[00:00:00] Nick Holland: Hello, this is Nick Holland with Information Security Media Group. I'm joined today by Theo Zafirakos, who is the CISO with Terranova. Theo, thank you for joining me.

[00:00:10] Theo Zafirakos: Hello, Nick, thank you for having me.

[00:00:12] Nick Holland: So we've got an interesting roundtable discussion coming up in a couple of weeks. The title is "People-Centric Security Awareness: Safeguarding Remote Worker Threats for Financial Services." This is going to be in conjunction with Microsoft, and obviously Terranova. And so I wanted to do this as sort of a pre-call interview, just to get a taste of the conversation we're going to be having. And so the first question for you, Theo, is: to what extent do you think security and compliance training needs have been addressed since COVID-19 happened? Obviously, people are working remotely; has the security and compliance side of things taken a bit of a backseat?

[00:00:53] Theo Zafirakos: Well, some organizations fell behind in their program, obviously because of the situation and the position their employees were put in. Others put their initiatives on hold because of financial reasons. In other cases, we saw a significant increase in the number of organizations that were deploying an awareness program for the very first time, or other organizations that needed to update their program because of the new threats that came about with this remote working environment. Obviously, everybody saw the pandemic-related phishing attacks that were targeting employees. And also there were new risks introduced with the new technologies when it came to working from home. So for example, risks related to video and conference calls, or the need to share files and use file sharing services outside of the office. Also, we saw employees maybe using personal devices to conduct business activities, and organizations had to deploy the remote workforce, you know, very quickly, so they didn't have time to train those employees before they left for home. So they had to do the training afterwards. Compliance-related training is typically mandatory. So I sure hope that organizations maintained those activities in order to prove to the regulators that they have provided the necessary training.

[00:02:22] Nick Holland: Hmm. Okay, very good. So, in terms of, again, this remote workforce, where do you see the greatest weaknesses in the training needs for employees?

[00:02:34] Theo Zafirakos: Well, like we like to say here at Terranova, it all starts with the phish. So a lot of social engineering happens, and it happens in various forms. It could come through email, text, phone calls, and sometimes even in person, right? Social engineering is another form of con, just using electronic means to deliver its payload. So I want organizations to know how to be careful with the proper handling also of information and technology assets. So when these assets are taken away from the office, where we lose certain physical security aspects, well, how do you protect those technology and information assets outside of the office? And also incident reporting becomes very important. So when individuals see something suspicious, or something out of place, it's very important to alert someone. Now, it may be a little bit easier to do it when you're in the office, and maybe a little bit more difficult to pick up the phone and call someone when you're not in the office.

[00:03:38] Nick Holland: Okay, very good. So the discussion we're going to be having in a couple of weeks, this roundtable, is focused on financial services. So what are the specific threats to financial institutions from remote employees?

[00:03:53] Theo Zafirakos: Well, the specific threats have to do with the type of information that financial institutions have access to. They have a lot of personal information and financial data, so they have to protect this information, whether from outsiders or insiders. This also could happen through a business email compromise, when someone steals the credentials through an attack or a keylogger, and has access to this information in this email. And they could use those details to conduct further attacks within the rest of the organization and on other individuals. And also, you have to be careful with devices that may not connect as often, therefore not receiving the latest updates and security patches. So it's important to remind employees that once you connect your devices, make sure that all the proper updates have been installed before conducting business activities.

[00:04:47] Nick Holland: Okay, very good. Let's also look at, again, compliance and regulations, which obviously haven't gone away working from home, but there's still, you know, significant movement in that space. So how can you ensure your employees meet these shifting compliance and regulation requirements as well when they're working remotely?

[00:05:08] Theo Zafirakos: Well, first you have to identify which employees you have to train. So you may have to train a subset, or all employees, and then you may not have to train them at the same level. So that's the first step, to define your audience. Then you have to determine the type of training that you need to do. First, you have to do the compliance training, because you need to inform your employees about the different requirements the regulation has, right, different activities, different procedures that you have to put in place. But that doesn't stop the breaches. Right? You have to also provide security-related training, because the security-related training will prevent a breach of regulated data. So identify your audience and identify the type of training that you need to deliver.

[00:05:56] Nick Holland: Okay. And then finally, I mean, again, I think there's an understanding now that the remote employee is going to be the normal situation for most organizations going forward. So how do you meet this ongoing training need for the remote workforce?

[00:06:11] Theo Zafirakos: Online training is very important. Now that people are working from home, maybe you want to do training in a shorter time length, in bits and bites where the information could be easily consumed and remembered. Also, it's very important to train your employees using phishing simulations. If you're not ready to deploy phishing simulations, at least inform your employees of the latest phishing scenarios and phishing trends, right? So you don't necessarily have to test them, but you have to inform them using the actual scenarios that the attackers are using. Educate your employees about corporate policies, procedures, controls that you have in place. They're important, and how to apply them in order to respect the security controls. And then keep providing constant updates of the latest correct and the latest strength that may be affecting them. We take information security awareness as a program; it's an ongoing journey. There is no end. Just continue doing it.

[00:07:15] Nick Holland: Very good. So thank you very much, Theo. That is Theo Zafirakos, who is the CISO with Terranova, and for Information Security Group, I'm Nick Holland.