In this edition of the Beyond the Perimeter Podcast, we discussed the Promo.com data breach and interviewed Sivan Tehila, our very own Director of Solution Architecture, to gain her insights about security hygiene.
Breach of The Month: Promo.com
On July 21st, Israeli marketing video creation site Promo.com announced that a database containing over 22 million user records had been hacked and leaked for free on a hacker forum.
The data included users’ email addresses, names, genders and geographic locations, and, for 2.6 million of the users, their passwords. Of these, 1.4 million were cracked passwords, meaning the plaintext password had already been recovered and could be used by attackers immediately.
After the public leaking of their database, Promo.com published a data breach notification saying they had become aware of a vulnerability in a third-party partner’s service that affected their data. If you are a Promo.com customer, I suggest you immediately change your password to one that is strong and unique.
If you use that same password on other sites, it is strongly advised that you change your password to a unique one at those sites as well. A password manager can make it much easier to use unique passwords at every site and is highly recommended.
In this episode, I talked to Sivan Tehila to get a better understanding of the importance of proper security hygiene and why it’s a shared responsibility between employees and organizations.
Military Experience Shaped Her Career
Many career coaches will bring up the idea that your life experiences will help mold your professional career over time. This was especially true for Sivan when it came to her time in the IDF. “I started my security journey in the Israeli Defense Forces as a cybersecurity specialist. If you had asked me before I joined the army whether I would work in cybersecurity as a career, I would have said no way. But thanks to the IDF I was exposed to the fascinating world of cyber, and because I had a chance to participate in cybersecurity operations and to get that perspective from the army, I fell in love with this dynamic profession. It makes it even more interesting to me, and that’s why I love the cybersecurity world: no day looks like the day before.”
When asked which cybersecurity habits carry over into her professional day-to-day life, Sivan discussed how people need to embrace the daily uncertainty of cybersecurity. “The fundamental thing in cybersecurity is to understand that no day looks the same as the day before. When people understand and embrace uncertainty, it helps them manage their day-to-day lives.”
Sivan believes the same approach should be taken when it comes to cybersecurity strategies. “I believe building a cybersecurity strategy is the right thing to do before you start any project in cybersecurity. You need to understand the environment, the threat factors and the attack factors. By having a better understanding of the situation, you will be able to manage and build different solutions for each environment while still being able to operate in such a dynamic environment and to respond in real time in case of an incident. We’re seeing it now with the current situation with the pandemic and the fact that many companies are practicing their business continuity plan for the first time.
“If you have a strong strategy and an updated business continuity plan, you could succeed and get over this crisis. But if you don’t have it, it just takes more time and more effort to be able to overcome this challenge.”
Organizations Are Not Thinking About Security
Poor security hygiene among organizations and their employees isn’t new, especially when it comes to modern cybersecurity. According to Sivan, the current pandemic highlighted most organizational security mistakes. “When COVID-19 came, most companies focused more on the communication between their employees and the company and less on security. Organizations were more worried about how they could communicate via Zoom. I think many of them left the security procedures behind, and when they understood that they had to worry about security, for some of them it was too late. It was the regulations that forced them to apply security procedures and policies.”
When asked where she learned her security insights and how organizations can implement them, Sivan mentioned how most organizations lack security awareness. “I experienced many security incidents during my service in the army and when I worked for different defense industries in the private sector. The most common issue I experienced was that most organizations lack cybersecurity awareness. The best way to learn and improve awareness is by building a stronger security strategy. An example I experienced was when I was building security campaigns and I created a phishing campaign at one of the companies I worked with. I scheduled the phishing campaign, and the next morning I got an email with the campaign I had created, and I had done such a great job that I was the one who clicked the phishing email. I think that was the moment when I understood that it can happen to everyone and that we are all vulnerable.”
Security Hygiene at the Forefront
When discussing whether employee security hygiene is strong, Sivan commented on how employees need to be properly trained. “I think it’s an ongoing process. I mean, it’s never enough to just do an awareness workshop one time in a company. It’s something that you need to train your employees on all the time. Awareness is something that you build over time, while making sure you keep your employees aware.
“In order to make sure your employees are up to date, training is not enough. For example, organizations should run quarterly phishing campaigns and quarterly workshops that remind employees all the time that security and hackers never sleep. Security awareness has to be always in their mind.”
Sivan emphasized how easily hackers trick employees. “My prevention tips for employees: don’t just click on a link or open attachments from emails you are not expecting or from unknown senders. Even if you know the sender, still check it twice. Make sure that the sender is someone you know and that you were expecting to get that email. Check the URL of the sender to make sure that it’s a legitimate address, and remember that companies like banks and the government won’t put a web link in their email to you. They will usually instead advise you to visit their web page and log in through the web page.”
If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.