Spill the IT Ep16: Security at the expense of usability comes at the expense of security

Intro (00:05):

Welcome to the Fasthosts ProActive Podcast: Spill the IT. Each episode we'll sit down with some of the amazing ProActive team and chat through their experiences of the ups and downs of IT infrastructure management in small businesses. There's always plenty to chat about.

Charlotte (00:27):

[inaudible 00:00:28]. Hello and welcome to the latest ProActive Podcast episode. I'm here with CJ, who is senior principal engineer at ProActive, and we're here to talk today about security's missing link, which is all about how you engage users, how you educate users, to help reduce security risks. But before we get into that, CJ, I think you'll do a much better job of introducing yourself than I possibly could. So please go ahead.

CJ (00:55):

Wonderful. Yeah, so I'm CJ. One of my job titles is senior principal engineer. That's my main role, but I'm also the information security manager for the wider group in the UK, for TechOps. So that leads me very much into, I live and breathe technical security, but I'm also heavily involved in org sec, which is things like ISO27k compliance and other items like that. So yeah, this is my bread and butter.

Charlotte (01:20):

I bet you've got a lot of interesting war stories you could share.

CJ (01:23):

Unfortunately I can't share them.

Charlotte (01:24):

I know. We won't name the innocent or the guilty. So just generally talk us through the overall landscape here because we all work in companies, we all inherently know what goes on and what the risks are, but just what does the overall landscape look like in this area?

CJ (01:45):

So it's ever-changing and it's ever-evolving, and this is part of the thing that keeps people like me in business, but also makes things really tricky on occasion. We've seen many different trends, certainly over the past three, four years, certainly with global events like the pandemic and so forth, which have changed the security landscape, changed how things happen. Just switching back to that topic for a moment, the whole, everybody working from home, suddenly changed a lot of dynamics in the office environment. A lot of the security controls and protocols that may have been in place, and at the drop of the hat, they had to all be changed, and be updated, and try and get users engaged with that. Because as we said at the beginning, this is very much the missing link.

(02:25):

You can have all of the technical controls and technical great bits of hardware that do everything for you, all of this monitoring, you can have all of these policies, and all of this documentation that says what you should do when and so forth, but if the people in between can't link the two, or can't react to one or the other, then we've got a big problem. And it is a really tricky thing to solve, and certainly we found that moving much more into a culture whereby... I was about to say we make security fun, we don't, but trying to remove, and it's certainly something to come on to later, trying to remove some of the blame culture around security reporting and topics. Trying to get people to understand why it's there.

(03:05):

It's so easy and I've seen it so many times, people like, "Why do I have to do this? It's stopping me from getting this done." It's like, because if we don't do it, there's all of these potential repercussions. One thing that's really helped in the landscape over the past few years has been some really big high profile incidents. Obviously I'm not going to name any of the third party external companies, but there's been some multimillion pound incidents which have occurred through a lack of adopting just basic security practises in some cases. And when you start seeing those kind of fines coming in or those kind of damages, and certainly when you add reputational damage on top, it's huge.

Charlotte (03:41):

It is huge, isn't it? Yeah, and it covers a wide spectrum, doesn't it?

CJ (03:44):

Yeah.

Charlotte (03:44):

Because you've got data protection, obviously the equivalent of GDPR, you've got ransomware, you've got all sorts of different threats that are, as you say, ever-evolving, which makes the landscape much more complicated, I would assume.

CJ (03:58):

Yes. Yeah, absolutely. Ransomware, it's a great topic. We could spend the next three hours talking about how that's evolved, but again, we've seen really big companies hit by this kind of stuff. And certainly if you look at general media, there's a lot of conflicting stories about what people should be doing if they come under attack, and how they should handle it, and so forth. There are some really simple things you can do that help protect you against ransomware attacks from a security, technical point of view. But there's also some really, really good things of just educating users of the age-old, don't click on links you don't recognise and all that kind of stuff. Excuse me. But then again, that's another one whereby you can just say that to people and you can even make them click through a security questionnaire once a year so you've got a tick box, but until somebody actually realises and understands what could happen when it goes wrong, because everybody always thinks, "Never happen to me," right?

Charlotte (04:53):

Well, it's human nature, isn't it?

CJ (04:54):

Yeah.

Charlotte (04:54):

We all coast along quite nicely until something does happen and then we go, "Oh, why didn't we do something about that?"

CJ (05:00):

I've got this wonderful thing that I like to say to people is, I never got into security to make friends because we're never the people that everybody wants to come and talk to, until there's a problem. And then suddenly everybody wants to be your friend. Everybody wants to get you on board. And what we are trying to do, or have been doing much more over the past few years, is it's just moving that relationship just a little bit further on in that engagement and getting people to understand, hey, I know it's a bit of a pain, but this could be so much better for you if we do this in this manner. And sometimes it's just not even a lack of wanting to do these kind of things, just a complete blank spot around a particular topic. And until you go through that reasoning as to why something's happening, it's not always clear.

Charlotte (05:45):

No, it's not. And again, it's human nature, isn't it? It's understanding the why, is so important, but you have to relate it to that individual in a way that makes sense to them. I've seen it, across the board, when you've got two-factor authentication for example, which is obviously now being, well, it's pretty widely adopted, but people get cross with it.

CJ (06:12):

People get angered. I'm so glad you brought this up. It was a topic we were talking about internally the other day, and part of the issue we got, although certainly for those of us in security and tech, we understand why 2FA is a great thing, but the concept of what 2FA is, and how it works, and why it protects you is very often just not understood. If I talk to my parents and say, "Hey, have you enabled 2FA?" They'll say, "Well, I've heard of this 2FA thing. I've got no idea what it is. It sounds like a pain, I'm not going to do it."

Charlotte (06:41):

Yeah, exactly.

CJ (06:43):

One of my other favourite phrases in security, and I think I said this in the last podcast, is security at the expense of usability comes at the expense of security. If you make something too hard and too difficult, people just stop using it. So one of the other things we certainly do is we just try and simplify everything, make it as easy to use as possible while still remaining secure. And certainly with things like 2FA, we're still working this out in the industry, right? Because it's still not always straightforward to get 2FA working.

Charlotte (07:11):

It's not.

CJ (07:11):

But the benefits are so huge, we need to solve this problem and we need to get it so that people are using this kind of thing on an everyday basis.

Charlotte (07:17):

And that is a really good point because there are some 2FAs that require you to download an authenticator app. Now, if you're tech-savvy, you know what that is.

CJ (07:28):

Absolutely.

Charlotte (07:29):

To a general user, they're going to have no idea why they had to download this app and how the magic numbers in the app connect to the QR code that they're trying to download.

CJ (07:38):

And it gets even worse than that, in that if you are a malicious actor, then it becomes very, very simple. It's like, hey, I've put up this phishing page and go, "And by the way, you need to download this app. I'll send you the link to this app, download it to your phone, and everything will be secure." And again, just getting to user's minds, certainly those kinds of things, you just need to look twice at them and understand, well, hang on a minute, what am I actually downloading to my phone? Let's just have a look and see what this particular app is trying to do. Is it from a reputable source?

(08:05):

All of that, I hate to use word paranoid, but those of us in security, the reason we've got into this is we're paranoid about these kind of things. We triple check them all the time, and we're still trying to come up with this way to make this a user default. Certainly when it comes to a techie business or, well, any business, but it's much simpler in a techie business, to get people understanding, hey, this is what you ought to be doing. And what we have found is once people are doing it on a regular basis, it just becomes second nature and that really solves the problem.

Charlotte (08:36):

Definitely, because it's all about usability, isn't it?

CJ (08:38):

Yeah.

Charlotte (08:38):

And it's, like you were saying about malicious actors as well, what we've seen historically over the life of IT, is they're often the ones that pioneer the really easy ways of doing things-

CJ (08:48):

[inaudible 00:08:49].

Charlotte (08:48):

... because they get more responses, don't they?

CJ (08:50):

And this is where you find some of the... So we engage with pen testers, certainly on really important stuff, and we'll use sometimes internal pen testers, we'll use external ones and so forth. If we really want to test something, we'll engage one of a set of companies we use that use people who used to be the bad guys because they're the best. And when that roll turns around and we've got these people [inaudible 00:09:15], those are really interesting conversations. And this is an artillery approach to a subject that most people won't need to do, but it's a really interesting thing to get into.

Charlotte (09:27):

Definitely, and going back to what you were saying earlier about blame culture because I think a lot of these malicious attacks are very sophisticated. We've seen it where you've got the CEO is being mimicked in an email, and telling somebody to make a payment, and it's written in their tone. And there there's lots of... It can be quite difficult to tell malicious from standard, and I think people sometimes feel a bit silly and a bit ashamed when they fall for it.

CJ (09:59):

Yeah, absolutely. It's a business email compromise, exact scenario you're talking about. Those tend to be quite personal and quite sophisticated, and those are the really hard ones to get people to own up to because, yeah, people will generally feel quite embarrassed that they've been caught out by it. And again, if you've got people who are security savvy that you can talk to, they'll run through a few things that you can do to check these kind of things out. But people get caught out all the time. That's why they're so lucrative. By and large, your normal people, your everyday, aren't going to typically get these personalised attempts to get large amounts of money out of a corporation. As I say, they do happen, but they are much less frequent because they involve a lot of time on the threat actors' behalf. Most often, most people are getting things through to them typically via email, which are a complete scatter gun approach.

(10:52):

It's not personal, it's not targeted. Somebody has a list of two and a half million email addresses and they're sending it, and if 0.01% fall for it, they make a lot of money. And this is another important part in this blame culture is, you have not been targeted. This is not personal. You don't need to feel that somebody is having [inaudible 00:11:10]. How many enemies do you have, that you [inaudible 00:11:12]? But by owning up to it, if you do make that mistake, it makes, certainly us in the security scene, our jobs is so much easier because we've caught the thing much earlier on and we can start looking at, okay, where did this come from? How can we fix this? Right? Change your passwords, change your credentials here. All of these kind of things can be brought into place really early on. And the other important thing is, somebody will find out eventually, it's just one of those, if you just hold your hands up, everybody there's like, "We all make mistakes. We can fix this. Just help us out, make our job easier, everything will be better."

Charlotte (11:47):

Yeah. Well, and organisations play a role in that, don't they?

CJ (11:49):

Yeah.

Charlotte (11:50):

By not penalising people for-

CJ (11:51):

Yes, absolutely.

Charlotte (11:54):

... like in the airline industry, for example, pilots have a three-week amnesty to report incidences, and that is designed to stop that blame culture. [inaudible 00:12:07] organisations have a role there, don't they?

CJ (12:08):

Yeah, and I like it when other industries mimic the same sort of ethos because, for me, it proves that it's the right way to go. If other people, certainly things like the airline industry, you make a mistake there, we're not just talking about, oh no, we've got a fine. There's lives at risk, there's lots more at stake. And if they're using this ethos of, if you spot something or you do something and it's wrong, and you own up, we will fix this, we will go through it with you and you're not to blame. Now, don't get me wrong, there's a big difference between just random acts of... What's the right word? Accidental issues and so forth. Gross negligence on a regular basis. That's a whole different thing.

Charlotte (12:49):

That's different. Yeah, absolutely. Yeah.

CJ (12:51):

But for all of us, normal, and I use that inverted commas, all of us normal people, it's just report it. Just let people know and we'll get it fixed.

Charlotte (13:01):

Yeah, just sort it out. So continuing the theme of talking about organization's role in these areas, what's the best way for them to manage all of this security element, in terms of user engagement?

CJ (13:16):

So if you can, offload some of it to somebody who knows all of this stuff inside out. So if there's a part of your business that you don't need to manage yourself and somebody else will manage, not only that part of the business for you but all of the security topics on top of it. Obviously you can see where I'm going here, I work for a company that does this kind of stuff, but it is a genuine point. It's like any other part of your day-to-day business. If you don't know how to tile a floor, get somebody professional in who will just do it and will just do a much better job than you, much, much quicker because they do this all the time. They live and breathe it. They've got experience, they've got all this kind of stuff. But that doesn't mean that using, again, the DIY analogy, if a light bulb needs changing, you should be able to change a light bulb.

(14:02):

So there's some basic things that you should be getting your staff, your users to get on board with. Certainly, credential management is such a huge one, and I joked with one of the marketing team here is like, hey, let's do two hours on password managers. It's a big favourite topic of mine. [inaudible 00:14:19]-

Charlotte (14:19):

I can't see why they didn't go for that. [inaudible 00:14:21]-

CJ (14:21):

Yeah, it's surprising. But it's a big, huge thing, and there are some really easy, points A, B and C, that a company can do that massively improves how credentials are managed and what will happen if somebody gets hold of some of those credentials. And we'll just use the top one. If you are using the same credentials for every single login and you've got the same password and the same, let's say, Gmail account, or other providers are available. If you are using the same credentials, as soon as one of those is compromised, they have access to everything of yours. That's your social media profiles, any of your online shopping, all of these kind of things. They have access to everything. And that's a really tempting target for the bad people.

Charlotte (15:05):

Definitely. Definitely. I'll just make a note. So how do you get users to do what they're supposed to do? Because we're all people, human beings like to find shortcuts and avoid blockers. So how do you do that?

CJ (15:20):

So part of it is providing tooling. So back to the technical aspect, there are certain things that can be provided which will massively help out with things like, again, credential management. Use a decent password manager, it will solve 90% of this for you because you'll then get to a point the usability is back. I want to log into online shopping, and you go to the webpage, and you do your face ID or whatever, and it will just put in those unique credentials for just that one particular site that you're visiting. If that online shopping vendor gets compromised, gets ransomwared... Ransomware is less of an issue in... Let me rewind there slightly, ransomware doesn't count for this.

(16:00):

If that online vendor gets compromised and your credentials are then stolen because they haven't stored them in a secure manner, they've only got access to that one online shopping account, they don't have access to the rest of your life, and it's just such a big huge one. But the other part is, again, just getting people, same with every other aspect of your life. It can be daunting to start with. It can be a pain to start with. When you first start driving a car, every time you go out, it's like I'm having to think about so many things all the time going on. I just wish it was easier. After 10 years of driving, it's second nature. You're thinking about other things on the way to work and it's just becomes something that's habitual and is no longer a problem.

Charlotte (16:43):

Yeah. Yeah, and yeah, it's a good point, isn't it? Because, and I think it is all about communication and education, isn't it?

CJ (16:52):

Yeah.

Charlotte (16:52):

I think just constantly not making it difficult to understand or scary, and like you say, and addressing the blame culture.

CJ (17:00):

Yeah.

Charlotte (17:01):

I think that's good.

CJ (17:01):

And I think part of that is also adding on a personal touch because, and I've seen this certainly in companies whereby, yes, the education's there, but it really is a log onto this online web portal and fill out this quiz. There are 27 slides for part one. Each one will take five minutes to read through and you just switch off. Whereas if you can make it certainly something you're either engaging on a personal level, just over the getting a cup of coffee chat, or something else like that. But also just, excuse me, but also just on things like whereby getting people to watch the right webinars, with the people who are actually personable and engaging, and actually show you real world examples and not just some randomised online portal-

Charlotte (17:49):

Yeah, theory.

CJ (17:49):

... that's making up scenarios that aren't going to happen. And one of the other things we quite often see, is people will go through those, because they have to be a tick box exercise, everything is like, "Oh, well, Marie has stored her password on a post-it note on her monitor. Can you spot in this picture what might be the [inaudible 00:18:05]"

Charlotte (18:04):

Yeah, it's very obvious, isn't it?

CJ (18:08):

Yeah, even the least security focused people are going to get it and they switch off. Whereas with a personal approach, you can just find those spots which are missing, and just tackle those ones, and then just get users [inaudible 00:18:19] to upskill, and to get engaged in it. And depending on the sort of business you're in and the staff you've got, you can even gamify it. You can just start getting people, right, okay, let's just go through it. What's happening here? Who's working out this the best? Who's going to develop A, B or C for me because that will sort that out? So it can be a fun thing.

Charlotte (18:40):

Mm-hmm. Yeah. Yeah. Good. And so just to finish then, and I think this would be useful, particularly for SMEs, because obviously that's the core target audience for ProActive and who I think are probably most vulnerable to security threats. And I think all of this has been great, but if they do, especially ransomware, because I think it's the one that people are scared of, what should they do if the worst happens?

CJ (19:12):

So some of this is my personal opinion as against anything else, and some of it is industry standard practise. And the biggest win you have here is having a really, really good backup routine, which is tested regularly. And I talked about this on the last podcast that I was on. It's so critically important and by a good backup routine, that's regular backups, which are stored, not connected to the same network, and this is an important part. And there's different ways of doing that from USB sticks in a drawer, which is segregated from everything else, to using online cloud backup things where you can only send it, can't pull it, you can't destroy it, and all this kind of stuff. So having a really good backup routine means that if you get ransomwared, your critical data is still saved from at least let's say 24 hours ago. And that doesn't tend to cripple businesses to the point of no return.

Charlotte (20:03):

No.

CJ (20:04):

That's the important part is, if malware hits you, and it's ransomware, and it takes all of your data, will that make your business collapse? And if the answer is yes, you need to do something about it. If you are unlucky enough to get ransomwared, the industry guidance at the moment is, you don't pay them and you also don't pay any third parties to say they can do it for you. The third parties who reportedly will say, "Hey, don't worry, we can work this out for you." By and large, they are people who will then communicate with the ransomware providers on your behalf, get a discount, and then just basically charge you 50% of that.

Charlotte (20:38):

Oh, right.

CJ (20:39):

Yes.

Charlotte (20:39):

Oh, that's interesting, and very devious. Gosh, I feel [inaudible 00:20:44], I was not expecting you to say that.

CJ (20:46):

Okay.

Charlotte (20:47):

Yeah, that's really interesting. I think, and backup, that's a good point actually, isn't it? Because I think a lot of people assume that, just because stuff is hosted, it's being backed up, but that's not always the case, is it?

CJ (20:58):

Absolutely not, and again, certainly with the services we provide, there's various different backup concepts that they're in. Use the right backup concept that's right for your product. If it's something ephemeral, it doesn't really matter if you lose a week's worth of work. We don't need to go down the absolute belts and braces. But if, as I say, if it's business critical, then that's super important. On that same basis, you need to make sure that [inaudible 00:21:24] that backup all the data you've got. If you stop using it, you need to make sure it's securely destroyed as well. This is another really important attack vector whereby people are just pulling age-old backups off of some cloud platform somewhere, which hasn't been encrypted, hasn't been stored correctly and safely.

(21:39):

One of my other favourite stories, and you can cut this bit out if we don't have time for it, of a company who was very careful about shredding their physical documentation. And they made sure that all the business critical stuff went through the shredder. Two people made sure that it went through the shredder, and this was fine. And then they found they had a leak, and this documentation, which they had been physically shredding, some of it was coming to light at some of their competitors. And this was obviously a major issue, and it wasn't until they called in somebody from a security firm, who very quickly then found that some nefarious party had installed the strip of a scanner into the input of the shredding machine.

Charlotte (22:18):

Oh my gosh.

CJ (22:19):

Which then had WiFi, which then sent the paperwork off to somebody else. So every time I went through the shredder, the first leading page was sent off to one of their competitors.

Charlotte (22:26):

That's insane. Yeah, see, it's very sneaky, isn't it?

CJ (22:29):

Very, very sneaky.

Charlotte (22:30):

And if you don't think like that, you wouldn't ever consider that, would you? You'd think, "Oh, I'm shredding. I'm doing the right thing."

CJ (22:34):

Yeah.

Charlotte (22:35):

Oh my God. That's crazy. Well, thank you, CJ.

CJ (22:38):

[inaudible 00:22:39].

Charlotte (22:39):

That was great. Very insightful, and I've definitely, I think it's prompted me to go and do some things, especially change some passwords.

CJ (22:46):

Wonderful. We won.

Charlotte (22:48):

I know. I suddenly feel a bit scared, but no, thanks for your time.

CJ (22:51):

Thank you.

Charlotte (22:51):

And look forward to seeing you again soon.

CJ (22:52):

Absolutely.

Charlotte (22:53):

Thank you.

Outro (22:54):

Thank you for listening. We hope you enjoyed this episode. You can subscribe on Spotify or Apple Podcast, or visit proactive.fasthost.co.uk for more info. See you next time.