Under CTRL

How to build businesses’ cyber-resilience

Episode Summary

It’s every security team’s nightmare scenario: a malicious cyberattack that puts valuable company assets at risk. But when the worst has already happened, what should come next? Cyber-resilience allows companies to quickly bounce back from digital events — and it has never been more vital for modern organizations.

Episode Notes

In this episode of Under CTRL, Tresorit’s Chief Technology Officer, Péter Budai, joins ICA Consultancy’s Ben De La Salle to discuss how organizations can not only withstand cyberattacks, but also recover from them.

For truly resilient companies, cyber security isn’t just seen as an IT issue, but as everyone’s responsibility. That’s because the fallout from a digital attack can be felt across an organization, from disrupting workflows to damaging customer trust. 

We look at how IT teams can prepare for potential cyber events by getting serious about risk assessment, as well as collaborating and building strong company-wide connections.

We’ll also talk about the benefits companies can gain by prioritizing their assets, no matter their organization’s size or budget.

Episode Transcription

[00:00:01.130] - Péter Budai

Good afternoon, everyone. Welcome to the next part of our Who's Next webinar series on various cybersecurity topics. This time, we are going to talk about strategies for cyber resilience together with Ben De La Salle, our guest speaker today. I'm Péter Budai. I'm the Chief Technology Officer of Tresorit. And here at Tresorit, I have actively been participating in developing our end-to-end encrypted cloud collaboration products for our customers to help them protect their valuable digital assets in the cloud. In my current role, I'm also overseeing the work of our IT team, IT security teams, and product security teams. So, it is a great pleasure for me to welcome my partner for today, Ben De La Salle. Ben is the founder of ICA Consultancy, a firm that provides information and cybersecurity and data protection consultancy services, interim and fractional resourcing, and specialist security services. Ben, thank you very much for joining us today. Please tell us a few words about yourself and what your areas of focus or special interest are nowadays.

 

[00:01:28.770] - Ben De La Salle

Thank you, Péter. Yes, I've been working in security and data protection for just over 25 years now, back when cybersecurity was IT security and we didn't quite have the media support and board support that we have today. Our firm is focused on providing what we call capability as a service. So, we help organizations on the topic of cyber resilience, helping them focus what budget they do have on the priorities that are specific to their business and the way that they operate. More recently, a lot of our work has been around strategy development, both in terms of tactical initiatives, but also in some of those longer-term initiatives to help organizations improve their maturity.

 

[00:02:19.550] - Péter Budai

Okay, that's really cool. So, before we begin our talk today, I'd like to turn to our audience for a moment and invite them to ask their questions throughout the webinar in the Q&A window that you can find in Zoom. And we'll try to answer your questions towards the end of this webinar. And I already see someone has posted a question, so keep this up, everyone. Okay, so our topic for today is strategies for cyber resilience. But let's take a step backwards and talk about cyber resilience on its own. How would you define cyber resilience, Ben? What additional aspects does cyber resilience bring to other areas of cybersecurity?

 

[00:03:20.370] - Ben De La Salle

I think the important thing to consider is that cyber resilience doesn't mean that we are going to manage all risks down to zero, that we're not going to be dealing with cyber threats and incidents. What we mean by cyber resilience, and I think the Bank of England does a really good job of expressing this, is our ability to withstand cyber threats, to absorb any of the impacts that might be experienced from that, and to recover quickly. And I think that expresses it really well when we're talking about cyber resilience, because very few organizations will have zero tolerance, and the funding to support zero tolerance, to cyber risk. Therefore, we do need to look at how we reduce the likelihood of key threats and risks to organizations. And if they do happen, and more often when they do happen, how do we withstand, absorb and recover? I think putting it in those terms, expressing it in those terms, and getting people to understand that's what we mean by resilience will certainly help any future conversations and requests for support and funding.

 

[00:04:34.150] - Péter Budai

At this point, I think we need to reiterate a bit why we think it is important to talk about this topic at all. So obviously, cyber resilience and cybersecurity can be mandated by regulations, by a requirement for compliance with given regulations. That is an important factor. But I think there's another reason for dealing with it, and it's a much better one: when we became aware of the business impact of any kind of cybersecurity threat to our company, it became obvious that this is something that we need to deal with. And I'm pretty sure, Ben, that you have a lot of experience with your clients about cybersecurity threats and their effects. Could you please share with us some generic examples or general trends that you need to be aware of when it comes to a cybersecurity attack?

 

[00:05:49.230] - Ben De La Salle

Yes, obviously, the world is changing and moving at quite a pace, and actually regulation is trying to keep up with that. So, a lot of organizations, whether it's as simple as us talking about data protection regulations or through to highly regulated industries, are starting to feel the pressure from regulators and the requirement to notify if they do have a cyber incident. Some of what we're seeing at the moment is that notification windows are becoming ever smaller. So, India now has a six-hour notification window from the point you become aware of an incident. But I think it's important that organizations understand that cyber isn't just an IT issue. A lot of the answers to cyber seem to fall into technology, or people and process around that technology. But actually, the impacts are much more widespread, felt across an organization. So, when we look at assessing potential impacts of cyber risk realizing, we tend to consider things like the operational impact, the reputational impact, the people impact, and then the financial and revenue impacts that could come from that. And some of those are linked. Obviously, a loss of trust through poor reputation following that could lead to loss of revenue, loss of earnings.

 

[00:07:07.030] - Ben De La Salle

And actually, when you start to think about how you respond to these incidents, again, there's a technical response to it, but there's also a business response to it as well. And that's something we work with organizations on to help them practice. So, when they're thinking about it: should everyone's worst nightmare happen and data be lost, and be in the control of some malicious individuals who are demanding a ransom from you not to publish this information, that's not a technical decision, to pay the ransom. It might be fed by technical elements like whether you can recover from backups, whether you have that data still at hand. But the decision to make that payment is very much a business decision, and therefore we need to consider cyber as an organization-wide issue. And when we think about cyber resilience, we have to have multiple stakeholders involved in how we manage that.

 

[00:07:59.530] - Péter Budai

So, we could say that you mentioned service impacts, data impacts, operational impacts. So, you might not be able to provide your services during the cybersecurity incident. You might not be able to, or as you mentioned, you might be able to pay a ransomware fee if you're not prepared. Or you might need to spend a lot of human resources and effort on preparing the report for the authorities when you need to report within six days. And you will need to plan for those. And I think we can agree on that indirectly. So directly or indirectly, this will have an effect on your revenue or on your cost. In the simplest terms, this is the business reason: any cybersecurity threat at the end of the day will cost you a loss of revenue or loss of business or increased cost.

 

[00:09:01.520] - Ben De La Salle

And sometimes, and we've experienced this in organizations, it's not the direct cyberattack that means that you're unable to service your customers; it's that the actions you're taking to protect your business mean that you might have to shut down the systems which are unaffected to protect them from being affected. So actually, there are a lot of ripples from a successful cyberattack that an organization has to consider during its response and the time afterwards. And it's not just technology issues.

 

[00:09:31.270] - Péter Budai

Okay, so now that we are aligned on the importance, of course we do always align, but fortunately the audience is also aligned. Let's shift our focus and talk about how to prepare against these risks and threats, not why, sorry, where should one start building up cyber resilience?

 

[00:10:01.890] - Ben De La Salle

I think it's important for any organization of any scale to start with understanding what's important to them. So, I don't think it really matters how large a business you are and how big your budget is. You never have enough money to protect absolutely everything in the organization. So, you need to understand its criticality and its value. And actually, that's one of the building blocks of good security, even to the point of good IT management: understanding what you have, understanding where it is and understanding its value. And I think there were two schools of thought. I think when GDPR came out, there were those that thought it was very onerous and it was going to be very complex, very hard for businesses to implement, and there were those of us, and I was one of them, that were pleased we were having an opportunity to actually map out our data and work out what's really important and start to understand a bit more about the business. So, I think if we can get to a position of understanding where your data is, understanding what's important to you, is it within your control, is it within a third party, understanding that lifecycle?

 

[00:11:09.390] - Ben De La Salle

You can then start to apply targeted controls to manage the security of those assets. And then I think it's about understanding that if something does go wrong, how are we going to know and how are we going to be able to respond to that? Often when we talk to organizations around improving their maturity, we say, look, you can't be, well, firstly, most organizations can't be the best in class, right, because actually they don't have enough money and they have plenty of other things to be doing other than building Rolls-Royce security solutions. So, we do say to them, look, we've really got to think about where we focus. And we tend to say to them, look, using the NIST Cybersecurity Framework as a model, there's some quality work that we can do in Identify, so we understand the risk to the business and we understand the impacts to it. There's some focus we can put around Detect, making sure that we can identify when our controls fail and there's something malicious happening. And then we focus on the Respond piece, because actually if we go back to withstand, absorb and recover, those three areas will feed the rest of that.

 

[00:12:18.570] - Ben De La Salle

So, if you identify a risk, you will identify controls to manage that risk, and you'll implement them. If you detect when those controls have failed, you can then respond and do something about it. So, for us, that's where we'd like to start: know what you've got, know what the risks are to it, and understand how you can respond to incidents should they occur.

 

[00:12:37.170] - Péter Budai

Yeah, I also agree that's important. And I would like at this point to reflect back on the regulations and compliance that you mentioned, because, as someone responsible for IT security and partly responsible for compliance at our company as well, I see that the regulations and these compliance requirements help you to be much more rigorous about having all your critical systems in an inventory, writing down your procedures, and practising and reiterating them. So that's how I see the benefits of compliance: they force you to do this type of stuff.

 

[00:13:35.170] - Ben De La Salle

We're not going to get into a conversation today about regulations and about the details. We could have conversations about the difference between the kind of stuff that we see in the UK and the kind of stuff that we see in the financial services market in Singapore, for example. But generally what regulations do is provide a framework through which organizations can start to do the things they need to do. They don't always go about it in the right way, or the right way for every business. But it does build a structure that basically says, look, you need to know what's important to you, you need to protect it, and you need to let us know when that protection has failed, because we want to check you're doing the right things and responding to it. I think we're not going to debate whether regulation is right or not, but I think it is one of the tools in our toolbox to ensure that we actually do the right things by data.

 

[00:14:23.590] - Péter Budai

Let's move to less controversial areas. So, you mentioned that knowing what's important is one of the most important things in cyber resilience, and critical systems or critical valuable things are not just data, obviously; we can have critical systems as well. Nowadays we see that more and more of companies' digital assets are in the cloud or moved to the cloud, which may make this inventory much harder than earlier. How did our approach to cybersecurity change with the emergence of cloud-based services and software-as-a-service components?

 

[00:15:14.530] - Ben De La Salle

Yeah, it's interesting. I was probably part of the original school of thought that cloud is just someone else's computer, and I remember we had plenty of stickers around the office when cloud was coming out to that effect. But it did change the way that we had to think about security. So, if you think about our traditional security, an analogy for it we'd often pull is the analogy of a castle: we could build the high walls, we could build the moat, we'd have a drawbridge which is the only authorized access point, and everything of value, the crown jewels, is within that castle. And actually, what happened as we started to rely not just on cloud providers but on more third parties, more outsourcing, then the introduction of SaaS, IaaS, PaaS (software as a service, infrastructure as a service, platform as a service), our data started to leave the walls and the confines of that castle, and we look at that very much now as a theoretical perimeter. Whereas previously, to use another analogy, we would talk about layers of an onion, keeping everything in the center and just building layers around to protect it. This move to greater use of third parties, where we have no real direct control over the security controls and how they manage them, means we've fundamentally got to change the way that we look at how we protect that.

 

[00:16:34.100] - Ben De La Salle

And that, to bring regulation back into it, is being reflected in some of the regulations we're starting to see now in those more regulated markets like financial services, which will eventually start to trickle down into other industries. And there's a big focus at the moment on ensuring that our resilience goes across both our own organization and all the third parties, and that resilience includes cyber controls. And actually, we do kind of pass over the baton to these third parties when we give them their data, and we do trust that their ISO certificate means that they're actually taking it seriously and, God forbid, not just going through a tick-box exercise so they can get a marketing tool in an ISO certificate. More and more people should be looking at placing reliance on things like SOC 2 Type 2 for SaaS solutions, because that gives much more ongoing assurance over control effectiveness, in our view, compared to something like 27001. But actually, you are handing over your crown jewels and saying, both in terms of transit to you and whilst you've got it and who you share it with as a third party, I'm trusting you to keep that secure.

 

[00:17:46.150] - Ben De La Salle

And I think you just need to pick up the paper or look online at the news and see that organizations which are third parties providing services to other people are just as target-rich environments as the industry in which they serve. So, the approach has to change and has been changing. I think third-party supplier assurance has got a long way to go to mature. I think we're still just picking at small indicators to see whether an organization is secure or not. It's very difficult, I think, without full-blown audits and inspections to get to a position of comfort, and I'm hopeful that will change.

 

[00:18:28.530] - Péter Budai

Yeah, so it's not just securing your own office infrastructure and the current point, but it's a much more diverse job nowadays. And at this point I think it's important to highlight what you mentioned earlier, that knowing the risk and what's important is not an exercise solely for IT security. So, at the end of the day, the value of the data, the value of the systems that make some business processes flow and work, will be derived from or assessed by the value and the impact on the business itself. So, the whole organization needs to be involved in creating this security inventory, and this cyber resilience inventory, I'd say. So, do I assess correctly, based on this, that there is nowadays a significant shift in the role of IT security in the life of a company?

 

[00:19:39.910] - Ben De La Salle

Yeah, I mean, in the 25-plus years I've been working in this space, we've seen the movement of the IT team from the basement of an organization to being present at the board, and the same is true of security as well. And the fact is that more mature organizations are giving security a seat at the table in terms of the ExCo and at board meetings, because it is a key strategic risk for most organizations. And with that come some different challenges. So firstly, the security team needs to be engaging with the business and supporting the business. And in fact, as I listen to myself use the word business, it feels a little bit fake, because quite frankly, the security team is part of the business. So, what they need to be doing is engaging with the stakeholders across their organization and saying, okay, look, there's a bunch of stuff that we do to protect you against threats and risks that are coming in, and there's some stuff that we need you to do as people in the organization, and we talk a bit about the front line and how we can get them to help us secure the organization.

 

[00:20:52.030] - Ben De La Salle

But actually, we need to remember that it's often the business activities that are introducing the risks into the organization as well. Moving into new markets, offering new products and services, looking at innovation through automation or artificial intelligence. It's these things that the business, that the business leaders, will be leading the charge on, which the security team needs to support. And you're only going to be able to do that if you build the relationships now with those stakeholders and make sure that they see you as a team that they can go to and ask for support, and we help them find a solution. And I think it's been a long time since the security team was seen as the engine of no, or, as I heard recently, Chief Business Prevention Officers was one of the terms I heard in one of our customers about a previous reflection on the security team. That's long gone. In my experience, there might be some pockets of it left, but in the main, it's long gone. And we still need to be a bit more proactive, in our experience and what we see, in going out, engaging with business stakeholders and saying, how can we support you in your next innovation, in your next great business idea, in improving revenue?

 

[00:22:00.430] - Ben De La Salle

So that's a bit of a change and a shift that we're seeing in the team, and I think that then moves into the leader of those teams. Right? And again, I don't want to get into a chat about the CISO, the job title and what the role means, because that's a whole podcast and conversation of its own. But whether you're a head of security, a security manager, a CISO by title or a CISO by role, you're going to be engaging with more senior members of the organization and you're going to need to be able to talk to them in a way that they understand, and most boards understand risk and revenue and cost. So, we would always talk to them in terms of what the risk presented by this new business initiative is, this lack of funding, doing this initiative or not doing this initiative: will it protect revenue, will it increase costs, will it lead to a substantial fine? And once we start to engage and talk to people like that, then actually we do get involved more. And I know from my own experience of working in industry before I started this company that the more you engage with those people and the more that you support them in their goals, the more likely they are to support you.

 

[00:23:11.050] - Ben De La Salle

And I certainly felt that in budget rounds when we're all trying to agree where money is going to be spent and who would support security spend and who wouldn't. So, I think that's a big thing, and I think the other thing is we need to make sure that, as a security team, we are approachable, so when something does go wrong, we want the business team stakeholders to reach out. And I was with a client just yesterday, actually, where fortunately it turned out to not be a security incident, but a couple of members of staff were very worried about a number of emails that came in and a potential call as well. And actually, they just came and mentioned it to the security team and said, we're very worried about this, and immediately we moved into investigation, we started looking at the emails that had come in, pulling records and everything else. Very quickly we got to a position where we realized it was a false positive, but we wouldn't have been aware that it was happening if the members of that team hadn't come to us and seen us as part of their support in dealing with this risk.

 

[00:24:18.600] - Ben De La Salle

So, we often see both sides of it, but certainly starting to see that shift and the more approachable side of security is great.

 

[00:24:32.070] - Péter Budai

That's what I experienced myself: in my view, security almost universally will be a compromise between different factors. Most of the time it's security versus usability, speed of business processes, employee satisfaction, et cetera. So, it's really important, and this is also the point when we need to interact more with the rest of the business to make these compromises and choose our compromises together with the relevant stakeholders, not just deciding in the high castle or down in the basement, as we would say.

 

[00:25:13.490] - Ben De La Salle

I agree. And we go back to the point that everything in business is about risk, whether the risk presents some threat or negative impact to the organization, or whether taking that risk is an opportunity. And we've got to support that as a security team, and we shouldn't look at ourselves in isolation.

 

[00:25:30.410] - Péter Budai

Yes, by now we have mostly talked about the preparations, like how to assess our cyber threat repository, our value repository or critical systems repository, and how to convince stakeholders of the importance of cybersecurity. For the rest of the last seven, eight minutes, let's talk about the mitigation part. So, in my view it's not just the preparation where the business needs to be deeply involved, but also the mitigation phase. And for what we were talking about earlier, the layered approach of security, it's a universal approach, it always comes to layers of security, and one of the layers of mitigation and protection is the very basic IT security practices, and the other one will be the staff itself and all the employees. And this is the area that, if not overlooked, is something that cannot be repeated enough: security starts here. What's your opinion on this?

 

[00:27:04.470] - Ben De La Salle

Yeah, I have to say I'm guilty of this myself, but we often talk about security basics or security hygiene as if these are really simple things to do, but they're often not, right? So, patching an entire estate and keeping it up to date on patching seems like something really easy to do on the face of it. But then when you add in complexities around legacy environments, legacy applications, the fact that there might be maintenance windows which do not suit patch releases, or there may be changes going in which mean that the business or business stakeholders do not want systems patched during that time, or there could be change freezes. There are all kinds of different reasons why patching might not work, and the complexities around legacy environments, supported environments and things. So, I think the first thing to understand is, when we talk about security basics, security hygiene, we accept the fact that they can be complex to implement, but it doesn't change the fact that these are the things that we need to manage. So, we've already spoken about knowing what you have, where it is and what its value is; that helps you prioritize your efforts.

 

[00:28:18.030] - Ben De La Salle

The next thing is to make sure that things are maintained, maintained in terms of supportability. So, you get updates from your vendors, be that OS or applications, and you can apply them. And again, you should look at some prioritization of that. So being able to assess vulnerabilities in your environment, prioritize them based on their score and whether they're being exploited in the wild, and then applying the patches, that helps. But you need to keep on top of it and, again, fully understand that it's not as simple as it sounds and that there are challenges with it. I think the other thing is, if we look at ransomware, it's a big risk for everybody at the moment. There are some key things we talk about in terms of ransomware preparedness. So multifactor authentication on all of your services, strong authentication, that's a must, because right now we don't, again, have the high walls of the castle where everyone crosses the moat and comes in to use the data. It's now everywhere, and the people using it are everywhere. And they're sat at home or they're sat in an office, or indeed, one of the colleagues I was speaking to earlier today, they're sat in a boat in a canal in Europe, traveling around, working whilst getting some beautiful scenery.

 

[00:29:30.700] - Ben De La Salle

So, we just don't know where the people are going to be, and we need some strong authentication around that as well. We then need to make sure that we back up our data so that we have immutable copies of the critical data that we need in case anything happens to it. Again, sounds simple, but can sometimes be very complex depending on the data environment. The other thing is making sure you know what to do when something goes wrong, and that you practice those, right? So, it's all very well writing a security incident process or a crisis management plan and then putting it on a shelf. And once a year when you get due diligence from one of your customers, they go, have you got response plans? You go, yes, I have, I've dusted it off, I've reviewed it there and put it back, and then something happens. Everyone needs to know their roles. They also need to know what their role isn't. So, one of the big things we see when we run crisis exercises with organizations is people, to use a phrase I don't particularly like, not staying in their lane. So, there are people trying to make decisions which are actually outside of their remit, and then that causes confusion or sometimes debate, which you just don't have time for during one of these incidents.

 

[00:30:43.790] - Ben De La Salle

And then I think, like with anything else, it's making sure that the awareness, the security awareness across the organization, is up. You will see, and I hear it more often than I like, that actually staff are your weakest link, because people will position it: we spent all this money on email filtering and IDS and IPS and all the other acronyms that we can mention in security, and then what happened was one day someone clicked on a link and then we got ransomware. And it's like, well, because people are your weakest link. Completely wrong. Staff are your strongest defense. They're absolutely the front line. They are the people that are the easiest route into the organization, because they have emotions, because they have SLAs they have to meet in their role, because they've got a number of emails they have to process in a day. And attackers know this. And phishing is still by far the simplest way to gain access into an organization, still the most common. And actually, we're only seeing it going up. So, if you look at the Anti-Phishing Working Group, they track the number of phishing emails every quarter. Q1 last year was the first time it went over a million.

 

[00:31:58.060] - Ben De La Salle

We've already seen a 150% increase in the first half of this year over the whole of last year. Phishing is not going away. It's also one of the three ways of running into an organization, key thing. And where does that phishing go? It goes to staff. And what are your staff doing? They're trying to do their job, probably under pressure. They're probably in a role where they expect to receive emails from people they don't know. So, training them to say, if you don't know who it's from and it's got an attachment, don't open it, doesn't really work, because that's their role. But we need to give them the right skills. We need to give them the awareness of the kind of threat, the understanding of the impact, both personally, because let's be clear, they can get phished at home just as well as they can get phished at work, and the tools they need to understand what to do if they do see a phishing email: who do they report it to? What steps do they take? Do they delete it? Do they report it, which deletes it? Do they forward it? Do they have to forward it as an attachment?

 

[00:32:55.390] - Ben De La Salle

It's all these things that you have to work out and make sure they understand, and give them that approachable security team that we spoke about earlier. And I can tell you from my own experience, both in industry and with the customers we work with, if you get a good brand around your security team, and unfortunately there is a brand you need around it, people respond to that. And you show that you are open and willing to help, and you'll answer questions about, we've had it before: how do I secure my home Wi-Fi? How do I stop my children looking at certain things? It takes us about five to ten minutes to answer those kinds of things, and my security team would do it, right, because it built up the relationship with the employees in the organization. You get that, and then what you get is a very quick response. Often, we find it quicker than some of our detection tools in terms of when the first email lands. So, we haven't had velocity at this point. It's a single email, and it lands with someone who understands phishing, and they see that it's a possible threat and they report it to us, then we can do something with it. And we've successfully, I remember in one organization we spent rather a lot of money doing a red teaming exercise.

 

[00:34:05.940] - Ben De La Salle

So, this is where ethical hackers follow the route that malicious actors would take to find a way into your organization. It's a bit like pen testing on steroids, in simple terms. And they failed to get in through phishing because of how well we had trained our staff, which was great on one hand, but cost a lot of money on the other. I kind of felt a bit put out that we spent all this money to demonstrate what we already knew. But you can get the front line into the right place, get them into a place where there's a no-blame culture. They feel like even if they get it wrong, it's fine; it's not phishing. We often get a lot of people forwarding LinkedIn requests going, it looks dodgy. It's not. You've just got your email address on your profile. Get them into that place where they want to just go, I think something's gone wrong, so we can help them. That's the key thing.

 

[00:34:57.010] - Péter Budai

I really like this; it lets you turn "staff is the weakest link" upside down and say it is the strongest defence if they are managed correctly. And in my experience, it's not just security, IT security, where you can leverage this knowledge and your connection with your staff. For example, we also get a lot of help from all around the company when it comes to testing our product or spotting outages of the product. So, if there's this healthy relationship, they can help. Unfortunately, we are approaching the end of the webinar. So, I think at this time it's time to summarize some key takeaways and talk about what we've been talking about. We talked about cyber resilience itself, how we define it and why it is important. We talked about the importance of having an inventory of all your valuable systems and data. And we also talked about how IT security teams need to change their approach to talking to the business, and also how they need to change their approach when it comes to defining the security boundary of the company with the emergence of cloud services. And we talked a lot, towards the end, about the human factor: how staff can be your strongest line of defence instead of your weakest link.

 

[00:36:55.510] - Péter Budai

And we prepared, or actually Ben was kind enough to prepare, some key takeaways for our lovely audience today. Would you mind, Ben, sharing these with our listeners?

 

[00:37:13.730] - Ben De La Salle

Yeah, as we were just talking about, the importance of educating your staff: protect the front line. I think it's almost... protecting is arming them, giving them the knowledge they need to be able to understand what the threats are, know how to report them and what actions they need to take. "Never trust, always verify": I kind of stole that from the Zero Trust principles. But I think it's a great one, certainly where we're moving to this very devolved control over data, in the sense that we're no longer keeping it all within our own grasp; we're sharing it with third parties and cloud providers. When people want to access that data or those services, we need to verify their identity: strong authentication, conditional access policies, whatever it happens to be. We need to make sure that we are comfortable that they're a legitimate user with the right rights to come in and access that information. Legacy services are a huge issue for a lot of large organizations, and for smaller organizations, keeping on top of patching of their end user estate becomes complex, certainly with more and more third-party software. But maintaining or removing those things which are not supportable is critical.

 

[00:38:40.030] - Ben De La Salle

And again, we've always had this way, and certainly the media has this way, of talking a lot about sophisticated advanced persistent threats that we have to defend against in security. Actually, there are some wild statistics going around at the moment, but in some of the reports I'm seeing, we're talking over 80% of attacks were preventable with the technology they had, if they had maintained it properly. Actually, there are very few attacks that are sophisticated in nature. Some of them are persistent, I absolutely grant that. But when you look into it, these are known vulnerabilities more often than not. They might not be widely known, apologies, but they are known vulnerabilities that are being exploited. Compromised credentials, MFA missing on VPN, people not aware of their full asset list. So, whilst they put security controls on it, they haven't put it on all of it. So, make sure you know: you've got to maintain it or remove it. Ensure that your critical data is backed up in a way that means it cannot be impacted by something like ransomware. Again, I met an organization who were extremely proud of the fact that they stored their backup in three locations to ensure that they could maintain its integrity.

 

[00:40:04.770] - Ben De La Salle

Unfortunately, all three of those locations were connected to the network that got hit by ransomware. So, we ended up in a situation where they didn't have a viable backup to restore from. And be aware, be prepared and improve. This goes back to knowing what your risks are, the threats and what that impact will be to your business. Prepare a plan to, again, go back to withstand, absorb and recover from it. So, think about your recovery plans, your security incident plan, crisis management plan, your business continuity plans, your DR plans. Practice them. Practice the technology ones, the IT ones, with the IT teams. Crisis management: practice that with the leaders within the business, the people that are going to be doing the external comms, working with legal, making decisions around paying ransom, and get lessons from that and feed them back into those processes. And don't just practice it once. As much as people may moan and groan about it, get into periodic practices, looking at changes that might happen to your business that need to be reflected within those plans. And if you kind of follow those five pieces, then actually you start to remove a lot of the key risks that are often exploited, or rather realized, through the exploitation of vulnerabilities by malicious external users.

 

[00:41:28.410] - Ben De La Salle

When you look at ransomware, they either get in through phishing, through a compromised account that doesn't have MFA on it, or through a vulnerability in your perimeter. Those are the three main ways they get in. If you're maintaining your software and it's up to date, you're less likely to be presenting vulnerabilities on the perimeter. If you're educating your staff around protecting their accounts and you've implemented MFA, compromised accounts become less of a problem. And if you're educating your staff around phishing and showing them how to respond to it quickly, that becomes less of a risk as well. That doesn't mean there's a silver bullet. There's no way we're going to mitigate all cyber risk to the point that you will never have an impact. But the idea is about reducing the likelihood as much as possible and then managing the impact through your plan.

 

[00:42:14.890] - Péter Budai

Thank you. Thank you very much, Ben. It was a really good conversation. I really enjoyed it, and we touched on many important topics. And the good thing is that we still have some time for some questions from the audience. So, the first question would be, right away, you almost answered that on the previous slide: can you ever be on top of all your security risk? So, I may skip this one and let's see another one. Yeah, we talked about staff and having a good relationship with the staff, and someone asked: how do you get people interested in security when they do not see it as part of their job role?

 

[00:43:04.810] - Ben De La Salle

So, not subjecting them to a 30-minute death-by-slides training once a year with ten randomized questions after would be a good start. And unfortunately, organizations are still taking that approach because they need to tick a box that says, we do security training. I am very opposed to that approach, based on the amount of training that we have to go through when we work as an extension of our clients' teams. And the irony is, when you're supporting clients in security, when you become an extension of their team, you have to do their training. So, all of my team and myself, with some clients, we have to sit there and go through these slides. And I like security. I mean, I've been doing it for 25 plus years, right? So, I enjoy the topic, but even I get turned off when we go through those trainings. Let's be clear, if someone works in finance, or someone works in a contact center, or someone works on a shop floor, they're not there because they want to be the most secure member of their team. They're there because they've probably, hopefully, got an interest in the job that they're doing.

 

[00:44:12.980] - Ben De La Salle

Like all of us, they're financially driven and they've got bills to pay, and they're going to want to do the job as well as they can. Hopefully, the first thing they're thinking is not, do I do this in the most secure way? And actually, as unpalatable as it is, lots of people will not understand the value of someone else's personal data or the company's data while they're using it to do their job, because they're just trying to get their job done. So, the best way we've found, and it's something we've been talking about for years, is you train people on the threats that they face as individuals. You make them understand the impacts they could face as people if their personal data was lost or used by criminals for identity theft or impersonation. And it's at that point you then bring it back to, well, now we have all of this data in our organization and we need to protect it from exactly the same kind of thing. And again, as we've spoken about, making the security team approachable, giving them someone they can ask; there are multiple ways you can do that. There are awareness platforms that have both an FAQ and an ability to interact and ask questions. It can be faceless, and they're just asking a team and the team responds.

 

[00:45:36.290] - Ben De La Salle

Or, depending on the kind of people you have in those security teams, you could actually nominate some people to be that interface between your team and the rest of the business. But give them someone they can ask questions to. How do I ensure that the data on my personal iPhone is encrypted? Oh well, we've got a little cheat sheet over here that tells you how to do that. What are the risks to me? We used to do something in financial services with our fraud team, who took the lead on it, where they used to do the twelve frauds of Christmas. And we used to hand that out to everyone in the organization at Christmas to say, Christmas is coming. This is a great time for identity theft and financial loss. These are the kind of things that you need to look out for. Give them stuff that's relevant to them. Then you'll soon find they go, actually, that's quite worrying that all of this stuff can happen to me. And then you start finding they tell you more about practices they're seeing at work that they might not think are secure.

 

[00:46:32.590] - Ben De La Salle

And again, you might want to give them a whistleblowing, anonymous forum in which they can go, I've seen this behavior and I would like it addressed. It's all about engagement. The short answer to this very long answer that I'm giving you is: get people to realize the risk they face, and they're going to be much more interested in protecting data.

 

[00:46:52.950] - Péter Budai

Yeah, I think I agree with that. What I see as a tendency at Tresorit as well is that, as we are a privacy-conscious company, conscious of the privacy of our users and customers, sometimes this leads to our employees being much more conscious of their own privacy in their private lives. So, I really see how this approach could work, because if it works the other way around, then it should work this way, as you described. So, let's see another question. Yeah, successful breaches: someone would like to ask, do you see any commonalities observed between successful breaches? There are some common themes, and we touched on some of those for ransomware. As we mentioned, the three entry points are phishing, compromised accounts and lack of MFA, or weaknesses in the perimeter. And actually, as I mentioned before, phishing is still in there as one of the top ways of gaining entry to an organization. It's simple, it plays on human nature. It can be emotive in theme. So, these things are simple. We see high volumes of it. We're currently seeing an increase in QR phishing, and QR phishing is quite interesting. It's an email with a QR code in it saying, to get your document or to access your files, scan this QR code. The reason they do that is you do it on your phone. Your phone isn't connected to the same corporate network. It's probably on a guest network, if it's connected to a network at all; it might be on 4G or 5G. It doesn't have the same corporate controls on that network. So therefore, they can start to land malicious links and malicious software much easier than trying to get you to click on a link on your endpoint. They're starting to realize that some of the endpoint protection software is getting very clever, and the URL rewriting stuff as well.

 

[00:48:54.570] - Ben De La Salle

But generally, you will find that the entry points as described would be the way they've got in. MFA, lack of MFA, is a real key reason for it. And then lack of patching, lack of staying on top of those vulnerabilities, and not understanding the assets you need to protect. So, you might have protected 99% of your estate, and then they're going to play in that 1% because you haven't got visibility, you haven't got EDR on it, you're not patching it, whatever the reason is. And we've seen an instance where we've been part of the response team. You can see the threat actor logging onto a machine going, oh, that's got an EDR solution on it, it's one of the latest versions of the operating system and it's patched, and they back out. And then they land on another machine and they go, interesting, this one doesn't have EDR on it. It's an older version of the operating system and it's missing a whole load of patches. And they stay there longer, much longer. And actually, in most cases, they camp out on systems like that because they're in the shadows at that point. So, for us it's MFA, user awareness, managing vulnerabilities, asset management.

 

[00:50:05.430] - Ben De La Salle

Those are the kind of top common weaknesses.

 

[00:50:09.010] - Péter Budai

Yeah. Interesting. And it's not that surprising if you think about it. Okay, thank you very much, Ben. Unfortunately, our time is up. We have a couple more questions in the Q&A section. I will make sure that we answer these questions in writing later today or tomorrow. So, your question will be answered and you will find the responses later on. So, I would really like to thank our audience for their questions and their interest in our topic. And Ben, I would like to thank you again for being here with us today. And I would like to draw your attention to our next webinar in this series. It's going to be on 2 November, same time as today. I also would like to draw your attention to our website and the ICA Consultancy website as well, where you can find and discover more information on what we are doing and what Ben's company is doing, and you can also find the on-demand recordings of this webinar and all our previous webinars as well. Thank you very much for your attention, and thank you, Ben, for being with us today.

 

[00:51:50.050] - Ben De La Salle

My pleasure. Thank you very much.