Exclusive interview with Lisa Forte – Social Engineering & Cyber Security Expert
Lisa Forte began her career working in anti-piracy intelligence off the coast of Somalia, before moving into counter-terrorism intelligence for a UK Government agency. Forte researched the process of online radicalisation by terrorist groups and the risky social engineering process undertaken by terrorist recruiters.
How did you enter the world of cyber security and how does it feel to have won the Top 100 Women in Tech Award?
I was thrilled to win the award. It is such an honour. I’ve undertaken a great deal of research and innovation in the field and I hope I can use this award to encourage more women into this amazing industry.
I got my first taste of cyber security whilst working in intelligence for a Government agency. I started focusing more and more on cyber tools and techniques to gather intelligence. My fascination with cyber security grew from there. I then led a big project that examined how the terrorist group, Islamic State, were radicalising British and European citizens online. I discovered that they were using “social engineering” also known as human hacking. It is a way of manipulating people into doing something they shouldn’t do to compromise security. My interest in cyber, and social engineering in particular, grew from there and eventually I left to join one of the UK Police Cyber Crime Units.
The Unit worked closely with other agencies such as the FBI and I noticed that almost all of the cases that we dealt with involved some sort of social engineering. Anything from a member of staff clicking on a link in a phishing email to giving out sensitive company details over the phone.
When I finally left the Unit to start my own company I decided to focus on social engineering and wargaming to help businesses protect themselves.
In your opinion what can be the biggest weakness in a company’s cyber defences?
I would say staff, however what is important to remember is that they can be a company’s biggest weakness or greatest defence. Investing in great training, ideally face to face, and hiring engaging speakers to deliver lunchtime awareness sessions can be a great way to raise both awareness and enthusiasm for security. When companies have really invested in their staff’s awareness and training you can see that there is no better frontline defence!
Companies should also test their staff to ensure that the awareness measures they are taking are in fact working by hiring an expert company to “pretend” to be the hackers. They will call up, send phishing emails and even attempt to gain physical access to your office. This will help you to identify the vulnerabilities you have before the real hackers do!
How big is the threat of a cyber-attack?
I am often asked this question. My answer, based on many years of experience of attacks, is: if you are a company that has staff, is connected to the internet and has money then you are very much a target. That pretty much includes everyone and that can leave people feeling a bit overwhelmed and even helpless. What you have to understand is that, for the majority of hackers, they are simply after money. They are running a business and therefore need to see a return on investment for every attack they attempt. For that reason if you make your business look less attractive or more challenging to attack a large number of these criminal groups will move on to an easier target.
You are also an expert in cyber attack wargaming. What does that involve and why is it so important for companies?
Cyber attack wargaming is a way of preparing your company for an attack. In the cases I have worked on I saw that often companies who didn’t have a tried and tested plan end up making the damage from the attack far worse. I help companies come up with plans and then test those plans a bit like you would with a fire drill. Wargaming involves creating immersive attack simulations that will force the C-Suite, IT, comms, HR and other key staff to make quick decisions and try and save the company. That way, if and when you are attacked, you will be able to respond swiftly, regain control of the situation and hopefully keep your company afloat. Too many companies never re-open after a serious attack and of those that do almost 60% don’t survive longer than 2 years. We have to change that both for the companies we work for and the UK economy.
How do you raise awareness of the cyber threat?
I do a lot of public and private events where I speak on these topics. I also have a hugely popular blog where I discuss cyber in a way my mum and dad could understand.
I think I am in a fairly unique position because of my background. My talks, for example, all focus on real cases that I worked on, what happened and the lessons that can be learnt from that case. Many of the cases I talk about are so shocking that people have even said they sound like they could be made into a Hollywood movie!
I think by using these cases I can really help audiences appreciate the true chaos and impact of an attack better than statistics ever could. For instance, in one case that I worked on the CEO of the company actually had to be sectioned and placed in a psychiatric hospital because they lost absolutely everything after the attack. In another case involving a law firm the attackers stole £1.7 million from the firm. The bank refused to reimburse and their insurance didn’t cover the loss, so the partners actually had to re-mortgage their houses to pay back the money to their clients.
One important thing to remember is that whilst the company is the direct victim of the attack there are always multiple human victims. That is something everyone can empathise with I think.
I love what I do and if audiences or readers can take away and apply just one tip afterwards then I see that as a win.
2018 saw cyber attacks increase at a shocking rate. Are we set to see this increase further in 2019?
I fear so, yes. Take phishing emails for example. Some of my FTSE 100 clients have reported that they were receiving around 10,000 per month in 2017. In 2018 this rose to almost 40,000 malicious emails per month! What is more concerning still is that the percentage of these emails that were spear phishing has soared. Spear phishing emails are far more dangerous. They are malicious emails that are targeting a specific member of staff. Attackers research that individual and write a very convincing email to lure them into clicking the link.
Attacks are not just increasing in number but they are also getting more sophisticated and harder to stop. Hackers are innovative and well-funded and that makes them extremely challenging adversaries.
Finally, one thing that has aided the increase in attacks is the sharp rise in connected devices that we have seen. Everything from connected assistants, kettles, fridges, trainers, thermostats and cameras means that there are more devices out there for hackers to attack. What is now referred to as an “old school fridge” for instance never connected to anything so hackers couldn’t connect to it. It was, in that sense, secure. Now that has changed, affording more opportunity for hackers.
As well as attacks against companies, personal attacks are just as prevalent. You are an expert social engineer, are there things that we can be doing as individuals to protect ourselves against personal attacks?
Attacks on individuals are increasing. In some ways they can be even more damaging than an attack on a company can be. One thing that I have seen a lot is people receiving highly targeted and convincing phishing emails usually with a malicious link or attachment.
In order to write these sorts of emails the hackers need information on you. They will likely go to social media to find out who you are. Let’s say you attended your child’s sports day last week and like most proud parents you posted on social media about how proud you were that little Daniel came first in the three-legged race. If I were a hacker I could discover the school Daniel goes to and write you an email that went something like this:
My name is Rob. I was the photographer at the Bristol Boys School sports day last week. I am contacting all the parents to see if they want to buy any of the photos from that amazing day. I actually got a few of Daniel winning the three-legged race! You can preview them from my website, link below:
robphotos.com/BristolSportsDay (since the publication of this post, this link has been deleted)
Would you click on that link? That small amount of personal information will leave you convinced it must be real. If you paused and thought about it though you may remember that the photographer was female or query why the school handed out your email address without permission. The problem is people don’t pause and think.
So as for my tips:
- Be cautious with what you post online. It can be used against you later.
- Never click a link or open an attachment unless you are 100% sure it is safe.
- Make sure all your home devices have updated anti-virus and firewalls.
- Use different passwords for each account. Ideally use a password manager to ensure your passwords are long and complex.
We read a lot about cyber attacks being launched by countries and elections being meddled with. How concerning is this new style of cyber warfare?
The first thing to note is that for 99.9% of companies state sanctioned cyber-attacks are unlikely. Your most likely adversaries are criminal groups. That being said, State cyber-attacks do threaten our critical national infrastructure and an attack on that would cause country-wide chaos.
I think cyber weapons are a tough thing to manage on an international level. If you think about how nuclear weapons are controlled there are weapons inspectors that go into countries and can detect if they are developing nuclear weapons, they can check the condition of those weapons and we can use satellite images to see if a country is moving/hiding or developing nuclear weapons. This would never work with cyber weapons. A country could be developing them anywhere, hiding them on USB sticks and using them anywhere in the world. Attribution of any attack is tough. I’m not sure we are ever 100% sure who launched any cyber-attack so for that reason alone it is a new, more anonymous dimension of warfare.
Fake news, meddling with elections and bot accounts on social media also threaten the free, democratic society we live in. Individuals will have to start thinking more critically about the things they read online and start checking sources of information more carefully.
Interested in booking Lisa Forte as a keynote speaker for your next event?