When speaking about cybersecurity, the concept of the weakest link is essentially the human element.
This was said by Alistair Freeman, CEO, ESET, East Africa, during a CIO Executive breakfast on Cyber Security & Disaster Recovery held at the Fairmont, Norfolk Hotel, in Nairobi, Kenya.
“It’s the idea that people need to recognise that humans are not machines, and if they are not machines you can’t write codes to train them. You need to train them as individuals. It’s about understanding that most breaches now are via social engineering, and by social engineering implication is that it is purely individual,” said Freeman.
“You can have all the perimeter defences; you can follow the traditional approach of an onion, sort of a layered security approach. But the core of the problem is the human being who opens up the door and says come into my network,” he added.
Mr. Freeman opined that social engineering has become so good that it is hard to spot, stating that the days of obvious online scams are gone and that cyber criminals have evolved.
“Nowadays it’s not so obvious, and it’s about accepting that. And from an ESET, East Africa, perspective one of the important things we want to get out into the market is that we are not in the business of just trying to sell you a product and pretending that is going to solve the problem,” continued Freeman.
“When I sell someone an antivirus, I’m going to tell you that this antivirus and every antivirus out there is not going to stop a vast majority of ransomware strains, is not going to stop a mass majority of what is out there as problems, because it is social engineering. I can’t write code to fix a human,” he added.
Freeman went on to explain that when ESET sells its products, it talks to its customers about how best to secure their environment. He pointed out that antivirus and perimeter defences are still important, but at the same time companies should train and test their employees in order to understand the risks.
“The majority of these acts we have seen are spear phishing emails. The ransomware which is so prevalent here is because of spear phishing, and it’s going to be on the rise, and if people think purchasing solutions is going to protect them, it’s absolutely not the case. So the approach has gone from layered to two dimensional, human plus system,” said Freeman.
“We have a product called KnowBe4. We distribute the product throughout sub-Saharan Africa, and I think to me this is the most relevant product out there in addition to our antivirus component. What the product does is that it literally spear phishes your staff. It is a simulated exercise, so you are doing exactly what the hackers do. You then get a scoring, you get an understanding of who clicked and opened the malware. Embedded in that programme is a need for those that clicked to undergo training; there are training videos that are part of it, so they have to fully watch it,” he continued.
Apart from the video, Freeman explained that manual training and retesting of the employees who click on the link are also important follow-up exercises. He insisted, though, that it is not just about that, as ESET also distributes materials to its clients showing the latest threats, which they can push out to different departments.
“So from what I see is if I’m going to talk about product, ESET as an antivirus solution and KnowBe4 as a human risk element, going hand in hand. I would feel uncomfortable about selling someone ESET telling them it would solve ransomware,” he added.
“If you are worried about ransomware, train your staff and then have another product, backup. There are only two ways to deal with ransomware: reactive, train, or proactive, backup,” Freeman concluded.