Interview
Do you consider current cybersecurity (CS) education in Czech Republic sufficient?
Based on our company’s practical experience it’s not sufficient. We develop software for economic agenda and human resources and with our 6000+ mostly public sector customers CS problems very often emerged. Mainly huge deficiency in behavior and perception of information technologies and therefore the fact that humans are the weakest link in the whole CS.
What’s the prevalent source of the mistakes users make?
Insufficient responsibility, there’s a lack of healthy approach to technical devices from smart phones to computers. We input a lot of data into them but before the cyberattacks became more common about 10 years ago, users have considered CS a purely formal issue. While they would lock sensitive data printed on paper in vaults or at least into a locked drawer, they didn’t pay that much attention to computer stored data. We must teach people the same common caution that makes them protect their homes or confidential information.
What specific precautions do you recommend to your customers?
We try to react to social engineering used by hackers and to instill basic habits – like using strong enough passwords, not hiding them under the keyboard or sticking them on monitors on post-its. Also, to choose passwords not connected with my environment, names of my family members, items in the office or out of vocabulary index. And of course, when leaving my office, to sign out and clear my desk from any work in progress. Physical security is also very important for companies, to lock your doors. But even self-employed people working from home need to gain certain habits, especially if they share their devices with others – not to let anyone sign into their admin profile or the need to encrypt data on their discs, especially at mobile devices. Electronic life without data encryption is actually impossible nowadays.
How do you fight with that?
As we are a software developer, we created a program to support security analysis and risk assessment at companies which is compliant with our CS laws, GDPR and ISO 27000. Thanks to that our customers can implement technical and legislative changes in the long-term never-ending process. We also offer online and in-person courses for adults and not only for our customers. Everyone talks about the necessity to educate employees in companies, but a lot of people are self-employed and there’s nobody who would send them to CS training, it’s up to them. Besides that, we participate at educational projects for the great public. For example the Kybez Initiative gathering technical companies and academical subjects, trying to spread a sort of a “CS spirit”– we offer i.e. educational interviews with various experts in this field. We also created a site called vimkamklikam.cz (I know where I clicked) designated for all age groups. It’s quite a shock when an adult customer openly admits he would click on anything at a given site without a single thought.
You work with adult users. What brought you to the idea to focus on younger generations?
When we started with the trainings for our users, we also looked around if there was any kind of CS education at elementary schools, high schools or even universities. And we found out that the level was very low. We started raising it in our region Vysočina where our CEO Jaromír Řezáč would prepare packages for first graders with rhymes, a first very simple introduction into how to properly deal with communication technologies. We also started with CS lectures for students at several high schools and a few schools oriented directly at CS even gained our direct support, both financial and know-how.
You have been also participating at the National CS Challenge since the very first year.
Yes, but its aim is different – to support and motivate talents already interested and experienced in the CS field. As members of the competition committee, we then offer to them summer courses or various internships at CS companies to further evolve. There’s a huge lack of experts in the professional world. But the participants of the National CS Challenge also give a lot to us. Thanks to their questions and reactions we gain an overview of how they think about informatics in general. And that’s what we try to pass along later to the other students that don’t show that much interest in CS.
You mentioned lectures for high school students. In which way you explain CS topics to them?
Mostly through real life stories and experiences, sometimes even from their peers, to make it more accessible to them. It’s not a boring classroom lesson. It’s not so important what topics we bring, in the end it always shifts into a discussion about topics they are most interested in. They start to elaborate on their thoughts and then we just try and motivate them to contemplate i.e., why they don’t lock their phones or why they spend so much time at social media.
In your opinion, what is the most important topic to contemplate about?
How to approach and perceive technology. Not to consider it from a pure consumerist point of view and to be aware of importance of our personal and company data, how to protect them and make accessible only to those we intend to. Today’s students got used to technology very soon and quickly, we call them electronic kids. At a very young age they enter social media with the help of their peers. But every friend can show them how to create an account, how to sign in and how to navigate. But they are not aware of the rest, especially how much personal data are they giving away there. What’s appropriate to share about yourself in a space where you can’t take anything back. Most of them don’t have any idea where the data are actually stored when they use social media or where it’s possible for anyone to look them up. They perceive it as something they simply have access to from their phones or they don’t think about it at all.
Which topics students regularly bring up in such discussions?
How exactly can you secure your devices and why – after all I have the phone on me and watch it all the time, they say. But just look around on public transportation and you see how many phones are unlocked without any password. Or you can just stand above someone sitting on a bus and you can see his display. If he uses some simple graphic password, it’s easy to spot it and then you just need to physically steal the phone. And of course, cyberbullying is a very common topic, some schools have direct experience. How to avoid it, how to protect yourself and how to maintain a mature approach to social media, not letting cyberbullying to break you down.
Can we even expect IT teachers to educate students in CS?
Recently I asked one IT teacher out of curiosity what they teach about informatics at her school. According to her it was Word, Excel, sometimes PowerPoint… I was wondering if she tried to explain what hardware is, basic components, so the kids would know i.e., there’s a hard drive where all the data is stored. She said it wasn’t that important. So, teachers manage to convey the application-level knowledge of most common products. Nowadays CS is such a specific and extensive field that we can’t really expect them to teach it.
A possible solution then might be a specialized course like swimming lessons?
There are special days at elementary schools when they invite over firemen, police, or rescue service to speak about their fields with kids. How to behave on a bike in traffic etc. They can invite an ethical hacker to explain how to swim in cyberspace. And of course, it’s necessary to educate teachers so they can spread the knowledge at schools. At this moment it’s not in their power and I think it should begin at the Ministry of Education which should give a strict legislative instruction. Our future depends on how we teach younger generations to live in the cyberspace-
That’s a powerful thought. Do you mean that human error factor can jeopardize further development of digital solutions like banking identity which can significantly simplify our lives? Or do you refer to a threat to society?
That’s deeply connected. I was referring more to the first interpretation – we need to teach young people how to properly handle technology, how to protect their data and responsibly decide what to share and what to keep only in physical form, never digitalizing it. For example, there’s a new government app in development where we’d be able to store all our documents, ID, driving license, maybe even birth certificate in a way we do today with Covid certificates. And some of the cheaper devices don’t follow very thorough security policies, don’t enforce every security update and it’s very hard to protect data between apps there. So, when a kid downloads a game with some hacker’s code, data from other apps can be mined. In such cases the risk would be too high, and I wouldn’t recommend using such application with sensitive data stored. And it also means to educate students not to download everything they stumble upon, but to think about what I use my phone for and what other apps are really necessary for me.
And the social side of view? Today, social media more likely intensify divergencies of opinion rather than support any real communication.
It would be beneficial to educate users how to behave on social media. People got used to express whatever’s on their mind if it’s not a face-to-face communication. Children are copying this from their parents or other kids, that’s also how the cyberbullying starts. They don’t restrain themselves to communicate online anything and in any manner. Some sort of ethics of social media behavior could be a part of elementary school curriculum for example during civics classes. I can imagine teachers being able to handle this without any deep technical knowledge.
Thanks for the interview