As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Stephen Cobb, an independent cybersecurity researcher and public-interest technologist with four decades of experience at the nexus of technology and criminal activity. A bestselling author and recipient of the CompTIA Tech Champion Award, Cobb has been a Certified Information Systems Security Professional since 1996. Currently based in the UK, Cobb holds a masters in security and risk management from the University of Leicester.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I have spent much of my adult life in the US but was born and raised in Coventry, England, a city synonymous with innovations in industrial technology, like the pedal chain bicycle and the turbojet engine, and manufacturers like Jaguar, Land Rover, and Triumph. My father was an engineer, as were my grandfathers. As a teenager in the 60s I aspired to be a celebrated poet and songwriter, but the oil crisis of 1973 crushed funding for the arts and I pivoted into petroleum accounting, tax auditing, and from there to computing; that’s how I became enthralled by the clash of technology and ethics that is at the heart of cybersecurity.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
By the late 1980s I had taught hundreds of personal computing classes for IBM and authored several books on how to use PC software. A local business owner who’d been in one of my classes called me for advice when his PC was stolen. I had already seen how seriously mainframe computer folks took security, but that office burglary told me PCs could be just as “mission critical” and were going to need protecting. That prompted me to write The Stephen Cobb Handbook of PC and LAN Security, which was published in 1991.
Can you share the most interesting story that happened to you since you began this fascinating career?
In 1995, a friend in the computer security industry encouraged me to attend a meeting of hackers that had started to become an annual event in Las Vegas. That’s how I came to deliver a talk at the third DEFCON and engage with most of the attendees — there were a few hundred then, not the tens of thousands seen at recent DEFCONs — and from them I gained valuable insights that continue to help me today.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My 1991 computer security book was a publishing disaster; fewer copies were purchased in the first 12 months than one of my “how to use a spreadsheet” books would sell in a week. However, in 1994, I was invited by Richard Ford, now Dr. Richard Ford, to speak at Virus Bulletin, one of the most prestigious conferences for antimalware researchers. There I met a lot of industry pioneers, some of whom had read my book and encouraged me to stay focused on cybersecurity.
Are you working on any exciting new projects now? How do you think that will help people?
This year I started a project called The Malware Factor to help people outside the cybersecurity profession understand how the rampant abuse of digital technology — typically through some form of malicious code — threatens to undermine everything from online shopping to space exploration, from working at home to telemedicine and vaccine trials.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Get a pet, preferably one that likes to cuddle. Or find some other way to immerse yourself in the natural world, something that doesn’t require batteries (like a walk in the park, but without your phone).
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I have always been excited to work with people who offer a variety of perspectives and the cybersecurity industry was created by people who came at things from many different angles such as physics, medicine, biology, electronics, mathematics, and the arts. As the industry became more corporate, the benefits of diversity seemed to be at risk, but in recent years I’ve been excited to see, and participate in, efforts to embrace diversity. A third source of my excitement: more industry pioneers are taking an active role in public policy, an essential but neglected angle of attack against all forms of cyberbadness.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The more that companies rely on automation, the more likely it is that criminals will look for ways to monetize abuse of the code that runs automated processes. Look for blurring of the lines between cybercrime and physical crime in areas such as Industry 4.0, supply chain automation, building automation (siegeware), and autonomous vehicles (jackware). A closely related threat is criminal abuse of the Internet of Things which now permeates many offices and the homes from which more and more employees may be working.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
One Monday morning my first security consulting firm got an urgent call from a very large financial services company that was a client. During Sunday evening one of their sysadmins had detected suspicious traffic between several servers in their data center. We had just that morning started a network security review at the head offices of a different client. We had to ask that client for a meeting room where we could put our technical lead on a conference call to the client with the server traffic problem. Thankfully our host accommodated us and, over the next few hours, our expert helped the client determine that the suspicious traffic, while unusual, was in fact legitimate. That company learned the hard way that if you don’t have in-depth knowledge of your own systems, it is hard to tell whether or not they’ve been owned.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
While many security experts moan about antivirus software — some going so far as to say it doesn’t work — I make sure that all the systems I look after are running a reputable endpoint protection software suite, which is what antivirus software has evolved into. On top of that any organization of any size should be running an endpoint detection and response solution. And of course, a good network security auditing tool becomes more and more essential the larger and more dispersed the company’s information systems become.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Unless your company has people on staff who are skilled and up-to-date in cybersecurity, you either need to hire some people like that or engage a cybersecurity specialist. Fortunately, smaller companies may be able to tap their Managed Services Provider for security expertise. On the other hand, management should never assume that their IT provider is going to adequately take care of security. If you don’t have a recent appraisal of your company’s cybersecurity and data privacy status from independent outside consultants, get one now. That will help you identify any gaps and decide the best approach to fill them, in-house or via a qualified service provider.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
You should investigate any systems or connections that are suddenly slower for no apparent reason, or appear from the logs to be unusually busy at odd times. You should also be alert to unusual or suspicious employee behavior. This could indicate they are hiding knowledge of a breach, caused by mistake or on purpose, by themselves or in collusion with an external actor.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first call should be to legal counsel to ensure you protect privileged discussions and documents. The crisis response team should then be activated and the nature and parameters of the breach matched to the appropriate game plan in your incident response playbook. (This assumes your company has a crisis response team and an incident response plan and playbook, and it really should).
The impact of these laws varies widely between different industry sectors, some of which handle relatively little personal information. But these laws should be making all businesses think carefully about how much personal data they acquire, process, and store. Why? Because the downsides of mishandling or breaching such data are now bigger and more costly than ever. Holding onto data that you don’t really need, and maybe shouldn’t have collected or acquired in the first place, can become a big liability.
What are the most common data security and cybersecurity mistakes you have seen companies make?
In general, I see too many assumptions being made about the company’s security posture, typically erring on the optimistic side, for example assuming that all endpoint protection has been installed on all the endpoints, and is running on all of them, and has not been turned off on any of them. The same is true for backups. It shouldn’t take a ransomware attack to show you which data is not backed up, or which backups can’t be restored.
One type of mistake I see too often is companies putting off creating or maintaining up-to-date information security and data privacy policies (for example, have you spelled out who at your company is, and who is not, authorized to negotiate a ransom?). I see the same with crisis response plans and playbooks, and some companies that have them don’t get around to testing them — preferably through tabletop exercises with executive participation — before the company itself gets tested.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, more mistakes are being made due to an increase in workloads hitting a sector that was already struggling to staff up. Dispersing the workforce in response to the pandemic has disrupted many established controls that were in place to enforce security, including non-technical controls such as those inherent in face-to-face interactions with staff. We know from experience that many forms of fraud thrive on the effects that a crisis like a pandemic can produce. These include heightened levels of fear; personal suffering; economic stress; resource diversion; and regulatory distraction. Not only are criminals targeting employees working from home, some of those employees may be tempted to become criminals.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. Companies need to know that criminals are continuing to increase their ability and willingness to attack information systems of all kinds, and if unauthorized access to data cannot be gained through technical attacks or basic social engineering, some perpetrators are prepared to pressure company employees to collaborate. This means that tightening of measures against insider threats is vital.
2. Companies need to know it is no longer enough to teach the corporate policies on cybersecurity and data privacy to new employees on their first day with just an annual or semi-annual refresh. Security awareness needs to be maintained throughout the year. Changes in technology and working conditions demand that policies and controls be updated, and changes must be communicated to staff, contractors, and suppliers. This was true well before the pandemic dramatically altered the threat landscape and multiplied the attack vectors.
3. Companies should know by now that they will probably be judged harshly if a future crisis reveals that they still don’t have a business continuity plan, or don’t have a complete plan, or haven’t tested the plan, or haven’t properly informed employees about what’s in the plan.
4. While most companies do know they need a business continuity plan that includes incident response and disaster recovery, too few know the last time the plan was revised, for example to include ransomware scenarios or working from home scenarios; or the last time the plan was tested, for example using tabletop exercises.
5. Most companies realize that the challenges of cybersecurity and data privacy are continuing to grow, but they need to know that public sympathy is not growing at the same rate. In fact, every survey I’ve seen or carried out suggests that continued privacy breaches and cyber-attacks are seriously discouraging to a growing percentage of the population. If your company suffers a cyber-incident, those sentiments could easily translate into greater than expected losses, of trust, customers, and revenue.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I want to harness the power of the people to convince politicians and public officials to do more, much more, to deter cybercrime. My work with CompTIA showed me that politicians are in fact sensitive to public pressure, so even a basic “call or write your congressperson” campaign could make a difference. But I would like to see us do a lot more than that, because until we can generate the political will to create and enforce global norms in cyberspace, the abuse of digital technology will continue to undermine every positive human endeavor.
How can our readers further follow your work online?
Please visit scobbs.blogspot.com.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!