CISOs Panel Discussion: Securing Remote Collaboration During a Pandemic
Liron Barak, CEO of BitDam, interviews three CISOs from across the globe in this panel discussion. A common theme among all of our panelists is how to face the ‘new normal’ of remote working amid the rise of cyber threats. These security experts dive into their organizations’ plans for adapting quickly and effectively to these new security challenges. Read the transcript below!
LB: Good morning and good afternoon! Thank you for joining the panel discussion on securing remote collaboration during the pandemic. My name is Liron Barak. I’m the CEO and Co-founder at BitDam, but I’m the least interesting person here. Today we have three special guests that I’m honored to host.
We have Michael Sherwood, the Chief Innovation Officer at the City of Las Vegas, joining us from Nevada. We also have Norman McKeown, the Head of IT at LSH Auto UK Limited, the UK’s leading Mercedes-Benz retailer, with over 143 Mercedes-Benz dealerships worldwide, and last but not least Daniel Baird, who is the Group Head of IT of Graham’s Family Dairy, all the way from Scotland.
Welcome guys! Thanks for joining us for this session. We’re planning to have an open conversation today about what it’s like to be in charge of IT security when things are crazy everywhere, but especially when it comes to IT and cybersecurity. Let’s start off with a little bit about the background of each of you and the organization you represent. Daniel, why don’t we start with you?
DB: Yes, I’m the Group Head of IT at Graham’s Family Dairy. We’re a family-run business, operating since 1939, supplying milk, cream, ice cream and butter to over 7,000 customers UK-wide and internationally. I’ve been in the role here for approximately five years, looking after everything from IT security through to connectivity and ERP solutions. So it’s a busy job. Prior to Graham’s, I was Managing Director of an MSP doing cloud consultancy, primarily Office 365 consultancy. I’ve become a bit of the gamekeeper turned poacher.
NM: I’m Norman McKeown, the Head of IT for LSH Auto in the UK. We are one of the largest Mercedes dealer groups locally. I’ve been lucky enough to do this role for about four years, touching pretty much anything a cable touches, from infrastructure to telephony to CCTV systems, all falling under my role. It’s been a whirlwind since we launched the company in the UK. Prior to that, I did a short stint at Siemens Power Generation Services, and before that I was over 17 years at PSA. I’ve worked on the manufacturer side of automotive; I’m gatekeeper turned poacher, having now moved onto the retail and dealer side. So it’s been a good four years and there’s plenty more to keep me busy.
MS: I guess I’ll go now. I’m Michael Sherwood, the Chief Innovation Officer for the City of Las Vegas. I don’t think any introduction needs to be done for Las Vegas; we’re an entertainment destination where you come to have fun. I’ve been here for roughly five years. Like many of the other individuals on the call, I oversee everything from cable infrastructure to CCTV to all basic systems. Anything technology-based, or that plugs into a wall, for the most part falls under our purview. I’m very proud to work here, very happy to be in this community in the great state of Nevada, and it’s an honor to be here with all of you today with such esteemed colleagues. When it comes down to it, security and protecting our digital assets is our number one priority. Now, as more and more of the city and the community rely on technology, protecting those assets becomes increasingly important.
LB: Thank you guys. Why don’t we start with some tough questions? It will be interesting to hear: what were your top information security challenges during the pandemic?
NM: I would say the automotive industry, certainly in the UK, was one of the more challenging sectors that had to move to remote working at home. It’s not something we traditionally do in the car industry. People want to walk in, touch the metal and buy the cars. So whilst the majority of our industry was shut down, we kept two facilities open for key workers.
During the lockdown in the UK, our biggest challenge was twofold. It was taking a predominantly paper-based business and moving it to digital and electronic, doing that securely and quickly, and also getting users who have never worked from home in their life before to understand the unique differences and challenges. Whilst it may appear that they’re sitting at their desk in the office, because of the access we gave them, there are some unique considerations to take into account, and some simple things, from ‘I don’t have the scanner right next to me’ to remembering to ensure that their VPN is running and their security is up, so that we’re not constantly there nagging them. That was a big challenge for the most part; we’ve taken a very legacy industry and brought it into the 21st century very rapidly.
DB: Well, I like the fact that you think the car industry is a legacy industry; milking cows is pretty old school as well. We are certainly a very paper-based culture, and that can pose a lot of challenges. I think we’re probably slightly different from a lot of companies that have been affected by the current situation. Our sales have gone up and, financially, we’ve had three or four very strong months. That’s a change in people’s behavior and in the way we’re doing sales. While we lost about 3,000 customers as soon as the lockdown hit, the demand for milk went from people buying a latte in Costa Coffee to buying a lot of milk for the house, increasing what we call doorstep sales, sort of traditional milkman sales, and another which are higher margins than doing business with a supermarket because that’s in bulk. It’s great! Not as much logistics and customer service with the doorstep piece, plus it’s much higher margins.
We obviously had to move as many people home as possible to shut down the offices while keeping them working at 100%. We had some challenges around paper-based solutions, and certainly things like scanning, as Norman mentioned, with people asking to take scanners home. Even the tracking of what people were taking home was a challenge in the first couple of weeks. We were getting phone calls like, “Is it okay if I take my desk chair home?”
Then we had a challenge around hardware, being a very traditional business. We had a lot of physical desktops and very few laptops. We were trying to send people home, but we were unable to source corporate laptops. So we had to do a lot of BYOD-type things, getting people up and running on their own systems from home. How can we secure that access? Can we give them access to the company shared drives and VPNs on personal devices, and how do we protect that? For me, that was the biggest security concern to begin with.
MS: It was very much the same, along the lines of my esteemed colleagues here. It was shifting roughly 3,000 people from coming into physical offices and moving them to their home locations. There were obviously shortages of equipment, laptops and so forth, but we went to a completely remote infrastructure. We were really privileged that some of the tools we needed were already in place, like Azure and other types of remote connectivity. This really helped and benefited us in getting moving. The other issue was that we still had to maintain staffing levels at our facilities, having staff and getting them prepared with PPE, or protective equipment, and still being able to operate.
The hardest part, which we learned through this pandemic, is just the user education we need to do. Just basic security education and basic overall computer skills, which we take for granted in our department, the technology department, where most of us are familiar with it. Then adapting to workers who can’t come down to our office, can’t work with us and can only talk to us over the phone; trying to explain what cable goes where and how to make these things work. So we came up with some really ingenious ideas: basically we took ideas from YouTube and TED Talks, made little videos and sent those out to employees to help bridge that digital divide. It’s something we’re going to work on going forward. Other than that, the biggest issue was secure access to data and how that’s going to move around in this new age of a decentralized work environment.
LB: Specifically regarding information security, did your information security toolbox narrow, broaden or change in the past few months? Why did it, or didn’t it?
MS: For us, we were compromised, and we use the word compromised, in January, right before COVID. Basically we took a lot of measures, so we were kind of ahead of the curve based on that incident. Obviously, part of that was adding more monitoring tools and taking a harder look at our infrastructure. We re-emphasized our focus on how we manage cybersecurity, not just internally but across the organization, especially passwords. Part of that was implementing a two-factor system, which wasn’t popular at the time. With COVID, it was a great opportunity to have those types of systems in place. It hasn’t been as hard to get executives to provide investment in cybersecurity based on the compromise that we had in late January. Now with COVID, security has been on the minds of everybody. Getting tools implemented was not as difficult; getting users to understand them was the greater long-term challenge.
NM: We’re very similar. We lucked out in that we had the same issues both Michael and Daniel have mentioned in terms of shortage of hardware. I think I found one supplier that could supply me with laptops, but it was on a five-week lead time, and when I was shutting the business down in three days that was not good. We were actually in the middle of an infrastructure change when COVID hit the UK: a data center change, a VPN service change, a network change. We were right in the last six weeks of that before the lockdown. Very much as Michael has mentioned, the biggest challenge we had was around users. We did some videos as well, some video voiceovers, and our biggest implementation was bringing forward multi-factor authentication. We had a user compromised, which we luckily caught within five minutes of the compromise. So there was no risk to the business and no leakage of data. We caught it very quickly and shut that account down. The hardest bit was getting the users to read the instructions on how to set it up once they were up and running. We had a partner who worked with us very well and really understood what we were trying to achieve. That was a big bonus that ensured we were secure during the whole change of moving terabytes of data between data centers in the middle of this pandemic.
It was having a really good partner who understood our business and our organization. Then again, having the backing of the executive coordinator to put in the extra layer of security. Again, as Michael said, there wasn’t a long conversation around the implementation. Often it was “Yep. We need this, let’s get it done. And let’s get it done efficiently.”
DB: I think we were quite lucky. We already had the bulk of our services in the cloud. We’d already implemented multi-factor for a number of years, but we had multi-factor only enabled for certain people; we only allowed certain people to access services outwith our offices. And then all of a sudden it’s that bulk enrollment of users into MFA. The infrastructure was all there, but that pain of actually getting the users to follow the instructions was challenging. You also have the personal information piece around that.
We don’t have company mobile phones, so it’s “You need to put your mobile phone number in here,” and people saying, “But I don’t want you to have my mobile phone number.” It’s not for anything other than helping you secure your account. Getting that piece across was quite challenging, but COVID became quite a good stick to beat people with around a lot of IT projects. Things like the migration of documents to SharePoint and user adoption within MS Teams, things like that. These are all technologies we already had, but we weren’t using them anywhere near enough. We used this as an excuse to rapidly do it, and that worked in our favor, I think.
LB: You all talked about your entire organization working from home, along with a variety of challenges. It will be interesting for me, and for us, to understand whether it was the pandemic that caused your organization to use more collaboration tools, such as OneDrive, MS Teams, Zoom and others. And if so, how do you ensure that your enterprise collaboration platforms are actually protected?
DB: As I said before, I think we were already using a lot of these technologies and they were already in place, but underutilized, and getting the user adoption piece up and running was key for that. We haven’t invested in any new technology and we’re not doing anything that we couldn’t do before. We’re just doing more of it. Having people dialing in from BYOD devices onto legacy shared drives was a security challenge. But we thought that by moving these things into OneDrive, they become a bit more secure, especially because that’s being protected by BitDam.
So we’ve got that protection there at the service side, as well as on the client side and that has made me sleep easier at night.
NM: I think we’re in a similar position. We’ve obviously been on O365 since we launched in 2016, but outside of the IT department, Skype for Business was probably the only collaboration tool, and that was used by maybe a seventh of the organization. We’d been pushing MS Teams and making the information available, saying it’s really useful, and we were just starting to gain a little bit of traction. Then suddenly we made a business decision. Our business is spread between two areas, the Birmingham and Manchester market areas in the UK. Before lockdown, we took a decision to reduce travelling. So one of the first meetings we converted to online was our meeting with our senior management and the general managers who run each facility. We ran it through MS Teams, and instead of it being an all-day, 9 to 6 meeting with travelling too, we had the entire agenda covered by 3pm, with people saying, “This is fantastic. Why haven’t we done this before?” So from the IT department’s point of view, it’s a feather in our cap. As Daniel has said, we have our OneDrive, email and MS Teams all protected by BitDam.
With what I’ve seen since I started using BitDam last year, I know that if there’s something that does creep in, it will be picked up like that, and then we can react if and when we need to. So it’s been a real opportunity to showcase that IT departments are not just there for if and when things are broken. We can bring real value-add in terms of collaboration, but secure collaboration with the business, and not have people’s stories and things here, there and everywhere, which is out of control.
MS: I agree with Norman. Basically, you’ve got to have the right tools. BitDam has been our go-to tool for all of our Office 365 offerings, which are our mainstay for how we do remote work in the city. The other area where we’ve really lacked is the cybersecurity team on our side: getting them educated and trained on how to use the tools, and, when working remotely where they’re not sitting next to each other, being able to share information and talk about working in a remote environment. It’s almost like what we’re doing in this meeting. It’s a different environment to work through issues in and still collaborate with our infrastructure team and our desktop team. So that’s been a challenge, but overall it’s having solid tools in place, like BitDam, that’s really made the difference for us in feeling comfortable with deploying all these remote services.
It’s not a normal thing for us. We’re very used to coming to the building and using our technology in our facilities. Other than getting an email on your phone, there was very little remote access to our internal environment. That just wasn’t the way government worked, but it’s changing. It’s changed in days and weeks rather than years, but having solid tools is really what saves the day.
LB: Thank you guys. We hear a lot about threats that are being sent to organizations today, and about a lot of organizations that get hit by ransomware or another big data breach because of the pandemic. It would be interesting to hear from you, because you have a lot of experience in this field: how do you explain the fact that organizations have so many malware protection solutions in place, yet there are still so many successful cyber attacks? It would also be interesting if you can share whether your organization experienced more cyber attacks during the pandemic, and if those attacks came through a certain channel or through different channels. It would be great to hear what you experienced during the last few months.
NM: I think our biggest increase came through phishing emails. Since March that has gone through the roof, and certainly for us as an organization I think the cybercriminals have tried to take the opportunity to exploit the fact that we are not working together in the same office. Given that we do a lot of transactions, with people buying Mercedes-Benz vehicles, which are quite a sizable investment, we’ve certainly seen an uptick in malicious attachments and credential harvesting attacks coming into the business, or attempting to come into the business. As you mentioned, there are so many cyber security tools, and the way I explain it to the board is that it’s a bit like car security. We have to invent new security technology for the cars that we sell. Criminals will find a way to exploit that. So we then invent more security, and it’s a constant game of cat and mouse.
Every time we close a loophole in cyber security, they inevitably try and find another route in, and because we are in such a connected world now. I go back to the early days of my career when I first put in corporate WiFi. Back then I was told it’s not critical if it goes down, fix it when you can. Within two months, as soon as it went down, the MD was on the phone shouting at me, wanting it back up and running again. People are so used to it. We’re so used to being able to access things easily, which is weird, but the side effect is that they’ve been given easy access, and that gives more weight to security. Having a suite of security tools means you’ve got more chance of catching it than if you only have your standard spam filtering and email protection. Even with the market-leading protections, you need to have a number of them in line, and just try to keep locking them out of your systems.
DB: I think Norman’s absolutely right. I think the multi-tiered approach is critical. In an industry where the Chairman of the company is a farmer, it’s challenging to get him to lock his computer and to tell him you can’t just have one password as your password, you must lock your computer, and no, you can’t just click on everything.
These are the challenges we have that go back to that user piece. As an IT department, we’ve got to protect users as much as possible. Putting in BitDam alongside other tools gives us that multi-tiered approach. One of the reasons I liked the way BitDam approached the email security piece is the way it interfaces with Office 365: it sits inside the mailboxes. Therefore we can have perimeter security protection and we can have mailbox security protection. That’s what I really liked about it.
As for an increase in attacks, our reporting says we have a few more attacks. We’ve not had a huge amount more getting through to the mailboxes of users, but certainly the stats are showing that more are being attempted.
MS: Definitely attacks are on the rise. I mean, with our name, Las Vegas, every time we’re in the newspaper or something, attacks rise. There’s been a lot of press today that some of the casinos are laying off a lot of individuals, so the attack vector, or attack surface, rises because we’re in the news. To Daniel’s comment, having a layered approach, multiple tools, and using BitDam as our main tool: most of our attacks come through email, the old-fashioned way, through phishing.
Again, I go back to user education, user education, user education! Most of them are very plain to see in the world we live in today. For example, I got this email from the mayor. I look at it and the email address is nowhere near what the mayor’s email address is, but people are so focused on the fact that it looks like it’s from the mayor. They don’t look at the email address and immediately start responding to these individuals. To me the key is education as well; the tools have been fabulous. We haven’t had any issues and the layered approach is working. It’s the education of our users which is most important. Phishing continues to be the most problematic issue within our organization.
LB: I agree. It seems that from all of our customers we see a lot of phishing, so what you are all saying is reflected in the data we are collecting as well. This is something we see on a daily basis in our system.
On a different topic, it would be interesting to hear how you balance security with business and productivity needs. It would be great to hear if you have any tips you can share with us.
DB: The key thing there is that the productivity has got to be there. And if your security is compromised, you have zero productivity, so you’ve got to put these measures in place to protect the productivity. Absolutely.
NM: I think firstly, the biggest challenge I’ve got, as I’m sure we all have, is that users will take the shortest way to get to where they want to get to. As Michael mentioned in his previous comments, it’s user education. It’s not that IT is putting these tools in to make your life awkward; we’re actually doing it to make your life easier. So as well as understanding how to use them, it’s understanding why we’re doing certain things, especially if it’s not something nice and shiny they can instantly see. Most of our security work is hidden in the back end.
One of the things I loved about BitDam was the ease of deployment. I didn’t have to teach my users how to use a new email security system. It sits on my mail system, but it’s explained to them.
We’re not doing this because it’s a shiny new tool we want to play with; we’re doing it to protect the business and ultimately to make your life easier.
LB: Let’s move on to our last question for this session. As we know, everyone is talking about remote work becoming the new normal, even after the coronavirus is gone. It would be great to hear what, in your opinion, the influence of this period will be on organizations’ cyber security.
MS: It is the new normal. I don’t think we’re going back to the way it was, even for government, who are generally slow adopters of anything new and shiny. It’s definitely a trend that’s not going to stop, which is going to complicate our security posture. It’s definitely going to put more reliance on letting go of certain aspects of our operation, not being able to be fully in control.
Azure was a big leap for us, giving up our local email servers and moving all that to the cloud; OneDrive was an even bigger leap, and MS Teams too. That being said, what really makes us very proud customers of BitDam is that it is an evolving platform. As our ecosystem evolves and changes, the BitDam system evolves and changes with our organization and kind of interweaves with the technology solutions we are going with. As the world moves towards going more mobile and remote, we have to be flexible to provide services to all of our customers in any condition, and to be able to give access to all the tools and resources just as if they were in the physical building itself. So it will be very challenging, but with great partners we know that we will be able to meet that challenge head on.
DB: We’re going to be looking at security in a different light. I think security and home working, having more mobile users and people being outside that corporate firewall, and learning the different ways of securing access is going to be key. I’m currently trialing physical keys for laptops as well, and for cloud access. I’ve always been one to focus on identity. I think all security things should be identity. The more you consolidate that identity piece and protect it as a fortress with MFA and with physical keys, these are the things we’ll need to be looking at more and more.
NM: I think it’s the new normal, and for the IT department it’s a double-edged sword. It’s been a real opportunity for us to showcase what we can bring to the organization. As both Michael and Daniel have said, it adds an extra layer of complication. I think my industry proves we can do things more digitally. One of the surprises for me was the number of vehicles we sold completely online in lockdown, from start to finish, and we’ve got to protect those customers. One of the reasons I like the BitDam platform is that it not only helps protect my users and my organization; I know it’s helping me protect our customers as well, which helps protect our brand and our brand image. But it is constantly treading the catwalk between ease of use and accessibility, and keeping it secure and keeping all the business data secure.
LB: It sounds like there are also some good surprises in this period of time. Thank you guys very much for joining us for this session today. It was super helpful, and I wish all of us a better, healthy period of time!