SolarWinds and Kaseya showed the world how dangerous supply chain attacks can get: when one actor in the supply chain becomes compromised, the effects can be devastating to hundreds of organisations downstream.

PrivSec Third-Party Risk will explore the ongoing threat of supply chain attacks and provide actionable advice on reducing your risk exposure.


Transcription

Robert Bateman:

(singing)

Hello, welcome back to PrivSec Focus Third-Party Risk. We’ve had a great day so far looking at due diligence and vendor risk management, and now we’re onto some supply chain topics. Our next session is about best practice for preventing supply chain attacks. I would like to say a quick thank you to our sponsors before handing over to our moderator for that session. That’s ProcessUnity and ServiceNow, and our moderator for this session is Cat Coode, who is a data privacy consultant and fractional data privacy officer at Binary Tattoo. I’ll hand over to Cat now for this session.

Cat Coode:

Thank you so much, Robert. Hello everyone. Good morning, good afternoon, wherever you are. Today, we are talking about the thing we are trying to mitigate the most, which is attacks. So we are looking to find out best practices on what we can do to prepare for attacks, what to do when we’re in an attack and, of course, what to do if and when it actually happens. We have an amazing panel today, so I am going to let each of them introduce themselves. Let’s get started with Vincent D’Angelo. Why don’t you tell us about yourself?

Vincent D’Angelo:

Thank you, Cat. Good morning, good afternoon, good evening to everyone. So I’m Vincent D’Angelo, as Cat said, with CSC Digital Brand Services. I lead alliances, partnerships and corporate strategy. I have been in the domain management and brand protection industry going on 22 years. I am located in the New York metropolitan area as well. So when I was asked to join this panel, my focus was going to be more on domain security, which is security in relation to how we can keep our own core digital assets safe and secure from being used in phishing attacks, as well as how your brands can be compromised and attacked through domain spoofing. So thank you for the opportunity, and thank you to the audience for joining as well.

Cat Coode:

Thank you so much. Our next panelist is Marco Túlio.

Marco Túllo Moraes:

Hello everyone. It is my pleasure to be here. My name is Marco Túlio. I’m from Brazil. I’m the CSO for a company in Brazil called OITI. We are an ID tech company working on onboarding customers for B2B and B2C kinds of business. And I’m responsible for the information security program and for how to protect the organization, the different businesses that we have, and also our customers.

Cat Coode:

Fantastic. Our next panelist is Patricia Punder.

Patricia Punder:

Hello, my name is Patricia Punder. I’m the owner of Punder Law Firm. I have been working in the compliance field for more than 14 years, on privacy, ESG and other matters regarding the DOJ, CGU, FBI, Interpol, et cetera. It’s a pleasure being here with my colleagues to try to give some updates or tips about best practice regarding supply chain and cyber attacks. Thank you very much.

Cat Coode:

Thank you so much. And last but certainly not least, we have Anu Kukar.

Anu Kukar:

Hi everyone. Thank you for having us here today. I am coming to you live from Sydney, Australia, and I am very passionate about bringing diversity into technology and cyber. I am myself a chartered accountant who switched careers and joined cyber security. And what I’m going to bring out in this panel discussion today is really preventing supply chain attacks; I’ve seen it from a consulting perspective and I’ve also seen it from industry. So my background is 20 years, 10 of which were in consulting and 10 in industry. And I want to share the best practices covering various domains around governance, risk, compliance, cyber security, and data.

Cat Coode:

Fantastic. And I think, Anu, you really touched on it there. A supply chain attack can mean a lot of things in a lot of places, and there’s a lot to consider. So we have an amazing breadth of expertise, as you can see, on this panel. To get started, I really want to just have each of you explain, in your world and from your lens, what it means to have a supply chain attack. So we’ll come back to Vincent. What does that mean to you?

Vincent D’Angelo:

So from my lens, I guess the recipe always includes trust of a brand or a platform and a targeted group of companies that are connected in some way. From my perspective, some of the largest global systemic risks, those that are associated with the domain and DNS ecosystem, are often not discussed. However, when you think about some of the single points of failure with cloud providers and domain registrars, essentially legitimate domain names can be weaponized when those providers are breached, and it has happened where technologies such as blockchain and crypto wallets have been affected by these registrar breaches, and they have far and wide effects.

The other perspective from my lens is around domain names, or domain spoofing, that are used to target not only the enterprise itself, but also its partners, its supply chains and, obviously, as we’ve seen with COVID, consumers as well. So that’s kind of my lens when we talk about supply chain attacks.

Anu Kukar:

Cat, you’re on mute.

Cat Coode:

Of course, because it happens to one person at some point. Yeah, that’s wonderful, because a lot of people don’t consider domain attacks, right? A lot of people are looking at other methods of attack. So it’s a really good vector to look at. Marco, how about you? When you say supply chain attack, what are you thinking?

Marco Túllo Moraes:

Yeah, it’s interesting to understand what the domain is and to think on that. You have all the companies, all the ideas of an ecosystem being created, and at the end of the day you are putting some other companies into your business. So we are talking about companies that are supporting some process, some technology that is inside your company, perhaps directly in the main business line or in some support activity, but they are inside your environment, or connected to your environment, or accessing your data, and these companies can be used as a vector to cross the line into your environment. That’s one of the main things that I think of.

The other one is, of course, the case of SolarWinds, where we have some product, an external product or external solution, being used in your environment. And that’s one of the main things that maybe the energy, the utilities industry, the critical infrastructure industry has been considering for more time [inaudible 00:08:21] the startups and scale-ups and G companies.

So we have this concern about protecting their environment, because you are putting something inside your substation or power plant, and that would be a big concern. Right now, the SolarWinds case flagged, on the case that happened, what we should be concerned about: how to protect these environments from this supply chain that’s inside your company, that you trusted, and you don’t believe that somehow they were attacked and then it [inaudible 00:09:00] something into your environment. Those are the two main ideas that I have on supply chain cybersecurity attacks.

Anu Kukar:

You’re on mute again.

Cat Coode:

I’m just going to leave it off now. Anu, what about you? What is your perspective? What does a supply chain attack mean to you?

Anu Kukar:

Yeah. Great. Thanks. I think I’m going to take a bit of a different lens. I think there are two aspects to it, but what I’ll do is take you through a real example. Hopefully for all of us, as we’re coming out of COVID, travel is resuming. And if we think about traveling, if we were to travel, we would travel from our home and make it to the airport, step one. Whether we came by train, bus, Uber, Metro, et cetera, we get to the airport. We do bag check-in. We would do security clearance. We’d probably go and get a drink or a bite to eat, or maybe do some shopping at the airport. We would then board our specific flight at the relevant gate. We would fly to wherever we need to go. Security clearance as we get off, passport checking, et cetera, collect our bag and travel again. Standard flying.

And if I look at those multiple steps, if there was a cyber attack, say, on the organization that does all the bag checking. All those different retailers at the airport are one organization or multiple organizations. The security clearance is generally by a different company. The catering of the food on the airplane is by a different company. Where we collect our bags and check in our bags is a different company. You then look at even the maintenance and cleaning, a different company. So in our whole travel process, there are many organizations that come together to make a great flying experience for us.

And so for me, the way I think about supply chain attacks, I imagine that whole process of taking a flight: what if someone did an attack on the company that does our bag checking? Well, it’s not just going to impact your flight. It’s not just going to impact the airline that you’re flying with. It’s most likely going to impact that entire airport’s airlines. And so for me, that’s where the two aspects of a supply chain attack come in. It is a cyber attack where you are impacting the entire ecosystem. And the biggest difference, and I go back to tech days, is that it’s not one to one, it’s one to many. By attacking that bag checking organization, you’ve done one attack, but you’ve impacted many organizations and disrupted a lot. That’s my real life example of supply chain attacks.

Cat Coode:

Excellent. That’s great. And Patricia, great to have you back. So we are looking at what a supply chain attack means to you. When someone says there is a supply chain attack, in your world, from your expertise, what does that mean?

Patricia Punder:

Well, what I can say to you about this is that crime is evolving. In the past, you had these Western movies, where you have two guys and they shoot each other. Now, with this evolution of crime, a lot of hackers decided, okay, we have a new way to obtain money. Let’s look for the vulnerabilities of companies for money. And they are very good at doing that. Young people are doing this, and they use crypto money, and they go after companies that don’t invest a lot of money in a data privacy program, that don’t invest money in tests regarding the vulnerabilities of their systems.

So it is a new form of crime, very sophisticated, but you can do it at home, in your room, whether you are 70 years old or 21 years old, and you have a group of kids and they decide, okay, let’s do it. And they can do it because they have the knowledge and they know how to avoid enforcement, because they know how to use technology and comprehend technology in a way that we don’t. For them, it is very easy to look at an iPad and say, hey, there are no instructions. For me, I was very afraid with my first iPad. I was looking for the instructions, the guide. There is no guide. For them it is the same thing with technology.

So it is a new way to obtain money, a soft crime. And I believe you’re going to see more and more of it in the future, because it is very easy for these experts. Let’s say they don’t need university. They only need to know about technology, and they know a lot, to enter a company and stop everything and say, “Okay, you want your data back, give me money.” And they are doing this around the world.

So it’s a matter of law enforcement agencies needing to maybe hire these young people, to teach them, in a way, to prevent these crimes, and to learn from them. Because without that, it will only be a matter of paying: I want my data back, give me the money, and I give the money, crypto money. So you can’t trace it. Following the money does not apply here. So we need to use these guys, the ones on the right side of the force, the good hackers, to teach us how to prevent this.

Cat Coode:

I totally agree. And I think we touched on a lot of really great points here. Marco, you had said critical infrastructure. And we know that’s where these ransomware attacks go. Ransomware is extremely lucrative, as Patricia said. You don’t need a university degree to come at this. You just need a little savvy and some time to understand this. You can download programs that do ransomware online.

So I think for me, the real takeaway here is for companies to understand how prevalent and easy it is for attackers to understand ransomware and, as Anu highlighted, every system is interconnected now. You bring in your supply chain, you bring in your third party, and they leave the door open at the back of your secured building. Everyone is in, and they’re all doing damage. So we really need to be very aware of this, especially, again, in critical infrastructure. We are seeing hospitals, we are seeing utilities; they are prime targets for these attacks. So we have to be very, very careful of that. So again, we’ve talked about SolarWinds, which came up, of course, because it is a big example of a major, large scale supply chain attack. Why do we think these are happening more? And what do we think is the root of supply chain attacks? Anu, what do you think?

Anu Kukar:

Yeah, I think, going back to my airport and flying example, the reason we’re seeing more of the supply chain attacks is that the effort and energy of being able to break into one, rather than just impacting one organization and holding one organization to ransom, or being able to extract data or money through supply chains, means the criminals are able to maximize and amplify the effect. They can actually target one company and have multiple impacts and really, I guess, cripple multiple organizations.

So I think number one is the maximum amplified impact. I also think that the way the world is now interconnected, and the way software distribution, product development and the way we do business have changed, is really exposing us to this kind of threat. So as we take on new technology and try something different, new risks occur. We’ve changed our business model globally, and so we’re seeing a new type of risk, and we now need to manage it. Those would be my two, but I’m really keen to hear what the rest of my panelists think about this.

Vincent D’Angelo:

I’m happy to comment as well on your analogy of being at the airport and traveling. One technology that has not evolved in a big way is email, and phishing, as we all know, is the preferred attack method; as old as it sounds, it’s effective. And I think when you combine the trustworthiness of a brand, especially with domain names that are deemed to be legitimate or a domain name that contains a brand, that’s when you talk about the supply chain and having wide ranging attacks, and the impact could be really fascinating. And I think it also comes down to a lack of awareness.

I think even for some of the CISOs in the audience, or the chief compliance officers, when you ask the question, who is your domain name registrar? Essentially, who manages the keys to the kingdom? That’s really what it is, because I think oftentimes, if someone is able to take your legitimate domain name, let’s say streamyard.com, and then create fraudulent subdomains to the left of streamyard, so login.streamyard.com, imagine the impact that has. All of the security appliances think that streamyard.com is a legitimate domain name. However, through social engineering tactics, they’re able to trick the enterprise into thinking that it is a legitimate domain. And that’s where the cascading attacks begin.

We also know with spoofing, from some research we’ve done at CSC that looked at the number of fake domains associated with trusted brands, that all of our studies point to the conclusion that seven out of 10 domain names on the internet today are fake. Obviously you have averages, where well known brands that are very aggressive in protecting their brands may have 50% coverage. However, for the less developed brands, especially in the APAC markets, for instance, that are just emerging, 95% plus are owned by third parties. So basically that enables these third parties to leverage this very low cost technology, email and domain registrations, to have wide ranging attacks and impacts on organizations. So that’s my perspective. And why is it happening? People really don’t have domain security as a top of mind area that they should be looking after.

Patricia Punder:

And if you allow me [foreign language 00:20:51], sorry, I was talking Italian now. The core of a company now is the supply chain department, because they can raise or increase the price of the product. There is inflation in almost all the countries in the world. So the supply chain is a very sensitive area now. They need to buy the spare parts, the products to manufacture something in order to sell to consumers. So that’s the reason the hackers like to attack this department, because they know that this department will be the department responsible for saving money for the company. They try to deal with the suppliers in order to decrease the price so that, at the end of manufacturing and selling something, the price will be the same or less and the revenue will be great for the company.

So the supply chain has been under a lot of stress, because you need to negotiate with your suppliers. If you stop the supply chain department, you stop the company, stop the manufacturing, stop the sales. So the hackers are very smart about that. They don’t want to stop your finance department or your compliance department or the HR department. They want to stop your company, and how do you stop your company? By stopping your production. And how do you stop your production? By stopping the department responsible for acquiring the things to manufacture something. So that’s the reason the hackers are increasingly looking at this department.

And I agree, they are very smart. And it’s not only about the domain. It’s about the IT service. Normally, big companies have an IT department, but some companies say, no, I don’t want to have one internally. So they ask for an external one, and they want to pay a good price for the service. So the level of security is not so good, and they don’t have a good data privacy program. They don’t have the proper policies regarding how to continue the business if there is a crisis. They don’t have a crisis committee regarding an invasion, for example, what to do. Stop everything, stop all the computers. How do you contact your clients, your suppliers, et cetera?

So it’s more a matter of investing in a data privacy program and also investing in services regarding vulnerabilities. You hire someone. I have a friend who has a company, and he has been hired by the most important private banks [Brazils 00:24:02] in order to invade their sites, to discover back doors, to discover the vulnerabilities. And it is an agreement. Every month he has been doing that in several banks, and every time he can discover something.

Cat Coode:

I think that’s a great point, Patricia. Yeah. Thank you. I think the problem we all have from a cybersecurity perspective is that we’re a cost center. Nobody wants to put money into security and privacy; they all want to put money into profit. Marco, as a CSO, you are responsible for both technical and organizational safeguards. Now we know remote work is here to stay, so we have all sorts of new endpoints to manage. So part of our million dollar question is how do we prevent these attacks, but where, as a CSO, do you start to look at adding in some of these organizational and technical safeguards to prevent the attacks?

Marco Túllo Moraes:

Yeah. Yeah. Great point. I guess the first thing is to understand the risk appetite. We have seen a lot of innovation in new companies, new startups, and companies need to prevent themselves, mainly the big organizations, the corporations, and they are looking at those solutions and putting them inside the company. That’s the main thing. So what is the risk tolerance and the risk appetite around that? First of all, we need to look for that. After you understand that point of view, what should you do? That’s your question. We have a lot of different solutions and tools: network segmentation, micro segmentation. We can look at all the technology controls in place, with the mindset that putting some company or some product inside your environment, if it has access to critical operations or critical data, you should understand that it could be a vector of potential issues and should handle the controls, should prevent and deal with that.

I guess the one point where we are failing is regarding not only [inaudible 00:26:16] and risk assessment or third party risk management, but bringing them under your umbrella. Perhaps you bring in some company smaller than yours, and they don’t have the same capability that your company has. So how can you leverage your resources to help them protect your data? Perhaps some technology, some consulting from your team, performing some risk assessments on [inaudible 00:26:54] tasks and getting hands on to help them be more protected, not only to push them and say, you are not fulfilling this clause, this language in the contract, but to say you need to be more protected because we want to work together. So you hit the bar. So we raise the bar on protecting our organization.

So I think that looking at this point of view, not only on our side, but we are talking about everyone. It’s our ecosystem. The ecosystem for your company, how can we be really concerned about it and help them be protected, and in consequence your company will be protected.

Cat Coode:

Those are great points. Anu, what about you? What do you think we do to mitigate these attacks?

Anu Kukar:

Look, I think, from having been in industry and in organizations when these have happened in our ecosystem, one of the learnings I’ve taken from that, and then as I’ve moved into consulting, advising, and helping companies do this, is that it comes down to mindset. Take the travel and airport industry. Having worked a lot with travel and transportation, the mindset they have is that we’re only as safe as our weakest link. So I think there is a fundamental thing that I’ve seen in organizations that really get this right. There is a mindset throughout the organization.

And at the same time, they’ve really looked at how security is part of the life cycle of a supply chain. So you onboard a new third party, a supplier, you manage and monitor them as they’re going, and you make sure you have proper processes and rules when you exit a third party. So for that life cycle of a supply chain or third party provider: how is security assessed before you take on somebody? How are you managing and monitoring them on an ongoing, 24/7 basis? And importantly, if you decide to exit, or the contract is coming to an end, how do you protect your data? What’s the security? How do you make sure the door is not still open? You don’t give the keys to your apartment to every Airbnb guest and leave the lock the same so they can just have duplicates. You take the keys back, you make sure they don’t have a copy, and you frequently change your lock.

So thinking about that, the real thing I would say to anyone listening to this webinar is: think about what the mindset is, top down. And secondly, how are you making sure that security is assessed at each stage of the life cycle?

Cat Coode:

That’s fantastic advice. And Patricia, I know you touched on policies. We have a fundamental problem, and I’m not calling anyone out, but I know lots of clients who will download a set of policies and then stick them in a folder and go, look, we have all the relevant policies, but nobody actually customizes them or socializes them in their company. So in terms of preventing supply chain attacks, certainly we need an incident response policy. We need an incident response plan. What might companies not be considering as part of that incident response plan when it comes to the supply chain?

Patricia Punder:

Well, my first advice for all companies regarding these types of cyber attacks would be: clean the house. Look at your house first. Later, look for the [inaudible 00:30:36], because sometimes you have a lot of policies, you have a data privacy program, you have a DPO and you have a lot of training, but the way you are communicating is very technical and people, depending on their position, don’t understand. The top management, the C level, need to understand now that data is gold. They need to understand that. They need to put this in their DNA. Otherwise, they will not support the data privacy program, and the policy can say everything they want, but if you don’t communicate, if you don’t establish campaigns about data privacy, about please don’t click on a link that you don’t know… You know, very short guides. Don’t click on an email that you don’t know, or an SMS that maybe comes from Apple but is not from Apple, or comes from a beautiful brand, or is a promotion about resorts. You need not only to develop policy and provide awareness about it; you need to give real examples from life.

One day I was giving a lecture for the C level. And I asked everybody, “Do you have kids at school? Yes, I have. Can you access them through your mobile phone and see them live? Yes, we can see. I can see my son now. He’s in the kindergarten. He’s happy.” Then I asked them, “Do you know where they are?” Where they are collecting this image and where they are protecting this image. Whether they are putting this image somewhere or selling this image, or someone is hacking it and putting it on the dark web for pedophiles. In the end, the compliance director contacted me and said it was a nightmare; everybody contacted the schools and asked about the data privacy program.

You need to give real examples of what happens in life in order for people to understand that it’s a problem. Otherwise, we have a lot of blah, blah, blah about compliance and people will not do anything. And in the end, investments. When you invest in technology and protection, you are investing in the continuation of your company. You need to think about that. Not so much about costs. It is only data.

Cat Coode:

Yeah, and again, it’s a cost, but it’s worth that cost. Vincent, what about you? What should we be putting in that plan? What should we be thinking about so that in the moment, when we do have an attack, we have a list of things we’re supposed to be doing? Certainly I know from a domain perspective, what should we be looking at?

Vincent D’Angelo:

Yeah. First off, Patricia and Anu, I love the analogies you’re all talking about: getting the house in order and keeping the front door locked. The analogy I often like to use is that domains and DNS are like the electricity that powers our homes. No one really cares until it’s the Champions League final and your internet connection goes out because the power has gone offline. So with domain names, the act of managing domains is a cost center. However, domain names and DNS are the lifeline of an enterprise. Websites, email, apps, VPN, you name it, are powered by your domain names and your DNS. I could go on for days talking about this topic; however, I always like to keep it simple. Investigate who your domain registrar is, the company that is your domain management and DNS security company.

Do you have a defense in depth approach to secure those critical assets: your domain names, your certificates, your DNS? The buzz of the day, especially in the cyber insurance world, is MFA. Let’s use MFA. We all know that it’s obviously a very necessary tool. However, when it comes to securing your domain name and DNS portfolio, it starts with MFA, but there are absolutely multiple layers of security that should be put in place. So I capture them, we capture them, as the hygiene and the controls that are associated with your core domain portfolio: things like DNSSEC, DMARC, SPF, DKIM, domain registry locks.

So once we’ve gotten the house in order, then look external: how is your brand or company name being abused on the internet through the creation of fraudulent domain names, fake domains, fake subdomains, et cetera? Those are the threat vectors where today, in the early stages of mitigating ransomware attacks that obviously start with phishing and business email compromise, we are relying on necessary applications, advanced threat monitoring and phishing awareness training, which are absolutely critical. However, there are a few things, as they pertain to domain security, that could be done to essentially mitigate some of those upfront, early stage risks that are associated with those cascading attacks on the enterprise. So hopefully I didn’t make it too complicated, but I would focus on those two areas.

Cat Coode:

That’s great. Marco, how do you prepare your team internally, with training or with your incident response plans and policies? How do you prepare your company for an attack?

Marco Túllo Moraes:

Yes, regarding the subject of this panel, we should include everyone, not only our internal team and the internal resources that we have, and of course we should consider not only the technical teams but the entire company. We’re talking about the legal team, the communications team, the PR team, and of course senior management. But you should practice some scenarios that consider external situations, like the supply chain attacks we’re talking about, and include these folks in your scenario planning, or perhaps some tabletop exercises, or whatever you use to test it. It’s important, because with this alignment, when something happens, you already have the way to go, and it is tested and aligned for third parties, considering that you are looking at the most relevant third parties in your ecosystem. I think that’s the main point on my side.

Cat Coode:

That’s great. So I’ve tried to integrate some of the questions that are coming in. Amazing questions. If you have them, please post them. Taking another question from the audience: from a cost perspective on risk mitigation, how is the insurance industry reassessing the landscape with respect to requirements for coverage and, ultimately, cost for said coverage? Anu, you have experience of the insurance industry. What do you think here?

Anu Kukar:

Yeah, I think this one is really timely. The industry is going through a number of changes. So certainly there has been a [inaudible 00:38:36]. What I’ve seen in particular, I feel like there’s been a real push for it, and now there’s been a reassessment of how much insurance can cover, given the fact that we’re now in an environment where it’s not if a cyber attack will happen, it’s when it will happen. So how much does that policy cover, and does it cover you if you’ve decided to pay, and do you then go into terrorism laws and anti-money laundering? From my experience, having seen the regulation change and the insurance assessments around this, I feel like we’re at a real tipping point where everything’s being reassessed. There was a big push, and now I feel like it’s, let’s just kind of… And I can see Marco nodding as a CISO going, it’s really changed. So that’s what I would say from a risk mitigation perspective: I think there was an initial push and now it’s, let’s reassess. And I think it’s equally organizations, but equally the insurance companies going, let’s just reassess what we’re offering and what value it’s providing, and is it sustainable for them?

Cat Coode:

That’s fantastic. Yep. Patricia, this question’s directed right at you. What have you found to be best practices with respect to training? [inaudible 00:39:56] use former used frequency. What do you think about training people on privacy and cybersecurity best practices?

Patricia Punder:

Well, when we’re discussing data privacy and compliance and governance, CSG, normally we professional reps use a lot of American terms, very technical terms that normally people don’t understand. So we need to humanize this, try to explain it in a different way. So I love, and I use a lot, that methodology. When I explain about compliance and I explain about data privacy, I like to use real examples. For example, I told you about, please look for your kids now and ask the school how they’re protecting the image of your kids. If you use that methodology, you can talk about yourself or about someone or about a case that you saw, or you listened to it. And then you build the history about the subject and people, they understand. That’s the point.

And the way that you communicate, it’s very easy for technical people to talk. Data privacy is a law. You cannot click on phishing. You cannot do this. Young people, they understand. But people more than 40, they say, “What the hell? What is this?” Okay. So you need to use the language in accordance with the way that people understand, like history, stories, et cetera. There is a book, a very old book, but it is from the founder of TED, on how you provide trainings using that methodology. And I use this book until today. And regarding how many trainings, all the time, people don’t look at messages anymore. So please, compliance departments, don’t send messages about compliance. They delete. I made a test in a company that I worked at. They delete. 80% delete without looking.

So try thinking outside of the box, put popups when people log into the computer with your very beautiful phrase, take care about your data. It’s a bad example, but you can be funny. If you click you being held, for example, you put your company in danger, something like that. Try to be more… Ask people about the example, put people during the training and say, did something happen to you? One day I asked during a training and a very simple guy told me, “I have a soccer team that helps poor people. And my blog was hacked. I’m a simple person. I don’t know how to do that, but my son is controlling the blog,” and he explained to us. And I use this example in several trainings about why? Because everybody is connected now. People that understand technology and people that don’t understand. So we need to find a middle term about how to communicate it. Don’t use technical words. They don’t like… [crosstalk 00:43:39] Yes.

Cat Coode:

Yes. That’s right.

Patricia Punder:

Yes. Have more empathy with people about technology.

Cat Coode:

And meet them on their level. Meet people on the level that they want to be met at to talk to them.

Patricia Punder:

And be funny.

Cat Coode:

And be funny. Always be funny. We only have a couple minutes left and I want to get one more takeaway from everyone. One thing though, I didn’t hear mentioned was a lot of disaster recovery and business continuity. So make sure backups, backups, backups. You have a ransomware attack and you have a backup. You can slide in there, no more ransomware attack, but do make sure that you have business continuity and disaster recovery plans that again are not just a piece of paper sitting somewhere in a filing cabinet. It is something you’ve tested. It is something you know works. You have that flip over. So capture everyone’s amazing ideas. One takeaway that someone could take away today and put into action that would help them mitigate and deal with supply chain attacks. Vincent, what do you think?

Vincent D’Angelo:

Yeah, so I couldn’t resist. So Patricia brought up the soccer analogy, but we’ll say the global football analogy, right? So the games are won in the midfield in football games, in my opinion, as well as in American football, it’s the offensive and defensive line. That’s where the game is won. My one piece of advice is, don’t rely exclusively on the human to solve the problem of phishing. We are the weakest link. There are proactive measures that the enterprise could take today that could become part of the phishing mitigation toolbox. Secure your domain names and keep a pulse on how bad actors are talking about you and registering about you in the domain, in the DNS ecosystem. So that’s all I have from my end.

Cat Coode:

That’s great.

Vincent D’Angelo:

Cat, thank you.

Cat Coode:

Thank you. Marco, what about you? What’s your takeaway from today?

Marco Túllo Moraes:

Yeah, we raised the point, Cat. So I think that the main thing of these risks, it is how to think strategically in the pre-work of how to be prepared. So BCM, it is super important, but you should look at BCM from a strategic point of view. So what should we do if we just trust in one cloud provider, and if a failure happens, what should we do? Or if you have just one big, important software inside the company, that’s the main thing that’s sustaining our organization. What should we do if they have a failure on that? And the same for a breach or whatever happens in the supply chain event. So how should we react?

Sometimes we have a plan, but it’s just to wait and see the impact and to have the service re-established, or thinking about what you are going to do in the case of a breach and how we can react to put another one in their place and be able to continue to operate and continue working and providing the service and the products to your customers. So think strategically regarding all those risks on supply chain attacks.

Cat Coode:

That’s great. Anu?

Anu Kukar:

So I’ll say the one takeaway is going to be a bonus. It’s one linked with another. So I’ve already said the one, which is, really, immediately look at your organization and go, is security part of onboarding, managing, and exiting any supply chain third party? So I think that’s a real easy check that anyone can do. In doing that, one of the common things I find people say is, “We don’t have enough people. We don’t have enough cyber security people. There’s a skill shortage globally.” And my key takeaway to that is going to be, you’re probably not going to like what you find when you go and do those checks across the life cycle, and part of the challenge will be, “We’ve got a skill shortage. I need more people.” So my key takeaway is, why not try and offer an opportunity, go and talk to someone in governance, risk, compliance [inaudible 00:48:09] ask them if they’re interested in joining cyber or building their career. They don’t have to give up and switch careers fully, but they can actually bring a lot of supply chain knowledge, and you can upskill them in security. And there you go. You’ve got a win-win situation.

Cat Coode:

Fantastic. That’s a great suggestion. And Patricia, what’s your takeaway today for people?

Patricia Punder:

Everybody forgot that the crisis committee is mandatory in every compliance program, and this crisis committee can now include the data privacy program and compliance, supply chain, HR, IT. They are members and they need to have meetings every month. They need to discuss playing BAC. They need to understand the level of risk involving their business in all the aspects, including data privacy, and know what to do when the bad thing happens. Who do you call? Do we need an external expert? We have not only the data in the servers, we have it in clouds. We need to improve the crisis committee, because the crisis committee now today is someone that, okay, a crisis happened, what to do? Oh, I have a paper here. So you don’t need to create new things. You have to have the answers. It’s only a matter of implementing and doing it by the book. As Vincent told us, yes, human beings, you are the weak link with regard to data privacy.

Vincent D’Angelo:

Patricia, just one thought. We got the wheels turning in terms of the crisis management plans that we have in place, as well as what we advise our clients to do. Have a backup method in place for email, because everyone thinks that email’s going to be up and running constantly. If there is an attack on your domain in DNS, your email will stop resolving. And many people in their crisis management plans don’t think about that. It’s kind of like the electricity that powers your home. It’s always going to be there. Have backup communication methods and multiple layers, because oftentimes during crisis management, you want to have access to be able to communicate with your peers and security and legal, et cetera. So great, great point, Patricia-

Patricia Punder:

And Vincent, one thing that sometimes is great: you create a crisis, a fake crisis, in order to see if your crisis committee is working well.

Vincent D’Angelo:

Right.

Cat Coode:

Absolutely.

Patricia Punder:

Yes, like security-

Cat Coode:

Everybody should be … [crosstalk 00:51:04]

Patricia Punder:

… so you create your crisis in order to understand if your policy, your procedures, all the technology involved is working well.

Cat Coode:

Yeah. And anyone running IoT or smart buildings, please also have backups for your access and your doors and everything else that also runs electrically and on the supply chain.

I want to thank everyone so much from this panel for your knowledge and your time. The big takeaway, certainly that I’m seeing, is that it is worth the investment of both time and money in your company to prevent these attacks. The way that you ensure that you don’t have a supply chain attack is to take the time, Marco used the word strategy, come up with the strategies, create your crisis committee, create your plans appropriately, put the right technology in place and ensure that you have actually mitigated the attacks so that you don’t have to deal with it when it happens.

Thank you again, everyone. I hope you enjoy the day with PrivSec today and we’ll see you next time.

Vincent D’Angelo:

Okay.

Patricia Punder:

Cheers.

Robert Bateman:

Thanks so much there to Cat and the panel. That was a really great session. Some really kind of hands-on and practical advice on preventing supply chain attacks. A subject that sadly is not losing any relevance in the security field with the recent attacks, always very high profile, always plenty of examples of things going wrong in the supply chain. So we now have a seven-minute break. When we return, we will have a presentation from our friends at Servicenow, fast, smart and connected: a renewed approach to third party risk management. I’ll see you back here at half past two, UK time, for that.
