DELIVERED

Protecting your business from cyber threats with Bojan Belušić

Infinum Season 1 Episode 8

In this episode of Delivered, you can learn about the best practices for safeguarding your organization from cyber threats.

We sat down with Bojan Belušić, a seasoned cybersecurity expert, to discuss how to identify and prevent the most common types of cyberattacks today, the impact of emerging technologies on cybercrime, cybersecurity regulations, and the Security by Design approach to product development.

Key learnings:

  • Learn how to identify and prevent the most common types of cyberattacks today
  • Discover the impact of emerging technologies on cybercrime
  • Explore the Security by Design approach to product development
  • Understand the importance of external penetration testing
  • Get familiar with the most important cybersecurity regulations and standards



Thanks for tuning in! If you enjoyed this episode, hit that follow button so you don’t miss our next delivery.

Delivered newsletter
Delivered episodes are recorded live. Subscribe to our newsletter to stay informed about upcoming live events. When you join a live event, you can ask our guests questions and get instant answers, access exclusive content, and participate in giveaways.

About Infinum
Delivered is brought to you by a leading digital product agency, Infinum. We've been consulting, workshopping, and delivering advanced digital solutions since 2005.

Let's stay connected!
LinkedIn
YouTube

Hello Bojan, and welcome to Delivered, my friend.

Thank you, Chris. It was a wonderful introduction. Thank you so much and thank you so much for having me. I'm really, really excited to be here and honored to be here as the first local guest. It's great. Thank you very much for having me.

It's quite emotional. Yeah, yeah, it is. And also, I'm really pleased you're here because just learning about your world and what you do has brought me hope and fear in equal measure, based on what is happening in the world right now. So before we jump into that, I think we should, just for the benefit of our audience, talk about you. Let's just talk about who Bojan is and how you have become this kind of cybersecurity Jedi, almost.

Nah. Yeah, I wouldn't go that far. So I actually graduated in engineering and electronics, and I graduated during the years of the financial crisis. So there wasn't much work in electronics in Croatia. So I stumbled into IT, and my first job was as a system administrator in the payments and card industry. There I started working with security experts, started working with the security standards, and got taken into disaster recovery concepts, business continuity concepts and stuff like that. After that, I worked in an IT audit department in a bank, where I got even more into security, privacy, compliance, IT governance and stuff like that. But ultimately I wanted to return to IT, to development, to engineering. So I came to Microblink to work as their head of information security. I have been there for a year and a half now and I'm really pleased to do this for Microblink because it's a great company. We have a great product. So yeah.

I'd love to maybe take that in a little bit more. I mean, I sort of mentioned very briefly that it's computer vision software powered by AI, which most things are. I'd love to just explore what that really means, for the audience.

So we are doing software components like mobile SDKs or self-hosted applications that do document verification or document scanning by using AI models, so machine learning. And we managed to do that in such an efficient way that the AI models can be powered and run on mobile devices. And we have been doing that for 10 years now, and even more, so it's really, really efficient, and even our clients are surprised that this is all run on mobile devices. So I'm really, really proud of the company and the product we have.

Yeah, sounds super cool actually. And it reminds me, I used to, back in my years, 20 years ago now, do IT for my first job, doing system administration and threat prevention. So it feels like the world has definitely moved on much more now; the world is all connected and becoming more and more connected. And when I was researching around this, and Infinum did some great research on this as well, the thing that really surprised me and scared me a little bit was this whole thing about the breach that happened earlier this year, in January, about data being compromised. I think it's 26 billion records and emails I have here on my prompter, which for me, I was like, how is that even possible? And the fact our research was saying about the 9.5 trillion in damages across the world. These numbers, I was like, it's so much bigger than I actually thought it is.

And it looked even worse in the beginning, but then the researchers found out that it's just data being sold from various previous data breaches. Some new data was there, but yeah, it's still a huge thing. And these kinds of data sets of breached data are then sold on to other cybercriminals and criminal groups or state-sponsored groups that use that data to do even worse crimes.

So it's a whole chain of just madness and chaos. I think that's what also makes me think about this: it isn't just about keeping yourself and your devices and your personal profile safe. Because what I've always realized is that the single point of entry or failure sometimes is the person, and at a business level, where you have hundreds if not thousands of people, this is where we need people like yourself to maintain a level of security framework and just keep people aware.

But it should be viewed holistically, as everything else in the world, and security too. It's not just accounts or data; it's also about human resource security. It's about thinking about procurement and analyzing the stuff you buy and use. So it's a whole connected thing. It has to be viewed from different perspectives, and only in that way will security get to a higher level. You can be certain then that it's doing the right thing.

Absolutely. I'm thinking about an example here that I also learned on this discovery of cyberattacks and the threats, and the name that came up quite a lot was LastPass. Ironically, they are the password protection company. Sorry, LastPass, if you're listening to this. But yeah,

We were a client of LastPass, and LastPass disappointed a lot of people in the world in the last couple of years. They had a big breach in August 2022, where a hacker stole some source code, some documentation, credentials, and used it to copy the customer database, some data, encrypted passwords, but also some stuff that wasn't encrypted. And so they used it to gather more data and even try to break into some other account vaults and stuff like that. And it all happened just because one DevOps guy from LastPass used his personal computer, which was really unprotected, unpatched, and he used it to gain access to some, I'm not sure, was it a test environment or a production environment? And he had an old, malware-infested program on it, and it took the credentials, and the hackers gained access to all of this data. It's crazy. And it was a huge, huge, huge problem.

For context as well, I'm just looking at the numbers here around this. I mean, I feel like I'm perpetually being surprised over time as I read about the implications here. It's like hackers siphoned off 4.4 million worth of crypto from LastPass users in one day, in one day, 35 million total over 150 victims. That is insane.

And the reputational damage was tremendous. They lost a bunch of customers, and in the end it came to lawsuits from the people that were directly affected. So it was a whole bad ordeal.

It's so true, and it's a really good point actually. It made me think about when we are trying to, not so much, I mean it's not really selling, it's more just advising. We always try and be like the guide with our customers at Infinum, and it's like you can pick what services you think you want, but we'll always tell you what we believe is best for you based on your circumstances. And with cybersecurity as a service that we have in SecOps, and those are very technical but safety-driven services, it isn't just about the technical, like you're saying. It's like, actually, we're trying to protect you from legal repercussions, reputational damage, mistrust from the customers. So really we may come in at a technical level, but we're trying to help them at a business consultancy level. So I think that example is, yeah, great.

You have to have the trust of your customers, but you also have to have and build the trust from internal stakeholders, employees, owners of the company and stuff like that, shareholders.

So, you have to think about all of this together.

It's a lot, isn't it? I think it's just, if anything, it is trust. It's a very hard thing, what's that saying, it's easy to lose, hard to rebuild. And so I think buying cybersecurity anything, or at least being aware of it, is so, so important for companies that scale as well. And I think just looking at what cybersecurity brings beyond that, I mean, what else can we do? What are the measures, I suppose, and the benefits of cybersecurity beyond just keeping your data safe? Are there any other benefits, I guess, for people watching this, that it brings to people?

It is definitely the financial side. The penalties from regulators, they can be tremendous.

This is the first thing. And the second thing is loss of trust from customers. When you start losing customers, you start losing revenue, but then in the end, if something happens to the data of your employees, you could have people leaving the company because of that and not getting new employees because of the bad reputation.

So it is, it's significant, isn't it? It's big. So I'm just thinking about practicality here. So let's just role-play this out with me. I have a shoe company, a global shoe company, we'll call it Bradshaw Boots. I have 10,000 employees around the world. It's a big company, great boots. What are the common types of cyberattacks that I, as a business owner, should be conscious of and could be at risk of?

People are the weakest link, as always. And the most typical entry point for an attacker is the phishing email, because it is the cheapest one, the most common attack. And they mostly try to do a financial scam where an attacker tries to trick an employee by giving fake account numbers or something like that, or acting like the CEO trying to make a hasty payment, something like that. Yeah,

Got it.

But also these phishing attacks could be used to prepare carefully planned attacks called spear phishing to steal account credentials. And another very popular tactic right now is to try to download or upload malware onto people's computers. Yeah, malware. It is still there. It's still popular. It didn't go away, sadly.

And the most popular right now are info-stealer Trojans. They are trying to also get account credentials like tokens and stuff like that.

Yeah, I suppose it's worth mentioning the phishing thing at a very baseline level, because all these different things are more sophisticated versions of the phishing act, and phishing is essentially when you are given an email or a message that you believe is from something trusted, and it obviously isn't. And then I action that email or message and do something or click something, and that's just the start, and then it starts to build up and build up. Right. Okay.

And the final part, the most popular and the most lucrative way of attack is ransomware right now. It's really a business, a cybercrime business, and they said that it exceeded 1.1 billion in 2023. And you have these big criminal groups like LockBit, BlackCat; they target the vulnerable computers and servers to gather sensitive data and then extort companies, and nobody's safe, they will attack anybody, especially if they know some companies have money, and they will attack government agencies, they will attack healthcare, hospitals, even.

Just anyone, anyone, anyone. So it is a big problem. That's a big problem. Yeah, it really sort of puts things into perspective. That is the level you're dealing with as well. It's like, if you are perceived to have any value that could be leveraged as ransomware. It almost sounds like it could be a movie as well, the ransomware attack or whatever, but a really bad movie maybe. But I also want to talk a little bit about, so they're the types of attacks, a sliding scale of attack. It wouldn't be a Delivered conversation, I don't think, without at least mentioning AI, because every single thing in the world at the minute, especially in this year, has an AI component to it. How does that apply to this equation? Because I see it as the hackers, you have the black hats and the white hats, and it's like AI can be used for good but can also be used to amplify terror in a way.

Definitely.

Where do you see AI in this equation?

I mean, AI helps every kind of business, and it also helps the cybercrime business, but it also helps people like me that are trying to fix stuff. So yeah, people in cybercrime, they're using generative AI to write better-sounding phishing emails. They're trying to make fraudulent phone calls, even fake videos. So this is used to make some sort of financial fraud usually, but it can be used for anything. And we also had proofs of concept that tools like ChatGPT were used for writing malware. So it's not that sophisticated to attack maybe computers and servers at the moment, but there is low-hanging fruit in operational technology, in the internet of things. So even the FBI is trying to make us aware that these tools are being used at the moment

for that. Yeah, I would say that topic as well as this topic together are the two most exciting and concerning ones I've come across when we're doing Delivered, where it goes. I suppose what makes me think about it a little bit is the recent research Microsoft and the Atlassian engineering team have been producing, where it just creates really real videos of people now, where they can feed it a still image and it sounds completely like a human being. That makes me wonder how easy it is to replicate someone's face to pass verification, authentication, et cetera, et cetera.

My company is doing that. We are trying to reward it, and yeah, we have really great results in that, and we are using AI to spot AI and fake stuff.

I've noticed that at the minute, one of my favorite things, and it says a lot about me as a human being, is when I see posts or maybe even blogs which have clearly been written by AI. You have that sixth sense, and they've also got AI detectors now; you put it in there and it's like, yeah, 80/20 percent. So I'm like, come on. I mean, you've just done that. Fine, I get it. People need to do that. But yeah, I mean I guess that's a real-life thing now that we will have to continue on forever: continuous new innovation in cyber threats but also cyber protection. Yeah, it blows my mind a little bit how fast this is moving. I suppose just talking about the level of cyberattacks and things like that, still to stay in this dark region of pain, what are the most recent ones in recent years that you know of? Because I'm a big believer that even if it's happening and it's been bad for the world, we can learn as a species from that to adapt and, again, keep this endless battle of good and bad.

Definitely. And this is especially true for the security community. We need to share more information about incidents happening to other companies, especially similar to you, that are using the same tech stack. So there were attacks and breaches all over, from the health industry to government. But for us, for me especially, coming from a software developer company, the most interesting are the problems happening to similar companies. And one of the biggest learning points was the LastPass incident, but also similar is the Equifax incident that happened a couple of years ago. Interesting. So the cyberattacks are most painful to the companies that are dealing with security and trusted services, because customers lose their trust in those kinds of companies and don't want to use their services anymore. But also in the security community, the biggest spotlight is not on data breaches but on supply chain attacks, because these kinds of attacks can have an effect on a huge base of companies, and state-supported APT groups, the cybercrime groups that are funded by governments, they have the most resources and they want to target the most widely used software, like open source, like software used in development. CircleCI, ALA had incidents in the past couple of months.

They also target software used in service provision, like Okta. They had a big incident a couple of months ago, and their incident overflowed to AIA. So it's all connected. And their example, like the AIA example and the Okta example, that's a great example of how cyberattacks should be disclosed to the community to help us prepare ourselves better for similar events.

It's a good question. I always think about that. It's like, at what point is it right to share this information? And of course, like you're saying, the more we can share as company to company, the better we can be as a community to prevent and wrap our arms around protecting ourselves. But it's not always in the interest of the company, driven by company trust, shareholder value, to disclose that. It's really interesting how that happens. And I believe what you're saying, we should be more open source and we should be doing that. And I think half the people in the world would do that. The other half might not, which is just human nature, I guess. Yeah, it is. Unfortunately we can't change that, but what we can do, at least here right now in this conversation, so we talked a lot about what has happened and what can happen, with great examples of big companies. So going back to, I guess, my weird little boot company, if that was to be attacked and had a threat, and say I'd employed a Microblink or Infinum or someone as a partner and we say, hey, business owner, we can see that something's happening. What are the first steps you would start to take? I think if you were to be flagged as a threat and it's maybe compromised something, where does that start as a business owner?

I mean, you see strange things happening. You see strange emails, strange use of your accounts, something like that. And it becomes the worst when you see something is missing or something is unavailable, or you can't reach a disk or a server or something like that, and then it becomes a real problem. But it's really important that all companies have incident management trainings, so they are aware and prepared to do the steps they need to do if something like this happens.

Yeah, definitely. I always think about what you said before about it being a people-first problem, essentially; that's the highest impact. And I think about these big corporations where you could have high-ranking individuals in that corporation who could then be imitated in some way, sending a request to a lower-ranking officer in the business with really hard urgency, do this thing right now. And by the nature of someone wanting to please their boss, they're like, yep, okay, I'll just click the link. I'll do the thing. I guess that's the thing people need to be aware of, if something is happening like that. And this happens every day, you wouldn't believe it. I can imagine, every day. Yeah, it's like, pretend whatever, VP, CEO, whatever, saying to someone, just do this thing, which is quite often pay this company this amount of money, it's urgent, we have to do it right now or the company will stop existing.

So I guess the first level of protection is just, well, awareness, and a little bit of skepticism as a human being, to go, why am I even doing this? Yeah, maybe that's the first phase of everything. But yeah, that makes a lot of sense. And I guess it wouldn't be a conversation about security without regulation creeping in. I know regulation sometimes can feel a bit like, isn't that a governmental thing? Actually it's not, is it? It's actually a bit of both.

Especially in Europe, the EU likes to impose regulation for everything. But I think in security, regulation is really, really important, and standards are really, really important. And regulation is also a lever to raise awareness in some way, especially for the stakeholders that are deciding on things. And especially if you point them to the hefty fines, then they start investing a lot of money and resources into stuff like security. And I think we should have more support for our cause and more resources and more people doing stuff to get to better security.

It's almost like a mandatory service; really, in everything you build, it should just be a line item. There must be some cybersecurity of some sort put into whatever, whether it's a product, a service, an automation, whatever. And it is a big thing that we're trying to really educate both our new clients and existing clients on here at Infinum: it really is a mandatory thing that you should be aware of. At the very least, have a conversation with us about it. And of course we do free audits, things like that, for people. But yeah, it just makes sense to have it now, doesn't it? Because it's getting more and more sophisticated.

It's not just sense. You really have to have it. You need to have it. And there is so much regulation right now; you already have DORA and the NIS2 directive that is affecting finance, government, utility and service providers. And now we will have the Cyber Resilience Act in the EU that will be a directive that will require software developers that provide code for devices that are connected to the internet to have some security standards and do security in all of the steps of the software development life cycle.

Interesting.

And think about security in all of the things you do. So you really have to start thinking about it, and not just thinking about it, doing something.

I know what you mean. Ideas are kind of cheap, so to speak, as is talk, I suppose, in some respects. It's like actions are what really matter. And I guess we looked at things that have happened in the past, we've looked at what's going on right now in the world, so maybe to look to the future a little bit, what sort of trends are you seeing in cybersecurity? Is there a trend business owners, executives should be aware of that they can start to explore if they're keen to do something after hearing this particular conversation?

So IT, and especially software development: we started using it in the sixties, seventies, started writing code. And we started thinking about security in the nineties, the good old days. My role didn't even exist like 15 or 20 years ago. So things are starting to change, and they are starting to change for the better. But it's a process. And I would say that especially in the software development industry, the biggest thing at the moment is Security by Default and Security by Design. Interesting. And even the regulation, as I mentioned, is pushing us there. So the EU's Cyber Resilience Act, the US CISA, the government agency for IT infrastructure, released their own guidelines for Security by Design. And I think that's the biggest trend there, because they want us to shift the responsibility from the users, the clients, to the companies that are providing the products.

Yeah, absolutely. Yeah, that's interesting, isn't it? How it's an accountability game really as well, because where does it start and stop? And I guess the reality is it needs to be, everyone has a piece of that journey to make it; otherwise it's just going to, again, find a point of entry where it all falls down, and then you get another example, LastPass, et cetera, et cetera. So that's a trend. But in terms of things like, I always hear terms in cybersecurity, things about SecOps and penetration testing and things like that. And these are just words that, I guess, if you illustrated them in the business, you're like, what does that even mean? So for me, what does that mean? Let's talk about penetration testing, for example, and maybe some common frameworks or methods that you see. What are the practical things to help people understand that, really, from a business point of view?

So first of all, you need to understand your products, what your company does and what the biggest risks are. You have to start with a risk assessment, and a penetration test is great to check the risks, what are the risks of your product, and especially if that product is something that's online, like an API or a webpage or a web app, or exposed.

Something that is exposed, or some app. And especially if it's dealing with some confidential data or private data; that's the most valuable data right now. And you have to start there, and you definitely need to use any method there to make your product safer. A penetration test is a great way to do that, and it has to be done by an external provider, somebody that's independent, somebody that's not burdened with your viewpoint,

Maybe like Infinum, potentially.

Someone like Infinum, definitely.

Maybe because it needs to have a fresh set of eyes, for sure. Seeing that, and then somebody like that will try to see all the nooks and crannies where you can take something that you shouldn't have, or get into something that you shouldn't have, and stuff like that. The best practices are that you do it with every major release, when you do a bigger change or start using something new, implement some new technology. But you definitely need to do it periodically as well, because sometimes you forget what all the building blocks of something are, and you need to periodically reassess, okay, is this building block still safe, or is it starting to rot? Yeah,

Yeah, like a house metaphor almost. Yeah. Got it. Okay.

And you really need to do it periodically and as often as possible. And it's the same with penetration testing, vulnerability scans, code reviews, code scans: the more tools you can use, the better your security posture will be.

Absolutely. It's almost like everything has to be accountable across the board, isn't it? It's like the people, the technology, the process, which is why you probably need that partner to really guide you through it, essentially. And also, I imagine it's a rhetorical question, because I know there is an answer to this that has lots of abbreviations, but I also want to ask you about standards. Because obviously you hire someone to come and help you with your business, they give you independent advice to guide you, to look around, find the flaws, help you fix the flaws, but then there's obviously standards in place. And I've got a list here of too many to even know off the top of my head: 27001, SOC2, PCI DSS in financials and HIPAA in healthcare. There's probably even more than I imagine, but for someone who isn't in this industry, essentially, or doesn't understand the abbreviations, it's a lot, isn't it? It is a lot,

Yeah. What is the importance of these standards in the industry for business owners?

Yeah, but the standards for me are great, because they are done by industry people that have been in that business, in that area, for a long time; they're experts. And these standards have been improved and improved year over year, especially the ISO standards. And I feel that ISO 27001 is a really great standard because it's not just for IT companies. It can be applied to any company there is, and it can be done in as much detail as someone wants. And it's a good standard that can be used to protect information, protect availability, protect data. So I really love that standard.

Right?

Another very popular thing right now, I would even call it a buzzword, is SOC2, and it's also mistakenly known as a standard, but it's really a standardized way of writing reports, or conducting audits and writing reports. And it's also focused on security and privacy and handling data. It's a good report, it's a great report, but when something like a buzzword comes out into the open, into the light, then it becomes a thing that's thrown around. And the compliance departments of various companies just ask, do you have this SOC2 report? Can you give us that? And they just tick the checkbox and do nothing with it. And I think that's the whole, it's a bad concept. You have to check, is this something that really suits me? Is this even affecting the business or the services I'm getting from this company? You need to reassess the things that are in the report.

So it almost feels to me like, so cybersecurity, I'm trying to put this in a really neat package. So much to package, essentially. It's definitely not just a journey, because you don't really end the journey. It's a circular, ongoing mission where there are checkpoints; it all points in the circle, which goes from people, process, framework, standards, technology, and back round again. Which is why, really, when you are in the art of running a company that has anything to do with digital. I think my video this morning, just talking about our talk today, was like, do you use the internet? You do. You probably need to use some sort of cybersecurity, something in your life. So yeah, so basically be accountable, keep that accountability going and flowing, keep education flowing, open source where possible, even if you're a company that's been breached, open source and talk about it. Yeah, it's a lot to package, isn't there?

A lot. Yeah, there is a lot. And the biggest thing, and I think this show, this event, is great to also raise awareness, and you have to start thinking and doing things regarding security right now, or even better, a couple of years ago. And that way you will get to a point where you're good at it sooner.

Absolutely.

And everything is at stake right now. Everybody is vulnerable and the more controls you apply, the better.

Absolutely. That's it. Almost. It's like a final thought to the conversation, but with a thought of not fear, but a little bit of apprehension. Start something now, at least asking questions and exploring this. That's where good practice starts.

And companies should have a designated employee or external partner that is focused only on security and privacy, because people need to have this in focus, and not some internal processes like service provision or how it is working and stuff like that. People need to be focused just on security.

I always think about it in a real-life situation like insurance: you never want to think about it or talk about it, but you have to have it, and then when you need it, you really need it. And this is obviously magnified tenfold, I'd say. So we've got a lot of questions coming through from many people, and we'll try and get through as many as we can. So I'll just casually read them out to you and then we'll see where we go with this. Okay. That's the best way. Okay, so the Q&A. We have one here. Thank you for the question. How critical will the role of a chief information security officer, that's CISO, so that was in the industry, become for an organization in the future, and what will their job be? So how important is a CISO in the future organization, and how will that job evolve?

I think it should be more and more important, especially in big organizations dealing with data, dealing with services that need to be available all of the time. And now everybody wants all of their services to be available nonstop. And people rely on data more and more right now. And I think the CISO should become a really important part of the company and a proper stakeholder there, with a seat at the table, almost.

And because every aspect of the organization should have some concern about security, you can't rely just on IT. You can't rely just on anti-malware software and stuff like that. You have to think about it, as I said in the beginning, holistically.

Yeah, absolutely. That's quite interesting, because that links to another question I've been looking at here, which is: how do you assess the effectiveness of your organization's cybersecurity measures, and what metrics do you use to measure success?

And that is a good question, and that is a million-dollar question.

It's not mine. I'm just a messenger.

But, continuously having internal audits, risk assessments, external audits, and, as the person mentioned, having concrete key indicators like affected computers, affected accounts, phishing emails, trying to see if your company is maybe being targeted or not, having SOC2 reports and stuff like that. So every possible number you can have, so you can measure trends. That's great.

Yeah, absolutely. I mean, that's a pretty good way to look at it. I wouldn't personally even know where to start. So I guess it's an iterative process. Like all of this, it has to be done. I mean, I think we could probably do one more question if you've got the energy for it. I know we've gone through quite a lot of things here, but I feel like we could do one more. Okay. Could you share some insight into your approach to risk management within the organization's cybersecurity framework? That's a big question.

Yeah. So risk management and risk assessment is also a tricky topic, because you have this whole bunch of methodologies. And again, I like the ISO methodology for risk assessment, but the most important thing for risk assessment is to start doing it. And the more iterations of risk assessments you do, the better and better you will get at it. And in the end, you will adapt the methodology to your organization, to what suits you best. And another important aspect of it, if you're a software development company, is doing threat modeling in the risk assessment process.

Interesting. So the moral of all this really is just get started. Don't ignore it. Even if it's just asking questions, start yesterday. Stop listening to this show, I'm just going to do something right now. I think I will start after this. I feel like I need to. So do that. Be accountable. Be open to sharing awareness and education with your team, your people, maybe even the world if you can. And yeah, just start, start, and try not to get too lost in the chaos that is out there. There's a lot.

It's a lot. But at least you're doing something to prevent that.

Okay. Yeah, I feel quite educated. My head's swelled a little bit from the education, but look, Bojan, thank you so much for coming on Delivered. It's been great to have you on and to just go through this world of cyber, cybersecurity, cyber threats. It's been great.

Thank you so much for having me. It was a wonderful experience. You're a great host.

Thank you very much. Yeah, well, our first live guest, so thanks again and we'll speak soon. Thanks so much. Okay. Take care. Thank you.