Cyber Security Buffs conducted a webinar on 25th March 2021. This webinar was focused on how the increase in cyber criminal activities is putting organizations around the world at risk. The webinar discussed the measures organizations can take to protect their employees and customers against cyber threats.
In this interactive session, esteemed cyber security experts, Joe Stewart-Rattray, Director of Security & Technology at BRM Advisory, Australia, and Pavan Kushwaha, Founder and CEO at Kratikal, took the viewers through the best ways to stop the growth of cyber crimes.
You can watch the entire webinar here:
Given below are the key points covered in the discussion:
Pavan Kushwaha: Among security professionals, there is a lot of talk about the DMARC protocol, which helps companies protect their people including both employees and customers. So, when we talk about this email authentication protocol, the talk of BEC and VEC attacks is inevitable.
What is your take on BEC and VEC attacks and what must people do to avoid falling for these attacks?
Joe Stewart-Rattray: There is a wide range of social engineering scams that are just becoming more sophisticated. They are also looking more realistic. There are definitely some good products out there that you can use to look out for “risky click behavior”.
You know, there are people in every organization who click on links even though they are repeatedly told not to do so. Somebody will always fall for it because it looks good, looks realistic. So, you have to have some way of monitoring what’s going on…some way to make them say “Oh sir! I want to report it”.
Like in Outlook, you’ve got that phishing button. If I think an email looks a bit dodgy, then I can click on that button. That’s really important. The other thing is the educational aspect behind it. You have to keep educating people. You can’t just educate them on induction and forget about it. This has to be ongoing in nature.
I think that’s where a lot of organizations fall short. When they don’t continually educate employees, don’t make their staff aware of the latest trends. Also, the very senior people in an organization are very much at risk. And then, there is potential brand fraud and so it goes on.
So, we have to educate from the top of the tree all the way down to the person who is least involved in the technology but still needs to be educated.
Pavan Kushwaha: The button that you are talking about offers an easy way of understanding how many employees are reporting suspicious emails or what kinds of emails are being reported.
When you report an email without a proper incident response mechanism, it can take up to 121 days to investigate that email. That’s a huge thing as a threat actor takes less than five minutes to gain access to your valuable data.
People should really implement such mechanisms or buy such tools. We, at Kratikal, offer a tool called Threat Alert Button (TAB), where you can report an email to get it investigated in real-time. The tool analyzes the email and assigns it a score to determine its threat level.
So, as a renowned cyber security expert, what measures do you think an organization should take to protect its employees from cyber threats?
Joe Stewart-Rattray: Employees are the weakest link in an organization. It is important to transform this weakest link into a human firewall. So how do we do that? We have to make them conscious of their actions. We need to enshrine the notion of security into the day-to-day practices of the organization through policy, education, protocol and taking a “security first” approach.
Sometimes that’s difficult in organizations where technology is not core to their business. So, you actually have to bring them on the journey with you to get buy-in from across the business, from all areas of the business and to ensure that they understand the impact of not having good security in place.
This helps them understand the potential damage to an organization not just financially but also its brand reputation. So, in my opinion, education, education, education, communication, communication, communication are the six most important words in a CISO’s lexicon.
Pavan Kushwaha: We also work in the security awareness space. We have a product called ThreatCop, which offers hundreds of modules from a security awareness standpoint. We customize security awareness training as per a particular person.
For instance, we simulate a phishing attack. If the person clicks on the phishing link, he/she is redirected to an automated training page. The product allows complete customization of the simulated attacks, landing pages and email templates.
So, what are your thoughts on giving security awareness training to employees and how to encourage them to engage in it?
Joe Stewart-Rattray: It’s pretty simple. You have to tie it to some sort of Key Performance Indicator (KPI). There has to be something in it for the person who’s doing the training. There is no point in telling them “you’ve got to do it”. That’s like saying “you’ve got to eat something that you really dislike”.
They are not gonna do it. It has to be made palatable for them. It has to be made something that they actually want to do. You can link the outcome of that training to performance indicators in some way. Offer multiple modalities type of training.
For instance, I might like a gamified sort of training environment but you might want something quite different like the old-fashioned quiz-style test. Somebody else might want to see an animation. So, you need to have different types of training available to people.
Pavan Kushwaha: That’s an interesting idea. Tying the training to the KPIs or some kind of reward system can motivate the employees to take it seriously.
So, what kind of major phishing attack have you witnessed yet and what was your approach to it?
Joe Stewart-Rattray: It doesn’t matter if it’s phishing or some other kind of scam, it’s about always making sure that the CISO’s door is always open. One of the things we do is make sure we are approachable. So, if somebody thinks they’ve got any issue, they can approach us and we talk about it.
We explain to them where they may have gone wrong or what they can do to rectify the situation and what we’re going to do from this point. At no point do we threaten them or make them fear that they are going to lose their job unless they have done it on purpose of course.
Generally, we try to make it so people will report these things to us. If the door is always closed or if you take a very aggressive approach, people are not going to come to you with these things. So, you end up with phishing going wild throughout the organization, resulting in credentials being compromised. If you don’t get onto this stuff quickly, the bad guys can really worm their way into your organization and that’s what we’re trying to avoid at all costs.
Pavan Kushwaha: That’s some great advice! Make yourself approachable. Don’t be so busy that you are unable to listen to your people. Make sure that people are able to reach out to you on time.
Here’s the follow-up question. What do you think is the most disastrous consequence of suffering a cyber attack?
Joe Stewart-Rattray: There is a range of things and the end of your company is one of them. If we look at the Equifax attack in 2017, very senior people lost their jobs even if they were not responsible for it. So, that’s the other thing, loss of jobs and loss of income.
There are other things as well. With some of the breaches that we’ve seen, people’s credit ratings have gone down the drain, identities have been lost. These things are still small potatoes in comparison to actual real physical harm being done to individuals. Loss of an organization, money and its reputation is one thing but to lose a human life, as a result, is the most catastrophic thing.
Pavan Kushwaha: In India, we recently witnessed a cyber attack, where one of the power grids was targeted. It is believed to be a state-sponsored cyber attack. What is your take on state-sponsored attacks?
Joe Stewart-Rattray: I see these attacks as modern warfare. As a CISO, you have to think about what is hackable, how can the bad guys get into my organization. Well, it might be through a refrigerator that’s internet-connected. That could be the way in. Or it could be the heating ventilation and air conditioning system.
Let’s be serious, in state-sponsored attacks, the attackers have all of the tools and computing power that they need. They will just keep finding the way in. If they really want to get into that company, they will. I think we will see much more of these attacks in the future.
In Australia, we’ve seen what looked like it could have been a state-sponsored intrusion into one of the large university network systems. This attack may have been about watching the citizens of a particular country who are studying in Australia. So, that’s the sort of stuff I think we have to be really concerned about. Because it’s really pervasive and intrusive.
Pavan Kushwaha: I just wanted to highlight that when a threat actor hacks one organization, they can easily attack the next organization based on the data stolen from the first organization. We have received a lot of information about data breaches from several companies. These companies reach out to us to figure out what they should do when their data has been breached.
In one instance, there’s a website called 000webhost.com, which got hacked. Its developer made an account on GitHub using the same credentials that he was using on his website. When the website got hacked, the threat actors gained the credentials to his GitHub account and then the next company got hacked. That’s how this chain goes on. So, it’s very important to make sure that you have enabled two-step verification.
What do you suggest organizations should implement as security mechanisms to avoid data breaches?
Joe Stewart-Rattray: No matter what you do, no matter what measures you put in place, no matter how sophisticated your tools are, you have to recognize that it could still happen to you. We’ve lived in the environment of what’s going to happen to somebody else, not me. It could happen to you and you have to be prepared.
You have to have a fast incident response plan in place. You have to make your people suspicious. In certain industries, people are taught to be thoughtful, kind and helpful. They’re taught to listen to the client and be helpful to the client. However, it is necessary to also teach them to be suspicious. You want them to ask questions like “Is that person really who they say they are?”. So, you have to embrace that little bit of suspicion in people.
Pavan Kushwaha: How has the transformation to remote work culture affected the cyber threat landscape?
Joe Stewart-Rattray: The pandemic has changed the way we work, probably forever. A lot of organizations found it very difficult to suddenly let go because they had this mentality that you had to be sitting in your seats. There was this belief that people wouldn’t work or be productive if they weren’t in the office.
What was discovered fairly quickly was that people working from home in Australia ended up being more productive, they were taking fewer comfort breaks and they were taking far fewer sick leaves. But we also had to change the thinking of the individuals working from home in relation to security.
Simple things like your laptop is only for work and should not be used by your entire family. So, it’s about changing individuals’ mindsets. Of course, we do have to consider the other elements as well. We have to really protect the corporate data.
Pavan Kushwaha: Over the last few years, there have been a lot of companies that got hacked because of the vendors, SolarWinds is one of the biggest examples. How should organizations handle third-party vendors in regard to cyber security?
Joe Stewart-Rattray: Good supplier management is the key. With good supplier management, you need to make sure that they sign up for your policies. If they don’t sign up to your information security policies and comply with them, it’s time to say “Goodbye Vendor”.
Besides that, ensure vendors don’t have generic accounts. They have to have named accounts with time limits on them so they can be timed out once their work is done. You need to ensure you know who is in your system, what they’re doing in your system and when they’re going to be there. You should apply the principle of least privilege.
Make sure they only have the access they need to do the job that you have employed them to do. Also, you need to constantly monitor them and regularly communicate with them. Tie down all the third-party vendors to a contract stating what they can and can’t do and what is expected of them.
You need to make sure that the vendors you are working with are reputable. Also, ensure that you have the right to perform a vulnerability assessment on them.
Pavan Kushwaha: How can organizations ensure the safety of their employees in the cyber world?
Joe Stewart-Rattray: It’s all about communicating with them and making them understand their rights, roles and responsibilities in relation to the information that they are handling, creating, storing and transmitting.
They have to understand the criticality, sensitivity and life cycle of the data they handle. You really have to make them aware of all the pitfalls in their way. The easiest place to start is generating awareness.
The webinar ended with the experts answering some of the questions posed by the viewers.
So, stay tuned with ‘Cyber Security Buffs’ by Kratikal for other interactive webinars with distinguished cyber security experts.
Turn Your Employees Into A Cyber Threat Shield
Make your employees proactive against prevailing cyber attacks with ThreatCop!