A cyber sleuth explains why you might be your own worst cyber enemy

When hackers struck, Vivien Bilquez didn’t get mad. He got even. He chose a career in cyber security.

By Alice Ratcliffe

Who knows what evil lurks in the heart of the net? At Zurich Insurance Group (Zurich), Vivien Bilquez has some notion about why people might wish to find their way unbidden into supposedly ‘secure’ sites and systems. As principal cyber risk engineer at Zurich, he works within Zurich’s newly formed global service business unit, called Zurich Resilience Solutions (ZRS), providing risk management services to companies.

He became fascinated by cyber security when, at age 17, a website he had set up was attacked. “Hackers replaced my homepage with a black skull – a website defacement,” he recalls. The hackers had gotten his password via a phishing ruse, employing a fake authentication page of the company that hosted his site. It was a lesson in how easy it can be to destroy someone’s sense of security. It motivated Bilquez to find out how hackers work, and if possible, make things a little harder for them.

Time is of the essence

At Zurich, he frequently works with corporations large and small, helping them to become more resilient to cyber threats. Some of his recent work has included advising offshore wind farms, where risks from cyber issues may include business interruption, and also potentially the need for very expensive repairs caused by physical damage to equipment in the middle of the sea if something does go wrong. Bilquez, along with a global team of 20 cyber specialists, also helps large commercial entities to understand and monitor the cyber security maturity level of their subcontractors.

“Often, breaches originate with subcontractors and third parties, which might have access to confidential and personal data,” says Bilquez. His team offers crisis management preparation, which can include a simulated cyberattack. In any case, “it’s better to be ready. The quicker that companies react, the more efficient the response, and that gives them potential to lessen the impact.” Shockingly, he says, it can take a long time – up to seven months on average – for a company to even detect that they are under attack.

Note, too, that a timely response is of the essence, not least due to recent legislation that increases companies’ responsibility to report data leaks. The European Union’s General Data Protection Regulation (GDPR) introduced in 2018 requires EU institutions to report certain types of data breaches within 72 hours of becoming aware of them. In a similar approach, Switzerland has also introduced new laws, which, starting in September 2023, aim to better protect personal data.

Encouraging news for SMEs

For Zurich Resilience Solutions (ZRS), the focus today includes advising companies on ways to spot and address cyber risks, a service that is independent of providing insurance coverage. To secure insurance, companies need in any case to demonstrate that they are fit when it comes to cyber security. Especially for small and medium-sized enterprises (SMEs), this can be a challenge.

“When an SME starts to approach cyber risk, they are often lost. We can make the process simpler,” says Bilquez. The biggest risk is that, lacking support, “companies won’t do anything. We can change that.”

To assist customers and mitigate threats, Zurich and the ETH Zurich University have published a study outlining the most important things companies can do to more easily and effectively reduce cyber risks. The study identifies 10 ‘controls’ that could help reduce the likelihood of 70 percent of the most frequent types of cyber attacks. These range from ultra-simple but highly important cyber awareness to governance practices and risk monitoring, including in SMEs.

Factoring in humans

Cyber security may seem like a technical discipline, but as with much else in life, individual humans play a big role. Their behavior can keep a company safe or amplify the risks. Most of us know not to click on links without first checking the sender’s email address, but it’s easy to forget now and then. And we know that a strong password, and using different strong passwords, and frequently changing these strong passwords (emphasis on the word ‘strong’), can help. But this isn’t automatically going to keep people or the companies they work for safe.

Given the human risk factor, it’s wise to include psychology and risks of social engineering in risk assessments. Hackers prey on people’s emotions, and studies have also suggested the days of the week when we are most likely to be hacked (probably Mondays) and favorite passwords (‘guest’ and ‘123456’). And don’t take anything for granted. Ask questions. One hack into a U.S. company involved a fish tank thermometer. Apparently, the hack may have been discovered only when security experts wondered why the fish tank was communicating with a remote server in Finland.

Besides using secure passwords, minimal security demands multifactor identification, one which includes, for example, a biometric ID, or soft tokens that produce a single-use log-in code. Yet even that’s not enough. We are generally not as safe as we’d like to believe. To prove this point, outside of work, Bilquez says he has even hacked into a friend’s mailbox – with their permission, of course. “It took me all of 20 minutes,” he recalls.

How do you get a job like that?

Keen to work in cyber security? The good news is, there are many ways to prepare, whether it’s gaining a solid background in IT, risk management or legal and compliance. A skilled cyber security specialist needs “a helicopter view,” according to Bilquez. He compares the field to medicine, in that the variety of disciplines is almost limitless. Some jobs are very technical, and others are more governance related. “Cyber security involves IT, but also a wide range of knowledge, ranging from governance to sales and marketing.”

The path to becoming a cyber security expert is not always linear, either. Bilquez’s first passion in his youth was for French rock and roll acrobatic dance. As a youngster, he also learned programming on his father’s Victor personal computer, a PC still fondly remembered by fans long after it disappeared from the market. At a certain point he decided to focus full-time on ‘geekiness.’ This led to a master’s degree in computer science with a cyber security specialization. During university breaks, he volunteered as a cyber security expert in France – a ‘Gendarme Réserviste’ – even receiving a medal recognizing his contributions.

Bilquez is especially proud that, after finishing his degree, he continued to teach cyber security to university students at his alma mater. “Sometimes I was also learning from my students. By teaching and making cyber security concepts easier, it helped me to get deeper into the subject matter, forcing me to explain it to others in simple terms,” he says. After graduating, he worked as a security specialist for various companies before joining Zurich.

Technology is not standing still. It’s hard to read any news today without finding stories demonizing or praising artificial intelligence (AI). As tech grows more sophisticated, so do the cyber attacks. In one recent case, a voice generated by AI software duped a hapless UK director into transferring over USD 240,000 to a criminal account. The crime was discovered only when the real person and the ‘deep fake’ were both speaking simultaneously to the same director from different phones.

“The job is always evolving,” says Bilquez. “Security is a race. You can’t stop running.”

Key takeaways

  • Keep people in the picture: the human side of tech can be the most vulnerable.
  • Ask questions.
  • Consider risks to your subcontractors and suppliers.
  • Use secure passwords, changed often, and multi-factor identification.
  • Plan ahead to respond rapidly if a breach is detected.


Photography: Daniel Bürgisser
