Welcome to the Art of services series around cybersecurity risk management.
My name is Ivanka Menken and today’s conversation is with Mr. Mike Ouwerkerk. Mike has been in I.T. since 1998 working across roles such as it support, business analyst, system administrator, I.T. manager, I.T. consultant and virtual C.I.O. It was from the virtual C.I.O. role that the interest in cybersecurity developed, as many of his clients were repeatedly incurring significant costs due to cybersecurity breaches. He developed a short fun and engaging onsite training course, found that it was well received and formalized it as an offering in its own right as “Web Safe Staff”.
His core focus now is cyber security awareness for staff, and if you like Mike’s approach to cyber security and would like to reach out to him after this video. His website is www.websafestaff.com.au. I hope you enjoy this conversation and welcome Mike.
Ivanka: Thank you so much for your time and for agreeing to have a chat with me. So, tell me a little bit more. You were a virtual C.I.O. and that sort of sparked your interest in cybersecurity.
Mike: Yeah. I got into virtual C.I.O.’s and I.T. management, going to consulting and then started off as virtual C.I.O. myself. And it probably started a few years ago that I started noticing that my clients are getting hacked, a lot. I mean, A LOT. Some of them like, not serious or anything, but even potentially unwanted programs and a bit of malware, the cost of that was pretty cumulative by the time you actually added up the cost for all that stuff. It was pretty scary.
So even like small companies, like five people I did a little bit of work for, the costs for the I.T. support to come in and fix that stuff was about $3,000 a year. So I said I’ll put something together for you and see how it goes together. So I chucked a course together and had a reasonable think about it. Turned out, it was pretty good. I liked it. I did a study on it, worked out that they saved quite a bit of money. Just by doing that course. The unfortunate thing was, of course, one person didn’t turn up to the course that they kept getting breached through that person. Um, other than that it went really well and they did save a lot of money. So yeah, I turned it into Web Safe Staff. There’s a need out there for this stuff was just enough awareness of my own.
Ivanka: Saving quite a bit of money through that course… is that where most organizations can save most money is really the awareness of, of people awareness around cyber security?
Mike: The stats are pretty compelling around this stuff. It varies depending on what you look at. But up to 85% of breaches are because of staff clicking on something they shouldn’t.
That’s a pretty massive stat. So you work out the cost of that, it’s pretty eerie. You know, you’ve got your malware and you’ve got your phishing and you’ve got your physical active security threats. But most of the stuff, comes through the staff now. The cost is kind of pretty staggering when you actually add it up. So like I said before, even the little bits when you add those up, it just comes to a big amount. What people don’t realize is, you know, you’ve got your staff and they’ve been sitting there with a virus on the computer or maybe a few people are impacted. You’ve got downtime costs, you’re paying for that.
Then you’ve got things like, you know, someone rings up the client “Hang on. I’m just on with I.T. support I’ve got a virus on the computer.” You know, people like to talk about stuff like that. Suddenly you’ve told your clients that you’re not good at managing their data. The down time costs, it’s just made it about 3.4 times the actual repair costs. You’ve got a whole range of costs that basically, you know, total up to something not nice. And then where it gets really nasty is when you get a major breach. And then you say basically “Look, now we’re going to go to our D.R. and B.C.P.” So, disaster recovery, business continuity planning.
- Do our backups actually work?
- Have we been testing that they worked?
- Now we’re going to do a restore. Does the restore process work?
This is where companies get called out. They have a major breach, they don’t know that their backups work, they don’t test their restores, they find they can’t restore and the company is nothing right now, its data. So then they go bankrupt. That’s a big deal to think that someone can click on something and suddenly you’ve got no company a few months later.
Ivanka: So in your experience as virtual C.I.O., is this an occurrence that happens often, or you know, when you are an organization that has a C.I.O. role, does that organization have an I.T. department that is robust enough to deal with most of these types of attacks?
Mike: It really varies depending on the organization and how seriously they take this stuff. Some organizations, especially if they mean smaller ones, they’re got to just put on the free antivirus and have this service and just kind of pray. They say now, it’s not a matter of if it will happen but when and how bad.
This is where I’m slowly getting to with my Web Safe Staff offerings. It’s almost a cultural shift for companies now. You can’t just think it in isolation. So I say here’s your cybersecurity awareness stuff and staff. And that’s really important. But obviously there’s other paths that tie into that. They have to have the good tech, they have to have management on board for this stuff. They have to have risk management frameworks and everything’s going to be tight to get it. You’ve got to have champions of that stuff to make it a cultural shift in the organization. So that’s, you know, if a company’s doing everything right, then they’ll still get breached. It’s going to happen. The hackers are always ahead of us. That’s the way it works. What you have to do is try and minimize the chance of being breached and when it does happen, be prepared for it so that you can recover. So yeah, it’s, it’s not a matter of if, it’s just when.
Ivanka: Yeah. And do you have a different approach depending on the size of the organization? Like when you work with small to medium enterprises as opposed to a company with 150, 200 or 500 staff.
Mike: So my course is pretty structured in that it’s a base of about two hours. And in that two hours I cover pretty much everything people need to know. And like I said, you can’t train for everything. What you can do is you can try and keep people engaged for two hours so they learn something. So, you know, I know the bigger companies they say “we’ll do an online course.” I don’t do that because you can’t engage people. So if I get a bigger company saying, you know, “what do you do for us?” Same thing. But you need your people alert. So, they need to be engaged it’s going to be fun, it’s going to be interactive. The part we’ll change maybe is, you know, they might want metrics around, some of them might want phishing simulations. They might want certificates, they might want tests at the end. So that stuff is easy. But, it’s the base thing, just teaching people stop, think, act; giving them rules around how to think before they act and making sure that they, unfortunately, are suspicious by default. Which is a horrible place to be, but we kind of have to be there.
Ivanka: So, suspicion by default. So how do you train people to do that? Because when you get emails in from trusted vendors or partners or suppliers you’ve been working with for a really long time, how do you teach people to no longer trust that email conversation?
Mike: There’s a whole host of rules that you can use. So some things don’t change, right? So you’ve got things like email credibility. You can work out if an email is likely credible or not credible. “What’s the from address? Is it recognized? Has it got links that are different to what it shows in the text link? Does it ask for information?” So you can balance that up in two columns and you can make reasonable decisions. You can also look at the URL’s on emails and make a decision there. What gets harder, like you mentioned, is the trust factor.
This is where the social engineering comes in. So you get companies that might ring up and say, “Hi, look, I’m Bob from this company that you deal with. Just introducing myself.” There’s a bit of trust. They haven’t asked for any information, I haven’t given you any information. I might do that five times before they actually say “Hey, we’re going through a financial restructuring. We’re going to be changing our bank account. I’ll get back to you in a week.” By that time you’ve spoken to Bob, you know, quite a few times and you haven’t checked whether he has a dog and stuff. And suddenly it’s like ” We don’t trust Bob” and he rings up. “ok, cool. Here are our bank account changes.” That sort of stuff you handle procedurally. I talked about this is information flows. The way you flow inflammation out of your organization, there are rules around it. The white inflammation comes into your organization there are rules around it. So if that information has major impact or potential major impact on your organization, you have to have a policy that says “This is what we do to clarify that information is ok.” So you’re basically going to bring up some funded public number, ring up to the finance department, “can I speak to…Blah, blah, blah? I’m the head of accounts”, or whatever. And just confirm the details. So that’s an example of a procedure you would have for that. It comes back to the organization stage, to go through a process of working out that sort of stuff and decide how we’re going to handle it.
Ivanka: So when you walk people through your course, what’s the biggest “ah-ha” moment for your students? What is the biggest item of piece of content or knowledge that you give them? Where they go “I never even thought of that!”
Mike: I wouldn’t say this actually just one because there’s a whole lot of them, unfortunately. And it’s really quite scary. I mean ,most people are kind of reasonably aware now that there are scam emails but they still get tricked. So you know, one of the good ones is like how to read a URL. A lot of people don’t know how to read that. There are three step rules around here to read it. So you know, if it says www.Paypal.com.au- … something or other, it’s not going to Paypal.com.au. You have to go to http// country code, come back three dots. And its all between there. So, I show them that stuff. They’re like, “oh, okay”. They’re looking at this thing going “oh, it goes to paypal.” not realizing it goes to, you know, iu.com– or something or other. There’s a whole heap of stuff. It’s, it’s a weakness for a reason because people aren’t aware of it. It’s quite staggering the way, the number of ways they’ll try and scam you. There are so many different ways, and I think the social engineering stuff, that’s the scary stuff now.
The fact that they’re actually manipulating people via psychology.
They gain your trust and getting you to divulge information or use information. It’s not, that hard to do. Like, I actually did it myself. So I’ve got an article on one of my blogs. I actually looked at how to steal a card. I’ll give you a real brief rundown. I was getting my tires changed on my car and you know, basically guy drives a car out and was going to hand the keys to me because I looked confident. I looked like I knew I was supposed to be there. So it could’ve been anyone’s car is the point. So this is what you get with, with the physical and social engineering stuff. There’s a extreme level of confidence there and like you are supposed to be there and they trick people with that. So these things a hard because human psychology, people are quite trusting. Especially once you’ve had a few chats with someone around you. And so it’s hard to get around and it’s hard to teach people not to do that.
Ivanka: Yeah. So it’s really a bad manipulation of people, isn’t it? Because inherently people want to help. They want to assist , they want to provide information. So they tap into that. So in your courses, do you also focus on the younger generation like teenagers or people that have just started out in the workforce?
Mike: It’s relevant for anyone who is at that company. It all sort of relates to their home use as well because there’s a lot of cross level with this stuff. I’m talking about some phishing stuff that comes in through the website, through emails and people are exposed to that. You got a dodgy website so you’re going to get phished more. It is geared for the corporate market. The younger you go, the more the course needs to change, something I considered. But the issue is the younger you go, the more it becomes about parents, the more it becomes about technology, how to manage the kids. But it hasn’t, it hasn’t been something I’ve thought about too much. It’s kind of a bit of a scary thing. I know with my kids there’s a bit of work with that and it’s all specific to the infrastructure that I’ve got and how I want to handle things. It’s about the corporates, for me.
Ivanka: So, in your view, is there a strong link between the technology and cybersecurity risk management or is there a strong connection between the knowledge that you use and cybersecurity risk management. Or are they completely separate; as in you need to do a, b, c, d for cybersecurity risk management, irrespective of the type of technology or infrastructure that you use?
Mike: So cyber security risk management, essentially it ties into, it quite heavily. I guess if I thought about cyber security risk management, you’re breaking into a few different things. You can break it into the risk identification, risk assessment and the mitigation response. So that’s a big deal. You know, that’s awareness. I think it’s a pretty hefty tie with that. Beyond that, you know, when you think about “hey, you’ve got to handle risk management stuff, you’ve got to have someone to formalize your documentation, build a response plan.” That’s obviously cyber security as well. You’ve got to have people that are own process. So, this is like a cultural thing we talked about that. You’ve got to have someone who’s coordinating things, who’s actually driving this, monitoring current risks. So this is that cultural side. And then the champions. You’ve got to have people that are basically selling this to the top of the organization, the board and the execs. Making sure they’re not pushing it down. So yeah, it all ties in. It’s all a wonderful harmonious, beautiful thing.
Ivanka: And how do you see cybersecurity changing at the moment? During your courses you meet a lot of people and you speak about creating awareness around cyber security and cyber crime, but how is cyber security changing at the moment? How is cyber crime changing at the moment? What is the future? What does it look like?
Mike: The biggest thing is that, cyber security used to be about hacking through your tech. So you have little, your hackers there, could be 12 year old script kitties or they could be professionals trying to make a lot of money or someone that works at ransom ware. But, you know, it used to come through the tech. They used to hack you hardware and your firewalls that was a great way of doing it. Tech is pretty good these days and if companies can keep stuff patched, or there’s plenty of services that you can use around this stuff to make things better, then it just makes it too hard for them. So the trend at the moment is as per everyone, take the easy way out and hit the easy target. So they’re hitting the staff. So that’s why we’re seeing phishing emails. It’s a massive part of it. 85% I think I mentioned it but maybe I didn’t, 85% of the breaches come through staff. So that’s, that’s a big deal. So, you know, honestly, that’s the trend. If your staff have been hit really bad, you’ve got to do something about it. They are, well, I think there’s also a trend that the staff are getting blind, which is a bit unfair. It kind of starts offline. We all have a biggest weakness and blah, blah blah. And “Naughty Bob” for clicking on this and that. But I think companies also need to realize that they are an incredible asset. So you can go for a weakness, we can’t deny that. It’s not their fault, they’re not trained. You don’t just give someone a car and say “go and drive a car without a license and training.” But you take it from there, you give them training, you turn them into your biggest cyber security asset. That’s a big deal.
Ivanka: I’m very aware of the time that we have as we only have half an hour. So, to wrap it up, what is your number one thing that business professionals or I.T. professionals or business owners should teach their staff in relation to cybersecurity?
Mike: Honestly, If you asked me for the number one thing, I’m going to say it’s security awareness. And you need a good cost and you need to structure it into all these wonderful areas that you’ve got to engage them and if you want to do online stuff, well that’s hard because it’s not engaging. And you know, don’t treat this as a compliance thing. It’s not tech in a box, this is a big deal. But I would think the number one thing beyond that is a cultural shift. So you need to have awareness around this stuff. Your I.T. people, they need to be kicking the goals on this stuff as well. And they also need awareness because they don’t know all of this stuff. The board, the execs, they need to, part of the party with us. They’re going to be driving it. You need to have your risk mitigation processes, you need to have planning or responses made, policies and procedures that it doesn’t have to be horrifically complex, but you should think about it. Tying into that, is people taking their disaster recovery more seriously. You know, I mentioned this before, do you have backups actually work? Are your backups safe from being hacked? Do you test restores with them? If you can’t do that, you’ve got no business. So it’s a big picture and I think it’s a cultural thing. I think it just needs to be awareness across the whole organization and that will drive every other activity.
Ivanka: In respect to the backup and restore process you were talking about, you know, you mentioned to make sure that your backups are actually working. Do you envisage, and I’m talking about small business predominantly now, do you envisage that small businesses will be more safe when they have all their data uploaded into the cloud or use a cloud service provider?
Mike: Well the general rule of backups is you don’t rely on one location. So like for me I’ve got a home office. I have network attached storage network. Every day at four o’clock another attached storage device lines up and it doesn’t copy anything that shuts down. So that can’t be touched. I also do regular backups. The hard drives, they go off site every week and every night I do a backup to Amazon’s free storage. So something bad happens to my stuff, I’m cool, it doesn’t matter. I might lose a day of data, you know, but I’m fine. So I think, you know, to say “to store it in the cloud, you’re all cool”, you know the general rule of backups is you have multiple sources, multiple locations. You know, and the backup stuff’s got structure. Then you’ve got your grandfather, father, son, backup regime and you know, you’ve got your three, two, one, whatever. As long as you roughly going along with “hey youre supposed to do it” you should be fine. But I would never rely on my Amazon backup by itself. Because at the end of day, Amazon is a web face and company. If they get hacked, my backup could be gone. It could happen. So you just treat things seriously. And your data is the most important thing.
Ivanka: I read in an MIT article that the main target in 2018 for ransom ware attacks actually, were the cloud storage providers. You know, the Amazons and dropbox and you know, the big storage providers.
Mike: Yeah there’s plenty of money there, lots of information. I mean if they manage to shut down the whole place, and really cause some disruption, you lose customers from that. People go “I don’t trust you with my data anymore. I’m going to go somewhere else. ” One of the reasons why companies go broke. Your customers find out about this and go “I don’t like it. I’m out”.
Ivanka: So, let’s wrap it up there. So thank you very much for your time Mike and I really appreciate you taking the time out of your day to have a chat with me about cyber security and specifically how important it is to make your staff aware of the risks of cyber security and cyber crime. So if people that are watching this or listening to this are interested in knowing more, wanting to know more about you or your business they can go to and I’ll read it up. WebSafeStaff.Com.Au. So www.websafestaff.com.au. Is there any other way they can reach out to you and get in touch with you?
Mike: Is there any other way they can chat to me? The day time phone number comes direct to me. I’m a pretty approachable and coffees.
Ivanka: Coffee is always a good idea, so let’s wrap it up there, so thank you very much Mike. Thank you again for taking out the time.
And that concludes this discussion about the awareness need for cybersecurity for your staff. My name is Ivanka Menken from The Art of Service and I look forward to talk to you or see you very soon. Bye.