You Are the Weakest Link! (In Cybersecurity) with Trava Security CTO, Rob Beeler
Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Hey there, you're tuning in to episode four of The Tea on Cybersecurity. We've learned so much so far and some of the things that stick out to me are watering hole, that really terrified me, phishing, and so much more. But one thing that has really stood out to me is that everything is pretty much centralized around people. We all know that people are intricate and it's hard to know what they're going to do next. This unpredictability causes a headache for companies when it comes to cybersecurity. I have Rob Beeler, Trava co-founder and CTO, on this episode to help shed some light on why employees can be the weakest link in cyber security. Thanks for joining me again, Rob.
Rob Beeler: Hey Jara, it's great to be talking to you today.
Jara Rowe: I'm so excited to talk about these weak links in cyber security. Let's jump right into the first question. In your opinion, why are employees such an easy target for hackers?
Rob Beeler: You touched on it in your intro. People are unpredictable. Everybody's different. So, it's really difficult to put security measures in place that are going to work in every single case and defend against all attacks just because of the way different people react to different things. Another reason that employees are easy targets is because most people are anxious to get their job done. They're anxious to do what they're asked. So, if somebody emails them and says, "Hey, I need this data," or, "Click here," they're often eager to do what they need to do. And sometimes the bad guys can use that to trick people into doing something bad. It's generally posing as somebody they trust, and we all want to do a good job, so we may trust them. Then, the last thing, that [inaudible] feel like everybody's really busy. I'm sure you see this every day. You're really busy. You have information coming at you from all different directions, from email, from texts, from Slack, or Teams. And sometimes you're overwhelmed with that data and you're just trying to respond and get things done, and you may not pay as close attention as you need to. So, I think that data influx coming in can cause people to make bad decisions as they're trying to work too quickly.
Jara Rowe: Thinking they're doing the right thing and it could potentially cause issues. But as individuals, how can we inform ourselves not to be deceived or moving too fast trying to accomplish everything? Then, how can companies help keep their teams informed?
Rob Beeler: It's a really tough problem. All of us can be tricked into providing information or clicking on a link that we didn't intend to. From a personal perspective, I think the best thing for people to do is really look at everything critically. Look at whatever emails or messages you get and treat them all as they could be malicious until proven otherwise. One thing you can do is when you look at an email, start by looking for the signs that something's not right. A spelling or grammar that's not correct, or the context of the email doesn't make sense, the user, it's unexpected, let's say. So, I think just starting with this attitude of assume things are not what they are, until you prove they are. That's a good way to avoid some issues. As a company, I think the first step is to recognize that your people are a target for attacks. On average, the average company has over 700 social engineering attacks.
Jara Rowe: Wow.
Rob Beeler: So this is not something that's happening with somebody else. It's happening really to every company. To combat that, the companies really need to develop robust training. That's really key to helping your people do a better job, is making sure they're trained and they're aware of what's happening and what threats there are out there.
Jara Rowe: So, you just mentioned social engineering. And just to make sure that my knowledge is up to par, we have talked about an example of social engineering in a previous episode, so that is phishing is one of the things.
Rob Beeler: That's right. Social engineering is generally when somebody poses as someone you trust to get you to do something or provide information. Phishing is probably the most common example of that.
Jara Rowe: Okay. So just to sum up something else I just got from what you're talking about, especially as people, we should just look at the different communications critically when they come in. So, think that it's bad before we actually know that it's good.
Rob Beeler: That's right. Presume guilty until proven innocent approach.
Jara Rowe: For sure. With so many companies adopting a new work from home model, that opens up so many new potential cyber risks and security concerns. What are your thoughts on this as a whole?
Rob Beeler: It's definitely a challenge for security professionals and for keeping everybody safe. There's some concerns. The weaknesses that are exposed when you're working from home. But you generally don't have the same kind of physical security controls as you do in a workplace. You may have a door that's locked at your workplace and maybe somebody who's at the front door and only letting people in that should be in, so you know who's there. Where, you might... especially if you live with other people, they may be coming in and out. They may have friends in and out. So you just don't have that same [inaudible] separation. The same is true on your network and your devices. There's a lack of logical boundaries within your network. What I mean by that is your laptop you may be doing work on might be on the same network as a printer, or another device, or somebody else's computer, so you're kind of exposed in that way. Many companies will use a VPN, or virtual private network, to help secure data. But, you might have to have other data, other devices on your network that you've got to access. There's more and more connected devices. Think about now refrigerators are connected, and cameras, and your security system, those are all ways people can attack you, and they have in the past. There tends to be a lot of insecure and outdated hardware. Things like your network router, which your provider may give you a router or you may buy one, it may be out of date, it may be insecure. Your home network, it may be out of date and it may be insecure. There's just a lot of ways that you can be open to issues when you're working in that home environment that you may not see in the workplace.
Jara Rowe: I know that here at Trava we are a distributed team. We're located throughout the country and even out of the country. Can you just share with me and our listeners some of the different measures that we have in place to keep us secure?
Rob Beeler: Security is critical to us as a security company. We have to make sure that the data we have is protected. So, some of the things we do. We do continuous vulnerability scanning of all of our devices. So everything, whether it's within our network or somebody takes home, we're always watching those devices and looking for vulnerabilities. We make sure that we have advanced endpoint protection. We talked about this in our last episode. A software that runs on your device and detects issues, or vulnerabilities, or malware. We use multifactor authentication across our entire organization, and this is a really important thing. One of the most effective things you can do to prevent being hacked is to use multifactor authentication. Which means, to log in, you don't just use a password, you also have to have some other factor like your phone or something else that can prove you are who you say you are. That's important and it's important to do broadly across all your applications. Another thing that we do, we use a password manager. This is something I'd recommend both for companies and for individuals. We use a password manager with strict password policies. People aren't sharing passwords on text or email, and they're not reusing passwords. And then finally, another thing we do is we provide monthly security awareness training, make sure people are informed of the latest attacks. We follow that up with phishing simulation, as we talked about in our last episode. We test and see how people actually respond. We use that as a learning lesson to see who's responding, who's clicking on the links that they shouldn't be.
Jara Rowe: Yeah, I actually really enjoy the different cybersecurity training. It helps me identify content to create. I've actually borrowed some of the information I've learned to ask questions for the podcast. So, I definitely enjoy that.
Rob Beeler: You may be one of the few people that say they like security training, but it is important in finding the right training. It's an important thing to do.
Jara Rowe: Yeah, I just feel like there's always something to learn. And the different game simulations, there have been a couple times where I picked the wrong answer and then the game goes off on a different route and I'm like, "Oh, but I really thought that was the right one." But then once you choose the correct one, it all makes sense. So, I don't mind it at all. So, you were just giving those examples of what Trava does, but if you could just sum up five different measures or protocols for a small to medium sized business to implement today, what would those five things be?
Rob Beeler: I would start with multifactor authentication would be one. Security awareness training would be two. Managing your passwords, password manager, having long passwords, a good password policy, that would be three. Managing your vulnerabilities, meaning you as a company, you're tracking, you're measuring what's out there, you're assessing what vulnerabilities you have, and you're remediating them. Then last, I would say implementing a solution like endpoint detection and response, or an EDR solution, where you can monitor what's happening in your network and take action if you see something malicious.
Jara Rowe: Awesome. So, just want to make sure I captured all five of those. So, one would be implement multifactor authentication. Two, some sort of training. Three, managing passwords. Four, managing vulnerabilities. And then five, would be implementing a solution just to be able to keep track of things like endpoint protection and things like that.
Rob Beeler: That's right. You got it.
Jara Rowe: Awesome. Fantastic. We've gone over a lot of things to help us as individuals and as companies make sure that our data and everything is secure and that we hopefully no longer become those weak links in a company cyber and security. But do you have any other things as individuals we should do to keep us safe from cyber crime?
Rob Beeler: I think a lot of them, they're in line with what a company does. Number one, look at your communications critically. If grandma's emailing you saying she needs a gift card, you might want to call her up first and validate. So, look at things critically like we do in a business setting. I really highly recommend a password manager. Takes a little while to get used to, but you get away from using that same really simple password on all your accounts. That's a great way to get hacked. Make sure you're using multifactor authentication. And then, make sure you have an antivirus solution and malware solutions on your devices. Don't leave those exposed to the world.
Jara Rowe: I actually recently myself, I was trying to potentially be phished, where an online banking that I use, not going to say the company, but people were phishing as the company about me purchasing like $15,000 worth of Bitcoin. At first when I saw the email, it looked completely legit. It was branded with that company name and everything. But I was like, "I don't even understand Bitcoin, so that definitely wasn't me." So, I got into the account to make sure I didn't have $15,000 coming out and things like that. But, because I understand more about cybersecurity and things, I was able to assess that and not click on anything for them to be able to get my information. Then, I had to inform my family members, like my mom, to make sure that they were not phished as well from this. Definitely learning those skills to stop and assess before moving forward in something.
Rob Beeler: Yeah, that's the right way to approach it. And you touched on something that's worth reiterating. When you get an email about something, don't click on the link. Go to that site through a link and check it out. That was exactly the right thing to do.
Jara Rowe: Fantastic. Look at me keeping myself safe. All right. Thanks so much for your time, Rob. Are there any other final thoughts or statements you have?
Rob Beeler: You mentioned people being the weakest link. Of course, people are our most valuable assets. People are the ones who get things done. So, while all this can be a bit scary, I think with the right training and the right tools, really every company can help their people stay safe.
Jara Rowe: Fantastic. I really appreciate your time today. So now that we've spilled the tea on why employees are the weakest links, it's time to go over the receipts. One takeaway that I have is that because people are unpredictable, it may be hard sometimes to find a solution that captures and keeps everyone safe in all situations. But my second takeaway is with training and things like that, employees, and us as people, we're able to understand to stop and assess a situation before we think and act on it. Just because you get an email from grandma wanting the gift card, like Rob mentioned, does your grandma even use email? So, we should probably stop and think about that. And then, my final receipt is that working from home opens up new things. And because a lot of us have roommates or even our children and things running around, we don't have that physical security of keeping all the information limited to just a certain group of people. So, we just need to do our due diligence to keep information safe. Don't write passwords down in a notebook. You should probably use a password manager and things like that. On our next episode, we will be talking to Adam Patarino, the CTO at Casted, a B2B and podcast platform. Stay tuned as we dive into the SaaS company's journey as a startup all the way through being compliant. That's the tea on cybersecurity. If you liked what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
Everything in the world revolves around people, including cybersecurity.
We all know people are complex, unique, and full of surprises, making it hard to guess what they will do. This unpredictability causes a headache for companies when it comes to cybersecurity.
In this episode of The Tea on Cybersecurity, host Jara Rowe dives into the human element of protecting yourself with Trava’s CTO and Co-Founder, Rob Beeler. Listen in as they discuss why humans are the weakest link and share ways to protect your teams when working from home.
What You’ll Learn:
- What cyber attacks look like at work and at home
- How to protect your teams from being victims of cyberattacks
- How to protect yourself while working from home