Major incidents like cyber attacks, terrorism, and pandemics are likely in the making right now, but that doesn’t mean they’re inevitable. Learning from past incidents, asking the hard ‘what ifs’, and helping businesses build organizational resilience is always top of mind for security leader Sarah Armstrong-Smith.
Chief Security Advisor at Microsoft and author of the book Effective Crisis Management, Armstrong-Smith has more than 25 years of experience working on the strategic, tactical, and operational response to major incidents and crises.
Read her interview from Random but Memorable (or listen to the full podcast episode) to learn why security is actually a business problem, how leaders can build an effective security culture and the costs that companies bear if they don’t prepare and protect themselves.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Matt Davey: How do you stay optimistic with all the ‘what ifs’ associated with disasters?
Sarah Armstrong-Smith: I used to think I was a little bit jinxed! Wherever I go there are these major incidents. I thought, “Is it me?” But actually, slowly but surely, I’ve realized I’m exactly where I need to be. And over the years, it’s made me think more about where the opportunities are, and where there are lessons to be learned.
Writing my first book, Effective Crisis Management, came about by accident. I never intended to write a book, but for Cyber Awareness Month in 2021, I wrote an A to Z of crisis management. It made me reflect on those incidents over the last 20-plus years. What works well and what doesn’t? What are the opportunities around these lessons learned, and what are we going to do to make positive change?
MD: Can you share a few insights from some of the challenging incidents you’ve experienced?
SAS: I’ve always been interested in the human side of security. When someone has physical injuries, people sympathize and show empathy for them. But when you have mental injuries like PTSD, it’s not visible, and you get treated very differently.
I think this is synonymous with cybersecurity. If you’re the victim of a physical crime, people are like, “Oh my goodness, how did this happen?” They show empathy and sympathy. But when you’re the victim of a cybercrime it’s very different. It’s your fault even though you’re the victim – whether you’re an organization or an individual.
When I was 12, Piper Alpha happened. It was fascinating to me that there’s normally a series of events that lead up to a major incident. Missed warning signs, audit reports and test reports that are ignored, poor culture, poor leadership. Slowly but surely, over time, these things escalate into a major incident.
What I’ve put into the book are some of the worst examples of major incidents. I’m reflecting on 9/11, Deepwater Horizon, and other major events. Again, how bad does it have to get before we take action? It’s really about stopping the cycle. That’s what I’m trying to aim at.
It’s similar to what we see with cyber attacks. They’re slowly but surely escalating. And at some point, we’re going to see a cyber attack so big that it’s probably going to cause fatalities, particularly when we think about some of the attacks on critical infrastructure and operational networks.
We’ll have this major incident, and at that point, we will look backwards and say, “How did we get here?” And then questions will be raised again. But if we look back at the history of some of these major incidents, we shouldn’t be surprised when we see these types of incidents occurring.
MD: If you want to get better at mitigation, you’re saying there’s a pattern of events that slowly gets bigger. How can organizations and individuals prepare themselves to manage and spot these events?
SAS: In the last three years, we’ve had not one but three major incidents. We’ve had a global pandemic, we’ve had one of the most sophisticated cyber attacks we’ve ever seen, which was attributed to SolarWinds. And since the beginning of last year, we’ve had the war in Ukraine.
If you think about the pandemic in particular, what it showed is how many organizations and individuals understand what it means to be resilient. That’s organizational resilience, emotional resilience, crisis management – having these kinds of major events right in front of you and dealing with them.
We’ve seen a lot of companies rethinking their business models. We’ve seen companies embracing hybrid working. I’ve seen a mass acceleration to the cloud. We’ve seen companies invest in new technologies, new innovations, smart technologies – AI in particular – over the last year. These are positive changes that we can take away from that.
But the reverse of that surfaces if we think about SolarWinds and the war in Ukraine. We’ve seen this willingness, in particular, from nation-sponsored actors – Russia, North Korea, Iran, and China are the big four nation-sponsored actors. Historically, these actors would’ve been focused on espionage and stealth.
What we’ve learned is they don’t care when they’ve been detected! This thing that we’re looking at right now is going from disruption to destruction. We’ve seen this in Ukraine in particular where there’s a huge increase in destructive malware, wiper malware – you can think about it as ransomware without the extortion demand. It’s locking up networks, it’s encrypting machines, it’s wiping machines.
We’re seeing more actors who are doing these things, and it’s alluding to what I mentioned before with the scale of attacks. We see the run-of-the-mill things all the time, but ultimately, we need to be prepared for major events that are going to shift our perspective and make us pivot into having to take different types of solutions, and different types of actions as a result.
MD: You mentioned that fatalities and destruction of information are what these bad actors are building up to. What would you say are some of the true costs of these major incidents that probably go unseen?
SAS: A lot of it comes down to reputation damage. When you think about the cost of downtime, we’ve seen a change in tactics, even with ransomware operators. Some of them are foregoing the initial encryption and just moving straight to the exfiltration of data. They’re willing to take their time with reconnaissance and learn about the business. They want to know which data is going to cause the most impact and which data you really care about.
When these things are played out in the public domain, it’s about trying to stir the emotions of the general public. Whether it’s personal data, private data, maybe medical data, and even what we’ve seen in the last few months with regards to the Electoral Commission [in the UK], people are concerned that a lot of their private data has leaked and has been leaked for a very long time. Even though you can argue that a lot of that data is already in the public domain. But again, it’s the emotions behind it.
And arguably, a lot of attackers want it to be played out in the public domain because it puts more pressure on the organization. It’s in the media, it’s in the public domain. There’s lots of pressure coming from you, from customers, consumers, and partners. All of those things are bearing down on you. You’re under extreme pressure to decide whether you pay or don’t pay or whatever the case may be. They’re trying to bring that level of manipulation and control to force you into making a decision that maybe you wouldn’t normally make.
And as technology gets better at blocking known threats, a lot of the attackers are going backwards into social engineering. Why would I waste my time trying to break into your network when I can go directly to the source? That source is people themselves.
We’ve seen actors who are very blatant with regards to their willingness to buy credentials, buy a multi-factor authentication (MFA) bypass. You can think about it in the current climate, that there are more people who might be willing to turn a blind eye with the economy potentially going into recession and the interest rates going up. Sometimes they’re going to be willing and able, and that means they turn into an insider threat.
MD: How does Microsoft promote a culture of security among its employees? And what advice would you give to other organizations that are seeking to improve their security culture?
SAS: It’s a lot of “lead by example”. If you think about Microsoft, it’s a household name. It was founded in 1975, which makes it the granddaddy of Big Tech. Think about how many individuals and organizations are utilizing Microsoft products: Windows, the cloud, Xbox, Bing, LinkedIn. When you have that many people across the globe utilizing one or more products, you bear a lot of responsibility for that.
If I think about Office, for example, and Teams, and lots of people all of a sudden utilizing collaboration tools – they’re maybe not familiar with those tools and what should be shared. You might have people who are trying to copy sensitive data from an application and put that into Teams. Teams will fire up with a policy tip and say, “This is personal data, this is financial data, it’s intellectual property. This is outside of policy.” This is educating people as it happens or when they’re doing it, rather than a week later when it’s been and gone.
It’s about empowerment. That’s a really big thing about how we help people to be more security aware without them even realizing it – when it’s actually being built into the process. It’s working with them rather than against them.
MD: Have you found any other initiatives or strategies to be effective? A lot of companies do just two weeks of training a year.
SAS: The problem with doing “30 minutes of e-learning once a year” is that it’s done from a compliance perspective. It’s a tick-box approach that focuses on how many people did the training. It’s very simplistic and not relevant to people’s different roles. What’s going to be relevant to marketing or someone in HR or an engineer is completely different.
When you have this one-size-fits-all approach, people just get despondent. They don’t particularly care. That’s one aspect with regards to having the security built in – making it personal.
How do we turn things around? A lot of that comes down to the language that we use. We have to stop referring to people as the weakest link, repeat offenders, a problem to be fixed. Telling people the things they shouldn’t do. All of these are negative and turn people off. So a lot of it is, how do we make it relevant, explaining why they should care, and making people feel empowered about what they can do rather than what they can’t do.
MD: Cybersecurity threats are always evolving. How should people stay up to date and keep their skills sharp?
SAS: The attacks are evolving at pace, and some of that is a result of access brokers – cybercrime as a service. The barriers to entry for many cyber attackers have reduced substantially. For a few dollars, they can buy exploit kits on the dark web and they’re ready to go.
We hear a lot in the media about the sophistication and the ferocity of some of these attacks. The reality is the vast majority of attacks aren’t that sophisticated. Over 80% of attacks are phishing – they’re still trying to do the simplest thing possible. If I can get you to willingly give up your credentials, or click an attachment that downloads malware in the background – happy days!
Again, put that into perspective with regards to identity and phishing and password sprays. Microsoft identifies and blocks over 77,000 brute force attempts every minute, and that’s because it works. So unless you’re a nation-state or a ransomware operator or some of those bigger types of organized crime, the vast majority of attackers are still doing the same thing they’ve always done.
From a resiliency perspective, it’s not about stopping every attack, it’s about anticipating them. It’s about how quickly you can detect and respond. The most important thing is learning from each attack. How did they get in or get access? If we’re talking about social engineering, did they have a specifically crafted, well-engineered email, or was it just luck of the draw because the person was stressed? Are we the target? Or are we just unlucky?
Analyzing these things is what actually provides the resilience. What I find is when we have near misses – you’ve evaded an attack, you just stopped it in the nick of time – people wipe their brow and move on. Actually this is a brilliant opportunity to learn and follow it through. What if it didn’t get stopped in time? What would’ve happened? What would’ve been the impact? What are the lessons learned? What are the vulnerabilities? What are the things we need to think about?
And on the positive side, the reason why it was stopped might be because you had a great plan. You had great technology, great processes, people are really alert – all of these things should be celebrated.
The key is that no matter what size organization, it’s thinking about the type of technology that they’re investing in. Sometimes we feel like we have to buy more tools, the newest thing. The reality, and even what we see at Microsoft, is that our people are vastly underutilizing the technology they already have.
Instead, think about what you’ve already invested in and how you can get the very best out of that technology. Is that technology being integrated? Is it getting the full visibility, or are things falling in between the cracks? I would hazard a guess that a lot of companies have already made investments in lots of different capabilities. They’re just not utilizing them or they’ve just not refined them. They’ve not set the right policies and the right conditions. They’re not doing that evaluation.
One of the great things is automation. Automation blocking known threats as quickly and efficiently as possible. And having something as simple as anti-malware. Anti-malware should be one of the key things that everyone should have, irrespective of the size of the company. Anti-malware, when it’s tuned properly and it’s detecting and it’s blocking and doing all the things that it’s expected to do, makes a huge difference.
MD: Where can people find out more about you and the work that you’re doing?