In this interview, Iskro Mollov, Group Chief Information Security Officer (CISO), Vice President Security, Business Continuity and Crisis Management at GEA Group, shares his insights on the best practices for preventing human errors and security mistakes and the fight against ransomware.
Iskro Mollov was a panelist in the session entitled “How to build and sustain a strong cyber security culture and awareness” at the Global Cyber Conference 2022.
What do you consider to be the biggest hurdle for organizations in the fight against ransomware?
The biggest hurdle for most organizations is still the lack of basic security measures. These include basic technical preventive measures: missing or insufficient patching, still using legacy systems, missing network segmentation, insufficient privileged account management, MFA and password security, and, often unfortunately, back-ups that are not available, not tested, and/or not protected. Those, in combination with insufficient basic organizational but also detective, reactive and corrective measures such as awareness (especially at the top management level), security incident response and disaster recovery plans, as well as missing crisis management procedures and exercises, form the hurdle for the companies that we often see attacked by ransomware.
Those basic security measures are well known and, in the meantime, actually “common sense”. Nevertheless, a lot of companies are struggling with implementing them. The root causes for this hurdle are often to be found in the status of the security function itself – (Information / IT) Security is often in the hands of technical IT experts who cannot transmit their needs and challenges to the Top Management, cannot communicate the business risks and cannot get the needed resources. If they do get the resources after all, they often lack the change management capabilities for implementing new ways of working and new technologies in the organization and cannot convince managers and employees of, or show them, the benefits of working in a more secure way.
Almost all successful cyber breaches share one variable in common which is human error. What are the best practices for preventing human errors and security mistakes?
Human errors will never be completely prevented. We are all humans, and we all make mistakes. This will remain. What we shall do is try as much as possible to exclude the human factor itself. A good method for that is the “poka-yoke” approach, which is often used in process improvement. The concept was first formalized in the Toyota Production System, and the term means “mistake-proofing” or “inadvertent error prevention” in Japanese. Poka-yoke was originally called “baka-yoke”, but as this means “fool-proofing” (or “idiot-proofing”) the name was changed.
There are a lot of everyday examples of poka-yoke that we do not even notice because of their intended simplicity and repeatability, which over time becomes a habit, such as:
- ATMs in Germany do not issue the money until the card has been removed
- Telephone plugs cannot be plugged in upside down
- Pressing the clutch pedal of a car with a manual gearbox before you can start the automobile (or the brake pedal in an automatic car)
- Shopping cart numbers on the bottom of the cart (in some shopping markets the cashier must write down this number before every sale. For this reason, he or she must look at the bottom of the cart and will see if something is “forgotten” there, such as e.g. boxes of water)
We also need much more poka-yoke in the information and cyber security domain. Passwordless login (e.g. face recognition), but also MFA, are a good beginning and good examples of that – your credentials cannot be easily phished or revealed by mistake.
The trend in remote working has created concerns for cybersecurity specialists, exposing companies to increasing cyber threats. What major preventive measures should companies take to mitigate those threats?
The companies must go in the direction of “Zero trust” in general. This includes measures for verification of accounts, devices, applications, and infrastructure, independent of their location but also applying context-based access, continuous monitoring, and dedicated security for the crown jewels of the company. Such measures that are part of the Zero Trust philosophy include MFA, IAM, PAM, SSO, VPN, NAC, network segmentation, information classification, DLP, etc.
The human element plays a central part in most cybersecurity incidents. To which extent do you consider that people are often the problem?
I will never call the people or the employees a “problem” (if they are not acting with malicious intentions). More often the “problem” is the security system and its processes. This could include missing or insufficient security culture and awareness measures, but also missing consequences, including disciplinary measures, if employees do not respect, or simply knowingly ignore, the security policies.