This week, the Guru had a quick chat with SecuritySmart Founder and Editor, Robert Schifreen.
What is your background and history within IT and cybersecurity?
I’ve been in the industry a long time, on both sides of the fence. In the 1980s I was a hacker and was one of the defendants in the world’s first hacking-related jury trial. The late Steve Gold and I got into BT’s Prestel network, primarily because of basic mistakes that BT had made in its operation. In the absence of any relevant UK legislation against hacking, we were charged with forgery and convicted. We were acquitted on appeal, as a result of which the Computer Misuse Act of 1990 was introduced.
It was a very interesting couple of years for myself, Steve, our legal teams and the newly formed Computer Crime Unit of the Metropolitan Police. A few years later I was sharing conference platforms with the Detective Inspector who’d initially arrested me!
For those that don’t know, explain what SecuritySmart is?
I spend a lot of my time talking at conferences and seminars around the world, advising people on how to protect their IT systems from the sort of person that I used to be. But not just the standard precautions such as how to take proper backups, and why not to click on email attachments. There’s lots more to information security than keeping hackers out. It’s also about educating people not to leave confidential printouts on the train, or secret plans on the flipchart in the meeting room.
Did you know that one of the most commonly occurring data breaches in Local Government, for example, is someone accidentally stuffing 2 families’ housing benefit statements into the same envelope?
SecuritySmart is a security awareness training course designed for non-technical end users, to allow everyone to benefit from my 30+ years of experience and research. There’s no need to take time off work to attend a course, and there’s no complicated Learning Management System to log into. Instead, the training is delivered by email, right into people’s inboxes every week. Each lesson takes just 3 minutes to read, then the user can get on with the rest of their work.
A big criticism of conventional IT security training is that it’s really hard to measure its success, so we address that too. Every lesson ends with a multiple-choice question that the user answers with a single click. Incorrect answers are followed up with an additional email containing helpful feedback. And an analytics dashboard, available to the scheme manager in each company, allows that person to view details of how the questions were answered and thus verify the effectiveness of the ongoing training.
What do you hope to achieve from it?
I want to help companies to protect themselves from all types of IT threat. Not just the high-profile ones that the big product vendors like to concentrate on, such as ransomware and viruses, but also the more people-related ones too. CEO fraud, for example, which is huge right now.
I bought a hi-vis jacket with Security printed on it recently and you wouldn’t believe the places it gets me into! There’s no product you can buy off the shelf that will protect your business from an attack like that, except awareness training for your staff.
In your opinion, what is the biggest threat facing today’s enterprises? And through your awareness program could you nullify the threat?
The biggest threat is that people still regard IT security as an IT problem, and that the IT department will sort it. And that as long as we have security programs on our computers, we’re safe. That’s just not the case, and in truth it really never has been. In 1985 I became the de facto sysadmin of BT’s national network of Prestel mainframes because someone left a password somewhere where they shouldn’t have. WannaCry brought down the NHS because someone clicked an email attachment that they shouldn’t have, and because too many people didn’t heed the warnings about not continuing to use Windows XP.
Incidentally, half of the Met Police’s desktops still run XP. As does the brand new £3.5bn aircraft carrier, HMS Queen Elizabeth, which isn’t even due to enter full service for another few years.
It’s often said that security is an attitude rather than a product, and I totally agree. My goal for SecuritySmart is to instil that permanent security attitude, if not mild paranoia, into everyone!
What are the main challenges you face when trying to get people to be more cyber and security conscious? Do you have difficulty with boardroom level employees or are they more open to it?
End users are generally non-technical, and they’re happy with that. They don’t want to be IT experts, but they’re naturally worried about security. The key is to make the training relevant. Talk about wifi encryption and ransomware, and they won’t care. Talk about their kids’ safety online, or how they’d feel if they were responsible for a corporate system outage, and they take notice. Ultimately, users want to gain knowledge that will allow them to help their colleagues in order to gain respect and kudos. So the important aim of any training is to give people that knowledge, so that they can use it.
It’s an old cliché, about boardroom members not taking security seriously, but it’s still true. As part of an exercise I was involved in recently, with a client, we sent a phishing simulation to a number of staff at some large companies. One of the messages was about a new pub opening in the area and offering special deals to local businesses if you downloaded the attached voucher. It wasn’t the end users who forwarded it to the whole company, but the CEO.
But board members are still vital to any training effort, even if just to get the end users to sign up for it. I insist that the request to sign up for SecuritySmart training comes from the managers at the client company, not from me or my staff. Sure, I could just import a client’s staff list into our system, but that’s not the right way to do it.
Over the last 10 years how has cybersecurity changed and how do you expect it to change in the next 10?
It’s changed very little, actually. Look at the I Love You virus, from many years ago. It spread because people did the wrong thing. WannaCry and Petya spread for the same reason. It wasn’t because of lack of products, or even lack of expenditure on security. It was because of people doing the wrong thing, through lack of training and awareness. Of not taking security seriously.
The next big thing in security, and which is already happening to a large degree, is IoT. Who would have thought that every fridge, coffee machine and light bulb would have its own IP address? And yet that’s what is happening. When you see someone hack an internet-connected kettle and make it turn on and off 50 times per second, which causes it to catch fire, you realise just how important IoT security is. And yet the manufacturers would rather concentrate on getting their products first to market, regardless of whether the firmware is actually ready.
Who are your main clients? (If you can name company names, great; if not, can you name the industries they are in?) And what has the feedback been like?
Our clients include companies of all sizes, from SMEs to international financial organisations. We don’t publish names, but the areas where we’re seeing particular interest are finance, healthcare, legal, education and local government. Interestingly, it’s not just security people we’re talking to, but also compliance and HR departments too. My aim is for companies to require new joiners to sign up for the SecuritySmart training as part of the induction process.
Visit SecuritySmart by clicking here.