SFF GREEN SHOOTS SERIES: THE GROWING IMPORTANCE OF CYBERSECURITY
April 24, 2020
On 24 April 2020 we held our fourth Green Shoots session, discussing the growing importance of cyber security. Our seasoned cybersecurity experts and leaders from around the world, Ralph Echemendia (“The Ethical Hacker” and CEO at Seguru), Paul Hadjy (CEO & Co-Founder at Horangi), George Do (Chief Information Security Officer at Gojek), and Jagdish Mahapatra (Managing Director – Asia at CrowdStrike), shared their expert advice on cyber security issues and strategies to better navigate a COVID-19 world. We also asked our speakers for their views on how secure the following communications tools are. Check out the ratings below. P.S. we use Zoom for our weekly Green Shoots sessions!
Here are some resources from the session:
- Q&A with Speakers: below
- If you missed the session or would like a replay, view it on our YouTube channel here. Do follow us for more videos!
- Want more? Check out upcoming Green Shoots sessions on our SFF website here.
Let us get through this together and be stronger, when the green shoots start to appear.
Q&A with Speakers
Question: Cyber criminals are incredibly agile and able to innovate at a faster rate than legitimate firms. How can we understand them better so that we can beat them at their own game?
Response: Jagdish Mahapatra: Unfortunately, cyber security is reactive; cyber criminals are proactive. While we can say we are trying to be proactive, we are not in reality.
Response: George Do: Take a look at "cyber attack kill chain" (Google) which breaks down the attack life cycle.
Question: What are some of the cybersecurity issues amid COVID-19?
Response: Paul Hadjy: There has been a significant increase in phishing attacks using the issue as part of targeted campaigns. As George just mentioned, there are also a lot of social engineering techniques using COVID-19 as a guise. You also have people spending a lot more time on the internet and accessing their work systems from home, which makes them vulnerable in different ways.
Question: I’m a mid-career switcher just starting out in cybersecurity and heard that IT networking is important. I’m working on CCNA certification to achieve this foundation, is this the right direction? How important are CCNA and network security given the rise of cloud vis-a-vis networks?
Response: Ralph Echemendia: In network security, CCNA is a great start.
Question: 5 things we must follow while accessing office systems from home?
Response: Jagdish Mahapatra: 1. Focus on securing the devices. 2. Avoid clicking on suspicious mails. 3. VPN patch dynamic. 4. Multi Factor Authentication. 5. Ask for help if confused.
Response: Paul Hadjy: 1. Multi Factor Authentication on everything that can support it. 2. Securing your home Wi-Fi. 3. Making sure your applications are configured correctly: passwords on Zoom meetings, Slack integrations, etc. 4. Be cognizant of phishing and social engineering. 5. And asking for help, as Jagdish mentioned :)
Response: George Do: 1. Use multi-factor authentication. 2. Use and ensure your endpoint security is always up to date. 3. Protect your Wi-Fi with a strong password. 4. Learn and be obsessed with recognizing phishing or social engineering attacks. 5. Don't use the same password across your personal apps - use a password manager.
Question: We have to use cloud during COVID-19, but FIs don’t like it - what should we do?
Response: Paul Hadjy: I think they are warming up. There is a certification called SOC-2 that is almost a shoo-in once you have it. But I think having your security boxes checked and being able to prove it is huge. Horangi’s product Warden actually focuses on helping companies comply with these certifications and MAS-TRM and MAS Cyber Hygiene, which makes most FIs comfy.
Question: Digital signatures and the like are outcomes of a mindset & structure. The change of mindset with FI is a problem given legacy & the veil of regulation which is a convenient thing hidden behind the curtain. How do we change the mindset using security as a conduit given their understandable paranoia?
Response: Paul Hadjy: I spent a lot of time working at banks and governments during my time at Palantir, and I think the thing that works best is proof. You need to create the situation where you can show them; showing them and helping them understand is the only way that I have found that works. It takes a long time and it is painful for everyone, but it does work.
Question: Three signals which will indicate - hackers are taking advantage of COVID-19?
Response: Paul Hadjy: There was a recent statistic that phishing attacks had increased almost 700% over March.
Response: George Do: 1. COVID phishing, usually masquerading as the government on financial assistance programs or as healthcare institutions on your health record; 2. Increased scans of your systems (reconnaissance); 3. Sudden increase in company assets showing up on the dark web.
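Signal 2 above (a rise in scans of your systems) is one you can watch for in your own connection logs. The following is an added example, not tooling from the panel or any of the speakers' companies: it reads firewall-style connection records, keeps a sliding time window per source address, and flags any source that touches many distinct destination host/port pairs inside that window, which is how a port or service sweep looks from the receiving end. The log lines, the line format, the 60-second window and the threshold of 10 targets are all constructed assumptions for the example.

```python
"""Flag reconnaissance scans in connection logs (added example, not from the panel)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed record format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

# Constructed sample log. 203.0.113.7 sweeps twelve ports on one host within
# twelve seconds; 198.18.0.9 probes slowly, one port every 61 seconds; 192.0.2.5
# is an ordinary client talking to HTTPS. One non-matching line is included to
# show that unparsable records are skipped rather than crashing the detector.
SAMPLE_LOG = """\
2020-04-20T09:00:00 firewall: log rotated
2020-04-20T09:00:01 203.0.113.7 198.51.100.10 21 DENY
2020-04-20T09:00:02 203.0.113.7 198.51.100.10 22 DENY
2020-04-20T09:00:03 203.0.113.7 198.51.100.10 23 DENY
2020-04-20T09:00:04 203.0.113.7 198.51.100.10 25 DENY
2020-04-20T09:00:05 192.0.2.5 198.51.100.10 443 ALLOW
2020-04-20T09:00:05 203.0.113.7 198.51.100.10 53 DENY
2020-04-20T09:00:06 203.0.113.7 198.51.100.10 80 ALLOW
2020-04-20T09:00:07 203.0.113.7 198.51.100.10 110 DENY
2020-04-20T09:00:08 203.0.113.7 198.51.100.10 135 DENY
2020-04-20T09:00:09 203.0.113.7 198.51.100.10 139 DENY
2020-04-20T09:00:10 203.0.113.7 198.51.100.10 443 ALLOW
2020-04-20T09:00:11 203.0.113.7 198.51.100.10 445 DENY
2020-04-20T09:00:12 203.0.113.7 198.51.100.10 3389 DENY
2020-04-20T09:00:30 192.0.2.5 198.51.100.10 443 ALLOW
2020-04-20T09:01:10 192.0.2.5 198.51.100.10 443 ALLOW
2020-04-20T09:01:12 192.0.2.5 198.51.100.11 443 ALLOW
2020-04-20T09:10:00 198.18.0.9 198.51.100.10 22 DENY
2020-04-20T09:11:01 198.18.0.9 198.51.100.10 23 DENY
2020-04-20T09:12:02 198.18.0.9 198.51.100.10 25 DENY
2020-04-20T09:13:03 198.18.0.9 198.51.100.10 80 ALLOW
2020-04-20T09:14:04 198.18.0.9 198.51.100.10 443 ALLOW
"""


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action}


def detect_scanners(log_text, window_seconds=60, target_threshold=10):
    """Return {src_ip: peak distinct (dst, port) targets inside one window}
    for every source whose peak reaches target_threshold."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        in_window = deque()      # events not older than the window
        targets = Counter()      # (dst, port) -> occurrences inside the window
        peak = 0
        for e in evs:
            in_window.append(e)
            targets[(e["dst"], e["port"])] += 1
            # Evict everything older than the window relative to the newest event.
            while e["ts"] - in_window[0]["ts"] > window:
                old = in_window.popleft()
                key = (old["dst"], old["port"])
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
            peak = max(peak, len(targets))
        if peak >= target_threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))                                    # fast sweep only
    print(detect_scanners(SAMPLE_LOG, window_seconds=600, target_threshold=5))  # slow probe too
```

With the default 60-second window only the fast sweep is reported; the slow probe spaced 61 seconds apart never has more than one target in the window, which is exactly why real scanners throttle. Widening the window to ten minutes and lowering the threshold catches it at the cost of more false positives, so in practice the window is tuned per environment and paired with the DENY ratio, which the sample keeps in each record for that purpose.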
Question: Security certifications for Fintech. Where can we get more information on this?
Response: Paul Hadjy: It depends on what type of FinTech, but SOC-2 is becoming the most popular for SaaS offerings. ISO is always well respected as well, but most companies these days are pursuing SOC-2 over ISO, because it is more specific.
Question: Ralph - please share 5 top insights on hackers.
Response: Ralph Echemendia: 1. Question every e-mail you get. Make sure it looks and feels right; make a call if you need to. Avoid clicking on suspicious mails. 2. Harden the configuration of all your devices/servers/applications. 3. Use VPN and ensure they are configured for the least access needed to network resources. 4. Use Multi Factor Authentication. 5. Ask for help. We are here for each other.
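Part of "make sure it looks and feels right" can be automated before a human ever reads the mail. The following is an added example, not a tool from Ralph or from any of the panelists' companies: it parses a raw message and reports the indicators the panel describes, a display name that claims an organisation the address does not belong to, a Reply-To that diverts answers elsewhere, SPF/DKIM failures already recorded by the receiving server, link text that disagrees with the real target, and pressure wording typical of the COVID-19 relief lures. Both messages, the trusted-organisation map and the keyword list are constructed assumptions for this example.

```python
"""Heuristic phishing indicators for a raw e-mail (added example, not the panel's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lure vocabulary; a real deployment would tune this per organisation.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "relief payment")

# Assumed map of organisation names (as they appear in display names) to the
# domain that legitimately sends for them.
TRUSTED_ORGS = {"ministry of health": "moh.gov.example", "example corp": "example.com"}


def address_domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """First text part of the message, decoded; '' if there is none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message, trusted_orgs=TRUSTED_ORGS):
    """Return a list of human-readable findings; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))

    # 1. Reply-To quietly redirects replies to another domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Display name borrows a known organisation while the address is foreign to it.
    for org, legit in trusted_orgs.items():
        same_org = from_domain == legit or from_domain.endswith("." + legit)
        if org in display_name.lower() and not same_org:
            findings.append(f"display name '{display_name}' impersonates {legit}, sent from {from_domain}")

    # 3. The receiving MTA already recorded an authentication failure.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")

    # 4. Visible link text is itself a URL but points somewhere else.
    body = body_text(msg)
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown = text.strip()
        if shown.lower().startswith("http") and shown.lower() != href.lower():
            findings.append(f"link text {shown} hides target {href}")

    # 5. Pressure language in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a relief-payment lure of the kind the panel describes.
PHISH = """\
From: "Ministry of Health" <alerts@health-relief-portal.net>
Reply-To: claims@covid-assistance-desk.com
To: staff@example.com
Subject: URGENT: verify your account for the COVID-19 relief payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=health-relief-portal.net; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your relief payment is suspended until you confirm your details immediately.</p>
<p><a href="http://203.0.113.45/login">https://www.example.com/account</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal notice that should trip nothing.
LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Reminder: VPN client update available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/html; charset="utf-8"

<p>The VPN client update is available from <a href="https://vpn.example.com/update">the intranet</a>.</p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(PHISH):
        print("PHISH:", finding)
    print("LEGIT:", phishing_indicators(LEGIT) or "no indicators")
```

None of these checks is proof on its own; the keyword list in particular will fire on legitimate finance mail. The value is in stacking them: a mail that fails SPF, impersonates a ministry in its display name, redirects replies and hides its link target can be quarantined automatically, and the one or two weaker hits can be surfaced to the reader as a prompt to make the phone call Ralph recommends.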
Question: There are more work collaboration tools and applications that require installation at our edge, such as desktop and mobile devices. iOS is doing a better job of helping users control what gets access. Is there similar work being done at the desktop level?
Response: Ralph Echemendia: There are similar applications available for desktop/laptop, often referred to as endpoint protection tools.
Response: Paul Hadjy: Most newer operating systems prompt when software is looking to access things like cameras, microphones, etc., like iOS. I think this is a great security feature because it helps us humans think about it before making a decision.
Question: In the current COVID-19 world, are demand drivers more or less open to working with cybersecurity startups?
Response: George Do: Demand drivers are about the same however reality is budgets are under constraints.
Response: Paul Hadjy: This is a hard question, but in general I think security spend stays pretty flat or goes up through a crisis. But likely there will be harder questions.
Question: In cyber security it seems we need to pay, either pay cyber criminals or cyber security. Why can't security be built into the fabric of the internet?
Response: George Do: Unfortunately, the underpinning protocols that make up the internet were never designed with security in mind.
Response: Paul Hadjy: I think ultimately you can only mitigate risk, you cannot eliminate it. People are smart and will figure out a way to break things; that’s what hackers love to do. I would equate it to physical security. No matter how safe a place is, crime still happens, and there is a police department because you can never fully mitigate the risk. Which is why it’s important to have Protection, Detection, and Response measures.
Question: We're hearing reports of social engineering through WhatsApp (especially as more people are working remotely and communicating outside of work mandated tools or platforms) in order to gain access to data or passwords. Is this something you're seeing increasing?
Response: Paul Hadjy: Yeah, for sure. I get quite a few personally, and I think we need to be thoughtful about whom we are receiving the message and links from. I often ask people if they meant to send it.
Question: Cybersecurity is so often seen as insurance to keep the business running. So much data is seen by security, why not use it to improve business outcomes and thus be more valuable and proactive? Are your businesses looking at this angle? If so, how? If not, why not?
Response: Jagdish Mahapatra: Yes. We must use data to predict malicious behaviour. But we have to use the power of Cloud to bring in agility and scalability to react in seconds and minutes.
Question: What are some of the factors companies like GoJek consider while shortlisting a cybersecurity solution / company?
Response: George Do: 1. Efficacy - does it effectively work for the use case. 2. Value - pricing vs. what security risks are solved.
Question: We've all heard there is a shortage of qualified cyber security professionals worldwide plus they are expensive. SMEs, even if they can afford more advanced security tools, struggle to get the right skills and expertise to manage their security and address all the alerts. Any suggestions?
Response: Paul Hadjy: I think there are a lot more companies being built to support the space. It is a problem for SMEs, and products/services may not always be the solution; it can be as simple as running cultural chat talks and training to enhance it.
Question: How to find the right balance between flexibility and security in a startup space with a BYOD policy? Implementation of the GSuite device policy (e.g. phones are required to have safe passwords) has caused some challenges already. How to implement further security measures without disrupting the daily business too much? How to get more confidence about the personal computers the team is using (e.g. nobody would acknowledge that they never update their computers)?
Response: Paul Hadjy: MFA and SSO, which are hugely important and will mitigate a lot of risk. I think also having logging, defined IAM roles, and a security matrix will put you in a better place than most. You can also hold trainings and walk them through these changes. But there is risk with BYOD, so you can’t fully mitigate it.