I'm speaking here to you now from my lovely home near Munich. And today I will be speaking with you about a topic that is also very close to what Bo already said, but I wanted to provide maybe a broader angle on what I see with security awareness and also the factor of humans within cybersecurity. And this is why for today my presentation here is also called "Humans, the Exhaust Port of Security". Sorry if you saw that in a different kind of way. So, a quick overview of what we're going to talk about.
I'll give you a quick intro into my person, then: why exhaust ports? Right, so the reference to Star Wars here is always good. Why we are the layer eight problem, which kind of solutions are there in the market or anywhere in the world overall, and also three outlooks that we have in terms of security awareness for humans and what we can do from a cybersecurity perspective to train people to make them more aware. So one is of course an optimistic one, one is a more pessimistic outlook, and one is really something that forges together
the words of both and gives a more, I would say, realistic outlook into the future. So again, my name is Max IBI. I'm a former senior information and cybersecurity consultant. I am currently the deputy CSO of a large European bank, and I'm also a trainer, coach and speaker under my umbrella, Ahead Security. I need to provide this quick and short disclaimer as I act here under my Ahead Security banner: the information, assessments and evaluations communicated by the speaker during the event and contained in this document represent the personal opinion of the speaker/author of this document.
They are expressed as a private individual and are therefore in no way to be attributed to the related position of the speaker/author within UniCredit Group or UniCredit itself. So if you were wondering at which European bank I'm working, you are now probably aware of that. So, cyber and Star Wars, right? Why and where does that reference come from?
So, I mean, basically, if we look at the story of Star Wars, we see so many aspects that are absolutely reflected within the world of cybersecurity. So if we look at it from an angle where the Empire are the good guys, of course, and the Resistance, the Rebels, are the hackers that want to hack into the system, we could see early on and within the very first movies that there are so many references that we can now see in cybersecurity.
It's almost blatant how transparent that is. For example, the Death Star itself had state-of-the-art defense mechanisms: lasers on top of it, defense mechanisms everywhere, other ships that they were releasing to defend off the incoming Rebels, and so on and so forth. But still, one single fatal attack was possible on one side due to a human error. And there was even this malicious insider that manipulated the Empire's core system to make this exhaust port even available. Right?
I mean, we have only learned that during one of the more recent movies, but still, they had a system that was very good in place, but there was one single point of error. And that error basically really came from a human that intruded them and acted as a malicious insider. But of course, still, on the other hand, the Empire did not check frequently enough what this malicious insider was doing and how something like that could be exploited.
Also, as we have seen in the movies, the Rebels were, for example, acting as stormtroopers or sitting within starships of the Empire and were basically going through security systems by using old codes. I think there's even the quote, "It's an old code, but it checks out." So what is the security awareness of the guy checking out the security code here?
I mean, it's pretty bad, right? So there is a clear lack of employee awareness within the Empire regarding security measures that you need to take care of and that need to be put in place before you run an exercise or an operation like the Death Star itself. And this is where we come to the layer 8 problem, right?
I mean, you probably all have seen this picture before. We have in cybersecurity firewalls, encryption. We have anti-malware solutions. We have UEBAs. We have SIEMs. We have basically all kinds of fancy stuff in our pockets and in our hands. And still, in the other corner, we have a user that just wants to do the business. It must be running, right? A user doesn't have time for validating everything. So that's one of the key things that is always coming back to me, also in my work and where I'm frequently working at: people telling me, I have so much stuff to do, I cannot check everything.
And I thought we had security tools in place for that. So why are we even attackable here? Why are we defenseless? And it was just so convincing, right?
I mean, by today's standards, social engineering attacks are not being conducted anymore with emails from a South African prince that just wants to share his wealth with you, right? Nowadays the phishing emails, the phishing attacks that are being conducted, are way more personalized and really go down into details about people that make them really convincing. And I mean, you can even buy translation services on the dark web for your phishing emails so that they have no grammatical or other errors within the text. So it looks really, really good, really convincing.
And people are always saying, how could I have known better? Right. So what do we do? And this is perfectly showing again also what Bo just presented from an eon perspective, right? How can we bring this problem up to the users, to the humans? Because they are the ones that are really the first ones a malicious person will reach for. The people are the ones that are the easiest to target and the ones that could fall behind an attack quite easily. So what kind of solutions do we have in place?
Billboard here once brought up a solution also for passwords, right? So someone doesn't have his password backed up and doesn't know where to go. So he's asking for help, and what does he need to reset his password?
Well, he needs another password or a PIN, and that is just even more confusing. So the solutions we need to put in place here for the people, for the humans, need to be something that is simple and direct as a first measure. So if you do not have anything at hand, right, and I mean, it was already said that sometimes you of course have audits coming in that need to see that you're doing some kind of awareness campaigns, what you need to do here is try to figure out what again is your business, your business area, how many people do you have within your company?
Are you split apart across different locations, or are you all centralized within one HQ? But then still, of course, Corona comes in, and we're all working from home.
So these methods here that have been pointed out in the second part, like posters and printouts, they worked well before, when we all worked in one location and we all had those buildings laid out in specific ways and we always passed certain floors. And by that, with a poster or with a printout, you could always reach people on a specific level, right? Short and simple messages. But nowadays, with many people working from home, just like I do here, we need to think about a different approach.
So either it's through email newsletters that you can send to your employees quite easily, or you're thinking about notification tools that you could use for the PCs that your employees are using. So the thing here that you need to really look into is: you need to start with something that is short and simple. So warn them about incoming threats, for example now, with December coming up, Christmas phishing attacks, right? So these will become frequent again, and you need to do at least something to help your employees on that level, that this could happen.
Now this could be more frequent. Please look out, do not click on everything, right?
Short, simple messages that could already help here. And also, if you do that, what you need to figure out afterwards is whether what you are doing is really bringing in the change that you would expect in the social behavior. Right? If you tell your people, don't click a link, but if you see something that is suspicious, send it over to your SOC, your security operations center, or use,
if you have one, a phishing button that you can use for automatically reporting it and then deleting it from your mailbox, right, is that reaching your people? Is that behavior increasing in the direction that you are really focusing on and that you are targeting? If that's the case, then very good, you have made a very good first step. If you do not see this increase, this change in the social behavior, well, then you need to go back to the drawing board maybe and reiterate on what you're doing, and see if you need to improve on one of your methods, just as we had with the cycle, right?
And so you need to evaluate your investments again. So how can you increase the awareness further, especially when we go to phishing? And there is one specific thing here that is also on the reference list.
Later, you can implement specific, let's say, formulas to calculate KPIs for that, right? Because that's always something that you should look out for: using KPIs to track your progress. Because how should you then be able to track your progress if you do not calculate it against something that you might use? So within the reference list, you can see one example of how you can, for example, track the KPIs for phishing and how a phishing campaign that you go through within your company could really be beneficial for you and for your employees.
And so if you do all this, you still need to think about how you can improve and identify new methods for your awareness campaigns, because just sending out emails is not enough, right?
Should you do something in an automated kind of way regularly, every month, every two months, once a quarter? Should you target specific groups specifically? For example, because a database administrator could easily be a better target than someone else within the security department, or an assistant of a board management colleague could easily be targeted as well, for example for CEO fraud. So think about also targeting your awareness campaigns more on specific groups, also with things like secure coding, right? Secure coding training for developers.
If you do not teach them how they should write secure code, which is an awareness topic, how should they ever know? Right.
I mean, of course you can write it down in your policies, but still you need to train them somehow, because this is how you can then really bring in the change that you want to see. So, as you can see, awareness is not only on the level of "I'm being attacked"; awareness is also on the level of what I'm doing at work every single day and how I can implement security here, also on a level where it's helping and leveraging the company.
So if we look at all of these things that we could do, and I mean, there's a tremendous amount more that is possible to do anyway, we have an optimistic outlook, right? That could basically mean the employee awareness rises, and potential vulnerabilities, so our exhaust ports, are being closed through increased attention and notification behavior. Right?
So, for example, again, a tester that has just recently seen your secure coding web-based training is now looking at a specific application that is about to be tested and is seeing vulnerabilities in there that should have been closed based on this secure coding training that you provide for them. So, perfect check mark here. He's notifying; a penetration test is being conducted.
It's seen: okay, this is a vulnerability, we can close it within the next change. Great. And also the investment in expensive tools can be lowered, because if you are just trying to focus on remediating potential attacks with costly tools, again, you're missing the point on the humans. But if you train the humans, if you make them aware, you can also reiterate on the investment that you make in those tools.
And maybe even say, okay, we don't need that many licenses for this specific border perimeter control entity, because we now have people that are more eagerly aware and are not clicking on every single link, right? And also, what is always good is if you do this in a way that you receive positive feedback from your employees. They will speak about this, not only directly to you, but they will value these investments when they are reaching out to other customers, to friends of theirs, to their family.
And so what you can see then is you are getting an increase in your potential growth and also in hiring additional people, right? Because I mean, we're a security community, we're talking among ourselves. And now we know, for example, our company XYZ is really doing great with these awareness initiatives. It's really a place to grow and we can all leverage here. So why don't you come in? We have open positions, we're really reaching out in terms of our security awareness.
And also this will raise your recognition in the market, because again, within the community and outside of the community, people will speak about it. And so the reserves, again also on the monetary basis, the reserves for potential data breaches or loss and ransoms and payouts, can potentially be decreased if you calculate everything based on your risk potential, because the probability for a successful attack like that is probably lowering, right? It's decreasing because you are investing in your awareness. You can track through KPIs
that awareness is rising, that people are not clicking on malicious links all the time. So you can potentially lower your reserves for those cases as well. A pessimistic outlook is something that we of course also need to look at, because it could also always go the other way. So employee awareness is not high enough to be fully protected against that. That's something that we just need to tell everyone within the security world: it doesn't matter what you do, you will never reach 100% security. This is just not realistic, right?
This is not true. And attacks will happen. And especially if they are targeted, right, if we talk about spear phishing and stuff like that, or really targeted phishing attacks, they will at some point be successful. So again, you cannot just look only at awareness, but you of course need also to look into what your investments in security and resilience tools and methods are, to handle everything that is successful on a tech level. So again, from a pessimistic, but also still kind of realistic outlook, you will be phished or impersonated or deceived.
It's only a matter of time, but you can stretch this time by doing proper awareness campaigns. So, and the realistic outlook again will be: the employee awareness will protect you better, right?
But it's still not that good for direct spear phishing things, whereas it is for widespread attacks. Right? So a phishing email that has been sent out to 2,000 through 3,000 people is probably being recognized and will not be successful. Right?
But again, these targeted attacks at some point will make you weak. But with the increased awareness, attackers might also think about you as a more irrelevant target, because it's not so easy to get you, and your follow-up measures,
again, security incident management, your lessons learned, the Deming cycle, everything should still be in place. And you need to work on that, because with awareness alone you will not get anything. And there is no miracle cure, no blue pill, no magic wand, but we have multiple things in place that we can use that are not that expensive. But you need to invest in your security. So I would say, start with your people, because that's really the first layer that someone will attack in the future. So thanks everyone. You can reach me on these URLs and emails and my Twitter handle.
And also here, again, the reference list for calculating a KPI on phishing awareness and all the Star Wars movies and shows. Thanks.
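The talk refers to a reference-list formula for phishing KPIs without stating it, and separately suggests targeting awareness campaigns at specific groups. The following is an added example, not the speaker's or KuppingerCole's material, showing one way a security team can track the outcomes of its own internal phishing simulations across campaigns: click rate, credential-submission rate, report rate, reports per click, and median time to report, with a per-group breakdown that flags groups for targeted training. The metric names, the 25% submission threshold, the group labels and all campaign data are constructed assumptions, not figures from the talk.

```python
"""Phishing-simulation KPIs over constructed campaign data (added example, not from the talk)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    """One recipient's behaviour in one simulated phishing campaign."""
    group: str                              # department or role, used for targeted follow-up
    clicked: bool                           # followed the link in the simulated lure
    submitted: bool                         # entered credentials on the training landing page
    reported: bool                          # used the report button or forwarded it to the SOC
    report_minutes: Optional[float] = None  # delivery-to-report delay; None if never reported


def O(group, clicked=False, submitted=False, reported=False, report_minutes=None):
    """Short constructor so the sample data below stays readable."""
    return Outcome(group, clicked, submitted, reported, report_minutes)


# Constructed sample: two quarterly simulations, ten recipients each (assumed group labels).
CAMPAIGNS = {
    "2021-Q3": [
        O("dev", clicked=True, submitted=True),
        O("dev", reported=True, report_minutes=12),
        O("dev", clicked=True, reported=True, report_minutes=30),
        O("dba", clicked=True, submitted=True),
        O("dba"),
        O("assistant", clicked=True, submitted=True),
        O("assistant", reported=True, report_minutes=5),
        O("finance"),
        O("finance", clicked=True),
        O("finance", reported=True, report_minutes=45),
    ],
    "2021-Q4": [
        O("dev", reported=True, report_minutes=8),
        O("dev", reported=True, report_minutes=3),
        O("dev", clicked=True, reported=True, report_minutes=20),
        O("dba", reported=True, report_minutes=15),
        O("dba", clicked=True, submitted=True),
        O("assistant", reported=True, report_minutes=6),
        O("assistant"),
        O("finance", reported=True, report_minutes=10),
        O("finance"),
        O("finance", clicked=True),
    ],
}


def kpis(outcomes):
    """Per-recipient rates plus two figures that show whether reporting is winning over clicking."""
    n = len(outcomes)
    if n == 0:
        raise ValueError("campaign has no recipients")
    clicks = sum(o.clicked for o in outcomes)
    reports = sum(o.reported for o in outcomes)
    delays = [o.report_minutes for o in outcomes if o.reported and o.report_minutes is not None]
    return {
        "sent": n,
        "click_rate": clicks / n,
        "submit_rate": sum(o.submitted for o in outcomes) / n,
        "report_rate": reports / n,
        # reports per click: above 1.0 means the SOC hears about the lure more often than it is clicked
        "reports_per_click": reports / clicks if clicks else float("inf"),
        # how quickly the first responders give the SOC a chance to pull the mail from other inboxes
        "median_report_minutes": median(delays) if delays else None,
    }


def kpis_by_group(outcomes):
    """Same KPIs, split by target group."""
    groups = defaultdict(list)
    for o in outcomes:
        groups[o.group].append(o)
    return {g: kpis(outs) for g, outs in groups.items()}


def groups_needing_training(outcomes, max_submit_rate=0.25):
    """Groups whose credential-submission rate exceeds the (assumed) threshold, worst first."""
    flagged = [(g, k["submit_rate"]) for g, k in kpis_by_group(outcomes).items()
               if k["submit_rate"] > max_submit_rate]
    return [g for g, _ in sorted(flagged, key=lambda t: (-t[1], t[0]))]


def trend(campaigns):
    """(name, click_rate, report_rate) in campaign order, and whether both moved the right way."""
    rows = []
    for name, outcomes in campaigns.items():
        k = kpis(outcomes)
        rows.append((name, k["click_rate"], k["report_rate"]))
    improving = len(rows) > 1 and rows[-1][1] < rows[0][1] and rows[-1][2] > rows[0][2]
    return rows, improving


if __name__ == "__main__":
    for name, outcomes in CAMPAIGNS.items():
        print(name, kpis(outcomes))
        print("  groups to target with training:", groups_needing_training(outcomes))
    print(trend(CAMPAIGNS))
```

The report rate and reports-per-click matter more than the raw click rate alone: a campaign where a few people still click but most recipients report it within minutes is the behaviour change the talk describes, because the SOC gets a chance to act before the real thing lands.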