Importance Of CyberSecurity Awareness With Yuri Drugach



Awareness and education are critical shields against the increasing sophistication of hacker attacks.

Today, we have the privilege of engaging with a thought leader, Yuri Drugach, whose expertise in cybersecurity, particularly in raising awareness, promises valuable insights. 

We aim to discuss the challenges, fears, and strategic approaches associated with cybersecurity awareness. 

Moreover, we seek to understand the evolving nature of phishing attacks and the future trends in social engineering. 

Let’s explore the topic with our distinguished guest.

Hello, Mr. Yuri. We feel privileged to share the space with you today.

Q1: What motivated you to choose cybersecurity as your career? In particular, what led you to creating awareness strategies about rising threats?

Mr. Yuri: Cybersecurity has been my hobby for about 20 years. I’ve been reading magazines and articles on this topic, but I’ve worked in completely different fields unrelated to cybersecurity.

Sometimes I came across hacked sites and tried to contact their owners to report the problem without demanding anything in return. About once a month, I called 50 hacker victims. I just liked it.

People often suspected me of being the hacker and of calling for money. But I didn’t need anything; I just wanted to tell them that they had a problem with the site.

Then I tried myself as a bug hunter and found vulnerabilities, for example, in Google and PayPal.

My second hobby was email marketing, and at some point I came up with the idea to create a company that would combine sending emails and cybersecurity. This is how my partners and I began to raise awareness of cybersecurity issues among employees. When we first managed to reduce the risks of hacking an organization by 30 times using social engineering, we realized that we had founded this company for a reason.

Q2: In your experience, what are the most significant challenges organizations face when attempting to raise awareness about cybersecurity among their employees?

Mr. Yuri: The problem is that we need to give users some freedom to use the Internet while at the same time keeping the security of the organization at a high level. When we can’t force a user to apply security rules, we have to come up with ways for them to learn and not fall for phishing. The main problem and task is to create security champions among ordinary users, not just developers. But this task can be solved.

Q3: Before launching a cybersecurity awareness program, what do cybersecurity departments within organizations commonly express as their top concerns or fears?

Mr. Yuri: The two most common fears I’ve heard are:

– If I conduct an employee awareness check and a lot of employees get phished, I will not be able to show the report to the management, because they will think that I am not working.

– If I regularly send phishing attacks to my employees, they will complain that I do not let them work.

In fact, these problems are easily solved by properly positioning a cybersecurity awareness program.

Q4: Given the multitude of cybersecurity measures, do you believe awareness raising is the primary defense against hacker attacks targeting employees, and why?

Mr. Yuri: We can install a dozen technical means of protection, but a call from a fake director asking to transfer money to a certain company will bypass any technical protection.

However, I would identify four components that significantly reduce the risks of hacking an organization:

1. Implement technical means of protection as fully as possible; special attention should be paid to all communication channels through which an attacker can contact an employee.

2. Write regulations that describe an employee’s actions in certain situations and introduce employees to them. For example, what should an employee do if the director calls him directly and asks him to transfer money to some company?

3. All employees should learn the basic rules of information security. A separate category is employees whom we cannot fully protect with technical means. They must go through advanced training materials and exercises.

4. Simulate situations in which an attacker attacks the organization, for example with well-known phishing mailings. The main rule here is regularity. If you check employees’ skills once a quarter, you can say that you are wasting your time. As our practice has shown, employees forget about the danger after a month.

Q5: Phishing attacks have historically been on the rise globally. What factors, if any, do you believe contribute to the decline of this trend?

Mr. Yuri: I believe that drawing attention to this problem at the level of national governments and heads of large corporations is the right thing to do. For example, Information Security Month is held annually in the United States. I know that this initiative extends far beyond the United States, and international companies are bringing this culture to all continents.

Also, in many countries it is not customary to talk about incidents publicly. When a company has been hacked, many people don’t want to talk about it. Other companies in those countries think that nothing is happening and that it is not necessary to invest money in cybersecurity. But besides hacks, you need to make your successes public too. For example, tell us how you have significantly reduced information security risks, and with the help of which tools and solutions. We need to share our experience with colleagues.

Q6: When conducting simulated attacks, are there particular types of phishing attempts that employees consistently fall for more than others?

Mr. Yuri: Yes, I’ll give you two examples of when it’s hard to resist clicking a phishing link.

1) An attacker sending phishing to an employee can put the director’s email address in CC, but it will be a fake address for the director. For example, the director’s mail is yohn.d@company.com, and the hacker puts ceo@company.com in CC. In the letter, the attacker mentions the director, and the employee thinks that if the director is aware of the letter, then it is possible to do what he is told.

2) The use of official domains and subdomains in phishing links is a real problem. When an employee (or a technical means of protection) sees a link in an email with a domain such as archive.org, evernote.com, bing.com, microsoft.com, google.com, or adobe.com, it is difficult to tell that it is phishing.
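As an added example (not code from the interview, from Mr. Drugach, or from his company), here is a small Python check for the two tricks he describes: an executive's name or role borrowed on a From, Cc, or Reply-To address that is not the real mailbox, and links that ride on a legitimate domain either through an open redirect or through content hosted on a public service. The sample email, the executive directory, the internal domain, and the redirect parameter names are constructed assumptions; the list of abused domains is the one given in the answer.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse, parse_qs

# Hypothetical directory of executives (display name -> real mailbox) and
# the organisation's own domain. In practice these come from the IdP/HR system.
INTERNAL_DOMAIN = "company.com"
EXEC_DIRECTORY = {"John D.": "john.d@company.com"}
# Local-part words that suggest an executive mailbox on the internal domain.
EXEC_ROLE_WORDS = ("ceo", "cfo", "director", "president")

# Legitimate domains named in the interview that routinely carry
# attacker-controlled content or redirects; links on them are suspicious, not trusted.
ABUSED_HOSTING_DOMAINS = {"archive.org", "evernote.com", "bing.com",
                          "microsoft.com", "google.com", "adobe.com"}
# Query parameters commonly used by redirectors (assumed list).
REDIRECT_PARAMS = ("u", "url", "redirect", "redirect_uri", "next", "target")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message combining both tricks.
SAMPLE_EMAIL = """\
From: "Accounts Payable" <accounts@vendor-invoices.example>
Reply-To: "John D." <john.d@mail-external.example>
To: employee@company.com
Cc: ceo@company.com
Subject: Urgent: invoice approval
Content-Type: text/plain; charset="utf-8"

Hi, the CEO (in copy) has already approved this. Review the invoice here:
https://www.bing.com/ck/a?u=https://evil.example/login
The signed copy is at https://web.archive.org/web/2024/https://evil.example/invoice
Also see our public site https://www.company.com/about
"""


def check_executive_impersonation(msg):
    """Flag From/Cc/Reply-To entries that borrow an executive's name or role."""
    findings = []
    for header in ("From", "Cc", "Reply-To"):
        for name, addr in getaddresses(msg.get_all(header, [])):
            addr = addr.lower()
            local, _, domain = addr.partition("@")
            # A known executive's display name on an address that is not theirs.
            for exec_name, exec_addr in EXEC_DIRECTORY.items():
                if name.strip().lower() == exec_name.lower() and addr != exec_addr:
                    findings.append(f"{header}: display name '{name}' but address "
                                    f"{addr} is not the directory entry {exec_addr}")
            # A role-style mailbox on our own domain that the directory does not know.
            if (domain == INTERNAL_DOMAIN
                    and addr not in EXEC_DIRECTORY.values()
                    and any(word in local for word in EXEC_ROLE_WORDS)):
                findings.append(f"{header}: role-style address {addr} not in directory")
    return findings


def text_parts(msg):
    """Yield decoded text/plain bodies, handling single- and multi-part messages."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def check_links(msg):
    """Flag links that use trusted domains via open redirects or hosted content."""
    findings = []
    for text in text_parts(msg):
        for url in URL_RE.findall(text):
            parsed = urlparse(url.rstrip(".,);"))
            host = (parsed.hostname or "").lower()
            apex = ".".join(host.split(".")[-2:])      # web.archive.org -> archive.org
            query = parse_qs(parsed.query)
            redirect = next((query[p][0] for p in REDIRECT_PARAMS if p in query), None)
            if redirect and redirect.startswith(("http://", "https://")):
                findings.append(f"open redirect on {host} -> {redirect}")
            elif apex in ABUSED_HOSTING_DOMAINS:
                findings.append(f"content hosted on trusted third-party domain {host}: {url}")
    return findings


def analyze(raw):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    return {"impersonation": check_executive_impersonation(msg),
            "links": check_links(msg)}


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_EMAIL).items():
        print(category)
        for item in items:
            print("  -", item)
```

The point of the link check is that a domain allowlist is the wrong control: the host is legitimate, so the signal has to come from the structure of the link (a redirect parameter carrying another URL, or a public hosting path) rather than from the domain name. The impersonation check likewise does not trust the internal domain by itself; it asks whether the address is one the directory actually knows.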

Q7: What criteria should organizations consider when developing training materials to ensure the effectiveness of cybersecurity awareness programs?

Mr. Yuri: 

Q8: In your perspective, which social engineering trends do you foresee gaining momentum in the future, and how can organizations prepare for these evolving threats?

Mr. Yuri: Now it is customary to talk about AI and what a huge danger threatens the whole world because of its use by hackers. I believe that it is not AI that is dangerous, but the person who uses it. Yes, AI helps to scale an attack, but it is not perfect either at writing phishing emails or at corresponding with the employees a hacker wants to hack. But there are also larger-scale techniques that intruders can use.

AI is just a tool; everything else depends on the skill of the hacker.

Therefore, of course, we should be wary of attacks using AI: for example, deepfakes, BEC attacks using AI, and attacks in which a hacker introduces himself as the head of a company and tells an employee to perform various malicious actions.

I will not tire of reminding you that employees’ awareness of information security threats, from the point of view of their personal safety, will be the main aspect of protection. But, of course, only if all four points that we discussed above are implemented.

Q9: How do you balance the need for creating awareness without creating a culture of fear or paranoia among employees?

Mr. Yuri: We need to raise awareness gradually. First, easier training attacks, then more complex ones. Employees must learn how to defeat hackers. Then they will study the letters with more involvement. A game is what you need to create in the fight against phishing, not occasional training attacks and boring courses to study.

Q10: Considering the remote work paradigm, how has the dynamic of employee vulnerability to social engineering attacks shifted, and what strategies do you recommend for adapting awareness programs?

Mr. Yuri: Working remotely, an employee is of course less involved in the corporate culture. The colleague he could talk to does not sit next to him, and he has not seen representatives of the cybersecurity department for months or years. He has already forgotten most of the cybersecurity rules he memorized (apart from technical means, if they are installed).

Therefore, of course, employees working remotely should not be deprived of attention. Awareness raising should be exactly the same as for all other employees. Of course, the training materials for such employees should be relevant to remote work. After all, in the office, a child does not sit down at the employee’s work computer and visit dangerous sites while mom or dad is in the kitchen.

Q11: Are there specific industries or sectors that you believe require tailored approaches in cybersecurity awareness due to their unique challenges or threat landscapes? (For example, the Oil and Gas sector)

Mr. Yuri: I believe that organizations whose hacking can endanger a large number of people should comply with more information security rules. They have a great responsibility, and in such organizations top management should actively promote information security. In many countries, governments pay attention to such organizations. Not everything goes smoothly; there are problems when interacting with regulators, but this can be solved, because when the lives and health of thousands of people are at risk, there is no time to argue.

The last thing I would like to say is, do not ignore the regular awareness checks of your employees. One phishing training attack every few months is a waste of time. After a month, employees forget the rules of information security. If you don’t check their skills, hackers will do it.

I wish you success.

Author: Anas Hasan

Date: January 12, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
