot of marketing in our industry these days, and people are coming with yet another silver-bullet solution. There is no silver-bullet solution to security—security is hard. Your adversary sees the solution and they are going to break it apart and learn how it works. You need to look for something that works for you. Build your defense and make sure you trust that it works. Keep in mind that security is like a chess game. If you don’t know the rules or don’t pay attention, you’re going to lose—and you cannot get comfortable. If something sounds too convenient, it’s probably not secure.