ESET cybersecurity specialist Jake Moore on what safeguards every business should have to combat cybercriminals, how CTOs can make their job easier, and why deepfake video is the next front in the cyberwar.
Jake Moore is a cybersecurity specialist for ESET, the internet security and and antivirus company. Besides tracking and developing tools to combat growing cyber threats, Moore provides cybersecurity advice and training to small businesses and large corporations.
The risk of a cyberattack and its financial ramifications are now higher than ever. Companies face fines of up to 4 per cent of annual global revenues if they allow a data breach under GDPR regulation. The average cost of a data breach is now $4.2m – and that’s not even taking into account fines such as the £20m slapped on British Airways for a breach involving 400,000 customers or the £18.4 million penalty charged to Marriott Hotels for a similar incident.
Jake Moore offers cybersecurity advice to large companies including Vodafone and Facebook, as well as the Bank of England.
Before joining ESET, Moore worked in the Digital Forensics Unit and Cyber Crime Team with Dorset Police, investigating computer crime for over 14 years. He gathered all digital evidence to present in Crown Court.
Jake Moore regularly comments on cybersecurity issues for the BBC, The Guardian and The Independent.
‘Some enterprise companies have millions of attacks each day, it’s wild’
Most small boys when they’re growing up think about wanting to be an astronaut or a footballer. I understand you are interested in becoming a bank robber.
That’s very true. I really did. I was fascinated with crime. As a child, I just thought crime was really cool.
But then you decided to become a white-hat hacker and joined the police. Tell us about that journey.
I came out of university with a maths degree and didn’t know what to do with it. It was my mum who said, “You’ve got to do something that you love.” And I said, “Well, I do love crime – in particular bank robberies.” And she said, you can’t be a bank robber, but you could join the police force.
Within three months I was analysing robberies and burglaries and thefts. This was back in 2003. It was while talking to the robbery squad I realised that digital crime was on the rise. I hadn’t really given computer crime any thought up until that moment. I hadn’t thought about how computers could be used in crime. But police officers had anticipated this. They could see that the future of crime was coming in rapidly and they weren’t ready.
Dorset Police were going to pump a lot of money into a hi-tech crime unit. They were looking for civilians who were going to stick around. At the beginning, I was going on six courses a year. I got some amazing training in digital forensics, as it’s called now. In the end, I did nearly ten years in the digital forensics’ unit and 14 years in total.
The digital forensics unit was quite at the forefront of crime. We were seeing the birth of Tor, the dark web, the birth of cryptocurrencies and encryption to evade capture, which frustrated me because I couldn’t find the evidence on so many cases.
What can IT leaders do to make staff take their business security as seriously as they do their personal online security, especially now that our home and office lives are smushed together?
The reason why people don’t pay so much attention to their work security is because they think it’s somebody else’s problem. If there’s a financial loss, there’s insurance. But if it’s their own personal account, that has repercussions.
One thing you can do is to give staff tools that will protect the business they can use in their personal life, such as a password manager, so they can use them on their social media and personal email. I believe that all companies should be using password managers. Also, bring in authenticator apps and train your staff in how to use them.
Do you think that companies should make cybersecurity training mandatory?
Absolutely. And not just from day one but before they even start the new job. Companies are at their most vulnerable when staff arrive for their first day in a new office. They could be targeted by a phishing email, a smishing text, even a phone call from somebody pretending to be the boss saying they want to continue this conversation via text or WhatsApp. It’s your first day and you want to please. By then, it’s too late.
People don’t like to question authority. We want to see the good in people and criminals are very good psychological manipulators, who know the exact way to puppeteer people into doing something.
I know that backing up is something that you’re very hot on. Why do we need to back up if you’ve got the cloud?
The cloud is fantastic but bad actors might know exactly where your data is stored in it. Multiple backups are safer. I’m a bit believer in “cold storage” – saving data to a physical hard drive or even a USB stick, so if you’ve had a ransomware attack, your hard drive is sitting on the side, and it’s not plugged in to the internet.
What are the basics of cybersecurity for a small business? Antivirus software and password protection and authenticator apps?
Some enterprise companies have millions of attacks each day, it’s wild.
We haven’t talked about threat monitoring software that constantly scans your system for any possible breaches. The more you automate, the simpler your job becomes. Only it’s not cheap, and it’s not fool proof, but it will give you time. The software will take care of a certain amount, which means the overworked IT department can deal with the ones which get through the first layers. Each layer you have, you reduce the number getting through. They’re being sieved down.
Every day we see to read about companies being ransomed or big data breaches. It seems that this is an unwinnable war – or at least one which will never end.
It’s most definitely a war that will never end. But the battles will become easier and not so huge. Once somebody’s been burgled, they do everything they can to make sure it doesn’t happen again. They up their security. Small businesses especially think it’s never going to happen to them, but when it does, that changes their mindset.
Unfortunately, many businesses, especially small businesses, are strapped for cash. When you look at cybersecurity, it comes under the same category as insurance – something which doesn’t make them money, but it does protect them. Protection is not an exciting part of the business.
What trends are you seeing in cyberattacks?
Bad actors are targeting areas of the business that are overlooked, or not being patched, or assumed patch and vulnerabilities have crept in. Areas such as supply chain logistics, when you’re talking to a trusted supplier and a phishing email comes from them, and you don’t even think about opening it. Phishing emails account for 80 per cent of the start of attacks.
What would your advice be to the stressed-out, overworked CISO, who’s having to field these constant attacks, a bit like an overwhelmed goalkeeper?
It’s all about having multiple layers of protection. Multiple layers make their job easier. Because each time you add another layer, it’s freeing up your time for elsewhere. What the CISO or CTO wants most of all is time.
And the one thing I would say is, expect the unexpected – this isn’t going away.
And what does the future of cyberattacks look like?
We’re going to see the rise of deepfake messages using audio or video. Imagine getting a video call from your boss telling you to do something. If the boss tells you to do something, we do it.
More Tech Leader Q&As
Clive Humby – data can predict nearly everything about running a business – Clive Humby, inventor of the Tesco Clubcard, on ways to stop feeling so overwhelmed by data, how to convince your CEO of its importance, and why data should look forward and not backwards
Tech leader profile: how the CMA uses data to protect us – Most consumers are unaware of how they are being manipulated when they buy things online, whether that’s skewed results on search or opaque pricing. The CMA is the consumer champion when it comes to digital. Yet its work also extends to tech business mergers, investigating algorithms and, increasingly, how Web 3.0 will affect all of us
Tech leader profile: business use cases for 6G – What are the business use cases for 6G? Given how spotty network coverage is for 5G, do we even need a next-generation cellular network? Alan Jones of Blu Wireless explains how cellular networks have evolved, and why 6G will be crucial for the metaverse