The Monica Talks Cyber Show
Welcome to The Monica Talks Cyber Podcast Experience: the fastest, easiest and most engaging way to 'Go From Chaos to Resilience in The World of AI'. Monica Talks Cyber is a technology, AI and cybersecurity podcast and community for unfiltered conversations, insights, tips, deep dives, real stories and opinions from renowned global experts and leaders in technology, AI and cybersecurity. Join the community at https://monicatalkscyber.com/. The podcast show is hosted by Monica Verma, Hacker, CISO, AI Advisor, Keynote Speaker, Founder & CEO, Multiple Award-Winner, Top No. 3 CISO in EMEA and Top-50 Women in Tech. © Monica Verma. Disclaimer: The opinions are the personal opinions of the guest speaker(s). The facts and opinions appearing in the podcast show do not bear any resemblance to or reflect the views of the host.
How to Protect Against The Blooming Ransomware Cybercrime Business?
According to Forbes, in 2021 alone, ransomware cost the world $20 billion, and that number is expected to skyrocket to $265 billion by 2031. Over the last few years, ransomware attacks have managed to cause disruptions to energy, gas pipelines, grocery stores and many more businesses and daily lives.
In today's video of The Monica Talks Cyber Podcast Experience, Monica Verma sits down with security researcher and blogger Graham Cluley to talk about the ransomware, business email compromise and insider threat problems, and what the heck we can do about them.
Looking to go from chaos and unpredictability to resilience in the world of AI? Start here with The Predictability Factor newsletter at The Monica Talks Cyber (https://www.monicatalkscyber.com).
What are some of the key cybercrime risks that are disrupting businesses and society at large? With billions of dollars lost to cybercrime every year, how can we help organizations invest adequately in cybersecurity? Has Business Email Compromise (BEC) taken over from the Nigerian Prince scam? Why is insider threat still a big issue and what can we do about it?
So if you wish to learn, grow and be a part of this journey, then hit the subscribe button. Click on the notifications bell and let's meet our guest right away. This is Monica Talks Cyber.
Hey, Graham, welcome to the show.
Hello. Real delight to be here. Thank you for asking me, Monica.
Likewise. Really a pleasure that you are here today. So before we get into it, let's just start with a fun fact about you.
A fun fact about me? Well, a lot of people who work in cybersecurity sometimes have a bit of a shady past, might have done some naughty things. And I'm not going to give a big revelation that I used to hack or I used to, you know, break into things without permission. What I did back in my day was I was a bit bored at school and I had a group of friends and we decided that the boys' loo would be our office and that's where we would hang out coming up to Christmas.
And we wanted fairy lights and we wanted a telephone and we kept on bugging the teachers and setting things up and they didn't like that and they took them down. And what we did a few weeks before Christmas was we kidnapped the school Christmas tree. And so I and a group of my mates grabbed this ten foot Christmas tree and legged it with it, and we left behind a ransom note saying that unless our demands were met, the ransom, the Christmas tree would get it.
So that is about as criminal as I've ever been. A bit naughty, wouldn't recommend it, but I was a bit bored at school, so that's my excuse.
Oh, wow. That's wonderful. So if that was in your school days, can we actually say that's the world's first ransomware attack?
Oh, yeah. Well, was it ransomware? I suppose the where part was. Where has the Christmas tree gone to? So ransom-where on earth is that so? Yeah, possibly. Maybe it was.
Right. Wonderful. So we have gotten a new revelation this time. Okay, amazing. Amazing. So when I do talks next time, I'm going to say I know the first ransomwhere attack of the world. Okay, this is the one. OK, talking about ransomware, it's a fantastic topic to get into because today we're going to be talking a lot about cybercrime.
So you're obviously a security researcher and you have your own podcast and you obviously talk about all these issues and things. What are you seeing as the top three issues with regard to cybercrime that are really disrupting businesses and society at large today?
So I think that sometimes the things that the security researchers get really, really excited about, this zero-day vulnerability, the state-sponsored cybercrime, of course they are interesting and they can sometimes be highly sophisticated. They're not necessarily the things which people should be worried about most. The things you should worry about the most are rather more mundane, but they are the ways in which the bad guys are actually making money.
So we've just mentioned ransomware, of course, you know, we can't escape that fact. It's a huge business. The ransomware gangs have moved from purely encrypting your data and locking it up and demanding a ransom to now exfiltrating your data. So even if you do have a backup, you still possibly have a very good reason to want to pay them.
The extortion fee at the end of it. So ransomware is huge, and the reason it got huge is because the criminals found out it was so incredibly successful. It makes them money. They tried lots of things in the past. Suddenly, wow, there's a gold mine here which we can exploit and plunder. The other thing, which I think is very worth considering a huge threat to businesses more than consumers is business email compromise.
Mm hmm. So these are the fake invoices. This is where people pretend to be the CEO, where they may break into an email account, see the communications your company is making with a legitimate supplier or contractor, maybe working on a construction project or something which may involve millions of pounds. They see that communication. They set up a bank account.
They set up a fake lookalike domain. They then send an email claiming to come from that genuine partner of yours, saying here's the invoice for the work which we've done, and because they've timed it so well, because they have that inside line on the communications that have been going on, people may well say, yes, they have done that work for us, so please go ahead and pay them.
They say that to the finance team, and some companies have lost hundreds of millions of dollars through that kind of attack. It's not sophisticated. It's nothing like as sophisticated as ransomware, for instance, with its encryption and cryptocurrency, you know, it's not that complicated at all. In some ways, it's not that much further than those letters from Nigerian princes we used to get, and probably still do get.
But it's not that much more sophisticated now. But boy, oh, boy, it makes a lot of money. And so that's a huge problem. The third one, I think one of the three is the insider threat, which a lot of security firms don't focus on.
And I think the reason for that is many times they think actually that's too hard. It's much easier dealing with the external threat actors, the people who are trying to break in exploiting vulnerabilities or exploiting breached passwords, than the people already inside your company who you gave passwords to, who you granted access to the database to. What are you going to do if one of those goes rogue or one of those was actually deliberately planted inside your company to steal information or to plant ransomware?
So the insider threat, I think, often overlooked and probably underestimated, is just how much of a costly problem that is.
Absolutely. And I think these three that you're talking about are absolutely worth talking about. So let's take them one by one. You said ransomware, right? And one of the things that I have seen in the last year that has changed is that ransomware was just encrypting data and was already a big money-making business and machine. What's also incredible that has happened,
it's that there are double extortions. Right. So a lot of data has been exfiltrated, and not only are the companies being extorted to give the money, but they're going directly to the victims, like, if you don't give us the money, and they are obviously more gullible, right? Double extortions are happening. That's one thing that I'm seeing.
What's been your experience in terms of that? Another thing I'm seeing is also these ransomware affiliates. I mean, the cybercriminals are actually bringing up ransomware-funded programs and they are working with each other in terms of that. So what has been your experience, before we go to two and three?
Yeah. So I mean, you're absolutely right that there are situations where companies have suffered a ransomware attack and subsequently the attackers also attack their victims, whether they be business partners, because, of course, you may be a supplier to other companies, you may provide services. And the fact that you've been breached and we saw this with Kaseya, for instance, when they got hit by ransomware, all of their customers suffered a security problem as well.
But crumbs, you know, this is really bad, potentially, they're going to have to pay the ransom. I also remember on a personal level, there was a chain of Finnish psychotherapy clinics and so these people in Finland, a psychotherapist, correct. They got hit. They got hit and their data was stolen and the ransom was demanded and individuals who were seeking help with their mental health and their personal problems, their notes, ended up in the hands of fraudsters and extortionists and they were receiving messages from the people saying, we know all about you.
We're going to release this to the public, potentially your loved ones and friends and colleagues, unless you pay us hundreds of dollars worth of cryptocurrency as well. And it's an absolute disgrace. You know, it's a disgusting, despicable thing. But what do you expect? These are criminals. They don't give a damn about who they're going to steal from and the impact which they're going to have.
So it is ghastly. Yes. I mean, these sorts of problems are happening all the time. And it's not just the case that one company will be hit; sometimes it will be many companies or individuals as well as a consequence.
Mm. Absolutely. And that's why I think the impact of ransomware is growing massively, not only just for the companies and the businesses, but also for individuals and society at large. And then you said, for the business email compromise, because yes, I think the awareness has obviously led to some improvements in the cybersecurity industry, especially, say, like not necessarily everybody now falls for the Nigerian King.
Yeah, yeah. I left the money and you can hurt. That's right. But the business email compromise, as I say, it's not that smart, but it's the timing that's meticulous and that's why they're able to sort through. Right. And you mentioned that millions of dollars are lost just in cybercrime. I think in 2021, if I remember, the estimate for the loss to cybercrime was approximately $6 trillion in the entire year, $6 trillion.
I'm not certain how accurate the number is, but nonetheless, it's quite large. I mean, it's incredible how much money we're losing to cybercrime. And then on the other hand, you have organizations that don't want that. They can't justify the money that they're putting into cybersecurity programs. How do you help organizations? I mean, the thing is that no matter how small the organization and how big your position, we all understand that you're always a target, right?
Either you are a direct target or you're an indirect target, or you're a stepping stone into somebody else's, and they don't care about you. And while in the last year, ransomware or cyber criminals have become more targeted, they've gone from just randomly shopping in the dark to more targeted attacks. But everybody is ultimately a direct or indirect target, and organizations all must today put some investment into security, whatever is necessary for their organization. Then, yes, but many are still not doing great and not doing enough.
How do you believe we, as cybersecurity professionals, can help them see what they need to invest in, not the why? I think they're understanding the why now, but what do they need to invest in and how much do they need to invest, whether it's justified or not?
Yeah, I think it is a real challenge. You know, obviously people are cash strapped, businesses are finding it difficult to pay for all manner of things. And sometimes you have to let people go. But when it comes to security, it's so essential because your company can effectively be made bankrupt. Your company can be destroyed by a cyber security attack if it's damaging enough, if you also pass on an infection, for example, or you have the data breach of your customers. Your customers may very well decide, well, we're not going to do business with you anymore because you've put us at risk.
As a consequence of this, we will rather go somewhere else. So there's no real easy solution to this. And no one single thing that we can suggest to companies other than following the sort of sensible guidelines. And I do say to businesses, look, there's no such thing as 100% security. If someone really wants to break into your organization,
and has limitless funds and a lot of time, they will get you. It's possible to do it. But the good news is you don't need that supremely high level of security to avoid the vast majority of attacks. All you've got to do is have better security than the average firm. If you can just raise yourself above the average. Many hackers will do very simple tests to see who is vulnerable.
Maybe they've got websites or Internet-facing servers, for instance, which haven't been patched against well known vulnerabilities. Or maybe they've been misconfigured to allow people to gain remote access. Most of the malicious hackers out there are going for the easy pickings. They're going for the things which are easy for them to do. And sometimes those hackers won't even be interested in exploiting those sites.
And so sometimes they will actually say, well, I'm just going to collect as many details as I can on how to break into different companies. And I will then sell that knowledge. I won't do anything more illegal than what I've already done. I won't actually install the ransomware, I won't steal data. I will grant other people the access to do this and this.
You mentioned earlier ransomware affiliates. You know, it kind of ties in with that. So you don't have the ability to find the vulnerable companies yourself. Don't worry, because there are people who would do it for you. And so you get that information. Similarly, if you can't run a ransomware operation, don't worry. There are other people. You know, it's very organized,
This community and this sort of infrastructure which we see on the cybercriminal side now. But I hate to be too negative, but I like to say to most companies, you know what, there are some very simple things you can do which can dramatically harden your security in just a few steps, such as not using different passwords, such as rolling out a password manager and password policies across your organization, such as enabling multi-factor authentication.
When people log in, such as network segmentation or, you know, not giving everybody administrator rights, all sorts of things like this, and a little bit of training and awareness where you can begin to get people to think, hmm, this email comes from outside the company. It's worded in a slightly different way. Or I've been told this is a domain I don't normally email with, even though it might look like the same domain, it looks like a different person. That is just beginning to set off
your spider senses that there are some dangers there. So I don't want people to think that this is impossible. I want people to know that you can generally improve your security at not huge cost. And hopefully if you do that over a period of time, you will get to be better than the average, maybe much better than average.
And so you won't be such easy pickings in the future.
Absolutely. I mean, the key thing that you're saying here is that you don't even have to do it in one go. You can do it in a step-by-step approach. Right. So I gave a keynote a couple of months ago where I talked about, because like when we talk about maturity in cybersecurity, we have this same model that we are using in terms of like the step one, two, three, four, five, or there's initial, ad hoc and all these process-oriented CMI, and I personally feel, this is my experience, that this model doesn't suit the cybersecurity industry because it's very process based and cybersecurity doesn't work that way.
And then we have other maturity models like we have missed and all these things, which is fine. But what I have learned in my experience, I have tried to categorize maturity in four different very overall capabilities, very, very broad capabilities as an organization. First step, try to be compliant, just try to be compliant. Step two, try to think about risks.
What are your business risks, and try to have the controls around that. Step number three, think about threat actors. Put the threat motivation and capabilities in your risk management model so you have even better maturity. Step four, now you need to start also thinking about when you are under attack, right? Because we say it's not a question of if but when. When you are under attack, what policies might you have in place at that point of time to minimize, not the probability of being attacked, but to minimize the loss?
Yes. Avoid or reduce. Right. So that is something I actually even published on my LinkedIn. But I feel we need really simplistic models like this. I'm not saying that my model is perfect, but I'm just saying we need something really simplistic like this for people to understand, because we have such complicated models to talk about, and also that maturity and resilience are not the same thing in my experience.
Again, maturity might be linear. Like you say, step one, two, three, four. Resilience might be more exponential because you need to be more consistent over time before you really start seeing that exponential and compounding effect happening. But then you will be above the average businesses. So what do you think about that? Could that be an idea for organizations to think in that sense?
I think absolutely, yes. That kind of approach seems well organized, seems like, you know, you're thinking it through and you're thinking, okay, we're not going to fix everything in a day, but we are going to make progress and we're going to harden things over time. And I think that combined with, I mean, it's surprising how many companies, for instance, don't consider what do we actually have to lose?
What are our crown jewels? What's the one thing we cannot, you know, what are the things that we cannot afford to lose? And what are the things which don't matter so much, just to make sure that you're prioritizing in the right areas where it's most essential. So maybe your customer data, for instance, is something which you don't want to lose, or there may be some financial draw or something like that, but there's some sort of intellectual property or some kind of data which you're collecting which has to be secured, you know, come what may, and have all of that protection in place.
And there is quite often a cultural reaction to imposing some of these security measures, because it may be that your company started very small and it was the case that every employee in the company had access to a particular database or particular resource. And now you're 100 people, you don't all need to have access to that. And then, because, you know, "I used to have access to that", what I would try is trying to control that a little bit more rather than having this free-for-all going on all the time.
And we need some processes in place in order to better protect us. So I think it's also really important when companies are considering security to realize that cybersecurity is not, I believe, primarily a technological problem. It is primarily actually a human problem. And that's why we haven't solved it, because we can roll out updates all the time to the computers and the endpoints, but we can't fix the bug in people's brains which makes them double click on something they shouldn't or enter a password where they shouldn't or get phished.
I mean, phishing seems so passé because it's been around for 30 odd years. But the truth is, phishing is pretty much at the center of everything, you know, it will often be a component in the attack. At some point they've tricked someone into handing over some information which they shouldn't, or did it on a Slack channel, or they did it on the telephone pretending to be the IT team.
But, you know, that's such an old problem and technology has not fixed it. We have safety nets. We have ways of reducing the threat, but we're not completely eliminating it. So you've got to get the people on board as well and recognize why you're doing it and what the benefits are, both to the company and to them individually as well.
Absolutely. And I 100% agree that social engineering has really a big role to play, and will continue to have a big role to play. I mean, I was reading about it in one of these articles that came out in The Economist about what today is known to humanity as the world's first cyber attack. It's actually something that happened 200 years ago in France when they had their, not digital,
but a network for transmitting information across the country. And even there they social engineered the guy in the tower. So it has been there for like forever and it was just continuous at that point.
And it will be here forever. I mean, in a thousand years' time, we will still have social engineering attacks. People will pop up in front of us as 3D holograms. Right. We will see, we will think it's the CEO, or we will think it's, you know, a robot droid will come and talk to us and we will think it's the robot droid that we trust.
And isn't this one wearing a fake mustache or something like that. So we're never going to completely fix that, but we can become a little bit more questioning. We can learn more about the kind of attacks which happen and be a little bit more on our guard.
Absolutely. And I think we will have social engineering also in the metaverse and everything that's going on; that will be continuing to happen, 100%. Because I was literally going to ask you this question. We already touched upon it, that I believe that organizations, I feel that they are trying to, one, they are trying to invest. Obviously, some are not really ready to invest.
But the ones that are really investing, they're still trying to solve this by just buying products or throwing the money at the technology. And I think that is really not the solution. That's only going to take them this far, but not really where they need to be, and definitely not above the average in the industry and the business world in general.
But that was my next question, and it already got answered. So let's move on to the one after that, because, you know, we talked a bit about ransomware. That was the first one. Then we talked a bit about the BEC and obviously we talked a little bit more about cybercrime, the money and everything.
And then the third one that you touched upon was the insider threat. And I 100% agree. And so this has been a really big challenge for me as well in the industries and companies that I have worked for. But absolutely a very, very important threat actor in your threat model that you need to take into account and need to do something about.
So one thing that I started doing, and I want to know your thoughts on what other things we can do. So one thing that I started doing was, the insider threat, I divided it into two. So, let's say, the very malicious, and you said the malicious insider threat, that's the real problem. But then there is this accidental insider.
Yes, right. And then, for the employees, you can actually see the majority, I would assume that 60% or so, is accidental insider threat. Right. People are just clicking things randomly and they're sending out information to the wrong people. And that's happening quite a lot too. That for me has been a way to ease employees, that we are not now blaming you.
It's not about a blame game here. But then obviously there are just a few percent, 10%, 5%, 15%, whatever that is, the malicious insider threat. So you need to help us actually to do this. How effective do you think, in your experience, would that be? I mean, I believe it has been effective, but what would be your thoughts on it and what other ways can we do, or can we use, to actually really hit the nail on insider threat?
I mean, maybe we're not going to hit the nail directly because it's not an easy problem to solve, as we talked about. But what can we do really about it?
So I think you're right, as much as possible, get your staff onside. Make them feel like they are part of the IT security team. Don't, you know, don't wallop them with a cricket bat every time they make a mistake or click, and, you know, you want to encourage them. At the same time, if they're being phished every day or if they're running some malicious executable every day and you've said to them, look, would you stop downloading that game or whatever it is, and they're not getting the message, then clearly there is some discipline which is going to be required.
But you have to, people... I remember way back when in the early days of antivirus, I worked with Dr. Alan Solomon and he used to tell this story of someone who came into work on a Saturday morning to do some extra work, and they booted up their computer from, they left a floppy disk. That's how long ago this is.
They left a floppy disk in the computer. And as a consequence, the computer caught a boot sector virus from the floppy disk, came up with a message or whatever. And they knew that on Monday when they reported it to the IT department, there'd be a lot of trouble because they shouldn't have done that. They shouldn't have left the floppy in the drive to be tied up.
So they thought, well, what can I do about this? And what they did was they went to every other computer in the office, put the floppy disk in, booted it up, so all of the computers had the infection and so on, and so the team wouldn't be able to single out anyone for particular blame. So yes, I don't want too much blame culture because, yeah, often people's attempt to cover up what went wrong is much worse than the actual incident.
So you want to encourage them. But they could of course also act as eyes and ears if people are behaving unusually or if people are asking for passwords for something which they shouldn't have access to. Correct. There's also a lot of stuff IT administrators can do to log activity on the network and unusual movements of data.
For instance, some sort of data leak prevention. So if you see someone who's, you know, emailing their Hotmail address with a spreadsheet containing hundreds and hundreds of credit card details, for instance, that is worthy of investigation, or people who are accessing the network at unusual times of day, you may want to investigate. Well, what were they doing at that time and why were they doing it?
It is slightly uncomfortable to talk about these things because you don't want to be Big Brother all the time. You know, we want to be a little bit flexible as to what people can do in their work time. And we don't want to be watching every single thing that they may be reading online or things which they are doing in their lunch hour or whatever, you know, have your own rules regarding your organization.
But there certainly is technology out there which can help look for some of those anomalies, which can begin to protect you, and having the rest of the staff on board as well to consider that actually these hackers don't all have to be external. The other thing is, of course, sometimes the bad person may actually be in the IT department.
Sometimes it's the system administrator themselves. Who watches the watchers?
Yeah.
Because they often have all of the passwords or know how to get hold of the password should they require to. So it is a challenge. I think it's a significant one. And like I said, it is often overlooked because it can be very difficult to handle.
Absolutely, fully 100% agree with you. So we talked a little bit about these three key risks that we're seeing in relation to cybercrime, and we also talked a bit about, on each of these points, what the organizations can really do. So to sum it up, what would be your one key message to the audience today?
Oh, my goodness. One key message. I suppose if you just want to stay aware, you know, keep your eyes open as to what is going on, what people are advising. And even if it's an old problem, are there new, imaginative ways in which people are making their employees aware of those problems or dealing with those problems? Because sometimes we do see some new technologies or new techniques to raise awareness, which might work just as well in your company as they are in other companies as well.
So share information with your peers, keep clued up as to what the new threats are, as well as keeping patched and keeping backups and all those sorts of things as well. But just try and stay on top of the ball. And the good thing is that we're all working in a fascinating field. We're working in something where it isn't the same story every day, and I think that's quite enjoyable.
I think that's a good way that I've kept interested. You know, I wasn't interested at school, so I kidnapped the school Christmas tree. But cyber security has kept me interested for the last 30 years because there is this sort of arms race, the bad guys are always looking for new ways to sneak in or new tricks, social engineering tricks they can use to try and fool people.
So keeping aware of those things, communicating stuff, communicating with your peers and other companies as well and sharing good practice. It has to be a good piece of advice.
Wonderful. Thank you so much. Thank you so much for coming on the podcast today, Graham. It was absolutely fantastic.
No, it's a pleasure. Thank you very much.
We had an amazing guest today. I hope you had as much fun as I had. So keep tuning in and I'll be back with more amazing guests, more amazing conversations and engaging topics in cybersecurity, Tech and Leadership. This is Monica Talks Cyber.