Christine Izuakor: Welcome to the Veriato Insider, a podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, which is an award-winning employee monitoring and insider threat detection software provider. So to learn more about how Veriato can help protect your company, check out veriato.com. I'm Dr. Christine Izuakor, your host for today's segment. And on this episode, we are covering expert reactions on five cyber trends and statistics from the last year that we all need to be thinking about.
Christine Izuakor: And we have a special guest with us here today. I'm happy to introduce you all to Frank McGovern. Frank is a former US intelligence analyst, now a leading cybersecurity architect with more than a decade of experience in cybersecurity. He is also a Certified Information Systems Security Professional, and, fun fact, was recently featured as an expert in the Tribe of Hackers Blue Team publication. His areas of expertise include everything from enterprise risk management, education and awareness, vulnerability management, compliance and audit, incident response, and much more. And so this broad range of expertise is perfect for the randomness that comes with our topic today. So we're excited to jump into this. Frank, welcome to the Veriato Insider podcast.
Frank McGovern: Thank you for having me.
Christine Izuakor: Awesome. So before we get into stats, please tell us a little bit more about your background.
Frank McGovern: Yeah, I think you nailed most of it. So currently I'm a cybersecurity architect, but I have a lot of cybersecurity background. I've had roles where I could wear many hats, and that's kind of what I like. I don't really like being siloed. That's let me grow pretty quickly and very vastly in what I can learn. So right now, I work for a financial company doing architecture work, and I also lead a cybersecurity conference called Blue Team Con that is new, where I'm trying to help train people on cybersecurity, more so on the defender side.
Dissecting the human element of cybersecurity
Christine Izuakor: Yeah. That's super important as well. I know we both share that passion of being able to train and help build future professionals as well. So jumping into reactions and thoughts on some of these trends, the first one here I have is, according to Cybersecurity Ventures, the human element of cybersecurity, of course, can't be ignored. The human attack surface will reach 6 billion people by 2022. So what are your thoughts or reactions there?
Frank McGovern: My reaction is this is the common thing that a lot of people say, where the human is the weakest link. It's accurate, but I think it tries to shift blame too much, and people focus on that and forget that humans are also what we can put a control on. If your firewall fails because you didn't configure it properly, is that the firewall's failure or is that the security team's failure? I would say it's the security team's failure. So I think people often forget that if your humans are failing in your organization, it's because you haven't properly prepared them for what they're facing. This is the value of security training and security awareness and these types of endeavors that you need to be doing at companies, training your people.
Education is a key component to a robust security strategy
Frank McGovern: But I would say that it's greater than just individual organizations. I think this falls back on what we talk about... I'm sure you've heard and had these discussions with your friends, but you talk about in school and high school, eighth grade, before, we should've had these life skills classes where we were taught about taxes and mortgages and how to actually be an adult. That's where school really seems to fail. Some schools do it, but it's not part of general public education. And I think having classes like that, you would incorporate things like cybersecurity and teaching students about this.
Christine Izuakor: Yeah, I agree, a super important fundamental to have, especially as the population continues to grow. Now, jumping into the next one, according to the Verizon 2020 breach report, organized cybercrime remains an issue and criminal rings often use insiders to do their dirty work, especially in this remote era. And so another interesting stat here, in 2020 organized criminal groups were behind 55% of breaches, so more than half of them. And then on top of that, 30% involved internal actors. So what do you think about that one?
Frank McGovern: That's high. It's a high number. 30% involved internal actors. It's kind of scary, makes you wonder whom we're hiring. Are we vetting properly? I think this falls, though... From a cybersecurity perspective and what leaders can do there, I think just treating your employees properly and getting executive buy-in to treat them properly. The biggest thing here is obviously pay. Money is incentivizing. If you're underpaying and somebody comes along to pay one of your internal people to siphon data out, $20,000 shouldn't be appealing. If you're paying them properly, something like $20,000 or $30,000 shouldn't be appealing enough for them to risk going to jail.
Financial gain is a powerful incentive for Insider Threat behavior
Frank McGovern: But if they're getting paid $30,000 for a position that should get paid $90,000, that $20,000 to $30,000 is very appetizing when they're currently struggling to put food on the table. And in addition to things like that, no micromanagement is very important. It's just really about treating your people well, which I think can help lower that 30% number. Obviously, there's always going to be people that come in with malicious intent from the beginning. That's their whole goal. But I feel like a lot of that 30% is people that become disgruntled after time at a company.
Christine Izuakor: Yeah, a good point. I think in today's day and age, especially with the recent events and the volatility in the economy as well, it's a lot easier to consider things that you wouldn't have in the past when your family is struggling financially, or when some spouse has lost a job or whatever the case may be. And I know people are still navigating a lot of that uncertainty as well. And so I'm sure that can play into it as well.
Christine Izuakor: And so I think your point is spot on in that it's important to care for people and make them feel valued. And a lot of times that can help avoid some of those fates as well. So jumping into the next one here, being able to detect threats as well is paramount, of course. So according to the US World Economic Forum, the likelihood of organized cybercrime entities being detected and prosecuted is estimated to be as low as, and this number shocked me so much, it's estimated to be as low as 0.05% in the US, so almost non-existent. What do you think about that one?
Frank McGovern: Yeah. I'm going to hit two points here. I'm going to start with the first part about detecting threats being paramount. I think this really falls under the zero trust model. I know that's a marketing gimmick to a lot of people, but I think it's one of the good phrases that we should stick around with and keep. Traditionally we always worried about the north-south traffic, inbound to outbound, to the internet to my company, and as long as it's behind the firewall, it's good. I mean, I've heard that recently, my own company said that. But I think people forgot about the east-west traffic. And we need to start focusing on that, my computer to your computer and we both work in the same company.
Frank McGovern: Traditionally, we've just ignored that. And we need to move to the zero trust model, where we just don't trust anything and we just follow the principle of least privilege for everything. Yeah, 0.05%, I don't think it's shocking to me, because attribution's hard. And most of the time I would say the crime is outside of the country. So this is 0.05% in the US. Probably most of our cybercrime, where it's prosecutable, is coming from outside entities. So, like, good luck to the FBI trying to arrest somebody that's in Eastern Europe.
Christine Izuakor: Got it. Makes sense. Good point. And I love that you brought up zero trust. It's a good lead-in to this next stat here, which is that companies are still, of course, making some of the rookie mistakes that lead to these significant yet potentially avoidable consequences. For example, according to a global risk report, 58% of companies have over 1,000 inactive user accounts. Thoughts?
Frank McGovern: Yeah. I'm going to do two things here. So a big point that I try to push on a lot of people is I really see the value in identity being a part of security. And I think a lot of people are missing the mark on that. I think some people realize identity should be the centralized focus of security, but not enough people really grasp what I'm saying and focus on that in their organizations. So I really want to push that you kind of really get a good identity provider, get a good identity store, and really build your entire solutions around identity and applications. And then this leads into these rookie mistakes and more, where we need to mature organizations faster, because a lot of people are still doing this tool-based approach or infrastructure-based approach. They're buying a tool like CrowdStrike, and then deciding, how do I build my security posture around CrowdStrike?
The modern-day security team employs a risk-based approach to cybersecurity
Frank McGovern: It's not the proper way to look at things. We need to get people doing proper risk management and building your program around what your actual risks in the company are, doing this risk-based approach: what should exist and where are my gaps? I think by doing that, that will highlight what your rookie mistakes are. Because let's face it, the biggest rookie mistake is asset management. Nobody's doing it well enough. So just putting that on a risk register, it's going to be one of the highest risks, and it's going to be there in your face every day saying you're not doing asset management, that's your biggest risk. So it'll push you to stop making these rookie mistakes by just pushing things to the side and kind of ignoring them.
Christine Izuakor: Yeah. Makes sense. So we're in our last quote here. The consequences of failing to address cybersecurity risks are costly, of course. So there's a lot of dollars involved. According to Cybersecurity Ventures, cybercrime as a whole is expected to inflict a total of $6 trillion in damages globally by the end of this year. And then it's estimated that that could rise to 10.5 trillion by 2025. And so super expensive, very large numbers there. What are your thoughts?
Frank McGovern: Yeah, these are massive numbers. It kind of makes people sit back sometimes and think, why am I doing this when I could just send a phishing email and make $5 million and retire now? I think, though, it's not surprising. I think this is a good final question, numbers-wise, to everything we've discussed before. Because it's not surprising, with the rookie mistakes, insider threats, people not being treated properly, people not training their organizations properly. I think this all ties into doing that risk-based approach to cybersecurity and just trying to do everything you can to figure out what your actual risks are, and that's where you need to be spending your money, not cherry-picking solutions out of the sky because, oh, CrowdStrike's cool, or, oh, this product's cool. It's, you need to... What do you actually need in your environment?
Frank McGovern: And then obviously, people need to be focusing on cyber insurance now, I think. Don't forget that you can transfer risk, and there's value in doing so. It's a business decision, but I think having insurance is going to be critical. Not only that, but insurance companies... this has been a long... This is not my talking point. A lot of people say this. But I believe cyber insurance is what's going to be the driver of making companies more secure, because it's just going to be like your car and your home. You're going to have to meet obligations in order to get payouts. You can't just speed on the highway at 150 miles per hour, crash into something, and think you're going to get paid out for all the damage you just caused. So it's the same with a business. Insurance is going to start probably dictating and making companies mature in a lot of places, because it's, "Hey, we're not going to pay out unless you're running anti-virus or XX, doing all these different things."
Christine Izuakor: Yeah. Really good point. Love that. So as we wrap up, any final thoughts you want to share?
Frank McGovern: I would say there are three things that make us a successful cybersecurity program, and it doesn't involve... It's not people, tools, and processes. I know people probably think that's what I'm going to say. It's documentation, organization, and reduced complexity. If you just write those three things down, documentation, organization, and reduced complexity, and try and do your whole strategy and roadmap and look at those three things while you're doing it, you'll build a good cybersecurity program in every company.
Christine Izuakor: Thank you for that. As someone who always talks about people, processes, and technology, I have learned a different perspective here, so I love it. Well, hey, thanks so much for sharing your insight with us today. That concludes the Veriato Insider podcast for this week. This podcast is brought to you by Veriato, which is an award-winning cybersecurity company whose solutions are anchored around four core pillars of cybersecurity protection, including employee monitoring and web filtering, insider threat detection, employee investigations, and ransomware support. So to learn more about how Veriato can help protect your company, check out veriato.com. Thanks so much, everyone, for tuning in. And thank you so much again, Frank, for joining and sharing your perspective.
Frank McGovern: Yeah. Thank you very much.
Christine Izuakor: I'm Dr. Christine Izuakor, the CEO of Cyber Pop-up, and it has been our pleasure to share these insights with you. So until next time, stay safe and secure, insider.