
Cyber expert Joseph Shenouda


"Cyber insurance takes security to the next level"

He was already under the spell of the world wide web as a child, and that love has never faded. Joseph Shenouda is a cybersecurity expert and does not mince his words. "It is now made far too easy for hackers. Companies sometimes have their windows and doors wide open. Then of course they're in, in no time."

The story of Joe, as he calls himself, was on the agenda of the "Boef de Baas" event 2021. Unfortunately, corona threw a spanner in the works and Shenouda had to be absent. A few weeks after the event, he is fit enough to tell his story. "Fortunately, I haven't had it as bad as many others, but you can tell."
The conversation takes place via Teams, and Shenouda turns out to be a versatile expert. He started, while still a student, as an installer of security systems and then made the switch to consultancy. "Whether I inform, advise or train companies, my main message is always that you can do a lot, but then you have to dig deep enough for the risks. If you have a treasure in your home, you have to protect it. Everyone understands that. Most companies also know very well what the risks are, but they do too little."

Who is Joseph Shenouda?

Joseph (Joe) Shenouda (1980) is a cybersecurity expert. After studying Law in Tilburg, he worked as a consultant and trainer. In his career he has helped various companies and (military) organizations worldwide with the development and supervision of cybersecurity programs. In addition, in the service of NATO, he has advised the member states on how best to arm themselves against nation state hackers.
Shenouda has been running his own agency Cyber Consult for almost twenty years.

Is that the most common mistake: doing too little?

"The most common mistake is that companies rely too much on hired knowledge and then think that it will be okay. You should always ask yourself how quickly you can straighten things out when it's your turn. I have been working with cyber on a daily basis, for years, and am still learning every day. There are also new techniques every day, so you have to consciously work with them to master it. Above all, companies need to invest heavily in their own knowledge. When I enter a company, I say in advance: I'm coming for six months and then I'm gone, but the work isn't finished, is it? What do you do with the accumulated knowledge? Will there be a project group? A complete team? Or do you prefer to lean on two people from the supplier you have walking around? I have experienced it at large companies that hackers have come right through the firewall and then everyone pointed at each other. Then you don't exactly have it under control, right?"

Why is cybersecurity still in its infancy?

"Cybersecurity experts have only been listened to since 2014. Moreover, steps have been taken in those seven years, but that has always been more out of necessity and threat. Consciousness is lacking. Cyber is still not an integral part of our working lives. In fact, many companies are only just getting started when it comes to measures. I always ask: do you have one hundred percent insight into what is happening on your networks? Do you monitor that? Do you get the suspicious things out of that? Are you alert to suspicious movements? Make no mistake, a company gets plenty of opportunities to keep a hacker out. That hacker must first go through the gate. Then he has to walk through the corridors, then up the stairs and then open the safe again. We call this the lateral movement, or the movements that the hacker makes on the network. These are easy to follow, but if you don't pay attention, you won't see those movements either. Compare it to a surveillance camera. Nice to hang, but if the guard is reading a book in between, he doesn't see any suspicious behavior."
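The "walking through the corridors" Shenouda describes shows up in authentication logs as one account reaching many different hosts in a short time. The following is an added example, not code from the interview or from Cyber Consult: a small Python detector that reads constructed logon events (the log format and all hostnames and user names are invented for the illustration) and flags any account that authenticates to an unusually large number of distinct hosts within a sliding time window. This is the kind of "looking at the camera images" the guard-and-camera analogy calls for.

```python
"""Lateral-movement fan-out detection over constructed logon events.

Added example: flags an account that logs on to many distinct hosts within a
short window, a pattern that is plain to see in authentication logs when
someone is actually watching them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (invented; not from any real system).
# Format assumed for this example: timestamp user source_host destination_host
SAMPLE_LOG = """\
2021-11-03T09:00:12 alice WS-01 FILESRV-01
2021-11-03T09:15:40 alice WS-01 MAIL-01
2021-11-03T13:02:05 bob WS-07 FILESRV-01
2021-11-03T13:02:09 bob WS-07 WS-12
2021-11-03T13:02:14 bob WS-07 WS-15
2021-11-03T13:02:20 bob WS-07 WS-21
2021-11-03T13:02:27 bob WS-07 DC-01
2021-11-03T15:30:00 carol WS-03 FILESRV-01
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, src, dst) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    events.sort(key=lambda e: e[0])
    return events


def detect_fan_out(events, window=timedelta(minutes=5), threshold=4):
    """Return {user: set_of_destination_hosts} for every user who reached at
    least `threshold` distinct hosts inside any `window`-long span.

    Per user we keep a deque of recent (timestamp, destination) pairs, drop
    entries older than the window, and count distinct destinations that remain.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, src, dst in events:
        q = recent[user]
        q.append((ts, dst))
        # Expire events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts.setdefault(user, set()).update(distinct)
    return alerts


if __name__ == "__main__":
    for user, hosts in detect_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} reached {len(hosts)} hosts in a short window: {sorted(hosts)}")
```

The threshold and window are deliberately tunable: an administrator's account legitimately touches many hosts, so in practice a baseline per account (or per role) replaces the fixed number used here, and the alert is the starting point for an analyst to look at what that session actually did.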

What are the chances that a hacker will be caught?

"If you arrange that monitoring properly, the chance is perhaps as high as 99 percent. Just as big as a good guard signals a suspicious movement when he continuously looks at the camera images instead of reading a book."

"Steps have been taken, but more out of necessity and threat than from consciousness"

Frankly, it seems to me like easy money. If you do ten attacks, surely one will be a hit?

"Besides the fact that you are criminal and can end up in prison if you are caught, it is indeed made easy for cybercriminals. Hackers scan and sometimes they see windows and doors wide open. With this you invite a hacker, as it were, to come and see if there is something to get from you. It's just like with regular burglaries. If you are properly secured, they will go to the neighbors. A smart company therefore looks at its own company with different eyes to find out whether a hacker easily enters. Companies often think that they are skipped, because there is not much to get, but you are very simply an IP address on the internet. And once they're inside, they often have a bite."

The risk of a hack is increasing very quickly, but the number of cyber insurance policies is not. How is that possible?

"Because insurance is not mandatory. A cyber insurer requires a certain degree of security, but many companies do not (yet) want to give up that control. They prefer to decide for themselves what they do or do not do. Only when cyber insurance is taken more seriously, as is the case in France, will the level of security rise. After all, every company is then obliged to meet certain conditions."

Are you in favour of insurance?

"Absolutely. Companies must first start very basically with components, including the NDR analysis (Network Detection & Response), but that is only the beginning. For better security, you will have to take many more steps. Cyber insurers often work with standards (ISO 27001, CIS Controls (CIS = Computer Internet Security) and SANS). These are a kind of playbooks for making a company more cyber-secure in all areas. As companies learn to embrace those standards, they can take their security to the next level step by step. It is now often thought that hackers are so smart, but that is the world upside down. We make those hackers successful ourselves. We have not given it priority for too long and will now really have to pull out all the stops to raise the level."

"We have to pull out all the stops to raise the level of security"

Do the risks increase when a company is bigger? Or could the butcher around the corner just as easily be hacked?

"The more people there are in your company, the more activity there is and therefore the more complex the security. So yes, the bigger the company, the more risks. Every person in a company is a risk item, because anyone can click on the wrong email or a wrong link. A butcher can certainly also have to deal with a hack, but the impact is usually limited to that butcher. A large company like VDL is still dealing with the claims settlement after three or four weeks and is out of the running for weeks."

You've also designed programs for military organizations and NATO. Is that much different from other companies?

"In fact, the security mechanisms are broadly the same. Only for the army you have to tailor the security a little more. There is no uniform sausage in defence and if there is, it often still has to be cut into small slices. With the army you have to think more in customization, because you have to take into account an enemy who also thinks differently. At ordinary companies I mainly look for generic solutions, with which I create a shell, as it were. In short, you can say that the more standard the company is, the simpler (and cheaper) the solution can be."

Insurers have, as it were, a double hat on. They have to inform companies about cyber insurance, but in the meantime they also have everything in order internally. Which cap is most important?

"That internal stuff, without a doubt. You can't sell a cyber policy if you ever get bad news or get hacked. Do you envision an insurer imposing requirements on a company that wants to take out insurance, while they have had an open house themselves? Then nobody takes you seriously anymore. A carpenter doesn't have a squeaky and creaky front door in his own home."

"An insurer must constantly take new steps and continuously update its products"

What knowledge does an insurer need to have in-house to be able to sell cyber policies?

"Every cyber insurer must always have its knowledge in order and respond to developments. What threat do we face when? Now it's ransomware, but tomorrow or next week there will be something else. The world of cybersecurity does not stand still, so an insurer must constantly take new steps and continuously update its products."

Are they doing that enough now?

"Yes, they do it well. Most insurers have (sufficient) support for these three standards (ISO, CIS Controls and SANS), which constantly update themselves and thus 'automatically' respond to new threats. Based on these standards, insurers do not have to do much more themselves. Until they end up in a higher segment. If an insurer wants to insure a large multinational, it has to look at a thousand more things than when it comes to an SME."

Is offering a cyber policy a task for insurers?

"I think so. Cybersecurity can cause damage that can often be prevented. That seems to me to be an ideal playing field for an insurer. The alternative would be for the government to provide coverage. That does not seem desirable to me, because it also takes the dynamics out of the market. If there is no competition, there is nothing for the customer to choose."

Recently someone said to me that it's only a matter of time before an insurer is hacked?

"I think so too. I have seen several insurers from the inside and I am honestly quite shocked by that. It is often lacking in top-level knowledge to really prioritize it. For example, it should not cost too much and to be honest, you get what you sow. In that sense, there is still a lot of work to be done at insurers, but the same applies to pension funds, for example."

What are the biggest risks that insurers run?

"That they lose data from their end customers that go a little further than just a name, address and bank account number. The second risk lies in the data of the company itself, for example in that of HR. Suppose a hacker gets hold of files of an employee who is in debt. Then that employee can just be the ideal target to log in to such and such a place in exchange for 20,000 euros. The third risk concerns no longer being able to function as a company. If an insurer is hacked, it is also out of business itself. And I haven't even mentioned the reputational damage. If an insurer is hacked, it can at least no longer sell cyber insurance. That reliability is really gone."

Unfortunately, you could not attend the Boef de Baas event. What had been your main message to insurers?

"That they have to invest in what we call vulnerability management. This is a continuous process and means that you have to constantly scan all your assets for vulnerabilities so that you can take action if necessary. If you constantly scan all the equipment, ranging from computers and laptops to servers, many, many vulnerabilities will come out of it. You should prioritize this, preferably by means of a patch, which you can best compare with a software update of your computer. In most cases, the holes are already filled. Because that's what you actually have to do: fill the holes and remove the vulnerabilities."
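The answer above describes the loop of vulnerability management: scan everything, prioritize what comes out, patch. As an added example (not code from the interview or from Cyber Consult), the Python below takes a constructed list of scan findings and turns it into an ordered patch queue. The finding fields, the scoring weights and the vulnerability identifiers are all assumptions made for the illustration; the identifiers are placeholders, not real advisories. The point it makes beyond the text is that severity alone is a poor ordering: a known exploit and internet exposure move a finding up the queue, and a finding with no patch available is not dropped but routed to a separate mitigation list.

```python
"""Vulnerability prioritisation over constructed scan output.

Added example: orders the findings a continuous scan produces so the
highest-risk holes are filled first, and keeps unpatchable ones visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str            # hostname as reported by the scanner (invented)
    vuln_id: str          # placeholder identifier, not a real advisory
    cvss: float           # base severity 0-10 as reported by the scanner
    exploit_known: bool   # public exploit or active exploitation reported
    internet_facing: bool # asset reachable from the internet
    patch_available: bool # vendor fix exists


# Constructed findings for the example; nothing here refers to a real system.
SCAN_RESULTS = [
    Finding("web-01",    "VULN-EXAMPLE-001", 9.8, True,  True,  True),
    Finding("laptop-17", "VULN-EXAMPLE-002", 7.5, False, False, True),
    Finding("db-02",     "VULN-EXAMPLE-003", 8.1, True,  False, True),
    Finding("web-01",    "VULN-EXAMPLE-004", 5.3, False, True,  False),
    Finding("hr-srv-01", "VULN-EXAMPLE-005", 6.5, False, False, True),
]


def risk_score(f):
    """Additive score (assumed weights): base severity, plus uplift when an
    exploit is known and when the asset is exposed to the internet."""
    score = f.cvss
    if f.exploit_known:
        score += 3.0
    if f.internet_facing:
        score += 2.0
    return score


def patch_queue(findings):
    """All findings, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def split_by_action(findings):
    """Split the ordered queue into 'apply the patch' and 'no patch yet, mitigate'.

    Unpatchable findings are not silently dropped: they need a compensating
    control (isolation, configuration change) until a fix ships.
    """
    ordered = patch_queue(findings)
    patch = [f for f in ordered if f.patch_available]
    mitigate = [f for f in ordered if not f.patch_available]
    return patch, mitigate


if __name__ == "__main__":
    to_patch, to_mitigate = split_by_action(SCAN_RESULTS)
    print("Patch now, in this order:")
    for f in to_patch:
        print(f"  {risk_score(f):5.1f}  {f.asset:<10} {f.vuln_id}")
    print("No patch available, mitigate:")
    for f in to_mitigate:
        print(f"  {risk_score(f):5.1f}  {f.asset:<10} {f.vuln_id}")
```

In a real programme the inputs come from the scanner's export and from an asset inventory that knows which hosts are exposed and what they hold; the scoring here is intentionally simple so that the ordering is explainable to whoever has to schedule the patch windows.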

What would you do differently tomorrow if you worked for an insurer?

"I would make more noise. Cyber is still a neglected child among insurers. They can show much more the importance of good cyber security. So there's work to be done, because they also kill two birds with one stone. Insurers not only lift the company to a higher level of security, but they also take away the pain if a company is still hacked. And the latter is only a matter of time for most companies. They now often think that it does not happen to them or that they have their affairs well done. Pure underestimation, because certainly afterwards companies, no matter how big or small the hack was, usually regret that they did not pay better attention."

(Text: Miranda de Groene. Photography: Ivar Pel)

"Cyber is still a neglected child among insurers"

