Max Havey [00:00:02] Hello and welcome to another edition of the Security Visionaries Podcast, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world across domains. I'm your host today, Max Havey, and today we're talking cyber hygiene with our guest, Rich Davis, Director of Product Solutions Marketing here at Netskope. How's it going today, Rich?
Rich Davis [00:00:21] Yeah. Hey, Max. Great to be here. Looking forward to today's conversation. Certainly one that's dear to my heart, having previously, in great detail, looked around the human factor and how humans can affect things. And certainly today's topic very much aligns with that.
Max Havey [00:00:36] No doubt. So yeah, let's jump in here. So as the year starts off, we tend to see a lot of cyber related awareness days. Things like National Change Your Password Day, which is on February 1st or today when it's coming out is Safer internet day. But in your experience, have you found that these sorts of awareness days are really that effective? Like, what do you see them sort of driving the change that security professionals are really looking for when it comes to dealing with that human element?
Rich Davis [00:01:05] Yeah, I mean, these are of course a bit of a double-edged sword. Firstly, we can't fault any publicity. Any publicity and any awareness is great. I think the problem is that, as with all of these sorts of things, it can become a bit of a, "okay, I'll do it today and I'll forget it another day." And of course, this needs to be a year-round effort, certainly when it comes to our users and our people; they're the first line of defense. And therefore they need to be thinking about this and they need to be thinking about security and what they're doing day in, day out. So again, great that we focus on it on a particular day. Not so good that it may then lead to them forgetting about it at other times. And this is often seen in data as well. If you look at some of the historic data around user behavior, you actually see that, you know, a week or two after security awareness training happens, you get a better result, you get lower click rates through content. They were more likely to do those things. They remember things, like DLP alerts drop as well, but then it tails off. And yeah, that's why these sorts of things tend to be pretty effective. Yeah. Organizations really need to be thinking about this as a constant evolution. Day on day, week on week.
Max Havey [00:02:16] Definitely. The half-life of security training is pretty low, based on everything I've ever heard from our various members of the CSO team here. So finding ways to keep it going in the consciousness throughout the year is very good. But just a single day seems to be kind of ineffective overall.
Rich Davis [00:02:32] Yeah, yeah, most definitely. And I think these safer internet days and change your password days really should be, in a way, resigned to that bin of yesteryear. And really, we should be thinking about this, you know, far more holistically.
Max Havey [00:02:47] Definitely more of a year-round cyber hygiene conversation as opposed to, you know, just single days where they're well intentioned. But the results aren't always exactly what we want.
Rich Davis [00:02:56] We should be calling it safer internet life. Really?
Max Havey [00:02:59] Most definitely. And I guess that brings us to our first real big question here, thinking about cyber hygiene. Why do you find that cyber hygiene can be a difficult, sometimes tedious task for organizations to really take on and make kind of a year-round objective?
Rich Davis [00:03:12] Yeah, I think part of it is there's a historic aspect. So we've all been there, we've all had that email through that we dread, and it's that yearly time to go and do your training and you think, oh, this is eight hours, I haven't got time for this. And we've automatically got this negative opinion. And I think as individuals, I think we also have this inbuilt sense that we don't need to do this, that yeah, we have common sense, we know what we're doing. So I think those do definitely play a part. And I think that's part of the problem. I also think that all too often it's driven around the benefits to the organization and not the benefits to the individual. And I think there's a lot, and we've seen this really be successful, when it's focused around the individual and their families. If you can extend it to, you know, how to keep you and your family safe, then organizations, I think, have more impact because you make it relevant to that individual.
Max Havey [00:04:01] Definitely. Appealing to the personal side of the user kind of feels like the way to make it real to them. And it's not just, you know, speaking about broad, abstract, sensitive data. It's your Social Security number. It's making sure that your passwords are safe and your banking information is safe, like it is personally identifiable information for a reason. In that same vein, here in your roles, how have you found ways to promote better cyber hygiene practices within your organization? Maybe better emphasizing that sort of personal element that is a part of all of this?
Rich Davis [00:04:30] Yeah. And I think it really comes down to a couple of things. Firstly, kind of how you're designing that training. And yes, we're focused, you know, specifically on identity and passwords to an extent, but of course much broader than that. I think it's about that, as you say, making it personal. And that means giving real-life examples that may happen to you both in a business sense, but then relating it to something that they can understand, maybe in a personal sense. So relating that stealing of your own personal credit cards to stealing of company PII or intellectual property, and the effect that can have. Because again, you make it personal, you make it real, and you make it kind of linkable to what they think about day in, day out and what they might personally care about. I think if we think about it in terms of the other side, which is the time and when we do this, I think this is really about just drip feeding it through the year. I think organizations only have a certain amount of time that they can spend training their users in a year, and too many organizations will go "Okay. Right. Eight hours. We're going to do it all at once on this date." And actually a far more effective way is to break that up. Yes, you might have, for compliance reasons, the need to take certain training on a yearly basis because you have to meet those requirements, but outside that, a far better use of time is to drip feed it and have that just-in-time training, but also make it relevant to situations that the company is facing. If you can actually inform the user, your people, as to the types of threats that are relevant to your organization rather than making it too generic, then again, it gives you that link to the organization. They can understand why they're being asked to take certain training. And therefore you're going to get an overall better response to that training.
And I've seen this, you know, firsthand in my past life working with organizations and trying to track the changes in the behavior, moving from this kind of once a year to a much more targeted training program that rolls over the period of the year where you drip feed content, just-in-time training, and you make it much, much broader than just that e-learning that occurs once a year on that portal.
Max Havey [00:06:44] Definitely. And just to dig in a little bit more, as you sort of talked about, you know, finding ways to make these sorts of trainings relevant to the specific user, in their family, in their daily life. Can you give us some sort of examples of what that sort of looks like and how that sort of plays out?
Rich Davis [00:07:00] Yeah. Let me give you a relevant example to myself. I've got children that have just turned to become teenagers; for the first time they've started to have control of their own bank accounts. We've gone from looking after them ourselves to giving them access to having apps on their phones and being able to use Apple Pay. So this is personal to me directly, but this then focuses around, well, how do you protect that? You don't want your hard-earned money that may have been earned through chores in the house disappearing overnight because you've been careless with your information. And therefore, you know, at a young age, we started to talk to them about staying safe. They both got password managers that they can store their key credentials in. I've talked through why this is needed and tried to make it relevant to that situation they're in. So I think it's just, you know, one great example of where you can try to make that relevant. So they're now using password managers day in, day out. It means that they've only got that one credential that they need to remember. It can be complex because there's only that one thing to remember. And this is a 13 and a 15 year old. So if they can do it then, you know, there's no reason why every person from a business perspective can't do the same thing. My daughter now forwards me smishes through and she's like, oh, dad, look how obvious this one is. And, you know, it's just a great example of where we can actually see, you know, the benefit of what we're doing. I think another great example is making it relevant to what people understand day to day. So, if you look at YouTube, there's been a huge series of hacks on really very well known YouTube channels, including some of the biggest tech and security channels out there. Linus Tech Tips. One of the biggest kind of tips channels that a lot of people watch in this area.
They had their YouTube account compromised, and they're very much somebody that has the best security practices, that uses password managers, uses 2FA, yet there's still a way around it. And this is where that human element, again, has to come in, is that this isn't just about protecting and stopping people gaining access, but it's about spotting and informing that organization very quickly. And in that particular case, somebody spotted some unusual behavior. And instead of trying to cover it up and thinking they've done something wrong, they contacted somebody within the organization straightaway and they were able to deal with it much, much more quickly. And again, that then gets into the realms of, well, what is your exposure? Even if somebody has managed to breach an organization, what other tools have you got in place? Because this isn't just about authentication alone. And certainly when we're talking to users, this isn't just about the identity aspect. It's other things that they can do to make sure that they're safeguarding information.
Max Havey [00:09:50] Definitely. And to double click on what you just brought up there. How do multi-factor authentication and zero trust principles, another term we tend to use a lot on this show and broadly out in the world in cybersecurity conversations, how do those sorts of things play into this as tools that organizations can be using to help better promote cyber hygiene and keep that conversation going?
Rich Davis [00:10:12] Yeah, there's been a lot of motion for multi-factor authentication, and many organizations are now using that. They're also using privileged access management to actually take an even deeper approach for a lot of that privileged access. I think the thing is, there's always a way around. Whilst there's a human involved, there's always a way around: they're able to steal multi-factor tokens by getting you to input them into fake credential pages and then immediately logging in. And then they can, of course, set up their own MFA. There's other ways around a lot of these techniques as well. And so it's not quite as simple as putting in all of those best practices. Organizations really need to be thinking about the concept of, well, how do I prevent data loss should the worst happen? I'm going to assume that at some point, one of my users is going to have their credentials stolen. Somebody is going to gain access. I've got to limit that loss radius. I've got to limit that attack surface. And that's where things like zero trust principles come into play. Because if you're thinking about any user just working day in, day out, in an ideal world, they should just have the lowest access they need to do their job and nothing more. So if their job is to go into a financial platform and do data entry, then they should have access to just that application. You should have rules in place to tie down how and when they can access. But more importantly, there's a whole bunch of actions that they could perform. There's no need for them to pull down reports. There's no need for them to be able to pull down data and send that data to public file sharing services, etc., which, of course, is exactly what that attacker is going to go for when they're trying to steal that: they're going to try to pull information down, and they're going to try to use remote services to exfiltrate that data.
And this is where this whole concept of really having an adaptive trust comes in. I don't like the term zero trust. It's grounded on good principles, but it's really continual adaptive trust. It's about looking at the current situation, looking at the actions, looking at various different criteria, including the user's authentication, the user's location, the user's actions, historic actions versus current actions, to all make that decision. Should that or should that not occur? And therefore, using this kind of approach, you can limit your attack surface should that worst happen. You can also use those types of policies to then trigger alerts when organizations start seeing a difference in behavior. For instance, UEBA, or user and entity behavior analytics, is a great tool, an even better tool when it's actually deeply embedded into a lot of other policy elements to drive that kind of alerting and incident response processes.
Max Havey [00:12:55] Definitely. And I think the degree of, like, alerting users when they're doing something risky and sort of catching that sort of stuff, that sort of data protection is so key. There was a series of articles that Steve Riley from our CSO team wrote a while back talking about leaky SaaS apps that folks are using, whether that's, you know, webmail or Amazon S3 buckets or Azure blobs, like not having the proper permissions set up for these different services that people are using day in, day out, making sure that they are keeping things relatively locked down and not accidentally exposing data because they don't realize that they've left this open to anyone on the internet who has this link. Anyone who brute forces their way in or has found a way into all of this. It's very easy to, like, just misconfigure something one way and not even realize what you've done.
Rich Davis [00:13:45] Yeah, and if we look at a lot of the incidents we've had over the last couple of years, it's been just that. It's been organizations that haven't necessarily had an account compromise and access in that way, but just data that has been sitting in the wrong location that somebody has access to that they shouldn't have. Whether that be public or whether that be somebody within your organization who has access to content that they perhaps shouldn't do and then puts it somewhere that they shouldn't be putting it; they shouldn't have access to it in the first place, and then it moves somewhere that it shouldn't. And this is, of course, the other aspect of the human factor, which is training and helping our users understand the best way to use systems and where they should and should not be putting data. Of course, this moves onto an entirely different topic that we could talk about all day around users, and whether or not we're making it easy for the users to do their job. You know, people use tools because it's easy, right? Because it's easy to get things done. And that's a whole topic in itself around putting in solutions, putting in access methodologies that make it easy for the user to do their job. If you can put those mechanisms in there, make it easy for the user to do their job, but still stay within the bounds of what that company allows and the security controls that are in place, they won't go down these other avenues to try to circumvent those tools. So again, a topic we could talk about for hours and hours, but very much ties into this whole philosophy of authentication just being one aspect of this whole concept of continual adaptive trust.
Max Havey [00:15:14] Well, and that sort of brings us full circle here, where, you know, a change your password day is a good excuse for people to change their password, but a lot of people are going to get that change your password notification, and they're going to put it off till the next day and the next day and the next day, and then they're not going to change their password until they absolutely have to. And so it kind of becomes a frustration for some users. And I think that's an interesting way to sort of bring this all together here, where having that sort of cyber hygiene practice throughout the year, keeping these things going along, it's not going to solve every issue here, but keeping that conversation ever churning, ever going with your organization ultimately means you don't have just these single days. You know, "I only think about cybersecurity this one day a year where I definitely have to change my passwords."
Rich Davis [00:15:59] And of course, the one thing we don't want them to do is to go and change their password to something that's easy to remember, that they write in the back of their book. Or throw into an Excel spreadsheet. Which is the other downside of changing passwords, right? And requiring passwords across multiple systems. So yeah, it's why I very much advocate for a password manager. You have one key complex password that you can remember. You rotate that regularly. And of course we do rotate passwords also because it's a good practice; it locks somebody out. So if somebody does have access, then it locks them out of an account. And that's primarily one of the reasons that we do it. But ultimately it comes down to that user. We've got to make things easy for the users. We've got to explain to people why this is so important, and we've got to put tools in place that really help them make that good decision and not fall back to those bad practices.
Max Havey [00:16:54] Absolutely. And that kind of brings us to the end of our questions here. Rich, if you had to impart one sort of piece of advice for security practitioners when it comes to cyber hygiene and, you know, making that easy and improving those processes overall to make it a conversation throughout the year, what would that piece of advice be?
Rich Davis [00:17:10] Well, I've talked to a lot of leaders beyond just the security part of the organization. And where I see organizations having the best approach here is where this becomes a business initiative. So many people see this as a security initiative, but this is a business initiative. So getting buy-in from your execs, getting sponsorship, actually having a CEO do a little video intro as to why this is important, having the business leaders take ownership of their own tools and helping disseminate that down to their staff is all key to making this happen. So my one piece of advice here is to consider that if you're not already doing that, consider how you can move this from a security initiative to a wider, broader business initiative.
Max Havey [00:17:55] Absolutely. The thing that will get the most eyes on this, that will get the most people involved in this. So this doesn't become a broader issue. Nobody wants to end up in the headlines for a breach or anything as a result of a cybersecurity issue. So it's ultimately for the good of the entire organization you're working for to make this effort.
Rich Davis [00:18:11] Yeah, 100%.
Max Havey [00:18:12] Excellent. Well, Rich, I imagine you and I could probably keep talking about this for an hour or so, but I think we are coming up at time here. So thank you so much for joining us. This was such a great talk, and you had a lot of great insight to offer here.
Rich Davis [00:18:24] Max, I just have to say it's been a pleasure to join you today. I do hope that some of our listeners will have at least, you know, one or two tidbits, one or two things that they can take out of today's podcast and take back to their organization.
Max Havey [00:18:37] Excellent. And you've been listening to the Security Visionaries podcast, and I've been your host, Max Havey. If you've enjoyed this episode, please share it with a friend and subscribe to Security Visionaries on your favorite podcast platform of choice. There you can listen to our back catalog of episodes and keep an eye out for new ones dropping every other week, hosted either by me or my co-host, the wonderful Emily Wearmouth. We will catch you on the next episode.