Christian: Hey everybody, this is Christian Buckley doing another post-CollabTalk TweetJam discussion. This month the topic was protecting yourself and your data from ransomware, and obviously it was a bigger topic than just ransomware; I'm talking about security of collaboration, the broader topic. But I'm joined today by Tobias.

Tobias: Hello. Hey, hi everyone. Hi, Christian. How are you doing?

Christian: I'm doing great. Why don't you introduce yourself for everybody?

Tobias: Yes, my name is Tobias Koprowski. I'm living in the UK, in Hucknall. It's a small town close to Nottingham. It's a very historical town connected with IT, because this is the place Ada Lovelace came from. Ada Lovelace, if you don't know, invented the computer algorithms together with Charles Babbage. So that is her place, where I live now. I've been a Data Platform MVP for over 12 years, working with infrastructure, SharePoint, Office 365, security, cyber security, as well as compliance and licensing, here in the UK and around the world with my clients, delivering training and consulting with my small company.

Christian: Well, I know this is a topic you and I have talked about a couple of times before. You participated in the tweet jam we did last fall that was security related. It's interesting. It's one of these topics that, you know, we hear about different instances of companies being hacked, or these huge data breaches. Sony had their giant breach years ago that was SharePoint related, but it had nothing to do with the failure of the technology. It was all about poor administration of those environments. It was the people side where the failures were that caused the data breach. But it's an interesting topic. Actually, two of my clients prior to my joining AvePoint were hacked, and one of them paid the ransomware and the other one did not; they had backup and were able to restore very quickly with very little loss of data. I also had one of my demo tenants, so there's no data, there's nothing out there, but I saw that I was hacked. I got notifications. It was the one profile on that demo tenant without MFA, and that's where they got in, and so I could see where that is. And of course I got the threatening letters and I laughed it off. I was like, good luck with that. There's nothing there. You got nothing. You just spent all that time. But you know, it just makes all this much more real.

Tobias: Yes, I think so. Having a testing tenant, as you mentioned, especially around Microsoft 365, is an absolutely brilliant idea, because you can use this of course to prepare your production environment, which is on a different tenant, which always needs to be separated for the real world. As well, you can use this sometimes as a kind of honeypot: a place where potential adversaries will go and try to get into your systems or into your environments somehow, and so we can see that maybe the same IP addresses later, maybe some adversaries or some email addresses or some kind of data are similar around our production environment and around the testing environment for some reason. You are absolutely right about MFA, multi-factor authentication. From my perspective, of course, it should be enabled as a best practice, the first best practice, everywhere, by default, for everyone. However, we'll probably discuss this a little bit later; there are some points around MFA which we need to keep in mind, as well around our administration. You mentioned the process about the lack of, maybe, knowledge of the IT. Especially sometimes the human factor is very, very important. And we had a discussion as well; yeah, we had those discussions as well. So we need to look at multiple different aspects of what exactly is happening.
Christian: Well, that's why, and we'll see in the flow of the questions why I broke it up the way that I did, into technology, process and people. And it's funny, when you ask the questions, and we'll get into it, how some people responded to each one, where they started jumping into the next question, like: that's just the technology, let's focus on the process aspect. So let's start things off. The first question that I asked was: how vulnerable is the modern organization to cyber threats? So phishing, malware, data exfiltration, ransomware, kind of all those things. How vulnerable are we?

Tobias: Let's say we should define first what the modern organization is. I can assume that a modern organization is an organization which is actually connected to the cloud somehow, might be working with a hybrid environment. Probably not an organization which is only on premises, because that organization from my perspective is not modern anyway. And vulnerable? I think very, very much, because we as IT specialists, security specialists, administrators, we know something; we try to protect our organizations as well as we can. Sometimes we have some kind of limitations, like budget, sometimes like timing, and so on. We have some limitations with our knowledge quite often. However, adversaries have plenty of time and they very often work in bigger groups. So for small businesses, you could have one person in IT who is responsible for everything, including security, because no one thinks about, for example, inviting an external consultant to make the security better. So phishing, first and foremost, is always, constantly, super active. Vulnerabilities for our environment, because this is the first way the attackers try to get into our systems. They're not going for databases. They're not going for the SharePoint libraries. They don't know where they are, but they know where the users are, and if they are able to send some fun, fancy email that you won a 100 Amazon voucher last week because you watched something on Netflix... Yeah, I watched that movie on Netflix. Yes, and I just click. Done.

Christian: You know, it's amazing how often it happens. I probably see one phishing email that comes through the various filters per day, at least once per day. It is so common now, and so many of them are so poorly written and obvious what they are; others are very fancy. In fact, internally, our security team did some testing. Thankfully it was... and a number of people failed. I failed as well, because I trusted it, because it looked like an internal regular email. And then they pointed it out afterwards. I said, yeah, I was sloppy. I was on my work email. It looked work related. It looked like something that I see during my day, but there were telltale signs that I should have been aware of. But one of the things that I do is, I will rarely if ever, unless it's coming from work people, work related, I will not click on a link to anything, especially external. I will go, and hopefully this is a best practice for people: I get a message from my insurance provider or my bank or whatever, I will never click on a link in those things, not even Amazon. I will go to the site, I will log in properly to the site, and then go to the message center and updates and things like that. That's one way that you can find out if they're real or not. And, not surprisingly, there's a few, like I just got a notification. I've got one of my sons on my car insurance. Got an email, and it just didn't look right. Went in and logged into my insurance. It was right, and I actually provided feedback to my provider: you need to improve your templates, this looked sketchy, the way the template that my local office uses looks.

Tobias: And I think it works both ways, because of course we need to protect our users and our organizations as much as possible against phishing, for example, because the phishing could be a malware link to an infected website, a link to some infected zip file or whatever else, and the user will click on that one and have no idea, of course. But on the other side, sometimes, as you mentioned, some organizations send emails which are absolutely legit and look sketchy, but only look sketchy to you because you know this, because you've seen similar emails 100 times in the last year and you still remember: there is something strange here. When I'm delivering training for security, I quite often have discussions about phishing. I'm showing some examples; I even have about 100 examples of phishing emails in my special mailbox, and the administrators quite often say that that email is not okay, that is probably phishing, because the grammar is bad. But we work in multinational organizations, multicultural organizations, and, just from my perspective, you know, English is not my first language; of course, it's not my forte. And from that perspective, when I see my different colleagues from different countries, the grammar is not super important, because even my English teacher told me many years ago: don't think about the grammar too much, an intelligent Englishman will understand you. I still remember this 20 years after. So that means that even a poorly written email, or a little bit of bad grammar... some of them said no, the decision is wrong because it's the wrong grammar and the grammar is not okay. But for the foreigners working inside these organizations, that grammar is completely not visible. Right, and that is as well some kind of aspect of the phishing emails, the education about this. I'll probably discuss this later as well.

Christian: Well, and that's why, I mean, it's just, again, a rule of thumb of never clicking on anything in email. It's a good rule: go to the source site, log in, look at it from that different perspective. So I mean, that's just one way around it. Well, the second question, I mean, we kind of started to go down this road: in your experience, what are the primary challenges that are driving the worldwide increase in cyber threats?
Tobias: Well, I think politics and money always drive this. The actors come not only from the private sector but as well from governmental actors. We see what is happening now with Ukraine and Russia, and we know that part of this is, at a very, very big level, the cyber war, which has existed for a very long time, but it's more and more sophisticated, and we can see this if you look at a couple of different places around the world. Like, I remember when I went to China some years ago, and my friend told me: please remember, take a different device. Of course, take the device you're choosing when coming to China, but please remember, do not enable the VPN, because VPN is prohibited; once you enable the VPN you will have some problems with the local authority, because the rules there in that specific place work differently. I think the primary challenge which we have, that cyber threats are around us, is because we are more open. Adversaries know that we moved out from on premises, which was, let's say, working in the box, with the security guards, with the reception, with the data center and with our local LAN network. We went from this place to home, to hotels, to airports, to the cafe, to the club, to whatever. We moved from PCs to laptops, tablets, smartphones, very sophisticated smartphones. Even, we quite often are moving, and you probably know this very well, to wearable devices.

Christian: Yes.

Tobias: Yeah, so I'm using this sometimes.

Christian: Are you reading my emails on my Fitbit?

Tobias: Okay, this is a sport tracker, but it is connected with my account, so I can read my emails, and those emails are not protected here completely, because it's not encrypted. So I think that adversaries try to look at every single aspect of that one. We still remember the network at home. From my perspective, 70% of the private networks at home are not secure, because home users never think about that. They still have routers with the default admin username and admin password. They never change this, because there is no reason. If you want to log in to that router, you can even go to the support website of the producer and then you can find what the default username is and what the password is. 70%, it's still the same. So you're sitting down in the car in the neighbourhood area, like me, you run some kind of software and you're listening to the network, and then you know, okay, that network is open? No. Okay, but let's try admin, password; admin, password. Okay, 1234, 1-something, and we're in. And then of course we're working from home, we're using VPN, our security departments tell us: okay, we have a company laptop, you have a VPN. But before the VPN you have an unencrypted and insecure network, which means if you have a guest inside your home network, that guest can simply travel with you via the VPN into your company.

Christian: Yeah, you know, it works in multiple different ways, much more sophisticated. Well, we're much more open, we're much more connected, because of what started with, as you say, bring your own device: companies wanted to be open, wanted to be flexible, let people use the devices they're most comfortable with for work. Increasingly we're in hybrid working models now, so we're across those, which makes us much more susceptible. My other answer to this, to your other point as you started out, is the money, the financial side of things as well, because I think it's just that simple: it's because the money's so good. To go in there and do that, the return on that... again, when we think of the massive data breaches and we think of the billions of dollars lost for a single company from a massive data breach, well, the cost is even greater as a cost per employee to the small businesses. Like this one of my clients that had, you know, 20 employees, and I don't know how much they paid; they paid a lot of money, tens of thousands of dollars, which they couldn't afford. They had no other choice, because they were in the process of redesigning their system and their security and had not yet launched the new protocols, and that's when the breach happened.

Tobias: And that is a very important point which you mentioned, the small company, small organizations, because when you look at the big organizations, big companies: okay, so they've been hacked, and big organizations have been hacked; there's some kind of failure somewhere in the procedures, people, and so on. But as well I very often hear from small businesses, people, companies like 10 people, 20 people, 50 people: we cannot invest in the security, we don't have a budget, we don't have the money, we just simply work. And that is the process which is very, very... you know, something is missing in that case, because once we are starting to move to the cloud, later we are moving to that cloud or another, but of course we're talking mostly about the Microsoft cloud, we have those features. We have those features paid for inside the subscriptions. So there is no reason not to use them.

Christian: Yeah, yeah, that's an interesting comment. It's like, yeah, we have features that we're not using, huh? Well, let's... so the third question kind of touches on this: is cloud adoption outpacing our ability to properly secure data? And part of that is, I realize that that might be true in some percentage of companies that are just unaware. They've got these features, they don't know what's there yet, they're not caught up, so they're not utilizing all those things. Some, it's just bad practices. They just aren't that sophisticated. They're not thinking about that. And so much of this is driven by a breach: a problem happens, then they go in and correct those behaviors.

Tobias: Yes, we know that people learn from failures sometimes. But I think with the process of moving to the cloud, it should be part of the process: changing the security approach, changing what happened on premises before and what will happen in the hybrid environment or in the fully cloud environment. That should be the beginning of the process of the migration at all, and I think that in many organizations we have a problem. Yes, we think that our systems on premises are secure. I used to spend about 15 years in data centers, physical data centers, hundreds of servers, clients and so on, and I can say some of them were secure, some of them not that much. Comparing the security level with, for example, Microsoft data centers or a couple of different cloud providers, some of these data centers were less secure than my home in some specific ways, because everything depends on what your approach is. And, you know, thinking about the physical security, is that completely passed? We don't think that is the reason why we're moving to the cloud. We don't want to think about the infrastructure. We don't want to worry about the physical buildings.
That is completely not important. It's fancy to see that Microsoft has anti-tank barriers around some data centers in the United States. That's perfect. We don't have them, but they have, and we can focus on different things. The problem which I can see is that quite often the budget or management doesn't have an idea how to transform the previous part of the budget into the security approach, using the features which we have, including training, testing and implementation.

Christian: So one other area, and I agree with that, one other problem is that we are utilizing... I don't have that data in front of me, but I think it's Gartner that said the average number of cloud services per company is over 130 SaaS applications being used. So I guarantee, no matter how security-minded your organization is, if you're utilizing an average number of 130 SaaS applications, I guarantee that you are not applying the same level of security, proactive thought and process around all 131 of those, and each one of those is a vulnerable point.

Tobias: Of course, and it's enough that from the 150 applications you will find one which is not using a key vault for storing the secret credentials, and then you are open. Or one of the applications which a developer implemented, just, you know, I remember implementations: yeah, let's do something, implement some kind of features, some kind of applications, put this on test. Okay, it's working, now switch this to production. Okay, switching is one button, switch to production. Okay, but did we implement SSL? Did we implement encryption? Did we implement encryption for the databases? No, it was on testing. Okay, we will do this later, which means we will do this never. Right, and that is the approach which we have as well very, very often, and I agree with you, probably with that average number, one of those applications could be consumed by the adversaries as an entry point into the systems. And it is enough to have one entry point. Adversaries have time; they can be in our systems for three months, half a year, maybe longer, depending on what they can achieve from hacking our environment.

Christian: Yeah, that's another thing. Some of them can be very patient and wait that out, so it doesn't make it less obvious that they were able to enter. Well, so this is where I broke down the questions. I broke it down into technology, policy and then people. So question four was: what are your technology best practices to mitigate cyber threats? And we've talked about utilizing the features that are available for the platforms, the SaaS applications that we are using. That's a good place to start: actually using the out-of-the-box capabilities of these solutions.

Tobias: I think that everything which we have implemented out of the box should be used directly by default. MFA, of course, is a standard. Going passwordless, if it's possible, of course, going passwordless is absolutely fantastic. I am a very big fan of this; however, that implies the necessity of changing the hardware quite often, and then the company needs, of course, to think about: okay, we need to replace the hardware, because our old Windows 7 machines cannot work with that one, because they don't have the physical capability to work with biometrics or something else. Yes, I have my machine here, the laptop which I'm using normally for working; that one doesn't have biometrics other than fingerprint, but I have an external camera for that one which can recognize my face, so I can use one of those options to simply connect. However, technology: MFA of course is important. I've been a very big fan of MFA, or generally two-factor authentication, multi-factor authentication, for ages, and I'm using this in multiple different ways. But I see sometimes problems: IT specialists, if they know about MFA, and many of them know, they are willing to implement it, and that is absolutely brilliant. But we need to remember about the users which maybe not every single time will be able to use MFA or two-factor authentication in the way we approach it. For example, the most popular is probably the Microsoft Authenticator app, and maybe some kind of fingerprints. Then if you have a device which doesn't support fingerprints, that MFA will not work. So Windows Hello will not work; if you don't have a smartphone because of something, then your multi-factor authentication will not work. Then you have to work with SMS, for example, and then of course you're thinking from the security perspective: SMS can be simply, and relatively easily, intercepted. Yes, that is a kind of risk which we have, but even that SMS is much better than nothing in that case. I sometimes work as well with elderly people, with, for example, some charity organizations, and when you look at the elderly people, they have something... I don't know if I have it with me now. I can show you that one. They're using this. You see? Yeah, this is the book of passwords, and we can laugh at that as technical people, but for the elderly people, if they need to go to the shop, for example, log into the systems and sell some goods in their charity shops, they cannot use MFA. They cannot use something which is highly secure, because they simply maybe don't have the skills, maybe don't remember, maybe don't know how to use it. So MFA, absolutely, but it must be flexible. So implement it for everyone who can use it, but please look for some groups of people which maybe cannot. And then next, after that MFA, enable everything which you have in your license, if it's necessary. Use the Security Center, use the Compliance Center, the Privacy Center, Insider Risk Management. Please do not forget about insider risk, and by insider risk I mean the high-level people which have access to the sensitive data, of course, but as well our management. And we had a lot of discussions about this before: control your CEO, control your CxO, because they are vulnerable. Maybe they don't know, but as well maybe they could be a risk in our organization.

Christian: Yes, well, that's where you've started to go into question five, which is: what are your policy best practices to mitigate cyber threats? And that's where a lot of it is the rules that you have in there. Just like where you say, well, I don't want to have policies within the system that are with named individuals; I want to be role-based, because what if something happens to that person and they're not available? We then can't get into that system. We need to have other people that are able to get into that. You should also have, just as part of your policies, that when someone leaves an organization we run through these specific steps. In fact, a lot of organizations are very smart. They know, hey, this person's last day will be Friday, we're going to take other preventative steps, or we're going to start monitoring and looking at activity and behaviors from these employees. So there's a lot of things that you can do, kind of preventive measures. But so much of this can be handled if you are solid in your processes, that you're handling leavers, that your lifecycle management, that you already have predetermined what the lifecycle of content is.
How do we treat these profiles? What are we doing? Like we have, as part of our provisioning process internally for our tenants, so it's the Microsoft ecosystem, so Microsoft Teams and SharePoint sites and Yammer communities and OneDrive, and third-party solutions, we use Jira for example, and all these other different places, all these systems that need to be handled. So when someone joins or leaves the organization, they run through and do these things immediately. But I even get prompted on a regular basis for the teams that I own, for the SharePoint sites that I've created, that I'm active in daily. There is a cycle, at least a 90-day cycle, where I have to go in there, confirm it's still valid, confirm all the members one at a time, that they're all still valid within that, update any of the rules around those things. And as I look at it, it's a hassle. It's like MFA: it's a hassle to go in and do that, but I'm now just accustomed to it, with the Authenticator app on the desktop. I know the process around it. I understand why the rules are there. It's just become baked into the way that I administer those spaces, those workspaces that I manage, and it's just part of the way that we work. The benefits far outweigh the annoyances of going through the additional steps to maintain each of those things. And so that's a policy thing. We've set up the guardrails, and that corrects, like technology, where things are turned on, we're utilizing the features. We're very security-minded as a company; our policies and our technology far exceed the out-of-the-box alone. So we're more secure than most data centers, because we have, you know, a chief security officer. We're that focused on security; it's important to us. But is that policy part of it?

Tobias: Yeah, I agree with that, and that is a very good example of the policy which we should have up and running: checking activities from time to time, on some specific period of time. It could be 90 days, like you mentioned, checking what is happening in the site, sending emails about the active and non-active users, checking those reports, checking those activities from the owners of the groups, from the owners of the SharePoint sites or Microsoft 365 groups and so on, controlling where those groups exist and how they are created. Because, as you know very well, Microsoft 365 groups can be created almost everywhere, and we have multiple different places, and sometimes those administrators or super users are not working together. They're not even connected, but they create the Microsoft 365 groups, and then behind the scenes we have of course email, we have identities, we have multiple different things. So that is a very, very important part. And I think that as well with controlling what happens in our organizations around the people which we have, we should look at Microsoft Insider Risk Management. It is an absolutely brilliant feature for the reasons which you mentioned. We know that someone will go out from our company, so we need to protect that user of course a little bit, but especially our company, against potentially some kind of problems with that user. So let's run Insider Risk Management. Okay, I know it's required to be licensed, but anyway, we have that one in some moments, and then we can control what is happening with that user, and you can control: okay, that user will be with us for the next month, but that user is starting, for example, downloading a lot of documents from the SharePoint libraries, or sending those documents to a USB drive.

Christian: Which is part of... if it's part of there... there's actually another reason for having, you know, audits. It's another reason for having just exception management, so that the system you can actually automate, and it looks at patterns of behavior that would be out of the normal. Like, here's an example. I was just thinking of this too. I appreciate the fact my bank contacted me and said, hey, you spent a lot more in this last week than normal. And what happened is I had a bonus at work; I paid off a vehicle, I paid off a car loan. Yeah, there wasn't a lot, but it was twice as much as I usually spend in a single month around this, and they're like, was this still you? And I'm like, that's what that auditing, that automation allowed them to do. So this was outside of the normal pattern of behavior: what's going on, is this still you? Or, I appreciate that every time I would travel internationally and use my American Express, they would do the phone call to the concierge or the front desk of the hotel, like, is this you traveling? Yes, that is me buying dinner at a restaurant outside of Manila in the Philippines. Yes, that was me. Because I've had the other times where there was a breach, I don't remember which credit card, it wasn't an American Express but like a Visa card, where it's like, is this you? And I was in Ukraine, like buying food in Ukraine. I'm like, no, I'm pretty sure I wasn't in Ukraine yesterday making a purchase. And so they're like, let's send you out another card. I appreciate that process. You can have that same level of proactive monitoring and pattern watching inside your organization.

Tobias: And that is a very good point, because you're bringing that example from the banking systems, how banking works and how they try to mitigate the risk, and fraud detection and so on about your activities. Yes, you pay the loan for the car. Or I had the same scenario two years ago when I bought the new server which is actually under my desk, and it cost a couple of thousand pounds, and I just simply paid with the card, and they called me: hey, you're doing some crazy transactions on that online shopping, when you're buying something for some thousands with one transaction. Is it you? What are you buying? And so on. And I really appreciate that. I think the education around that kind of approach, if it could be somehow, you know, migrated into the IT systems, IT specialists, that could be super great. If you look at the SLA, service level agreement, we remember that the SLA was created in about the 1980s with the telecoms mostly, but the plan of that SLA approach was migrated into the IT SLA later. But the telecoms were, let's say, the inventors of the SLA in some specific ways, and we just bring this up. So bringing the same from the banking assumptions... I'll give you one more example, because you mentioned something about the special groups and special notifications and observations of the groups. I am a very big fan of not remembering or not using the accounts as humans or as people. I'm always looking at the identities.
So I remember many years ago when I used to work in the data centers We had that problems that in my I used to work in the one company for the ten years, but I had 14 or 15 CEO. I know it's hard to imagine but they simply change and I was responsible for the SharePoint and Infrastructure and I said, okay guys I have no time and I don't want to change the Permissions and something every single time for the new CEO. It's boring for me. I don't have a time as it's boring Simple, right? So we created in our active director is special group called CEO and that was the one person there only Always almost except the moment of the changing when that group had some permissions everywhere to every systems And you know, I even give the permissions for the HR. Hey guys, I'm not interested. Who is my CEO? I never meet that person So when you have a new CEO put that new CEO to the active director You have the permissions and then everything will be sorted and everything was sorted and for the many many years I never think who is my CEO? It's not important I know that that person have some specific limited permissions for some specific part of the systems everything as a reader almost nothing as a writer sorted and Because we have a role-based access control in Azure and in Microsoft 365 and you can use that airbags Airbag airbag functionalities if that role is not enough Create your own role other the specific people and forgot about that Maybe not not in 100% but for me forgot about the human insiders It's just the identity is just the object which we need to protect in some specific ways I know maybe a little bit not super kind but Yeah, we still I know the next question is probably will be about the people because it is Yeah, it's exactly I was gonna make the comment It's like just funny when you said you talked about our back I know what you're talking about, but that's one of those that always so I started my career earlier in my career I worked for Pacific Bell. 
So one of the big US phone companies. Yes. And I did data centers, like I wrote the materials in the binders. I was constantly... in fact, one of my first big projects was a data center consolidation project. It was very secure. I worked with these systems, and we actually shut down three different data centers for the marketing organizations that I worked with, and consolidated to a fourth location. And so I learned so much about the protocols and access to the floor, and this was one of those places where, you know, the door at the beginning of the movie Tron, where they get into the building, but it's that massive door that could withstand a nuclear blast. It was like one of those facilities. Yes. You know, very tough, like you couldn't drive a truck through the front door and survive. They would be protected. But anyway, yeah, RBOC in that world, that was the point I was gonna make, is the Regional Bell Operating Center. So I still have that acronym stuck in my brain. Yeah, so the next question was, as you point out, question six was: what are your people best practices to best mitigate cyber threats? Because that's really where the lion's share of risk happens. We've turned on all the features, we have the policies in place, and then someone does something stupid.

Yes, you know, I'm always smashing this, and this is still hard for some organizations. Technology is one thing. We get a lot of technology from Microsoft, we get the M365 with the E5, and we have hundreds of features, dozens of solutions, plenty of options.
We are doing this for Azure subscriptions, we're adding Azure Security Center and so on and so on. That's absolutely fine, but we first need to educate the users, and the education is a super, super important part. And I'm talking about education from the lowest level of the end users, which are completely non-technical, to the highest level, super technical people, and somewhere in the middle are the management, CEO, CFO and so on. We know that those C-level people don't have time for learning, don't have time for something, but even those people should at least attend the cyber security training once per year, watch that video, answer some questions, maybe not the same questions every year, and have that information somewhere in the system. Yes, that those people at least looked at that one. That will be very helpful later with the auditing post-breach, eventually, if we have a breach. But from my perspective, education, education, education on all the levels. We need to remember that end users quite often are not technical, and users coming to our organizations are doing their job. They are doing something which we don't know. If I talk with my colleagues of my former company, for example, where I used to work, if I talk with my colleagues in finance, I have no idea what they're doing. I'm not a finance person. They don't know what I'm doing. I think that's fine. But I need to explain to them that we need to implement MFA, passwordless, or specific new features, like you don't have to put the password in your computer anymore, it is enough that you look at the camera. Trust me, this is extremely hard for many people. How, how to look at the camera?
I've used that password for the last 25 years, and I remember the password because it's still the same. Of course, yes. So we, as IT specialists, implement a lot of things, we enforce on our users because we have the power to enforce, but it doesn't mean that they understand. If they don't understand, they will not be with us, they will not be helping us. The knowledge and understanding need to come together, and it needs to be repeated, because once we're going to the cloud, and I always mention this on my trainings and with my clients, cloud is constant change, and the adaptation to constant change on every level, because even Office 365 installed on the PC for the users will be changed every 18 months. Yeah. So we need to adapt to the software. From my perspective, best practices: education, knowledge, understanding, having some budget for training. And many of the organizations as well, because I see this on the trainings, they don't know that Microsoft has hundreds of hours of training for free on every single level. They said, we don't have a budget for trainings. Guys,
you don't need to have a budget. You just simply put on the page a link for that specific module, or that specific pathway or learning path, and invite the people. You can build this together with the Microsoft Learn systems, so we can see that users are going to that system, users watching some videos or some documents or some tutorials and so on. You can very simply invite them on the portal, on the Microsoft 365 portal. As you know very well, there are hundreds of links for administrators, IT pros and end users. So you don't have to spend the budget for that one. It is already done. If it's not, then you can look for the special trainings, maybe consulting, maybe something else, but it is already available for everyone.

You know, I like the idea. I talked about how my company did the internal fake phishing emails to kind of test people's knowledge on that, and they do this on a regular basis. It's just part of our protocol, so you never know. It's like the fire drill. Yes. Like, you know, sometimes they announce the fire drills, sometimes they don't, because they want to test your response to that, and you must... And you must take part in the fire drill. Correct, you must participate. Well, that's the thing. I like the idea of, and I would even welcome this in my company, for the people that fail on the fake phishing, then force them to go through and complete a short video, a reminder of that thing, just to make it more top of mind, and look, starting to make yourself aware, knowing that, you know, hey, at any time one of these messages... like, I just got this link for something, do I click on that? No. What did I learn?
I just sat through another 30 minute video a week ago, I'm not gonna do it again. But I think that would be a great way. It's almost a gamification of the training for those end users, and force those that are failing those steps to do more, so that they will, you know, learn, and hopefully it will stick, and they'll learn not to fall prey to that again.

You know, we're working for the organizations, we're working for the best approach and best results of our company. We're not working for ourselves, unless we're working only in a one-person company. But even I have my one-person company, and I'm working for the best result of the organizations, and in the organizations everywhere it's exactly the same. People need to understand that they are of course doing the job, but as well the risk which could happen because, I don't know, they're having some phishing emails, or like the data exfiltration and ransomware. You know, you're probably starting to go to the physical events. Yes, it's slowly starting around the world, and some of them... Do you remember those moments when you go to a physical event and you get, for example, that kind of gadget? Yeah, yes. And now many of my colleagues from the security department say, okay guys, but if you're taking something like this, which is a USB, and even if "Microsoft" is written on it, and it is something like a hybrid way, please do not put this into your computer. Right. But people will go to the events, people will get the USB, because there is a new 52 gigabytes or 64, or I don't know, USB 4.0 or whatever else plug-in. Of course, the probability that on the event that USB will be infected is relatively small, but in some places it's still a kind of risk. Yes. Yeah, think of that. I still think of that now.
You've seen these scams at gas stations, petrol stations, where they'll put a fake card reader thing over that, and so you go in to use it, and all it's doing is, it's almost like a little shell over the thing, and it's reading your password, your card information. You're still filling up your gas tank, but it's enough that I got scared by the news that happened in my area, that every time I go to the gas station I'll go over and I'll wiggle on stuff, just to make sure, like, is that real, you know? And it's like when you're walking at night in a sketchy area, you know, you look around a bit more. Yeah. And I think we just need to have that approach, like be self-aware of your environment and know that, hey, I'm at a hotel. I never just go and plug any of my devices into a USB anything, whether it's on the bed stand for charging or the desktop. I have a power module, I plug it into the outlet. I'm always powering my own through my own device, just because I know security-minded people that do not plug a USB anything into anything at the airport, for example. They just don't do it. I'm just like, well, I'm gonna be more like my security-minded friends.

And you know, I have that small device which is just a simple USB, yes, and that is for plugging in for the photo, for the traveling. Exactly. Yeah, you plug in any of your devices via this, and then no data is coming, but you don't know what could be there, yes, especially in the hotels and so on and so on. Yeah, I even had some discussions two days ago on Twitter with some of those guys from the United States, that you're still using the checks for payments.
Yes. And so they're still legal tender. I don't know anybody who uses them, but they are still there. And they've seen some discussions with some of my friends, that they've seen in the hotel the guy who paid with the check, and that the check was there, you know, the account number, a reference number, and all of those transaction numbers, all that stuff, routing, everything. So it's enough to, you know, grab that check. You have access to that account, if you have access to those numbers, then you can very simply prepare the phishing email, "Hey guys..." Or even worse, even worse, some people have, so it has their name, it has their signature, some people even put their social security number, like printed with the information on there, which is just asinine. Anybody gets their hands on that check... And a lot of banks, well, I don't know anymore, it's been away for a long time. My wife worked for Wells Fargo, one of the biggest banks here in the US, for years, and she was a business teller when we first got married, and they would throw out canceled checks, not shred them, not destroy them, throw them out. Yes. You know, that was a different time, that was 30 plus years ago, and so we don't have the capability now, but if you... now that would be a treasure trove for thieves to go in and find canceled checks: the relevant bank account number, routing number, name and address, signature, double verified on that, you know, it's signed on the back of that. You have everything that you need for stealing somebody's personal profile.

Yeah, I remember, because I used to work in banking as well for a couple of years, I remember some of the trainings on how to work with the checks from around the world, especially from the United States, and how to manage all of this, and I remember that it was a crazy, crazy, crazy part. And of course three decades ago we didn't think about this that much.
Yes, but now, you know, it's a very, very good point to grab something and get access to the person. Yeah, exactly.

Well, the last question is kind of around that: if your organization has had a data breach, what should be your immediate next steps?

Who... I think there are a couple of aspects of this. From the legal perspective, for example here in the UK there is the ICO, the Information Commissioner's Office, so there's a special governmental office which needs to be informed about the data breach. That's no matter, it could be GDPR or not GDPR, it doesn't matter, it generally needs to be informed. The second, I think, we should check from the technical perspective where it happened, what happened, how far the adversaries went, what potential damage it could be, what kind of information potentially will be available. It doesn't mean... I quite often have discussions on the trainings, when we're talking about Microsoft 365, about data loss prevention. We have those features, it's quite big, a lot of procedures, a lot of automations and so on. But I quite often discuss this, because I still think that there are two: DLP, data loss prevention, and data leak prevention, and it is not even mentioned normally in the documentation, but for me they are two different, a little bit different topics. Because if I, for example, for some reason, lost this USB which I showed you, in that case I personally don't care, because I know there's probably some data here, but I don't care, because the data are encrypted, and if that data will be stolen, no one will get access to it as well. If I have a copy of it somewhere else, I don't care as well. So it's just a physical device. The same, it could be a laptop, could be something like this. However, data loss and data leak will be completely different, because some organizations, some of our adversaries, go for the systems to steal the data and make some money for the time.
Some of them have the idea of disclosing the data. You know, the data breaches are happening, as you can see, as you probably see many times in multiple different places. Sometimes the target is: let's steal the data, if we can find the data, let's steal the data and make money off that one. But the other one could be: let's steal the data and publish them, and make bigger harm than stealing. Even so, we had that case a couple of years ago, I remember here in the UK, that one of the... it was this... Final point, I didn't mention this with the first point: vulnerabilities as well, our script kiddies, or your young hackers, which are trying to do something to get access to our systems. And they did, in the UK, about three years ago, before the local election. They just simply jumped into the local election county systems and deleted all of that data of the people who can vote, just the evening before the election, and the problem was that, okay, everything was printed before, but there was nothing in the systems to confirm that the people exist. And that was only for fun for them: let's make good fun, let's delete all of those voters, and, you know, the election stopped. Yes. And you know the cost and all of those problems and so on and so on. So it's very important to look at what is the target of those users. And then when they have a data breach, of course, informing our employees. You probably saw this on Twitter.
I don't remember the name of that university, but it was in the United States, two or three days ago, they had a ransomware attack, and they posted the information on Twitter and everywhere on social media, for everyone, students, teachers and so on: hey, we have a ransomware attack, switch off your computers, unplug your computers. And so that was kind of, probably, you know, an ad hoc policy in some way. Not that bad, not that bad. Anyway, we know that the students are using Twitter or Instagram or social media anyway, so not that bad an approach. However, informing the clients, informing the users, and of course being ready to discuss with the marketing, which should be responsible for informing the users and informing the clients and the business, and auditing. So of course talking with our auditors and working with the auditors, a very important partner. I think this is a personal problem for many. We should avoid as much as possible hiding anything. Everything should be okay inside our organizations.
Everything should be available for the specific people, which means the auditors coming can say, okay, what happened, and we should have some kind of personal responsibility. Yes, I just simply missed something or something else, because sooner or later that information will be visible somewhere, because we can check the audits. It will take maybe weeks, maybe months, but you can find that information. But as soon as possible we can find those moments: yes, I made that mistake, and that probably is part of this, we can mitigate this faster for the next part. I think that the last part of the data breach, and that is again very discussable, because, you know, I know in which company you work, of course, and I know this company very well from years, but in Microsoft 365 we do not have a backup. Yes, the concept of backup and restore does not exist at all, by definition, by default, by design. And we have a few third-party organizations which come to our systems and help us to keep this. And now the question which I quite often have with my customers and with my students on my trainings is: why do we still have a policy for having a backup? Because that policy has been written in the time of on-premises, when we didn't have clouds, quite often, yes, 20 years ago, three decades ago, maybe even, I don't know, four decades ago. And those policies, you know, ISO 27000, PCI DSS, all of those compliance standards, are still very, very much connected to the on-premises. And on-premises, yes, okay, you have to make a backup, two copies or three copies, one outside, one offline and so on, so we know this very well. But in the cloud it does not exist. So I think that from the beginning, the approach of the preparations for the potential data breach should be different.
Yes, we can of course use the third-party solutions and make a backup, storing them somewhere else, or using retention policy, using any kind of other policies which we have inside our system, but planning this very, very, very much. And maybe the last part which I want to add for the data breach: it will be great if we have, before the data breach, a strictly written procedure: who is responsible for what? Because I remember I had a couple of disasters in my data centers, and it is sometimes extremely hard to find who is responsible at that moment to do something, because no one wants to take responsibility. Hey, we have a data breach, we have problems, data disappeared, someone is stealing our data, we have ransomware, who is responsible? Not me, not me, not me, not me, not me.

That's also, it's important to understand the roles and responsibilities. So as part of that auditing process, where you're going back and looking at it: was it a failure of the technology? And if there was a failure in the technology: was it that it was misapplied, did the technology itself actually fail, was there a hardware component, was there a software failure? Because there might be, depending on the cost of that release, there is some liability for the technology providers that are involved. Was it a policy, a failed policy, an inadequate policy? Was it applied, or was it, you know, end user related at some level? So you go back and look and say, oh, I see that it was... like we had one admin who was doing this role, it wasn't automated, they were doing manually a lot of the steps, they were on vacation, so therefore certain things happened. They were out.
It wasn't being done, there was a gap in information. And one of the arguments that's made around a cloud backup, because a lot of them say, well, with Microsoft 365, with Microsoft data centers and the platform, they're doing backups. Like, yeah, they back up the entire system for 14 days. Do you want more granular? Do you want to have to... like, you lose days of data, up to 14 days, and beyond that, good? That's it, like you don't have that. Do you want more granular control? Do you want to be able to go and look at a specific workload with a specific user that lost that, or up to the entire system, and do you want it more than 14 days back? You know, so anyway, and for some organizations, you also have to look at what industry am I in, what laws and regulations pertain, what rules are in place that I must adhere to, and your technology and your process, the out-of-the-box capabilities, may not even at that basic level adhere to or make you compliant with those regulations. So you also have to be careful and look at that, understand the rules, the regulations, the industry, the best practices, and you can't just take for granted that whatever those 130 or more SaaS applications, all of them may say we are compliant with GDPR, we are compliant with whatever country or regulatory rules for this industry. They may be compliant. You, as a customer of those services, may not be compliant in using their solutions, because people are funny, they may not do everything by the intended scenario that this service outlines.

And maybe you just have applications which simply are up and running, developers created those applications, but they never connected them, for example, to GitHub or to other source control systems, and then your application is harmed, and your application's code disappears, and it is over, because you didn't remember.
Yes, maybe we should have all of those applications as well in our source control systems, because we want to be sure that if something happens, accidentally or intentionally, we can follow that one, we can audit, and we can restore to that place which we want, in that moment which we need, for that system. So a lot of things, a lot of automations, hundreds of solutions in Microsoft 365 and in Azure working together as a platform, but not so easy sometimes. So I think again that education, understanding, knowledge and collaboration, again collaboration, around... Now DevOps is very, very popular, but SecDevOps as well should be popular, or different kinds of connections between the different departments working together for keeping that environment up and running and in good condition, is super very important. Sometimes it's just personal problems.

You know, I put all of that, everything you just described, of taking these different areas and having an ongoing conversation. It's not like, hey, it's a checklist, and we've done all 10 things and we're good, we're secure. Like, no, it's the ongoing discussion. That's the governance discussion, and I know that you say the word governance and people's eyes roll back or they fall asleep instantly, you know, those discussions, but that's what we're talking about: being proactive, having conversations about the changing technology that's being used, the processes that are in place, the usage patterns of our people, and constantly looking at that with the changing business patterns and business rules and requirements that are out there, and looking at, all right, how do we best adhere to that? What patterns of behavior do we see? What threats are we seeing that are increasing? What breaches have happened, or what, you know, forays by bad actors into our system?
Like, what are we seeing that we need to strengthen education for end users on these topics, or, hey, we need to shore up our security on this, or be prepared to make sure that, where we were doing weekly backups, we need to move to every night while we look at this issue, so that we aren't as open to risk. But that should be a matter of discussion across stakeholder organizations on a regular basis, I think.

Yes, I agree, I agree with you. But I want to add one more point to that. We discussed yesterday on Twitter, on the CollabTalk, around this: that we should find which information is sensitive for us, which means which information needs to be protected, because the organizations have a tendency as well, I see this, to say, okay, because we need to protect, let's protect everything. And sometimes it's not necessary, it doesn't make sense, because, you know, you could have some completely testing tenant which you don't care about at all, because even if that tenant explodes, nothing happens, because it's just a testing tenant. Yes. Or you could have some repositories. I remember the SharePoint 2010 times, and one of my clients, he put the ISO files into SharePoint. Yes, and he was very happy: everyone has access to the ISO files. Okay, but your database is, you know, huge, and it works very, very slowly. Do we need to have ISO files in our systems or in our applications, keeping them in our backup procedures every night? They are not changing. Are they changing? I don't know, maybe once per quarter. So maybe once per quarter back up: different practices, different policies and so on. And maybe finally we have the data of our users. Our users are working on multiple different devices, we synchronize everything to OneDrive. Yes, it's super, super efficient for the user: synchronize every Desktop and Documents and My Documents to OneDrive, and everything is sorted automatically for users. Then we don't care about the device.
Yes, because that laptop or tablet, it's just the physical thing, the interface. Right, interface. Yes, if it's encrypted, if it will be stolen, okay, let's take another one from the stock, demote the old one, block this in the systems, give the user a new one, download everything from the cloud, and it's done. Yes. So the approach must be different: the management on every single level, supporting the management, supporting the IT specialists, and again education, knowledge and understanding for the end users. They need to know why we as organizations are doing those things, when we're doing this, and how they can help us to do this in the right way. Then everything, maybe not everything, but a lot of things will be much, much, much easier for our organization.

Agreed. Well, Tobias, really appreciate your time today. For folks that are watching this, you know, Tobias is a great resource out of the UK, Shadowland Consulting, connect with them. I'll have the links, of course, within the blog post and within the YouTube video as well, so that you can reach out to him. But it is great seeing you, and hey, I'm over your way in June. I'll be in London for the Commsverse event, I might be staying a few extended days. So, I don't know, maybe I will jump... if the train will work, because my friend went to London yesterday and he cannot go back home because no trains are working. I was gonna say that maybe I could come up and visit. It's been a while since I've been up in Nottingham. But if the trains aren't working, yeah, that kind of puts a damper on things. Yeah, you can always visit Nottingham. We can find some nice places to discuss the technology.