Andrey Sorokin. Head of DAAC digital information security department
Andrey, good afternoon. I want your advice. I have some experience with interviews related to information security. They were aimed not at specialists, but at an untrained audience. And often there was a gap: the information is important, but the reader is not very interested in it. As a result, the effectiveness of the interview is low. How would you convey information about information security to the audience in such a way that it would also be interesting?
This is exactly what I am always talking about. If information security training is not interesting and engaging, it is of little use. Employees are always busy with other issues and rarely focus on security training or lectures.
So is there a way out or not?
Of course there is. Just one example. Imagine that you are watching a TV series about office life, where a pretty girl, using her looks and charm, walks together with an office employee through doors fitted with an access control system, and then, under the guise of a new security officer, copies information from office computers onto a flash drive…
If the actors are good and the plot is dynamic, I will watch it with pleasure. But what does such a show have to do with security training?
I mentioned it on purpose, because this series is one of the elements of the modern security training platform that we recommend to our clients. And the training on this platform is also gamified in many ways.
Was this platform developed by Daac Digital?
No, it’s KnowBe4, the world’s largest integrated platform for security training combined with phishing attack simulation. More than 50,000 customers use it to solve the persistent problem of social engineering. Like most modern projects, KnowBe4 offers a number of free options to test your organization’s level of information security, but of course it is more convenient to work with the platform through official partners, one of which is Daac Digital.
When you talked about the TV series, there was an element of “physical” office break-ins, and when you talked about KnowBe4 you mentioned phishing attacks. What would you like to emphasize to the reader now?
Of course, all aspects of information security are important. I could tell you about a scenario where an attacker intentionally leaves a flash drive in a prominent place in front of the entrance to an office of interest, expecting that someone in the office will be curious about the flash drive and connect it to their computer, giving the attacker unauthorized access to the office network…
And people fall for these options?
You don’t realize how careless some of your employees can be, especially if you’ve never required your team to take an information security course or training. Nevertheless, you’re right. Today, let’s focus on phishing as the most common form of social engineering that we all have to deal with from time to time.
Let’s start by defining phishing for the layman…
Phishing is a type of Internet fraud that aims to obtain sensitive user data. This includes stealing passwords, credit card numbers, bank account numbers and other information.
Phishing takes the form of fake email notifications from banks, providers, payment systems and other organizations stating that, for some reason, the recipient urgently needs to send or update personal data. Various reasons can be given: data loss, a system failure, and so on.
Judging by my mail, the authors of these “chain letters” have become very active lately…
This type of fraud is called “social engineering” for a reason. Fraudsters exploit the basic motives of human behavior: the desire to help “their” bank correct a mistake and provide the “right” information; sometimes it is curiosity, sometimes it is fear of having broken some rule. One of these motives works, and it turns out that 30% of run-of-the-mill phishing mailings end up being effective. Fraudsters get the data and passwords they need. And then corporate networks are hacked, money is stolen from bank and card accounts, and confidential information is leaked.
And are you training organizations and their employees on how not to “fall for” phishing?
Yes. And a security training platform such as KnowBe4 is very helpful in this. By the way, one of the most famous hackers of our time, Kevin Mitnick, took part in its creation. No longer as a hacker, but as a professional who has thoroughly studied and experienced all the tricks that hackers are ready to resort to.
How does the platform help?
With it, you can train and phish your users, watch their phishing propensity percentages decrease over time, and get measurable results. Essentially you get interactive, engaging on-demand training in a browser combined with unlimited simulated social engineering attacks via email, phone, and text message. Your KnowBe4 subscription gives you access to the world’s largest security training library with constantly updated content. You can also choose from dozens of categories with thousands of real, known-to-work phishing templates in 34 languages.
So you, as a specialist, can use the platform to simulate phishing attacks and then present to the head of the organization how their security is doing and how it can be improved?
That’s exactly right. I like the expression “human firewall”. A human being is the last line of defense when all technical levels of protection have been overcome. If a person is not ready, psychologically and in terms of general education and critical thinking, to process an e-mail, a message in a messenger or a phone call, then no amount of technical means and technologies will deter attackers. All of us, and the leaders of organizations first of all, need to completely change our approach to this problem.
And is Daac Digital ready to help?
This is our job. Moreover, it is the firm position of our company’s management that we must contribute to improving the overall level of information security in the country. And this is not an abstract concept, but a constant requirement. That is why we very often provide security services even free of charge. For example, we cooperated with a project to develop a national library system, in which a large number of meetings with librarians were held, and it was absolutely free of charge.
This emphasizes your attitude to social responsibility. But in my opinion, business simply has to include a line item for information security in its expenditures, because the losses can be incomparably greater than the costs.
All the more reason to close by telling you that for most customers, an annual subscription to use KnowBe4 costs no more than a cup of coffee a day.