#ExplainIT – Cyber security education
In our last #ExplainIT episode we discussed how the biggest bang for your buck when it comes to cyber security is in training your staff to make decisions about what not to click on, and when to call for backup.
This episode sees Steve, Matt and Harley chat about what cyber education for management and staff involves, and the benefits that come with it.
Here are the top three things you need to know:
- Technology catches lots of incoming threats, but there will always be a proportion that slip past your security software. By educating your team on what common phishing and spear phishing attacks look like and how to assess them, your team will develop the skills to identify these and act accordingly. A proactive approach helps to mitigate the costly risks that come with ransomware and other cyber attacks.
- Cyber training needs to be an ongoing process. With cyber risks becoming more advanced by the day, a one-and-done approach isn’t effective in the long run.
- Get your whole team involved, including upper management through to end users. It’ll help to build a culture of teamwork and healthy scepticism towards suspect emails or dodgy links.
Short on time?
We know the feeling! Check out these snippets from the episode or read the transcript below for a quick overview.
- Explaining cyber security education in 72 seconds
- What’s a phishing simulation and what does it involve?
- The ‘silver bullet’ of cyber security
- What does a successfully educated user look like?
- What’s the difference between cyber training for management and for end users?
“Okay, I’m convinced! How do I get started?”
We’re so glad you asked!
We’re currently running the following cyber security training workshops for both management and staff.
View the current schedule and reserve your place using the buttons below or by visiting Eventbrite.
Virtual workshops designed for busy managers and business owners
These sessions are designed to increase your overall understanding of cyber security from an organisational perspective, with the objective to:
- Flatten your cyber security curve; it’s actually quite easy to improve your cyber security posture
- Help you identify the valuable data within your IT systems, from the bad guys’ perspective
- Work out your “attack vectors” – how many ways can the bad guys get in?
- Discuss why addressing people and process gives you the biggest bang for your buck improvements
- Answer the burning question of “how much do I need to spend to be safe?”
No high-level policy or process talk; we’re aiming for 60 minutes with a break halfway through, and you can ask as many questions as you like. After the session we’ll send you a cyber security action plan and resources to help educate your team.
Instead of taking a registration fee, we will be donating the full proceeds from each ticket sale to Beyond Blue.
Cyber security training for end users
activIT systems’ new end user cyber workshops will help facilitate everything we’ve mentioned in this episode by educating your staff on what’s happening in the cyber world, what to look out for, and what to do if they do come across something dodgy.
With real examples to help your team make better decisions, targeted to the roles they’re in, there’s something for everyone in each session.
Don’t miss out – book your team in today.
Harley: Welcome to another episode of ExplainIT by activIT systems. I’m Harley and I’m here with Steve Edwards and Matt Rutter from activIT. How are you, boys?
Matt: Yeah, good thanks mate, how are you, Harley?
Steve: Waiting for Matt there – yeah, I’m doing well too mate, it’s all going well. And yourself?
Harley: Yeah good, good. It’s finally sunny again, that’s always nice, but we’re gonna be talking about some unsunny subjects today. So let’s start off with that thing called cyber security again. So today we’re talking about the most unreliable, inconsistent software to ever exist – humans. Our brains are brilliant, they’re unbelievable, they do amazing things and they have creativity that a computer cannot have – but they make mistakes. After all, we’re only human. So it’s something that when you come to a company, you find that they can fall into cyber security threats as a result of these mistakes, these little slip-ups that humans can make. So if we’re at total cyber security threat then we need education, but before we jump ahead to education and what that is and how you educate your staff, I just want to talk about the mistakes themselves. Matt, how do these mistakes happen, and why doesn’t our anti-virus software protect us from everything?
Matt: Yeah, that’s quite a common question I guess, we get that a little bit. The way your traditional antivirus or anti-malware software kind of works is, it looks for a specific signature in a threat that’s coming in, or it might look at, you know, the newer anti-viruses will look at specific behaviours that are occurring, so you know events A, B, C occur, looks a little bit malicious, and it will stop it in its tracks. The mistakes that we see more commonly happening nowadays are things like credential harvesting, and these come in through a malicious email that arrives in your inbox, it has a link that just looks like a normal sign-in page, be it Office 365 or Gmail, and you click on that and a very real-looking website loads and you go “oh this looks normal, I’ll put in my details”, you put it in and suddenly you know these threat actors have your credentials. Because these logins are extremely normal and quite common, it’s nearly impossible to prevent them all from coming through.
Harley: Yeah, I mean it’s definitely something that you see in your inbox, or at least in your spam inbox, every day or every week that you work in a business, these hackers are coming in numerous quantities, and they are unrelenting really. So when you do have this momentary lapse in judgment – and some of us may have had it before, some of us may have almost had it, where you’ve looked at something and considered it, thought “that’s real” but then something’s felt off – when you do have this momentary lapse in judgment, how big are the consequences? I’ll take that one to Steve.
Steve: Yeah mate, they can be pretty substantial. So I guess as an employee of a company you might not necessarily understand or realise the consequences. So let’s say for example if your email was hacked, so you have a business email compromise situation, so you have these bad guys floating around in your email system maybe for a week? Maybe a couple of months? What are they kind of looking at, they’re accessing your email system, maybe they are intercepting emails, maybe they’re masquerading as you and emailing people that you would normally email with for many different reasons. But some of the consequences that can kind of stem from that is you’ve got a lot of privacy implications that can stem from that very quickly. So imagine if you were like a marketing company and you were doing a direct mail-out on behalf of one of your clients and you might have, you know, ten thousand people’s names and addresses and that data kind of got out, then the consequence to your company as well – you could be liable for, you know, a privacy breach under the mandatory data breach notification laws that are in place as part of the Privacy Act. Then you would potentially need to go notify all of those people that you’ve had an issue. That’s not necessarily substantial in itself, but what happens if something occurs where, as a result of a user or a staff member inadvertently letting the bad guys onto the network or the computer, all of the data gets encrypted? So like a ransomware attack or something like that. A lot of businesses kind of grind to a bit of a halt while that is restored and, you know, contained. So you can have scenarios where a system gets breached, a ransomware attack occurs, the system is basically at a standstill. Nobody can really get a lot of work done, especially in small-medium business where you don’t have, I suppose, segmentation of networks and things like that on a wide scale.
The entire company can be very affected very fast and everyone’s sitting around twiddling their thumbs kind of doing nothing. Meanwhile the IT team, they’re working behind the scenes trying to contain the threat and give the all clear that we’re ready to rock and roll again, but as a boss of a company or an owner, you’ve got all your staff sitting there kind of doing nothing, you’ve still got to pay them, so you’ve got a lot of lost productivity and so on that can come from that. You know, maybe like lost opportunity costs and sales. But then you’ve also got to pay to get the ransomware issue fixed, and the forensic work that might need to go on to determine: do I need to now go and notify all of these people? Has there been a privacy breach, so to speak? And it’s quite often a double whammy because you’re attacked from this perspective that we’re holding all of your data to ransom, pay us, you know, however many bitcoin – you know, thousands or in some recent cases millions of dollars of ransom fees. And at the same time you can’t do any work, so you’re kind of stuck in the middle, you’re between a rock and a hard place, getting hit from both sides. That’s one of the biggest kind of consequences or ramifications that can occur to, especially, a small-medium business where if someone has just clicked on the wrong thing or made the incorrect decision on something, you can have this very, very wide kind of consequence, very fast.
Matt: Yeah, so I guess just to kind of follow on from that, a couple of real-world examples that we’ve seen fairly recently: you may have seen the Twitter hack that occurred in the last month or so? That was the result of a phishing attempt that came in, and then an employee at Twitter clicked the link and put the credentials in. As a result, all of these high-profile accounts were compromised and all these, you know, tweets for bitcoins and stuff started spewing out. If you look at the Garmin ransomware that’s occurred just recently as well, you know, that’s cost them upwards of 10 million dollars to recover the data. So the consequences are massive, they’re detrimental to the business, and also, you know, the ripple-on effect. So again with Garmin as an example, all the smart devices they’ve got stopped working, but also Garmin provides GPS for a lot of planes and that stopped working. Yeah, it’s always a ripple-on effect that you might not see at face value, but you know it’s detrimental to the business massively.
Steve: Correct, and without touching on it too much, that has this long-term kind of trust and reputation issue that can kind of stem from it. You know, “why would we go trust this particular company? They’ve been breached and they weren’t reliable, we couldn’t rely on them when we needed them.”
So big business can probably recover from that, but, you know, small-medium business, that can really hurt.
Harley: Yeah definitely, and these days a lot of customers are terrified about their data and how it gets used, so the fact that it can fall into the wrong hands is just even more scary. And that’s the sort of stuff that obviously businesses can’t afford to happen; even just on a marketing and perception level, it’s a real big problem for them. So let’s look at the positives now, so there’s not so much a cure as a preventative kind of measure, which is educating staff. So what is cyber security education and what does it really involve?
Matt: Yeah, so I guess education is probably one of the biggest components, I mean we can throw technology solutions at a business left, right and centre but unfortunately that’s not going to prevent people getting these emails coming in and clicking on links, and not being aware. So cyber education is making time to sit down with, you know, ideally the business owners and the managers, those high-level people who can push the solutions through the business, and just running through the different levels of threat. So explaining what phishing is, what spear phishing is, what examples look like, how they might get into the business, how to check an email for links. And then I guess the flip side of that is also how to respond if a staff member does click on a link, you know, what action should we take, should we advise our IT company – which is always a yes – and just keeping everyone up to date and aware. I guess education has got to be ongoing, it’s not a, you know, come to one session, learn a little bit and you’ll know everything. The threats are constantly changing, it’s getting worse and worse, so we need to keep that training ongoing.
Harley: Cool, so what’s the structure of that? Is it like one-on-one, is it a workshop, are we talking like an online course, like what is education, literally?
Steve: Yeah, it’s – we’ve tackled it in two ways. Coming out of COVID-19 we were doing a lot of, you know, virtual kind of webinars and so on, that was primarily aimed at management and owners of a small or medium business, really to help them kind of understand the risks that their business is facing, the consequences from those, and also their legal obligations as well, because they can be quite substantial. And a lot of the time business owners haven’t actually thought about all of these things, you know, they’re busy trying to run a business, so we’ve pretty much done our best to try and educate them on all of these things that they haven’t really thought about too much. A lot of them know that cyber security is a threat but not to the extent that it actually is. And that’s just been ramping up in the last six months. But from like a staff member perspective, it’s all about trying to help individuals make better decisions when they’re faced with a choice. So let’s say for example the email comes in. It looks legitimate, I am expecting an email from Australia Post or something like that, or a parcel, or I’m expecting an invoice or a purchase order to come in from a client. What are the tell-tale signs that this is not what it seems to be? So it’s all about trying to help them make that correct decision. Easier said than done, because a lot of the time the bad guys are extremely clever, and they know what works and what doesn’t work. You know, it’s all about law of averages: if I can trick, you know, x percent of people, well I just need to send more copies of this email out, and eventually they’ll get someone. So it’s really about just trying to help the staff members make those correct decisions when faced with that choice. Should I click it? Is it suspect? What should I do in this scenario?
Cyber security in itself is a very complex topic, so when we’ve been doing these sessions we’re trying to make them a bit of fun and have a bit of a laugh, try and get people involved. There’s no point in us just doing a lecture as such because the information is not going to sink in, so it’s got to be a little bit interactive and actually have practical examples. There’s only really a handful of threats which impact the end user or the staff member kind of directly? The ones that they can kind of let through? A lot of stuff happens behind the scenes but staff members don’t see that information, like vulnerabilities on systems, they don’t need to know about it. It’s not across their day-to-day life, but it’s emails coming in, dodgy websites and things like that, the stuff that they have the potential to bring into a network or into an email system for example, yeah, that’s the stuff that we really focus on. So there’s really like three or four main topics that get covered off, and examples.
Harley: Cool. So when we’re talking about a business that might think they know enough, or just haven’t really thought about whether they know enough, how do they know that – when they need awareness and training? Are there signs that staff don’t know enough? Are there things that you can see, like let’s say you asked your staff some questions and they came up with certain answers, you’d go “wow, we need to send them to a class”. What would they be?
Steve: Yeah, I might grab that one. I think the one that we see all the time is, we get the call from like the manager or the supervisor at a company, “oh my staff member just clicked on this thing”, which is the bad way to go about it. We’d rather they send it to us or, you know, send it to their IT provider, say “is this suspect?”, even cos they’ve got this kind of little sceptical edge to their thinking and kind of questioning of whatever’s been placed in front of them. So when they go and question it, that’s fantastic, that’s pretty much the first step. Then they can send it to their IT or even ask someone else in the office to have a bit of a quiz – “what do you reckon on this, does it look legit?” So they’re the signs that things are okay. But it’s when they’re clicking on things, or they ring up “oh I just clicked on this link, it didn’t go anywhere, can you check it out, is it a dodgy link?” and they’ve popped in passwords already, then we’re going to do potentially like a password sweep across various accounts and so on. So managers can – I suppose the ultimate answer is everyone needs education and awareness, but there are certain roles, I suppose, that are more susceptible to receiving this type of information, so when you’re dealing with like the public or third-party suppliers, people in accounts and sales departments, they’re going to receive this stuff generally a lot more than someone that might be working in a warehouse, for example.
Harley: Yeah, got it, got it. That’s quite interesting, it’s funny how people tend to take that step first and then they’re scared they’ve done something wrong, and they need to wind it all back. So it’s a bit scary when it comes to it.
Steve: It is, yeah, and especially over like the last six months where a lot of people are having to mobilise to work from home, the technical aspect of it doesn’t exist anymore in terms of this decision-making, because like in my own case, you know, I’ve got a couple of kids at home, I was trying to do work and home-school kids at the same time, and that is echoed across, you know, most of the world. You get stressed, you’re busy, you’re trying to accomplish things, the email comes through, it’s the end of the day, you’re ready to knock off but you know you’ve got to get these last few things done, and you’re not thinking straight. And you just click on the link because you just want to get work done, it’s quarter to five, I need to hurry up and get done, so even with the best intentions, the brain is easily tricked by some of these bad guys. And the bad guys test and measure, it’s just like marketing, you know, they test and measure what works and what doesn’t work. They’re not going to do what doesn’t work.
Matt: Yeah, that’s spot on. They’re very crafty, so a lot of these threat actors have learned that a large percentage of the workforce has started working from home, so, you know, previously in an office your manager might sit in the same room as you, so you might not usually get an email from them because they can just speak to you. Now that everyone’s working from home, getting an email from your manager might be more common and those threat actors are capitalising on that, trying to impersonate upper management to get your staff to do certain things, click links, enter credentials. And that’s a lot more successful now, because yeah, it’s not the norm yet.
Harley: Got it, got it. So you guys are passionate about this and obviously you pick up a client that you’re doing their full IT service for, and you’ve put all the stuff that you do from your end in. What would activIT systems do to educate clients? What do you do for your current clients now to make sure that these breaches don’t happen?
Steve: Yeah, so it’s pretty much across three levels. I’ll – Matt can talk about, I suppose, the technical side, but I’ll go on – the two main levels where a lot of risk gets mitigated is the user education, so we have to be able to educate the managers and owners that the cyber security threat is real and substantial, and the potential consequences to their businesses if they don’t start to take some form of action. So that’s on one level; the second level is from the user education side, so, you know, we love getting people into our office here, we’ve got a room set up at the back which is fantastic for workshops and we can literally sit down and have a bit of a laugh, but actually talk about this very complex topic and how to help them make those correct decisions. It’s really giving them the information and the tools to make that decision-making process easier. So that’s a bit of fun and the feedback thus far has been really positive, and I’ve probably seen, I suppose anecdotally, that we get involved with a lot more information? So a client who does the workshop, they’re a lot more sceptical of what’s going on within their inbox and the things that they’re clicking on. So their awareness is heightened, just as a pure result of attending it. Then I suppose on the next level it’s very boring policy and procedure, which is more like middle management kind of stuff. We set that up kind of behind the scenes and educate the managers and the staff on the important things to do and what not to do. That’s on a company kind of level. There’s a lot that we can do on the technical side which I’ll hand over to Matt to quickly bounce through.
Matt: Yeah, no worries, thanks Steve. So from the technical aspect there’s a few things we want to get up and running fairly quickly. We also want to get some kind of email filtering or gateway in place, we want to be aware of the kind of threats coming to people’s inboxes. We’re not going to catch all of them, but if we can catch, you know, 75 to 80% of the threats coming in, that’s a massive chunk of security that we’ve dropped in one hit. We do a lot of phishing training, so we’ll compile like a phish threat series, it’ll email the clients out at random with a potential phishing email, it’ll try to get them to enter their credentials, and if it pops up we’ll get an alert saying, you know, “such and such has failed the test”, and from there it gives us a nice curated list saying “these 10 people, we should probably look at doing one of our phishing training classes.”
It’s not a, you know, name-and-shame type scenario, but it’s more just being aware of, you know, “30 people got sent this email, 10 of them clicked on the link and entered their details – that’s a pretty high catch rate, we should really do something with that client fairly soon”. If, you know, same scenario, we sent 30 emails out and only one or two of them clicked the email, well that’s pretty good and we’ll still do the training with those staff, but we know that across the board they’re generally pretty aware of the threats going on and the things that are happening. We can also drop plugins into your Outlook which will, you know, if you get a suspect email and they’re a bit unsure about it, instead of having to forward it to IT or pick up the phone and call us, they can click a button, send an alert to us and we can do an assessment of that email on the spot, confirm if it’s malicious or fine, and that will alert that staff member relatively quickly.
Harley: Wow, that’s really high tech.
Steve: The phishing simulation is actually a bit of fun, because we basically have to pretend that we’re bad guys, and kind of construct these phishing simulator, phishing campaigns where really we just want to trick people. There’s no like malicious harm that comes from the test other than maybe a bit of a battered ego or bruised pride or something like that, but it’s very useful to see “okay, well like 30% of the emails that we sent to this particular company, they were opened very quickly and a large percentage of those people clicked on them – and two of them actually put in their username and password into it!”
So we can actually provide this information back to management as well, say “okay, this is the baseline of where your staff are at the moment, they’re click-happy, or they’re really good”, and then we can go through this training process, and we actually measure a bit of improvement as well. So we run the same kind of simulator a couple of months down the track, for example, and they have not clicked on anywhere near the same volume. But that’s like an ongoing type thing, it’s always like this gentle test and probing to basically try and trick them. There’s a bit of fun on our end, but probably not for the clients.
Harley: That’s genius, that’s genius, I love that idea.
Steve: And it’s surprisingly cheap to do as well, and very, very easy to set up.
Harley: Awesome stuff. So once you’ve done this training and these staff members who, you know, perhaps didn’t know as much before now know more, what does that look like? What does the ‘successfully educated’ user look like?
Steve: I’ll tackle it. I suppose they become a lot more sceptical of what is going on; what’s placed in front of them gets questioned a lot more. They’re a bit less complacent with the things going on within their email inbox, within things like websites and so on. Their awareness is heightened because they understand that “the company that I’m working for takes cyber security seriously, I should therefore take cyber security seriously. They’ve sent me on the training course and the rest of the team have done this training as well, as a unit we are more aware of what’s going on.”
So not only on an individual level can they then kind of have this level of scepticism and questioning of these kind of emails and contents, but the rest of their team is there to back them up as well. So they can ask the person sitting next to them “what do you reckon of this? Does this look suss to you?” And they’re going “well, I’m not sure, send it to IT” or yes. Things like that, and it basically adds a new kind of thought process or increases the frequency of that thought process. You can get some spam emails which are obviously dodgy, but you get some which look absolutely legitimate and it’s not without a very fine-tuned kind of, fine-tooth comb that you can actually spot that they are dodgy.
Matt: Yeah, we would rather a client ring up and, you know, report 10 false alarms than click on a link. So we would rather you call up just to question it, have us double-check it, you know, that’s what we want to hear, we want to be able to go “no, that’s completely fine, but good on you for kind of second-guessing and having a look” as opposed to just clicking a link and then kind of going “oops, shouldn’t have done that!”
Harley: Yeah definitely. And some, like Steve was just saying, some are really convincing. I’ve heard one horror story – well, almost horror story, thankfully – where a client actually got an email that they were expecting saying “can you pay to these details instead”, and he was old school, so he was going to go to the bank the next day and pay it, and so he had the whole day to mull it over and he thought “no one was cc’d in that email? That’s weird, usually there’s four or five people cc’d in that email?” So he just had this hunch and he sent an email to the person and said “hey, did you get this approved by this person?” and she said “what email did I send you?” and suddenly the investigation was on, the IT swept in basically like the police and sorted everything out, and thankfully nothing was handed over, but there had been a breach. So it can get really scary in that situation.
Steve: That’s right, and there’s two elements to that. So obviously somewhere along the way there’s been an email system compromised. So not only are they trying to do like invoice fraud or purchase order fraud, which we see quite often, how long have they actually been in that email system and what other information have they gleaned out of it? Have they been silently forwarding all of your emails off somewhere else? So the ramifications could be kind of twofold on that side, but that’s something we see quite a lot: somewhere along the way an email system has been compromised, somebody’s impersonating somebody else, and it happens a lot. And the general public, yeah.
Harley: Yeah definitely. So just to cap off today, one final piece of advice to a business thinking about educating their staff, what would you say your one, let’s say your silver bullet of advice is? We know there’s never a silver bullet, but if I’m gonna force you into one?
Matt: Oh, come to one of our workshops? You know, come to our office, maybe just give us a call, chat about cyber security. But yeah, come sit down at one of our workshops, see some real-life examples of what could happen and the consequences. I know it’s a bit of a cop-out there Harley, but I’ll stick with that one.
Harley: No, self-promotion, that’s what we’re doing, that’s what we love.
Steve: And I suppose mine, Harley, would be that the single biggest way to mitigate or minimise the cyber security risk to an organisation is to get all of the staff on board and understanding what’s going on. If you can increase their awareness and education surrounding it, you’ve made a massive improvement, or a reduction in the general risk that’s being faced.
Harley: Awesome. Thanks gentlemen, this has been an eye-opening 30 or so minutes that we’ve spent here on ExplainIT, another great episode. So if anyone’s interested in looking at an educational sort of workshop on cyber security, please get in touch with us at aitsys.com.au, head to our website and let’s have a chat! Thanks guys and we’ll see you next time!
Steve: Thanks Harley.
Matt: Thanks Harley, appreciate it.