October marks Cybersecurity Awareness Month. For this occasion, we spoke with Michel Fecteau, our CISO (chief information security officer) at Present. Michel, who has been with Present for 26 years now, is an expert in cybersecurity. During this interview, we discussed the threats that companies are facing, the new Law 25, the trends and forecasts in IT and the importance of employee awareness and training.
Working from home has been common since COVID, and this is known to create concerns among cybersecurity professionals, as workstations are now remote. BYOD policies can also expose businesses to threats. Could you share with us what preventive measures you suggest companies take in order to fill these cybersecurity gaps?
The notion of BYOD is already a problem in itself, because unfortunately, work computers are often used as family computers as well. This means that children can use them too. This results in an extremely large exposure to phishing attacks on a workstation. I suggest that personal family activities should not take place on a corporate computer. Speaking of corporate workstations, it is also necessary to ensure that these computers are equipped with several compliance rules (antivirus, EDR, SIEM, filtering, etc.). Communications with corporate resources must also be validated by MFA. This is already 95% of the solution!
Remote working means working from home, but it can also mean working from a coffee shop, an airport or a hotel. By connecting to a public Wi-Fi network, as we know, we expose our computer to external threats.
Absolutely! I therefore suggest having a VPN, especially when accessing corporate resources; this way the channel will be encrypted. Nevertheless, because of “split tunneling” (a type of network configuration that distributes communications), this remains a source of vulnerable data. This is also something to take into account when using a corporate phone on which we use cloud applications. In general, you have to be wary of public resources.
We often talk about cybersecurity strategies such as managed security with SMBs. Based on your experience, what are the misconceptions circulating within companies when talking about cybersecurity?
The most common is thinking that a company is too small to be a potential target. But this is totally false. If a hacker manages to embezzle $1000 from 1000 companies, it becomes really lucrative for the criminals. We're talking about “opportunity attacks”. In fact, 90% of attacks are not carried out by experienced criminals who have found, detected and worked hard to find the flaws, but by people who follow tutorials available on the Dark Web. You have people of all ages and all professions who, at home, can scan for vulnerabilities around the world to detect a flaw. We are not talking here about targeted attacks within large companies. Becoming a hacker has become very easy. Many companies still see IT as an expense. You don't have to wait to be attacked to realize the extent of the impact an attack can have on a company's productivity.
We can all agree that in the event of an attack a company can become frozen, no longer able to produce anything or service anyone, yet it must continue to pay its employees. There is a huge loss potential. And this is not even considering whether the company pays the ransom or has a succession plan.
Indeed, and paying the ransom is not even a guarantee that the company will recover its data. The company may even be a victim of blackmail. The data can certainly be recovered, but the hackers are still in possession of all that valuable data and nothing prevents them from disseminating it on the Dark Web. Zero risk does not exist; flaws are everywhere, and therefore a well-defined “Incident Response” plan is needed in the event of an attack.
Does Law 25 make these measures mandatory?
Law 25 stipulates the protection of “personal” data, but not necessarily company data. There is a slight nuance, but the two certainly go together. If the company is not protected at the level of its corporate data, it is all the easier to access the personal data of customers and employees.
Could you tell us about the trends and forecasts in the field of cybersecurity for the next few months?
I can tell you that we are seeing more and more attacks carried out by amateurs. Real adversaries with nested targets are becoming increasingly rare. Proofs of concept are now posted on the dark web and some are even sold “As a Service”. As a result, the attacks are more and more what we can call attacks of opportunity. Attacks are therefore multiplied, as social engineering is becoming more widespread.
Could you share with us an attack that took place in the last few months and that particularly shocked you?
Yes, I have one in mind. A company was putting in place multiple protective tools in its network, but not everything was completed. Part of it was under development. They had an EDR, but no SIEM or MFA, and internal policies for managing administrative accounts were not in place. This resulted in one entry point being infiltrated by phishing (like 90% of entry points). Once inside, the adversary used the operating system's own tools, making it impossible for the antivirus to detect. These were basic orchestrated commands to infiltrate the network and obtain additional data in order to carry out an attack. So the alert system could not be triggered by these simple activities. They did not have a SIEM that could have detected abnormal network behavior. This is also why high-privilege account management policies are extremely important. This is probably the first thing to do in a company. I also suggest having an EDR as a base, MFA to limit access and a SIEM for network monitoring. These are the basic steps for protection.
How can business leaders stay abreast of constant changes and new types of IT attacks?
The best solution for a company that does not want to worry about IT is to have managed services and an external team that manages security and keeps abreast of IT trends. As an SMB, it can become very time-consuming and takes away time you could spend focusing on your business.
Finally, how should companies educate their employees about cybersecurity?
Phishing campaigns and user training remain the best approaches. The majority of entry points are the users. Organizing a phishing email campaign can pinpoint the weak links. Reinforcing the notion of cybersecurity with individuals is essential. Having strict cybersecurity policies signed by employees is also a widely used technique to encourage employees to remain vigilant. It holds employees accountable!
If you have to remember one thing from this interview, it is that cybersecurity remains a very broad area of expertise. That's why your IT security should be handled by a team you can trust. Thank you, Michel, for taking the time to share your precious knowledge!
Let Present be your security ally so you can concentrate on your business, with peace of mind.