Michael Argast is a veteran in the world of cybersecurity. Prior to starting Kobalt Security, Michael ran several security functions in large enterprises including TELUS and Sophos. Michael is now the CEO and co-founder of Kobalt Security – a startup providing cybersecurity monitoring services to small and medium-sized organizations.
COVID-19 has impacted the traditional working arrangement. Many organizations are changing to a work-from-home arrangement to minimize the spread of the virus within the workplace. However, this new working normal exposes organizations to a multitude of cybersecurity risks.
In this episode of “A Conversation With”, we sat down with Michael virtually to chat about common work-from-home cybersecurity issues and solutions for mitigating these cyber risks across the organization and home offices.
Stay safe and stay secure. Here’s a Conversation with Michael Argast from Kobalt Security (Transcription below).
A Conversation with Michael Argast
Omar Visram: Hello, everyone. Very excited to introduce to you, Michael Argast from Kobalt Security, a cybersecurity services company here in Vancouver. We're talking to Michael about all things cybersecurity today, and particularly how the world of cybersecurity has changed with COVID-19.
So Michael, to kick things off today, tell me, all these people are working from home and I've heard, I've read. I'm hearing that there are greater concerns around cybersecurity. There are greater risks. What are you seeing in the world today?
Types of Cyber Risks associated with working from home
Michael Argast: Yeah, so I think there's a couple of things to note. Obviously organizations have got greater concerns and risks, but we're actually seeing an increase in the number of attacks. And there's a number of reasons behind that.
One of the things to know is whenever there is a significant event in the world criminals will take advantage of that event, right? So in the case of COVID, people are doing a lot of searching. They're doing a lot of information gathering and criminals know this, and they will find ways to poison that so that they can find entryways into organizations.
But the other thing that's really relevant is when I'm working in the office and I get a suspicious email, or I get a request from the CEO to transfer money to an account, I can walk over and talk to my IT person or the CEO directly and validate that. And cybercriminals know that we're no longer able to do that. They’re watching more of these kinds of business email fraud attacks and phishing attacks, knowing that users are more likely to click on links and less likely to do the normal sorts of validations that they could do when they're in the office.
Other things to consider is we do a pretty good job generally, as businesses of securing our offices. You know, we've got downtime hours running on your computer, we've got firewalls in place, all these sorts of controls, but home is, you know, it's whatever 50 different employees happened to set up in their home networks. And so there's a big issue in risk associated with keeping company data secure in these kinds of environments.
How to secure your home network
Omar Visram: I saw a tutorial or a learning session that you did online about securing your home internet or securing your home for work from home. Can you maybe give us a few tips from that session, I think it could be quite useful for our audience.
Michael Argast: Yeah. A lot of the principles of securing your home network are similar to the ones that you would use to secure your work network, just smaller scale, right?
So obvious things include making sure that your machines are patched and up to date, right? So that, you know, you take some time maybe once a week to run security updates on your laptop, on your router, on other devices that are connected to your network. So that they're not a point of vulnerability.
A second one is often we'll be running antivirus or anti-malware software on our work computers, but we're not necessarily thinking to do that on our own computers. But when they're all connected to the same network, they can present risks to each other. So making sure that we've got security across all of our different devices, those are two obvious ones.
The third one is actually, most people for their home networks these days, it's all Wi-Fi, it's all wireless. And an easy thing to do is to create two separate wireless networks, one for maybe your internet of things devices, or the things that are less likely to be secure and the things that are your critical devices in your work machine. Right? And so that way you've got some separation and one area of risk doesn't leak into the other.
So those are the three obvious things, and we actually make our securing your home network course for free for our customers and for others because we're really a big believer in this.
Importance of Multifactor Authentication
Omar Visram: Let's talk about Multifactor authentication. I know that this is an initiative that is close, near and dear to your heart. And I've learned a lot about it through you and through the content you've put on LinkedIn and also I've been following your petition. So, tell us about multifactor authentication, like in its basic form, what does it do and why is it so important?
Michael Argast: Yeah. So normal authentication is typically two things, your username and password. And if you know your username and password, you can break in or you can get into a site, right? It's a good basic first level of security. But if you happen to use that same username and password somewhere else, and that site gets compromised, it can be used to compromise other sites where you happen to use those credentials. And I can often guess those things again and again. So single-factor authentication has got some limitations, and accounts are being compromised all the time.
Multifactor authentication combines two factors, typically something you know, or something that you have. So if you think about your traditional bank card, you need to have your bank card and you have to have your PIN. You have to know your PIN. So having your bank card alone doesn't get your cash out of the machine, having your PIN alone doesn't, you have to have the two of those things in combination. So it's not the things I know, but two different types of things.
So the classic application of multifactor authentication these days, there's two of them. One of them is in addition to your username and password, the site might send you a text message to your phone and you enter a code in order to authenticate. That's a weaker form of multifactor, and it can be compromised by taking over your phone number and stuff like that. So there's a bit of weakness.
Another one is an app that runs on your phone and generates codes on a regular basis. I have to know my username and password, and I also have to have that device. It can't be compromised from a text message. The really interesting thing about multifactor is Google and Microsoft have both independently done studies on the effectiveness of adding multifactor to protect your accounts. And it increases the effectiveness by over 99%. So it reduces the likelihood of success of an attack to less than 1% compared to what it would be normally.
And in security, we're a big believer there's no such thing as a silver bullet, but multifactor is as close as it comes to having a really, really strong impact. And it's effectively zero cost for the sites that support it. As you know, my petition is all about wishing the banks in Canada would support multifactor authentication, especially on consumer accounts. I mean, if I can get multifactor on my Facebook and my Twitter and you know, all these other sites, why can't I get it at the bank?
Omar Visram: Yeah, it's interesting. So in following you and your, I almost want to say obsession about MFA. We have MFA enabled on all tools in the business. But my personal email, for instance, didn't have it until recently and my wife's personal email did not. And a lot of personal things go through that email account, right?
Michael Argast: Honestly, your email account is even more important than your bank account because all of your life flows through it. And especially in a work environment, it's your life, but it's also your T1 forms and your HR records. If I can compromise your email account, your email account is usually the account recovery for all these other accounts, I'll basically get access to everything in your online world. So multifactor in your email account is the most important thing you can do.
Security around Financial Data
Omar Visram: Okay. That is good to know. Thank you. Let's shift gears a little bit and talk about financial data. Of course, for a lot of our audience and our clients, their financial data is top of mind. What are you seeing in terms of the most common schemes today around financial data and what are potentially some of the things that we can do to plug those holes?
Michael Argast: Yeah. By far the most common scheme that I see is some combination of email or transfer fraud. And so classically, if you haven't used multi-factor on your email and maybe one of your suppliers or customers hasn’t, one of these accounts will get compromised. And sometime in a chain of communications, the attacker will lurk in that account for weeks or months.
A request for payment will come across and new information will be inserted that will allow the financial transfer to be redirected to another destination, right? Say I'm exchanging information with you and we're talking and you know, the attacker's in my email account. And then you say, Hey, by the way, it's time for you to pay your invoice. Here's our ACHR account information. Send the money to me. The attacker will swap that email out for another one, with the actual illegitimate account information and redirect the funds.
If you don't detect that quickly, that money is then gone within hours. And the attackers have walked away with a hundred thousand dollars, for example. So those attacks are actually incredibly common and it's kind of, I always like to use the kind of Willie Sutton quote. Willie Sutton was a famous bank robber back in the old West days. And people would ask him, why do you rob banks? And he's like, that's where the money is. And so these business email fraud is a really easy way for attackers to directly get money, a lot of other schemes that they have to go through.
And so there's a really easy way to help remove the risk of this attack. And it's not a security control specifically. And it's what I refer to as ‘out of band alternate direction verification’. For example, you're sending me a communication that says, “I've got new payment information. Please put your money here.”
Instead of responding to that email, or just trusting it, I'm going to pick up the phone and call a number that I have for you on file and confirm that the bank information is accurate, not in that email. And so, I've changed the channel of communication. If the email is compromised, I don't have to worry about it. We’re changing the direction of the communication. That simple five-minute step of validation will dramatically reduce the risk of email frauds being successful. I only need to do it like during the initial account set up or during any sort of changes in payment details. And can really reduce the risk of that type of attack.
What you should do if you think you are a victim of a cyberattack
Omar Visram: Okay. And let's say that, I do think that I have been the victim of an attack of some sort, what do I do? Where do I go? Like, what's the first thing I should do?
Michael Argast: Yeah. It depends on the type of attack, but generally like, so if it's one of these business email fraud, you should contact your bank immediately.
They will put a stop on the payment and the transfer, if they get early enough notice, can often prevent the money from being sent further offshore. They can recover the money before it's permanently lost. If you can get to that bank within hours, then often they can stop and recover the money on your behalf. So that's the first rule in business email fraud.
Just general security things, if you're unsure about something that you've done – for example, you've clicked on something and you realize later that it might've been a phish or something like that – the first thing you should do is let your IT or security professional in your organization know or security team, and that happens to be Kobalt. They can immediately do an investigation, figure out if it's a problem. If it's a phishing email, they may want to notify the rest of the staff, so nobody else clicks on it. They can do an investigation to see if your laptop has been infected. They can reset your account password, that kind of stuff. So what we tend to do as humans is we go, ‘Oops, I did something wrong. I want to hide it.’ But the opposite is actually the right thing to do. Let somebody know right away, who can take action, investigate if it's a real problem and address the problem.
Prepare your organization to work from home in the long term
Omar Visram: Okay, great. Any final tips for our audience in regards to what they can do to themselves, especially in this new era. And who knows when the end is, looks like we'll be working, you know, in some shape or form from home for the foreseeable future, any final tips?
Michael Argast: I think your closing comment about that is we don't know how long COVID is going to last. If this is the new normal, then you’ll want to properly prepare your organization. Take the time to ensure that your users are going through online security awareness training, so they're less likely to fall victim to attacks and have secure home networks. It's a good investment of time. It doesn't need to cost a lot, and it'll dramatically reduce the risk to your organization. So I would say awareness training, in general, is a really, really positive thing and has a huge impact on outcomes.
Omar Visram: Excellent. Well, thank you, Michael. Why don't you tell us a little bit about Kobalt and how Kobalt is helping small to midsize businesses and the clients that you serve?
Michael Argast: Prior to starting Kobalt, I had been in security for about 20 years. So, you know, I have a bit of grey hair and most of the security problem in the large enterprise is a relatively solved problem. And what I mean by this is, it's not the attackers are going away and it's not that attacks aren't being successful. But large enterprises can hire a team and buy technology and do all the things necessary to properly defend themselves. And even if they have a security incident, it's probably not going to be business ending.
When you look at small midsize companies, they can't afford to hire a full-time security professional, and know how to select and implement the right technologies and put the right processes and policies in place. And so we built Kobalt to help bring the enterprise-class capabilities down to the small, mid-sized businesses. So they can benefit from improved security at price points and in ways that are accessible to them. Because unfortunately in today's world, half of the attacks that exist in cybersecurity go after small midsize companies, because they know that they're soft targets. And so we're hoping, and having great success, helping organizations up their game in a cost-effective, fast way, so they can focus on their core business and addressing the needs of their customers.
Omar Visram: Well, thank you very much, Michael. It's been great chatting with you today.
Michael Argast: Likewise, and good luck with everything.
Omar Visram: Thank you. You too.
Michael Argast: Stay safe, stay secure.