As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Tunio Zafer, CEO of pCloud AG — the company that develops and provides the pCloud storage platform. He has over 18 years of management and marketing experience in the field of technology, and has participated in a number of successful business projects such as MTelekom, Host.bg, Grabo.bg, Mobile Innovations JSC and others. As a leader and manager of the cloud storage company, Tunio promotes innovation in areas such as security and cost-effectiveness to end users. Tunio encourages forward-thinking throughout his team, working to make a significant impact on the rapidly growing IT market, for individuals and business alike.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I am a reader. I grew up being interested in science books. My first experience with a computer was rather late — at the end of seventh grade. Funny story, because of a rare chance to have an entire day with a computer, I missed my high school admission test. As a result, I had to miss an entire school year, after which I had to pass two academic years for a single year. Pursuing a career in technology came naturally in time. I studied Industrial Management in university, followed by Marketing Management, in which I have a Master’s degree. Today I have more than 18 years of professional experience in various Bulgarian IT companies, which have become leaders in their respective fields. pCloud is the most interesting and challenging project I’ve worked on so far.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
At the top of my head, I can’t think of a single story that inspired me to pursue a career in file security. Working on different projects throughout the years, I saw how information fuels change and how it’s becoming more and more valuable. On the other hand, there were all these companies handling important information irresponsibly and afterwards suffering the damage from the lack of good security. In times where information is more valuable than gold, I wanted to know that there is a service out there, which offers robust security without limiting usability. That’s also what inspired pCloud. My team and I wanted to build a highly-secure platform, where you can store your files and know that they are private and safe.
Can you share the most interesting story that happened to you since you began this fascinating career?
It’s 2015 and we’ve just released our encryption feature pCloud Encryption. We know that we’ve done a really good job and we want to show off. That’s why there were discussions about starting a hacking challenge (which we later called the pCloud Crypto hacking challenge). What really blew my mind was that — when we were discussing the prize fund — Anton, pCloud’s CTO told me that I could say whatever amount, because it’s impossible to actually hack the Crypto folder. We started off with 50,000 USD, then moved to 100,000 USD. We even had talks about announcing a million dollar prize fund, just because we know that we’ve done a good job.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
It’s not a single person. It’s the entire team that made pCloud possible — the people, who built the service from scratch. Actually, around 90% of the team that were part of the launch are still in the company. Developing pCloud was no small task. I can’t count the hours spent discussing and developing the infrastructure that now handles large volumes of data and traffic securely. I remember us drinking so many energy drinks during this time that we made a Christmas tree from the empty cans. It became a tradition. The team still makes Christmas trees from empty energy drink cans every year.
Are you working on any exciting new projects now? How do you think that will help people?
I’m fully devoted to pCloud at the moment. There are so many exciting features that we’re working on or discussing for the future.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I really like the open communication in the office and I have had cases in the past, where team members have suffered from burnouts. And I always say this — every time you’ve lost motivation and you feel a lack of accomplishment, remember that millions of people are using the service you’ve helped build. You’re saving millions of people’s time and your solutions are protecting one of their most valuable assets — their information.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Several things excite me about the industry. The final goal has always been boosting security without limiting usability. The thing is — we generate more information now than ever. It’s estimated that by 2025, approximately 463 exabytes would be created every 24 hours worldwide. Not only enterprises are realizing the importance of cybersecurity, small companies are also becoming aware. With the advancements in technology and this rapid information generation, security companies will need to get creative in the way they implement solutions. Security teams now have a lot to deal with and there’s actually a shortage of trained personnel. That’s why teams will have to permanently include security into their software development cycle. I’m excited to see the ways they do that.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
We’re living in times of rapid digital transformation. Like I said earlier, we’re generating more information than ever before, meaning that the impact of a cyber attack is going to become more severe. Meanwhile, currently companies are expected to deliver solutions so quickly, that even testing and compliance can’t keep up with the speed of delivery.
The traditional approach to security just can’t keep up. Cyber criminals on the other hand, have the time and the resources to observe and exploit software vulnerabilities. The cases where AI participates in a cyber attack are also becoming common. Ransomware has been one of the biggest threats for the past two years (and more) and I don’t see such attacks going away anytime soon. Phishing attacks also remain effective for stealing credentials and identities, because they exploit something else — human error. Unless people become more educated and aware, such attacks will continue to be evergreen.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We have a lot of cases, where we’ve helped customers recover their data from ransomware attacks. Our service has two features — Extended File History and pCloud Rewind. EFH keeps track of all your file changes up to a year in the past. Meanwhile, with pCloud Rewind, you can bring back a past state of your account and restore whatever you need. Combined, these two features can help you restore your entire account to a state minutes before the attack. A lot of users have shared that they have used this feature combo to recover the latest version of their files before the attack. Needless to say, these are very happy customers.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I’ve had numerous instances where people ask me or the team to recommend a password manager. I say this every time — I don’t use a dedicated password manager, I store passwords in pCloud Encryption. I believe in the product my team and I are building, especially in the level of encryption.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
For a lot of companies, security is an afterthought. Depending on the size of the organization, implementing server/computer upgrades requires a business to shut down their systems for maintenance. Many industries cannot afford to experience this downtime. Hiring a Chief Information Security Officer, or creating Security Operations Centers (SOCs), is a trend I’ve seen in large enterprises, and it seems to be paying off. Having people in the company that monitor security events and handle incident response lowers the financial damage that could occur from a cyber attack. It’s a different story with small companies.
From my experience, smaller companies tend to not write down their cybersecurity policies or even not have any policies at all. They operate by word of mouth or rely on the security and data privacy policies of third-party services without actually researching the service in advance. That’s why they are easier to hack. It’s just more convenient to work with a service that’s easy-to-use, but not necessarily secure to use. I can understand how allocating budget to boost security can be a luxury for some companies. What can make a difference is the attitude towards security, especially among top management. Taking the time to educate employees, write down a good security and backup policy, monitor whether such policies are followed and have internal sanctions. Educating employees and being strict security-wise can make a difference.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
It starts with planning and being pro-active about it — observe and define what your “normal” traffic patterns are. Monitor for abnormal activity in your outbound network traffic or surges in service activity. Check the systems you use and whether there has been unexpected patching or any hotfixes.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
It’s a tough pill to swallow — being hacked and knowing that this can happen again in the future. Having an incident response plan and backup strategy are crucial in such cases. Make time for your team to evaluate the breach and the damage that has been done. Check for backdoors that would allow the cybercriminals to access your systems again in the future. Depending on the severity of the breach, I would suggest implementing penetration testing and security audits.
Also, make time for maintenance and server/system upgrades. If your team doesn’t have the budget to afford such measures, you can rely on a cloud service for your data, but you need to thoroughly research their security policies and level of encryption. Choosing a service with zero-knowledge privacy guarantees that even if the service gets breached, cybercriminals won’t have access to the data.
We’re a company based in Switzerland and we already comply with Swiss data privacy laws — one of the strongest in the world. Starting from the GDPR, data privacy regulations are going to become a standard not only for the European Union or the state of California. Such regulations aim to bring data privacy in the hands of the consumer. Data privacy regulations draw attention to the fact that encryption is important and it’s slowly becoming a benchmark for every reputable company. I believe that in the future we’ll see companies making the necessary updates to include any form of encryption into their services. pCloud is compliant with all current data privacy regulations and our clients appreciate that. Satisfied customers share their experience with other potential users, which increases our global reach.
What are the most common data security and cybersecurity mistakes you have seen companies make?
I’ve mentioned this earlier — it really comes down to the attitude towards security. Some of the biggest mistakes I’ve seen are companies not having a good security policy, not following their own security policy and using services that are convenient, but not necessarily secure. Nobody likes updating passwords every three months, nobody likes creating new and unique passwords every time, but then again — nobody would like to have their account hacked.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I believe that companies aren’t asking themselves the right questions when it comes to security. The question is not “if it will happen”, but “when it will happen” and “how well are we prepared”. I recently read Coalition’s “Cyber Insurance Claim report”. The report shows insight from incidents reported by small and medium-size businesses across the United States and Canada. There are interesting, but unfortunately not surprising numbers: at the beginning of COVID, there was a 100% increase in ransomware attacks (compared to Q1 of 2019) with a 47% increase in attack severity.
This period also shows a 67% increase in the number of email attacks. While many businesses were gradually starting to embrace remote work, very few were actually prepared to operate that way. COVID reshaped the word “normal” for a business day very drastically and businesses weren’t given the time to prepare. Human error is more likely to happen when you’re working remotely. In order to support the remote work setup, companies are introducing even more services — giving cyber criminals more gateways to enter.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Personal Data Protection and Online Privacy — let’s keep it private, personal and secure. How about that.
How can our readers further follow your work online?
You can follow my Facebook profile, where I share relevant information, pCloud’s official Facebook page and our company newsletter.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!