Ep.18 Ken Gilmour | Creating an Effective Cybersecurity Strategy
In this episode of the Cybrary Podcast, we sit down with Ken Gilmour, the CEO of Knogin. Speaking with Thomas Horlacher, the Head of Creative Services, and Mike Gruen, the VP of Engineering at Cybrary, we discuss the importance of having a sustainable and long-term cybersecurity strategy for your company. We also touch on breaches and what they can do to the image of a company.
In this podcast episode, Ken (CEO of Knogin), Mike (VP of Engineering, Cybrary), and Thomas (Head of Creative Services, Cybrary) discuss the important aspects that any business should consider when creating or implementing a cybersecurity strategy in the workplace. They share their experiences and perspectives on the matter, as well as the main factors that influence an effective cybersecurity strategy, such as how imperative it is for businesses to protect data and information about the company, clients, partners, and/or other stakeholders.
Cybercriminals are known to be persistent when attempting to gather information from a targeted company, which is why businesses are responsible for implementing proper cybersecurity systems and policies to protect all the data they collect. Companies should therefore determine what data or information is relevant to them in order to create a cost-effective cybersecurity strategy in which sufficient resources can be properly allocated, because the more data a company collects, the more resources it takes to protect that data. A common activity is frequent patching of systems and infrastructure, as cybercriminals continue to seek and exploit potential vulnerabilities that may exist in a system.
Another critical aspect of creating an effective cybersecurity strategy is delivering awareness and training to all employees in every department. A successful cybersecurity strategy establishes unified processes so that individuals in every department know what needs to be done if they encounter a security incident in their day-to-day operations. Every individual not only needs to understand basic security terminology (e.g. phishing, ransomware), but also needs to understand the risks and impact to the business should any of the data or systems be compromised. This is why it is important to determine the responsibilities of each job role and the access privileges that role requires. As a business grows or reaches a certain level of maturity, some roles can be expected to change over time, and other strategies that were once put on hold can be enforced.
Thomas: All right. Well, welcome back to another episode of the Cybrary Studios Podcast. Today in the studio, we have Ken Gilmour from Knogin here, the CEO and co-founder. Along with myself is Mike Gruen, our VP of Engineering and today we'll be talking about cybersecurity strategy. Thanks for being here, guys.
Ken: Cool. Thanks.
Mike: So yeah, I don't know if you want to just to give a little bit of background on yourself. That'd probably be helpful.
Ken: Yeah, sure. So, I've been in the industry for about 20 years. I guess my career started after my enthusiasm, you know, when I was a kid, I used to have a device from Spectrum called the M5, which was one of those old rubber keyboard devices, kind of like the ZX80, and started there on basic and then, you know, over the next couple of decades, you know, I guess improved my skills and I've set up a cybersecurity company called Knogin, as you mentioned correctly and yeah, so we do cybersecurity analytics and behavioral analytics.
Mike: So, yeah. Cool. When you think about sort of the strategy around cybersecurity, what are some of the things that you sort of take into account or think about?
Ken: So I think a few of the problems or mistakes that people make is that they look at it in silo. It's, you know, they say this is a cybersecurity strategy and yes it is. But really it needs to be looked at holistically among the entire business and not just specifically for, you know, just if it's a security incident, we deal with it. But, you know, if your computer dies, we don't care about it cause we are the security team and you know, why would you? But, you know, ultimately, what you need to focus on is the people who are going through the incident process, and, you know, figuring out how you can have a unified process for everything and get everybody working together.
Mike: Yeah. I mean, I think here we have our facilities, everything sort of rolls up into me as Head of Security because all of the systems are integrated. So, everything from the door locks, to what's happening on laptops, and so on and so forth. So, I feel like, because maybe in the small world that I live in, that things are moving in that way, where there is more integration between the security teams. But, I imagine you're seeing a much wider spectrum of the world and maybe that's not quite happening as much as I think.
Ken: Yeah, exactly. I mean, what you have to think of is impact to your business. So, a lot of people, you know, I guess you could call them purists, they would say you need to protect a system at any cost, and in some cases that might be true, you know, we need to protect people's data and put whatever you can into protecting that data. But, in the sense of most businesses, you know, they look at it as kind of a cost value thing. So, you know, if there's a system that's worth $10,000, they're not going to spend a million dollars to protect that system because it's worth $10,000. So they need to make that profitable and kind of, you know, ensure that how they protect it is unified with the rest of the business. So, you know, as you said, in facilities if something is happening in the building, there is a process to follow, even if it's just, there's a fire; run out that door. That's what the process is, right? But there is a process for it and kind of unifying that so that the facilities guy will usually know the people in the company who are responsible for specific things and when doing that within cybersecurity, it's good to collaborate in those ways so that you can, I guess understand who the right person is.
Mike: Right. Actually, I like that analogy because I worked at a company; pretty big company. We had lots of floors and the way the fire thing was dealt with was there was a Fire Marshal per floor. They were just a regular employee that was given this additional designation of, Hey, in the event of a fire, you're responsible for making sure X, Y, and Z happens; potentially making sure all the offices are open and there's nobody in them, so and so forth and making sure everybody's, you know, getting out. I can sort of see that same sort of applying to cybersecurity where maybe it's somebody who's not specifically on the security team, but has some security responsibilities in the event of some sort of an incident, whether it be a physical incident or more of a virtual one.
Ken: Yeah, exactly. So, I mean, you know, an incident. I guess I kinda played it down a bit, you know, talking about the fire thing. So if there was a fire in this building, right, you would evacuate, but there are other processes in the background such as how do we continue offering our service? How do we keep the business alive? And that is very, kind of consistent with what you will do in cybersecurity as well. And all of those things have to be thought through, and there are people in multiple parts of the business who think about that. So, you, as a cybersecurity person, you may know cybersecurity, you may be technical. Do you understand accounting? Do you understand the other parts of the business and how they work? You know, probably not. So that's why you talk to those people and help to understand their processes in order to bring it into your strategy.
Mike: Right. And so speaking of, you know, sort of in the event of an incident or hacks or whatever you want to call, what do you sort of think of with regard to the costs of a hack to an organization? I mean, there's obvious ones that people think of, but maybe there's some others.
Ken: Yeah. So, I think in relation to small businesses, you know, most small businesses just won't survive a hack. You know, it's not because they don't have insurance. It's just because they lose trust, right? So you could have $10 million of insurance; your hack might've cost you a million dollars financially, but really you've lost the trust of your customers. And, you know, once that happens there, they're going to look at other people they're not really going to have you on the top of their head anymore. The thing that they'll remember about you is that, Oh, these guys got hacked and my data's gone and you know, I'm not sure I feel comfortable with that happening again. And so it doesn't matter what you have done afterward to clean up the problem. You've got hacked and you've lost your trust.
Mike: So how do you, I mean, and you alluded to it earlier, but it's that balance of, you know, risk versus the data that you have to do some sort of risk assessment with regard to how much you're going to do to guard the data. I'm constantly asked that by, you know, as we sell into enterprise customers, they want to know like, what are we doing and how do we assess risk with regard to the data that we have. If I'm a small business, I imagine it's a lot harder to sort of think about you also have all these systems like point of sale systems that maybe are managed by somebody else. Do you have any like ideas around how a small business could go about sort of figuring out what they have and assigning risk?
Ken: So I think that the real crux of the problem is the data that you collect. You know, everybody wants to collect so much data. So, you know, at Knogin, when you sign up for a free account, you'll have your first name, your last name, and your email address. That's all we need. We don't care about anything else, you know? Great if you're a CISO. Great if you've got a cool big job title. But to us as a company, why do we need that information? We don't, right? So the more information that you collect about people, the more you have to spend to protect it, and if that money, sorry, if that data is not equated to money and value, then don't collect it. You know, if you can't spend money to protect it, then you don't need it. And that's the, I guess really the crux of the problem. You know, a lot of people will collect a ton of data. That's just completely unnecessary.
Mike: Right. That makes a lot of sense. What about also looking at the data that sort of collecting over time, just by nature of the type of business that they're in. Not necessarily asking for, but like, Hey, you know, I'm a mechanic, I know when your car comes in for service and, you know, so there's just these records in general and trying to figure like how important is it for, you know, from a security perspective, what's the risk if that information were to get out or whatever?
Ken: Yeah. I guess that's quite a hard one as well. It really depends on what the information is, and you know, because really at the end of the day, the only thing a hacker wants is data, right? To you, that data is credit card numbers or, you know, health insurance, or something like that. For a mechanic, the information may be, you know, good data that could be analyzed and to figure out what types of customers they have and then steal their customers from you. Right? So there's a ton of different things that you could do with it, but it really depends on the context and whether you really should collect that data. In a lot of cases, you have to have the history of the car, you know, you need to know, has it been in an accident? So things like that for further sale, depending on where you are. But you just need to have appropriate security safeguards in place for that. You don't need to have the best in the world, and I guess the analogy is like, you know, two guys in a jungle running from a crocodile or a lion; you don't have to be the world's best athlete, you just have to be faster than the other guy.
Mike: Right? Exactly. Yep. I sort of feel like a lot of security is the same security that on college campuses with bicycles. Your lock just has to be better than the bike lock next door.
Ken: And your bike has to be slightly cheaper too.
Mike: There's that too, right? In terms of like what you've seen for your own company, how, I mean, let me backtrack a little bit. How do I, as a small business, go about feeling more secure or doing those things? It's not like I can hire a full-time security person necessarily, depending on what business I'm in. What have you sort of seen as ways to sort of mitigate some of that risk or, you know, deal with that?
Ken: So I think awareness is a very important thing. So I know Cybrary offers a lot of awareness courses and things like that. And so, I guess it's like; let's use an analogy of a car, right? So you could have the best technology in the world, right? Let's say, I don't know what the American equivalent is, but in Ireland you get a Volvo, right? You've got your side impact protection, you've got your blind spot detection, you've got seatbelts, all those kinds of things. But if you put a blind person in the driver's seat and send them on the highway; probably going to crash and somebody's going to get hurt, and that's just the way it is. So you need to not only have good technology and in fact, sometimes the technology doesn't even matter. What matters is the awareness that you have of the situation that's around you. So it's always most important to be educated about not only cybersecurity, but what the risks are to you specifically, to your data, to your organization and, you know, even your competitors, what are the risks to them because they're probably risks to you as well.
Mike: Right, and then in terms of one of the things I think people don't think a lot about as sort of the different ways places get; how hacks happened in a way, right. Everything’s sort of like very direct attacks, like, Oh, my data's being stolen by somebody across the ocean. But there are other ways, and I'm curious what your thoughts are on, like just sort of elaborating on some of the ways that companies.
Ken: Yeah. So, I mean, I think it's, I guess one of the most important things is patch management, you know, so a lot of people would come to me and it's kind of hard to answer the question in an honest way, I guess, for a lot of business people. And you know, a lot of people will come to you and say, if there was one thing I could buy, you know, that would protect me, what would it be? And you always want to say, Oh, my product, my product. But really, it's not that, it's patching right? So when people get compromised online and often times it's not a targeted attack. So let's say there's a vulnerability in WordPress, some kids would know about this vulnerability in WordPress and he would just scan the web for all the instances of WordPress that may have this vulnerability; may find a few, and then just compromise those sites. And that's generally how, how they get through it. So if you don't patch your site, you will become, you know, one of those buckets of compromised people or compromised sites. And that's generally how hacking happens. A lot of people worry about, you know, maybe China, Russia is going to attack me, but for the average small business, literally just patch your systems and make sure they're up to date and you will avoid, you know, a ton of problems.
Mike: And then as more and more small businesses, I think are probably getting connected to whether it's software-as-a-service or other small businesses, I think one of the other things is to sort of understand what those companies are also doing, because a lot of attacks sort of come in from the side, right? It's not a direct attack, it's my partner got compromised, which led them to getting into my network, or got them my data because it's just data that I'm sharing with that partner. I think that's one of those where people don't really; a lot of people don't necessarily think as much about like, when I entered into this relationship with this company, what are they doing to protect the data that I'm sharing with them?
Ken: That’s right, yeah. I mean it's hard to know what a third-party is doing, you know, and even things like; there was an organization I worked for about 10-15 years ago and they were basically affected. I guess they offered Sysadmin services to us. So, what happened was they were compromised; someone took a SSH key and then used that key to get into us. But to us it looked like our vendor was connecting in and everything was fine, right? But yeah, we were compromised and we detected it because the types of commands that the attackers used were different to the types of commands that our vendor used. But that's the only way we detected it. So you know, I guess the one thing you need to do is don't oversimplify, but also don't overcomplicate because, you know, attackers are persistent in some cases. And you know, if they know that you have a vulnerability, they'll just try to exploit it in multiple different ways. You know, if they found that WordPress vulnerability and you've kind of made a slight modification to it but not fully patched it, they may, you know, find a way to actually, I guess compromise it in a different way. So, don't make it too complicated. Simply just deploy the patch off and it is the best way to do it, and just make it simple, but just not too simple, you know, you have to have a way to monitor as well.
Mike: Right. I also think with data, one of the things that we really do to help is that with a lot of our partners, we share essentially anonymized data, right? There's some sort of unique ID that we assigned to a user. We know how this maps, but then what we're actually sharing and getting back just uses that to sort of help eliminate risk of if they get compromised, how much are they going to get? They're going to get some information about some user, but they don't necessarily know who that person is or, and definitely want to limit the amount of sort of meta that we give about that person.
Ken: Yeah, exactly. You want to limit it as well and ensure that you control how they process it. But I mean, in many cases they say three data points is all that you need to be able to identify an individual, and it's quite true. And you know, I think there was a problem with Best Buy a while ago, I guess probably, you know, probably several years ago where they had, you know, analyzed the shopping habits of one of their shoppers and then they sent a package to that house and saying, you know, congratulations, you're having a baby. Here's a bunch of, you know, baby products. And it turns out that this person was keeping it a secret from her father and didn't tell her father. And then he found out, you know, after these other companies had already realized this; so just from data analysis.
Mike: Yeah. That's true. I mean, yeah, I think in that case it might've been Target, but it doesn't really matter, right? It's just they have all this usage data and they can sort of figure out it's the sort of Cambridge analytics-type problem. And then I also; I heard it on the Internet, so it must be true. But back when I think the U.S. Census first released the Census in a way that people could sort of search over it, it was sort of the same. They ran into the same problem that they didn't really consider where if I put enough facets, if I put enough things I could actually limit and figure out how much my boss makes, because I put in location, I kind of know enough meta information about it, that I would actually be able to get the search down to returning one result.
Ken: I think AOL did it as well with their search function. It’s, you know, it's anonymized data. It's just kind of a number that's associated with a bunch of search queries and you could identify people just from their search queries by associating that number.
Mike: Yeah. I think one of the best ways to deal with that is once a data set gets to a certain size, you don't return it. You say, Ah sorry. I think that's how Census dealt with it, they very quickly realized and fixed it. My apologies, if that's not the case. I have a friend that works at the Census Bureau, so.
Ken: They're all great.
Mike: No, he didn’t tell me the story. I definitely read it on the Internet. Cool. In terms of like ransomware and stuff like that, like, what are your thoughts on that in general, like if I'm a small business or a large business, like how do you sort of handle, like, what would your advice be for both mitigating it and then dealing with it if actually does happen to you?
Ken: And so, yeah, I think generally how ransomware works is, you know, it will encrypt your files and then kind of delete the original files and instead of kind of encrypting the new ones with the same name and because it's just easier to kind of make an encrypted copy and then delete the original copy. So, you know, there's a bunch of ways that you could recover from it, but probably the easiest way for small businesses; if you're using something like Box or Dropbox or G-cloud/G-suite; have version control enabled. So you know, if someone deletes a file, you can restore it, and if they overwrite it, you just restore it to the last version as well. But you want to make sure you're not going to get hit by ransomware at the same way as well. You want to be able to analyze and see how did it happen, and then just avoid that from happening again.
Mike: Right, my understanding is that in many cases they actually lay dormant for 6 months/9 months a year before they actually trigger the ransomware so that they know that they've sort of gotten your backups, or even if they haven't; do you really want to restore back to 6 months ago versus or maybe 9 months ago or a year ago? So I think even though the backup approach; it's great one but still also has some limitations in what it can do.
Ken: So they've done that with websites as well. So they'll encrypt your database, and what they'll do is they'll add a key to an external website, and then in order to decrypt your database, you need to have that key. So they just kind of take it away and say, Give me the money and I'll decrypt your database now. Yeah, so this is why having a regular patching schedule is important as well, and looked at it. There are some cases where you can be fully patched, you can have up-to-date antivirus, and you can still get hit by ransomware as well. So you know, you just need to, I guess, be able to deal with it from multiple angles, which is the strategy for incident management.
Mike: Definitely. I think the last company I worked at, we sort of identified the weakest link is always the human link. It's always the person, and that's where a lot of the stuff comes from. And so making sure people are aware and trained and understand the implications of decisions that they make.
Ken: I think it's the human desire for resolving urgency issues, right? So when there's a problem, you just kind of do something to make the problem go away instead of generally fixing it. So, you know, you've got a problem on a server, you release a new piece of code urgently to fix that problem. That code may be vulnerable because it hasn't gone through, you know, the correct number of tests or QA or things like that too.
Mike: Yeah, no, that makes a lot of sense. Cool. I feel like I've been dominating the conversation.
Thomas: Oh, no it’s fine. It's very interesting kinda watching you guys go back and forth, but I mean; Ken, you're the CEO and Mike, I mean, you're the VP of Content of Engineering. I mean, how far in advance are you thinking of like the cybersecurity strategy? Like, how are you thinking of like, okay, this is what we can do now, you know, we don't have the resources to do everything right up front, but like, these are the things that we needed to put in place at the moment and then we can continuously upgrade and, you know, send people to training and things like that. Like, how is that something you mitigate as you start a business or start, you know, maybe with a smaller business as you're building and growing.
Ken: I think you need to start with yourself and understand what you're doing because you know, when you're starting off a business, you've got one person and then you've got your co-founder, and then you both have admin access to everything. And then, you know, people obviously know you’re the target because you set it up and you've got everything. And then as a business grows, you know, you need to coherently divide that up and then, you know, constantly just keep changing it as well because people will change roles. You know, you've got the accountant who also does HR and all of the other things as well, and then eventually it's just the accountant and someone else is doing HR. So, that accountant no longer needs access to your HR data. And then, you know, you gotta just keep kind of updating it and understanding yourself where things are and then be prepared to be able to hand it over as you scale to, you know, someone else who could do the same.
Mike: Yeah. I mean, I definitely take the same approach here, where when I first joined, everybody had, you know, it was a small company and a lot of people had a lot of administrative privileges and the first thing I did was like, make a list of, okay, well, what can I ever eliminate right away? And what can I work towards eliminating, like, why do they need this access? And is there a suitable replacement or do I have to build something, a solution. And then also in terms of more forward thinking; I usually think, you know, I have a sort of general guide of where I'm going and that's maybe like 6 months, a year out. But it's mostly policy; it's try to keep it pretty loose and give good guidance of like what we want and make sure that the people on my team, whether they’re software engineers, data, science, IT, whatever it is, infrastructure; that they have good information about like what I think is important and what we, as a company, think is important and then they can make better decisions. I can't be involved in every single decision and I can't dictate down. I need the people doing the work to sort of think through that stuff. So, a lot of what I'm doing is really more around policy or sort of that high level strategy of what do we want our posture to be? What do we consider the most important critical data that we need to protect? Where can we have maybe a little more risk? And then as the organization grows and I get more resources then right, I can start addressing those other areas where in the past, maybe we’re willing to take that risk, but now we're a more mature organization. We're getting into larger deals and we're maybe dealing with more and more sensitive data, or just more of the same data. So we become more of a target. So thinking through, you know, definitely adding resources around that and sort of a hiring plan that aligns with that sort of overall strategy.
Thomas: Okay. Well, yeah, I think that is the time that we have today for this episode. So I just wanted to thank you, Ken, for being here and Mike, thank you as well. Ken, we'll definitely have you back on and another episode coming up soon, so, thank you everybody for listening.
Ken: Thank you.