Top Business Tech held caught up with Cybersecurity Specialist for ESET, Jake Moore, who emphasizes the need for a cybersecurity culture in the workplace.
Top Business Tech held its first webinar, ‘Cybersecurity: Fighting back with AI’ , where we, caught up with Cybersecurity Specialist for ESET, Jake Moore.
Moore previously worked for Dorset Police, spanning 14 years primarily investigating computer crime in the Digital Forensics Unit on a range of offences from fraud to murder. Within law enforcement powers, he learnt how to retrieve digital evidence from all devices whilst engaging in various ways to break security to help protect innocent victims of cybercrime ethically. He then became a cybersecurity consultant for the police delivering tailored advice to the public and local businesses to help protect the community and build upon their security foundations.
As IT leaders know all too well from the last year, cybersecurity threats have continued to climb at an exponential rate. In addition to this, the nature of the threats has changed. This shift has been attributed to the cybersecurity risks posed by remote work and cloud migrations that organizations carried out hurriedly.
Cyberattacks impact companies of all sizes
“It always comes down to the size of the company,” says Moore, “A smaller company does not expect to be the subject of an attack, and so they don’t put the resources into cybersecurity. Even if they’re aware of the resources, they don’t spend money on them, because they think they’re expensive.” He notes that employees in smaller companies often wear “multiple hats” and are often stretched thin or lacking in extensive security knowledge. He explains that cybersecurity strategy funding and implementation often falls to year two or three for a small company, but this leaves startups and scaleups extremely vulnerable to attacks. This is why its essential that smaller companies move from a reactive to a proactive mindset.
Moore says that larger companies often think that they are actually secure as they offer training, but the culture is missing from the workforce. “Staff are tired of hearing the same training every year. It just becomes a ‘tick-box’ exercise.” With this training fatigue often comes a decline in awareness of cybersecurity threats. When this is paired with the threat posed by attackers that harness AI to launch attacks on an organization, companies of all sizes are at risk. Larger companies will then have the ICO to consider in the wake of an attack. Moore acknowledges that there is a need for large companies to be held accountable for shortcomings in data protection, but also believes that fines should be spent on bettering cybersecurity capabilities. The third post-attack issue is the breach of customer trust, and the loss of potential customers.
Organizations of both sizes need to educate their employees, and ensure an active culture in cybersecurity awareness. Moore is fond of fishing simulations, but only when done right. “I think phishing simulations can have a double-edged sword attached to them.” He goes on: “Employees may not know how to report a phishing email when it comes through. In the event that they do fall victim to a scam, they should not be chastised over the mistake, as they will likely already feel terrible, and need to be educated instead of punished.”
Moore emphasizes that deep fakes are “amazing technology,” and have become exceptionally sophisticated, and the rise of ML has enabled attacks to scale drastically. Employees may not even know that technology of this kind exists, so organizations cannot punish them for an education that it failed to deliver. Machine learning in cyberattacks has also challenged organizations and their public data. Moore references the Facebook attack, that scoured public information from public Facebook profiles on a colossal scale. Though Facebook denied this as a breach, as the information taken was public, it certainly draws questions toward brand trust, and the need for organizations to educate their employees and customers.
Small organizations and tech giants are not immune to these ever-evolving attacks, and organizations and employees need to remember that this extends to communications platforms. Zoom, Slack and WhatApp all pose varying cybersecurity risks. Moore recommends Signal, a non a cross-platform centralized encrypted instant messaging service, where users can set images and texts to delete after a certain period. In addition to these new communication platforms, email remains at the heart of both communication and phishing attacks. “We may not all use Signal, or WhatApp, but we all use email,” says Moore. Long past are the days of poorly worded emails from Nigerian princes requesting banking details. Today’s phishing emails are created from algorithms, and often have an acute understanding of human psychology, the best of which can impersonate an employee’s boss, or play on a user’s personal weakness.
- Dot the I’s and cross the T’s: data management requirements for the legal sector
- Hackers target home Wi-Fi routers to steal data
- Data security and compliance: why prevention is better than cure
- 4 easy tips for to ensure data protection
Moore’s advice is simple: “remain cautious.” Any request for personal details should always be treated with scepticism. We are now in an age where attackers can even remove two-factor authentication. An attacker can steal a ‘one-time code’ for authentication once typed in. At this point, the user has invested in the belief that this is not a scam and is authentic, but Moore urges that even a flicker of doubt should halt the user from progressing forward. Of course, this is easier said than done when scams are so convincing, and Moore reiterates that employees should not be punished twice for falling for a phishing attack. “Though they can be annoying, quizzes are a good way to educate employees.” Remember that an organization will never be completely protected, and threats are ever-evolving, so defences need to evolve with them. An organization’s commitment to security must never stop.