Video: 10 Minute IT Jams - An update from Secureworks
Cyber attacks are evolving. And according to Alex Tilley, head of threat intelligence for Asia Pacific and Japan at Secureworks, the key to defending against them lies as much in people as in technology.
Secureworks, a prominent cybersecurity business, provides what Tilley calls "best-in-class cyber security solutions and threat intelligence" aimed at reducing risk and plugging security talent gaps for businesses. In a recent interview, he outlined the ongoing challenges facing organisations of all sizes and why a robust security culture might be their greatest defence.
Asked about Secureworks' core offerings, Tilley was clear. "We're a pure security company – that's all we do. Our major offerings are our managed XDR, which basically means we can add value and, as you said, fill the gaps in your own talent pool. We can add our expertise to help you detect and respond to threats," he said.
With around four and a half thousand clients across the globe, Secureworks leverages its wide reach to offer insights across sectors. "What happens to a bank in Switzerland today could help to protect a small business in New Zealand tomorrow," Tilley explained. This interconnectedness is, he suggested, essential in a world where cyber threats do not respect geographical borders.
Over the years, cyber attacks have changed shape, but one old adversary remains: email-based attacks. "When I started back in 1956 – it was a long time ago – what we saw was the advent of sort of 'dumb phishing' attacks," Tilley recalled. These were the somewhat crude, error-riddled attempts to trick recipients into giving away personal information or funds. Today, despite the evolution in sophistication, email remains the number one way attackers gain access to networks.
Tilley explained that email-borne attacks are "kind of hard to detect and defend against because, even if we put in all the wrappers around them, the bad guy just has to change a few letters, a few words, a few URLs. It's around that first hour, first two to three hours where it takes a bit of time for someone to say, 'Hey, this email's bad', add it to the detection engine, and then get it blocked. That's that golden point where the bad guys tend to slot themselves in."
This, he noted, underlines the importance of more than just technical solutions. In many cases, effective prevention or damage limitation hinges on business processes and, crucially, on organisational culture.
"Security culture is a really big one, especially with email-borne attacks," Tilley said. Business Email Compromise (BEC) is a growing problem, with attackers duping employees into transferring funds or altering invoices. "Business email compromises are really an umbrella term for attacks, basically meaning, in the end, to change where money gets sent. It's an invoice alteration attack – there's a million different variants because it's, again, born out of this criminal experience and sophistication and creativity."
Are there patterns in victim behaviour? According to Tilley, "People have an innate sense if something seems wrong. After they've made the transaction, they're thinking to themselves, 'Something's a bit wrong about that, maybe I shouldn't have done that.'"
Here, he argues, non-punitive security culture is vital. "If a staff member feels confident to raise their hand and say, 'Hey, something weird happened, I think I might have just done something wrong,' without fear of punishment, they're much more likely to do that," he said. He stressed that the first six to 24 hours after an incident are crucial for initiating recovery actions, such as swift bank orders to recoup funds. "If a staff member feels that the security culture in their company enables them to put their hand up and say something strange just happened, without fear of retribution, then the company is much more likely to get the money back."
The reasons technical solutions can only go so far are rooted in the nature of the threats. "I hosted a lunch many years ago with some C-levels, and one of the questions from the participants was, 'I've spent X million dollars on my security programme, I'm still getting these damn phishing emails through. What am I doing wrong?' It comes down to it's humans attacking humans," Tilley said.
He added that while security companies can provide technical protections and help to detect attacks, "when it's a human trying to attack a human to get in, it is very hard to detect technically." Increasingly, criminals are bypassing network protections in favour of researching specific employees and targeting them directly. Tilley described methods including trawling LinkedIn and open source intelligence to identify individuals in sensitive roles, such as accounts payable, before striking with convincing personal messages.
"This is very hard to technically detect, which then comes back to that whole security culture – someone feeling confident in raising their hand and saying, 'I might have done something wrong here'," he said.
On how to further protect employees, Tilley argued that engagement is key. "I think more and more, I'm getting to the point where I'm sort of thinking that it's about employees understanding that they have a buy-in to the corporate security culture." He pointed out that while compliance training is ubiquitous, it is often approached as a box-ticking exercise. "I think it's saying, 'Hey, you do have a part to play in protecting this company and therefore your job.'"
While the IT and security departments are responsible for putting up technical defences, helping staff understand their own role cannot be overlooked, he said. "We can all work together to help this stop happening and to help this business not become a victim. To protect the business, I think we all have our own buy-in as part of that process."
The solution, for many businesses, will not come solely through bigger budgets or smarter software but by empowering staff and fostering open communication. As Tilley put it, "That sort of open and honest dialogue with staff – if you think something's gone wrong, please tell us rather than trying to hide it – is key."