Tallinn, October 2018
What do you do if you find a flash drive in the parking lot of your office? Do you always log into open Wi-Fi networks? Or how do you protect yourself from shoulder surfing? The Estonian cyber security company CybExer Technologies has created the world’s only e-learning platform, which uses simple questions to show any participant their personal cyber weaknesses, which could tomorrow result in an attack on the person or hospitals and factories or even the entire country’s economy.
The CybExer Technologies showroom in the center of Tallinn is dead silent. Estonia’s top politicians sit at their laptops, their eyes boring holes in their screens. There is tension in the air as if it were an exam. However, there are no “fail” marks in the cyber hygiene test by CybExer. Everyone succeeds here. It can be said without exaggeration that this test can save the parliamentary elections that are to take place in Estonia in 2019.
“What is two-factor authentication?” The silence is broken, and Klaid Mägi, the head of the Cyber Threats Division at CybExer, flies to help the politicians. The e-learning has reached the question stage: do you use additional authentication to protect your e-mail or social media accounts; that is, a unique code you receive on your phone so that no-one else can get to your account without it? Having had extensive experience in dealing with the Estonian state’s cyber crises, Mägi knows that experts’ only reaction to this question would be a facepalm. Because how can it be that in 2018, when hundreds of thousands of attacks for hacking people’s accounts take place daily on Facebook alone, one is not aware of such a simple security measure? But Mägi is patient and not quick to judge because only patience will get you to the goal.
“Sadly, it will get you nowhere if you keep repeating dry warnings and instructions. If we want people to start genuinely worrying about their cyber hygiene, in addition to raising awareness we need to change their attitude and mindset,” Mägi says. “In 1994, when those who fastened their seat belts would be ridiculed, 364 people died in road accidents in Estonia. In 2017, when fastening your seat belt had become a natural thing to do, there were 48 deaths. Making people finally understand that one simple action was necessary to save their own lives and those of their loved ones was a long process, which required patience. Our mission is to reach the same results through our test. We want people to feel responsible after taking the test and to be aware that their poor cyber hygiene can cause a crisis with unpredictable consequences.”
The mission is driven by reality: by 2020, there will be around 30 billion gadgets online, including smart watches and teddy bears as well as the high-technology equipment of large-scale production facilities and nuclear power plants. But a criminal war is already raging in cyberspace on a scale never seen before.
For example, approximately 1,800 people are said to fall victim to cyber crime every 60 seconds; every minute, 5,500 data leaks are believed to take place while losses of a total of 1 million euros are incurred by the victims.
“No-one knows the exact answer, but one version says that cyber criminals caused a total damage of 450 billion to the global economy in 2017. For the sake of comparison, Estonia’s national budget this year is 10.5 billion,” says Janek Gridin, member of the board of CybExer Technologies. “It is companies that feel more and more pressure from cyber crime, and attacks on servers protected with firewalls are a thing of the past; these days, companies are being hacked into through the accounts and devices of careless employees who, figuratively speaking, don’t know how or don’t think it necessary to wash their hands during the flu season. Unfortunately, people still haven’t realized that their own indifference and negligence can let a virus loose which can, in the end, disrupt the work of transport networks, banking systems, hospitals or retail chains, which is exactly what happened in 2017 during two major waves of cyber attacks in several parts of the world.”
CybExer’s mission started in the spring of 2017 without much publicity or presentations. The news that something really special had been developed by an Estonian company was revealed by none other than the Ministry of Defence of Latvia, which had implemented the test for improving the cyber security awareness of its employees. Estonian universities, hospitals, banks, small and large companies, production facilities, ministries, government authorities, and foundations followed suit. Last spring, CybExer’s e-learning platform was employed by the Estonian Information System Authority to improve the cyber hygiene of thousands of government officials as a part of their preparation for the country’s presidency in the European Union. Eighteen months after the launch of the mission, the e-learning environment licenses for 200,000 people have been purchased in Estonia alone; the number means improvements in the cyber hygiene and attitude of a third of the state’s population of working age, and this storm is not about to subside.
“Cyber hygiene tests should be taken by all members of the parliament at the beginning of their term of office,” says one of the most prominent Estonian politicians, Keit Pentus-Rosimannus. She was one of the top politicians to have taken part in the journalistic experiment organized by the digital news portal Geenius in collaboration with CybExer, which was triggered by the news that the Information System Authority was organizing a training session on cyber security for the leadership of all political parties before the spring elections. Geenius and CybExer would not spend another day waiting, though, and had politicians face the test, which has by now been translated into 11 languages of the world.
What is the essence of the CybExer test phenomenon? It is, above all, game-like, because each participant faces real-life situations and answers how they would try to avoid a small or more dangerous crisis in the digital world on the basis of their personal experience. However, the most important feature is, as we have already mentioned, that it is not a test built on the classical pass or fail principle. At the end of the e-learning session, CybExer compiles the user’s personal risk analysis of their strengths and weaknesses and provides recommendations on how to protect themselves from specific cyber threats with little effort. Moreover, each employee’s personal risk area is used to make a ‘drone-mapped overview’ of the major weakness of the company. The company’s cyber security specialists can then use it to decide how to help those employees who read personal e-mails on their office computers, process company data on personal devices or download things that can hide malware behind a pretty picture from unknown internet sources.
The experiment with politicians brought no surprises. There were those with very good cyber hygiene and those whose patterns included numerous risk indicators marked in red. The question about two-factor authentication was mentioned earlier, and some still have no idea what a secure password is. Social media chats, which can easily be attacked, are used for delicate work-related conversations. Attachments to fake e-mails get opened without a second thought, and passwords are given to assistants, although the last two types of situations became crucial for John Podesta, head of Hillary Clinton’s U.S. presidential campaign, in 2016.
“The Estonian parliament is a cross-section of society, which also means that people’s knowledge about cyber hygiene is comparable to that of the politicians,” Geenius quotes Mailis Reps, the Minister of Education and Research, who took part in the experiment.
What’s next? The foundation has been laid for changing our mentality and opening our eyes. CybExer and the experts working for it have enough patience. The mission continues.