This analyst chat episode is the 50th and therefore a bit different. This time Matthias talks to two experienced analysts, Martin Kuppinger and Alexei Balaganski, about the ECSM, the European Cyber Security Month, which is to provide information and awareness on cyber security in October 2020. The particular aim they pursue is to go beyond awareness to arrive at specific measures that can benefit individuals and organizations alike.
I think it's quite obvious. Why? Because when you look at the major shifts, many organizations have experienced in the, the way their people are. The teams are working over the past six or seven months, then I think it's so obvious that cyber security has far higher attention now because there's so much new. There are so much different. I wouldn't say down use threats in the narrow sense, but they affect threats, affect certain companies. And this change to shifts as for what I believe, um, raised attention for this European cyber security months,
If I may add to Martin, and in this regard, we have to remember that the risks are that the stakes, if you will, are also much higher now, besides the obvious kind of elephant in the room, the COVID pandemic, uh, we've heard some other news as well. For example, just recently, a couple of weeks ago, there was the first human casualty offering somewhere recorded ever. And of all places in the world in Dusseldorf in my home city west could have had a patient who could not be saved because the hospital infrastructure was locked. So she had not had operation and did not survive transport transporting to a different hospital. So in that regard, cybersecurity is now a life-saving measure if you go. So of course everyone's talking about cybersecurity,
And I think there's this, this frisk pond is a very interesting one because threats are the same assets are slightly changing, but what really changes is to probability and sort of the range of assets you need to protect. So when you still thinking, okay, my brokers, my employees are working in the office. They all ended office. They use a corporate Elon DYS, and only if you are traveling and maybe if you have a home office and then you shift to zones and where a lot of people must use their own devices, at least for a transition period until all the new notebooks are delivered. And if you shift from all people sitting in the office and what you may still feel is a protected network. So talking about Stuart trusted, probably isn't, um, but shifting to different types of access, then we have a different equation for risks. So there's nothing new in the sense of that hasn't been around, but it affects far more organizations, far more people. And so the risk is bigger and that creates advantage. As I said, blasty the change and change always causes uncertainty. So everyone needs to get adopted to how do I do my cybersecurity ride into a new work environment? So in consequence of anise is increasing, but just good.
Yeah. I would fully agree on that because that was important years before already. But, um, as we have the attention right now, it's really good to, to also use the impetus of such a, such an such a campaign as it is going on right now to, to really leverage this for improving the security posture of an organization in general, one core aspect, as I've read it out from the mission statement is about raising awareness. And Alex, you have written a as I think really reflective and thoughtful blog posts about this topic. Um, what is important to you? If one wants to approach this topic of raising awareness properly, maybe you can elaborate a bit on that.
Well, materials, you know, as I already mentioned in the blog, I am not a fan of the term awareness or itself because I I'm afraid that many people kind of understand the whole idea of letting the public know. Sure. You can spend all your time doing this and you can go through different hoops and tricks to attract and more attention. But in the end, the fact that you have communicated any idea cybersecurity or not to the public doesn't mean that the public will retain that idea for a long time, because you know, every day brings new challenges. People tend to forget, which is absolutely normal. It had nothing to do with pandemics or anything like that or cybersecurity. The problem was how do you not just make people aware of a problem, but how do you make them aware of the solution to the problem? And this is what many sources I think are lacking at the moment. So yeah, it's not enough to just tell for the top thousands time, write another article about you somewhere or whatever risk for working from home. How do you communicate the solutions? How do you explain to the people, okay, this is how you actually solve those problems. This is how you prepare for a ransomware attack. This is how you deal with it, uh, after being hit by ransomware and so on. So apparently should be about solutions to problems, not the problems themselves.
Yes. And I have a strong belief that the best starting point for cyber security around this trading is starting as what affects people in their daily life. I got every now and then I got a call from my parents saying, oh, there's this obscure email in there. Should I open it? And one has these males in the inbox. Many people are not sure what they do. And they are afraid of other types of phishing attacks a day sometimes, or a full week to, to certain types of attacks. And if you start your cyber security awareness training was saying, okay, this is where you need to be cautious. And this is like Alexis said, how you solve it, how you react on that. The reaction might, the first thing might be trust, ask the right people who might know might give you an advice, your it supporting your it security team, ask them, and also bring up simple solutions on how to better understand is this a potential attack or not? Is this something real? I think this is where everything must start. So not lengths is things. Um, I think in March I created the five minute video as a cyber security awareness training and five minutes. And you can do a lot in five minutes and it's far more important to do it regularly, to support people continuously and to dry, to do once a year, a long full day or half day training. That's not the right way.
Absolutely. Uh, I believe mark and that's kind of the only reliable to make people actually remember. And awareness training is to turn it into a routine like, you know, like taking your children to brush their teeth. Isn't enough. You actually have to make them proud of their teeth, Emory, even at least. And this is exactly the same cybersecurity bias. So it has to be daily. It's not enough to limit it to one month, right? So
You have to take the step further from awareness to actually real practice. So an example would be how to treat passwords that we all still have to use on several occasions, how to treat them adequately. So using something that generates a complex and not guessable password, instead of doing this manually. So having a tool at hand, having a tool decision, being made, maybe on an organizational level, that might be a starting point. So if you have the tool and if you are told to use it and you are able to use it, that might change the situation completely when it comes to using passwords of not reusing them, not having simple guessable passwords. So that would be something that an organization can do that the it team can do that Martin as the lead of this company can do and say, use a password manager to make sure that nobody can guess your passwords in general
And even better. If that password manager is actually more convenient than a piece of paper to write your passwords down, if it actually allows people save time doing that, then it becomes your second nature. So you wouldn't reach for a piece of paper to write down the password. You just click a button and you are safe and you're able to do whatever job you do daily immediately after a second.
Yeah. And there are many things insecurity which can make life of the user easier. So, so we learn that using a fingerprint to unlock the iPhone is quite convenient measure and it's more secure than a four-digit pin. I'm absolutely confident about. And when we look at many of the MFA approaches, so the one I'm using on a daily basis in the office 365 environment, they are definitely very convenient and they are more convenient than entering lengths in like passwords and keeping them in mind and changing them every month or so. So security can be if done, right. Security can in certain areas, definitely increase convenience stolen all. I think we also must be very clear about that. Sometimes security is a burden, but I think we got much better in this industry and making security more convenient. And that is an important aspect as well.
And the one great aspect of this is actually a standardization. For example, speaking about multifactor authentication used to be extremely cumbersome and inconvenient because you would have five different security keys and stuff like that. Now you have the Fido standard. So basically I am really amazed at sometimes how fight if development has gone already. Like I can use my webcam, for example, for face ID authentication, or I can use the fingerprint on my phone, or I can just click a button and authentication app. And it all works in a uniform and standards-based way. So you just have the choice and this is what brings convenience,
Right? And as this campaign is aiming on the one hand at the, at the single of citizen of the EU, um, or actually worldwide. And on the other hand also aimed at organizations trying to increase their security. This is really, um, a broader aspect. So what we are talking about all day long is more or less making organizations more secure. So having security on an organizational level, on a group level, on an enterprise level, also on a platform level to make sure that it's in an ideal world secure from end to end. Um, we are also looking at making the individual citizen more secure. And I think this notion of security across these different areas is also of importance because if you are safer, more secure in your home environment, in your daily, uh, web browsing, um, entity device experience, you will also most probably be more aware when it comes to dealing with your corporate devices, with your bring your own devices used in a corporate environment.
So it's really a good thing to make sure that people understand that security is really something to think about, but to practice as you've mentioned. So if we have a look at individual measures to take, if I asked you both to provide two tangible recommendations to our listeners for, for using this impetus, either for yourself, for the individual listening to this podcast episode, but also to use this for moving this into a corporate environment, using this impetus to improve security there, what would be your recommendations, real practical, concrete, immediate steps to take right now, maybe starting with you Martin, where would be starting points to improve right now where maybe people are not looking at right now.
So aside off the call to shift to multifactor authentication now, and I made this call in a couple of my videos and posts over the previous months, my main recommendation for the individual would be to look at some of the very short videos we have from that at our KuppingerCole upside and 40 businesses. My recommendation is resync your cybersecurity awareness strategies, meaning go for shark mutual, modern content that really educates and delivers recommendations and helps your teams not lengthy cyber cybersecurity around us trainings. I think it's really going short and sort of speak modern in the way you do it. And then you will be far more successful and gossip far more positive feedback from your teams.
Great. Um, Alexa, something to add from your side, what to do right now?
Well, if I may, I'd like to look at it from a completely different angle. Sure. Because one major change that COVID and the pandemic has actually brought to us in that there is no longer such a clear border between corporate and home security anymore. Because if you are working from home all the time, you're either using your own computer or you have your own computer or your own phone in the same network. It's really difficult to, uh, to protect one from the other. This is a traditional approach. So basically what any person working from home can do is just go to the employer and say, Hey, it's in your best interest to help me protect myself at home. Or like, I don't have an antivirus helped me with a license, or I don't know how to secure my wifi network. Can you give me some recommendations? Like our, it guys, maybe write a guide on secure in the whole network and stuff like that. There is absolutely no needs to enforce this separation between personal and corporate anymore. People should seek help from the employees because again, it's in the employer's best interest.
I would fully agree. I just wanted to use this, this metaphor for moving from the individual experience also to the business experience and back. And that is actually what you said right now. It's really, there is no clear distinction line for many people right now with this COVID crisis being in full swing, most, probably the easiest way to understand it can protect yourself. So it can also protect your organization and the people behind that when it comes to, um, helping people and that could be organizations and individuals alike, um, in understanding where to move forward. I would really also recommend that we apply a risk based approach. So really to understand what is really at stake, what is the most important aspect to protect? And that might be corporate email. That might be your web browser histories. That of course are your passwords if you still have to use them.
So protecting the most important things first, so to apply a risk based approach on a personal and on a, on an employment level, that is really an important thing to do. And maybe as a final question, um, you've mentioned the it guys writing down some recommendations for protecting a wifi for protecting individual aspects. Um, we as analysts of course provide information about security on a daily basis. This is a part of our job descriptions. So is there material online that organizations and individuals can use for this European cyber security month awareness? And beyond that we have at our website at KuppingerCole and maybe especially for new listeners, what is available and how can they use it? Martin you've mentioned the videos already that I think is a great starting point because it's always better to have a video than rather to read through a lengthy document, but we also have short documents to help you write Martin.
Yes, we have. We have, we have a ton of stuff. In fact. So when you go to our website, if you go, when you go to blast stock KuppingerCole dot com, where you can get access to all of our research, I believe, or a decent fee, you will find a lot of leadership, brief documents, and a lot of other materials, which helps you in securing your it and securing your systems and understanding how to move forward, just authentication indication, and many, many other topics. At the end, in a nutshell, we have a lot of research. We have a lot of events, life events running at least every second week. And we can also support everyone was the full range from at wise, an organization needs to get better in cybersecurity, right?
And I think another aspect that we have, of course, it's this podcast, and there is a frequent production of blog posts, which really help here, as we've mentioned, Alex's blog posts, right? So we are looking at this aspect very closely also without payment and with payment, of course, this is business, but on the other hand, really to make sure that there is a constant flow of regular and up-to-date information regarding cybersecurity as part of our work, anything to add from your side, Alex say,
You know what he has of course mentioned this whole a risk based approach. Everyone is talking about risks. Now I see one tiny problem that kind of calculating and assessing risk is actually a difficult task. I mean, it's a lot of math and a lot of our out of the box thinking if you will, because for many people, this is absolutely not an obvious approach and they have to change the way they think about their jobs. So here, I mean, learning how to do this risk based approach is also critical. I believe we have some materials, uh, probably more company oriented, uh, as our academic advisory materials actually help companies to learn this approach and apply it thoroughly and kind of, uh, mathematically, if you will. And of course, I mean, our blog posts, our short videos, they're all helping to quote unquote, raise awareness about this risk approach as well. So yeah, absolutely. You have to maybe, uh, invested some time into just learning about risks and how they are calculated and how they are applied, because this is like for some areas of cybersecurity, this is a matter of survival.
Yeah. I would fully agree. And to iterate on what Alex just said, if you go to our website, if you use the search box on the upper right corner and you just type in risk based with a dash in between, um, you will be led to session recordings of webinars. You will be led to two blog posts, which really detail this aspect beyond the gut feeling that everybody has, but what risk could look like. So that would be a starting point also to start your individual journey on raising your own attention and maybe to improve the awareness with your own organization and leading then to concrete advice, how to deal with this mass of threats that we encounter on a daily basis. So maybe that is a good final word for today's session. Famous last words from your side, Martin.
Hopefully it are not the famous last words here. At least not the last one from fake famous, they might get that. They shouldn't be my last words. I think it's simple. Take cybersecurity earnest and act on it.
Right. Perfect. Alex say last words.
Well, first of all, uh, let me just congratulate you Mathias again and thank you of course, for doing this for 50 episodes already. It's certainly definitely be our last one. So expect at least another 50 in the future, all of this episodes or about raising cybersecurity awareness thrive. So let's not stop here. Let's not stop at the end of October and we'll just continue doing our daily jobs. Great.
That is a great summary. So we ended up here. Thank you very much, marching. Thank you very much, Aloxi. Thank you. Thanks.
How can we help you