Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices.
In this episode, Graham Cluley stops by the Tripwire podcast to discuss the importance of keeping cybersecurity awareness fresh in the minds of the non-security community. Episode excerpts:
Tim Erlin: Welcome to the Tripwire Cybersecurity Podcast. I am Tim Erlin, vice president of product management and strategy at Tripwire. Today, I am joined by the illustrious Graham Cluley, a highly acclaimed blogger who has his own podcast. He has been in the industry for more than 20 years, so he has a lot of knowledge and experience. Welcome, Graham.
Graham Cluley: Thank you very much, Tim. Pleasure to be here.
TE: Excellent. Today, we’ll be talking about security awareness. Graham, would you say that security awareness is something that you’re passionate about? Is that an accurate description?
GC: Well, as passionate as an Englishman can ever be about anything. But yeah, I think security awareness is really important. I started off as a programmer writing antivirus software back in the early 1990s, but as time went on, I realized that we needed to move beyond programmers and developers to raise general awareness of computer security issues because computers were entering our lives more and more. That sort of happened over the last 30 or 40 years.
TE: Is that a change in your attitude towards information security that you developed over time? Or was there an incident that occurred or something specific that drove you to sort of move away from programming towards more general awareness as a goal?
GC: I think it’s a variety of things. First of all, more and more people are using computers. Obviously, we now have this situation where everyone is carrying a small computer with them everywhere they go. They’re addicted to their phones. And so that from that point of view, it became important.
Second, at my very first job as a Windows programmer at Dr. Solomon software, the workplace philosophy was that all the programmers should spend at least one day every month at the Tech Support Desk. So you all job wasn’t to just write the software. Your job was to also understand the problems which customers were having.
And it may be that you heard those problems and said to yourself, “Oh, I can fix that with a piece of code.” But also you understood the implications of the mistakes and the design decisions which you made when you were writing that software. So it really put me in touch with the regular users. And I like to think that to this day I’m putting myself in that position. I’m putting myself into those shoes and thinking, “Well, what do they think? What’s the language they understand? What are their issues?” And, and hopefully, I’m able to address them and, like I said, make them more secure online.
TE: In terms of awareness, my perspective comes from the vendor. I’ve spent my career primarily talking to large enterprises about information security products. I’ll admit that gives me a bias towards technology solutions and a kind of anti-bias towards awareness. But you have essentially the opposite perspective. Do you think that technology plays a role there? How do you think the two interact, technology and awareness?
GC: I think technology is a vital component. I would not want anyone connecting to the internet without security solutions in place. I wouldn’t want anyone running their business without software and hardware, which are doing the hard job of filtering out most of the threats or warning you if something has gone wrong. Because you know, computer technology can do an awfully good job at that. It’s a bit like, you know, vaccinating yourself, for instance. It’s the responsible thing as part of the community to make sure that you don’t end up vulnerable and you don’t end up infected with something. So technology is fantastic from that point of view.
But technology is not the entire solution. Ultimately, a lot of breaches occur because of human error. It may be that people are offered a clever socially engineered link to click on. Or it may be that someone at your reception desk allowed a suspicious phone call to come through to your desk. We need to address that, as well.
You know, what occurs to me is that it’s not just technology versus awareness. There’s a business aspect to it, too. I think that the business’s response is often, “Well, I can’t make any money out of awareness.” There isn’t really a huge economic boon to educating the average public about information security topics. In the very least, it would be hard to put a monetary figure on that. But it’s certainly the case that more and more companies over time have begun to recognize the importance of securing their organizations and securing their staff as well as raising awareness of these threats partly because of the attention generated by data breaches in the media.
There’s no excuse now not to be asking questions of your CSO, and there’s no excuse not to be listening to them when they’re saying, “We really need some more budget to protect our organization.” Because there are plenty of tales now of companies who have been basically bankrupted or near as good enough because of data breaches. You know, one things I say is that you can spend an absolute lifetime building up the brand and reputation of your organization, but it may only take minutes to destroy it through a data breach. How many years, if at all, will it take to actually recover from it?
TE: It occurs to me that with security awareness, we’re in many ways fighting a type of confirmation bias. Everybody understands that the threats are out there, but they have a hard time believing that it could happen to them. You know that phone might be compromised, but my phone isn’t compromised, so what’s the big deal?
GC: Yeah. it is something that we certainly can be guilty of. The situation now is that we have all been breached multiple times. Chances are you just go to pwned.com and enter your email address there and Troy Hunt’s database will tell you how many data breaches you have been involved in in the past. It’s not as rare as it used to be when I started in this industry. I’m living in this world, you’re living in this world, so we’ve learned to be paranoid all of the time. But I think many people will forget about this unless they are regularly reminded with awareness sessions. There’s the need to keep it fresh and realize you don’t just do this when you induct people into the organization. You need to do it all of the time, and you need to regularly refresh the content so it doesn’t become dull.
TE: At the end of this conversation, I’m wondering: what difference does security awareness work make? We’ve been in this industry for 20+ years, and I don’t think we can say that things have gotten better. So are these efforts to make people aware making a difference? How can we tell if they are?
GC: I don’t know. I’d agree with you about things not getting better. I hate to be too downbeat. Suddenly, cybercrime has exploded like never before. I think that identity theft sounded like something from a science fiction novel about 10 years ago. But now they begin to understand about fraud. Because they have had bad experiences either personally or inside the office, I think they are becoming more aware of these things. Fortunately, more and more companies do have defenses in place. Sure, they’re not perfect, but awareness training can play its part as well in terms of raising awareness.
TE: The key question is how to get some real data that says awareness is working. I don’t really see a path to do that.
GC: I’m not sure I do, either. Maybe for bigger brains than mine to work out how we actually quantify this and whether it’s working, but at the same time, even if we can’t put a number on it, it feels to me like this is something that’s worth doing now.
There’s a lot of things when it comes to computer security where it can be hard to quantify your success. I think this is one of the challenges for IT teams generally. If you’re doing a really good job, there’s nothing to report to the bosses, and the bosses will think, “Well, we reduce your budget because we didn’t have any security incident last year. The reason we didn’t was because we had all these defenses in place.” So, it is a challenge, but I really hope more and more organizations do recognize that there is a benefit to doing this as well as the traditional security measures.
TE: I do too. All right, well I think we’re at the end of our time here. Graham, I really want to thank you for joining us. I think it was an interesting and enlightening conversation, and I appreciate your perspective. It’s been a pleasure to all our listeners.