"The good news is that brands can rebuild trust… but that is an expensive process. So, it's really important to keep a focus on protecting yourself early on."
Nathan Anibaba is joined by Johan Dreyer, the EMEA field CTO at Mimecast – one of the world’s leading cybersecurity companies. Johan leads the UK and Ireland sales engineering team, who tackle their customers’ biggest cybersecurity challenges, such as stopping phishing attacks, fake news, and fake websites.
On this week’s ClientSide episode, Johan shares his insights on the importance of customer trust, as well as the vital role employee culture plays in cybersecurity vigilance.
Transcript:
Speaker 1:
This is ClientSide from Fox Agency. (singing)
Nathan Anibaba:
Johan Dreyer is the EMEA field CTO for Mimecast, one of the world’s leading cybersecurity companies. Johan leads the UK and Ireland sales engineering team, where each day his team takes on cyber disruption for their customers, tackling their biggest cybersecurity challenges, be it stopping phishing attacks, fake news, fake websites, or helping train their staff to be more cyber aware. Johan Dreyer, welcome to ClientSide.
Johan Dreyer:
Hi Nathan, I’ve been looking forward to talking to you again. Thanks for having me.
Nathan Anibaba:
Me too, thanks a lot for doing this. We had you on our webinar a few weeks ago, and now we’ve roped you into doing the podcast as well so super excited to have you back speaking with us. Let’s talk a little bit about your background at Mimecast because you’ve been with the company for almost 10 years now, you’ve held a number of roles, you’re now EMEA field CTO. Tell us what responsibilities you have and how do you help the company?
Johan Dreyer:
Oh, it’s a pretty cool role, Nathan, and one that I’m proud to have been able to reach in my tenure with Mimecast. My primary role really is to help focus, or help align the priorities of our strategic large enterprise customers with our product team in the direction that we’re taking as an organization. What that means is I get to spend a lot of time with lots of different stakeholders, whether on the ground, technical or senior executive leaders, to understand what’s going on in the market and in the world and then just across our customer and channel community, and then bring that back into the organization and share that with our go-to-market and product and engineering teams to try and inform and define where we go as an organization, but also how we come back to the market and then share the information that we have, or share the tools that we have.
So, it’s really cool. I don’t do this by myself. I’ve got a couple of peers who cover the US and APAC regions as well, so that ensures we’ve got global representation across the board.
Nathan Anibaba:
And Mimecast’s focus is to deliver relentless protection. Tell us a little bit more about the company. Who are your typical clients, what problems do you solve for them?
Johan Dreyer:
We started out as an email security and management company, when our CEO, Peter Bauer, and Neil Murray, the founder back then, realized that there’s a lot of complexity that goes into email ecosystems, and they set this goal to manage and simplify that. Fast forward a couple of years and we’ve grown quite a lot as an organization, and focused our energy on creating valuable integrated solutions to help our customers become more cyber resilient.
We do this by helping customers protect their brand through digital asset monitoring, keep their employees safe from cyber attacks that start with email, and also allowing employees to keep communicating with their customers when something prevents access to their corporate email or collaboration tools. We’ve got about 40,000 customers all over the world now, and that keeps growing, which is incredible and amazing. It was nowhere near that when I started in the organization almost 10 years ago, as you say, and that covers pretty much every industry, every vertical, every size of organization. So generally, we don’t have a specific ideal customer. We appeal to anyone who uses the internet as a means to do business.
Nathan Anibaba:
Absolutely. Let’s talk about the brand trust element of this because that’s one area where you help your clients. I mean, brand impersonation attacks really have been on the rise across the globe in recent years and pretty much everyone is at risk. As you say, it’s not specific to any particular industry or geography. All companies, pretty much of all sizes, are at risk here when brands are impersonated. Explain some of the tactics that cyber criminals are using to exploit brands when it comes to brand impersonation.
Johan Dreyer:
I’m probably going to be a bit biased in my response here, Nathan, given where I work and where we primarily focus our attention, but most common tactics that I see, or that we see, by far are impersonation of email. So, attackers or threat actors, creating emails that look like they come from an organization’s email domain, or that look like or follow the template or branding that they would normally use for communications, and trying to use the brand trust that’s built into that organization or the brand they’re representing to get the recipient to take some form of an action or click on a link.
The other aspect that we see quite a lot of, and again, I think this will resonate with everyone that’s listening, is the creation of fake or lookalike domains or websites that look very similar to, or adjacent to, a well-known brand and exploiting that trust to get folks to take action. An example of this: just yesterday, I received an email confirming a purchase of £55 from Amazon, and advising me to click on a link that looked just like an Amazon help link. I mean, it wasn’t, but it looked very similar, and it suggested I click on the link to dispute the payment.
Now, being inquisitive and working for a cybersecurity company, I’ve got access to some isolated environment, so I put the link in there and I clicked on it to see where it would take me. Thankfully, the Mimecast service blocked the link so I wouldn’t be able to be compromised, but what they were trying to do is capture my Amazon login and password and then they’d use that to start enacting transactions and shipping things using my stored credentials, or use those passwords elsewhere.
The same thing happens in the corporate environment. So we commonly see brands such as Microsoft and Google and Salesforce, to name just a few, being impersonated and trying to get employees to click on links that capture corporate credentials, or capture corporate information.
Nathan Anibaba:
I mean, it’s absolutely terrifying. I come across, and I’m sure everyone listening to this has come across, those sorts of emails and links both in their business and personal lives. Talk a little bit about the impact that brand impersonation has on a brand such as Amazon, for instance. Are we forgiving, or do consumers really take that to heart and maybe start to shop elsewhere?
Johan Dreyer:
It’s huge, Nathan. There’s a Frost & Sullivan report and research that showed that 48% of survey respondents had stopped using online services because of a data breach. That sentiment’s reflected when you look at some of the breaches that have happened in the last five to 10 years. An example that comes to mind for me is, in 2015 TalkTalk had a data breach and that’s estimated to have cost them about £60 million and 95,000 customers, if some of the data that’s online is to be believed.
Nathan Anibaba:
Incredible.
Johan Dreyer:
Now, the good news is that brands can rebuild trust. You look at TalkTalk now and they’ve rebuilt trust and they’re attracting consumers, and they’ve had record growth since then. So, where consumers will lose faith and trust, brands have the ability to rebuild that, but that is an expensive process. So, it’s really important to keep a focus on protecting yourself early on.
Nathan Anibaba:
So, how can brands protect themselves? Aside from using Mimecast, of course?
Johan Dreyer:
I think there’s a number of different things that brands could do. The HMRC is a good example of exactly this. So, in about 2012, 2013, 2014, HMRC saw a massive uptick in tax return scams and scandals, particularly in emails impersonating them. So, they embarked on a big journey to implement and ensure that their DNS records and things like that were maintained and up to date. Some of the stuff is going to cost organizations virtually nothing, some of it will require some outlay or investment. So, things like making sure your SPF records are up to date, setting up digital signing, or DKIM signing, of your email communications to make it harder for parties to impersonate your email communications’ names. Ensuring that you deploy technologies like [inaudible 00:08:42] which allow you to, first of all, define whether something that is sending on your behalf is authorized to do so and that it is validated as being from you, but then also being able to define what action the recipient system should take if it’s not validated or authenticated as coming from you. So, those are some things that organizations could do, which either have no or very little investment to get them up and running, but do take a bit of effort and a bit of work.
Taking that a step further, we’re seeing … One of the things we do as an organization, and one of the things that there’s a big industry spinning up around, is digital asset monitoring. So, the idea of being able to keep an eye on your domains, your brand, your websites, your log-in pages, and where similar spaces or similar assets are popping up on the internet and what they are trying to do.
Sometimes there’s a legitimate reason for it. Sometimes it is a different organization that has legitimate business interests. Sometimes it’s your website being copied for malicious purposes. When that happens, having an eye on what’s happening in the market means that you know early enough to start taking action against it. Some of these services will offer the ability to support you in the process of taking those down or requesting a take down of those digital assets. That then becomes important because not only are you keeping an eye on what’s happening out in the Wild West of the internet, but you’re also then trying to take action when things happen. So, putting blocks in place and informing search engines that these are infringements on trademarks, on copyright, potential malicious actors, those kinds of actions go a long way in building trust and making sure that you’re protected.
Nathan Anibaba:
So then, aside from impersonation attacks, what other cyber threats should brands be aware of today and how can or should they protect themselves?
Johan Dreyer:
Outside of impersonation, one of the most prolific in the news right now is ransomware attacks. You only have to open your favorite newspaper or news website and there’s probably someone in there that has suffered some kind of a ransomware attack. Those are absolutely key to keep an eye on, and what organizations need to be looking at in this aspect is: how do you ensure that you’ve got an independent backup copy that’s there? How do you ensure that it’s tested and you can bring it back online, should you need to? What kind of tools and services have you got to keep your employees and your organization productive if you did get locked out of your data, or your systems? So how quickly can you get back online and up and running?
Credential harvesting has become a big thing. People’s usernames and passwords are valuable, depending on what the action is that the attacker wants to take. You could sell credential databases on the black market, on the dark web, for immediate returns. You could leverage credentials to access someone’s corporate network and use that as a launch point to launch attacks to compromise additional environments and systems, so credential harvesting is quite significant. Again, that goes back to trust: it exploits the brand to harvest those credentials and capture them, and then leverages the brand itself to spread that threat further on. So, you want to be careful of those kinds of aspects as well.
Nathan Anibaba:
Whose role is it to protect the organization here? Is it the CISO? Is it the head of IT? It’s a thankless task in many ways, because if there’s no attack that happens, then they’re not thanked, but as soon as there is an attack, then everyone’s pointing their fingers saying, “You’re at fault.” So, they can’t really win to a certain extent, but a lot of what you’ve described, the actual users, the employees within the company, are the ones who are really responsible for making sure that they protect themselves and they don’t expose their organization to risk. So, whose responsibility is this within the organization, to ensure that cybersecurity is maintained? Is it the leadership team at the top, head of IT, CISO, or is it employees a little bit further down?
Johan Dreyer:
It’s everyone’s role, Nathan, is the simple and straightforward answer. It’s our role as employees to ensure that we maintain good practices and that we stay vigilant. I use the example of not handing out your bank account details, or leaving your bank account details lying around in public. That applies as much in my personal life as it does in corporate life. I shouldn’t leave my passwords hanging around. I should be vigilant and concerned about what links I’m clicking, what kind of conversations I’m having around whom. Who can hear me, who can’t hear me? Those kinds of things are what I need to be able to do as an employee of an organization. I think the organizational role and responsibility then comes down to how leadership set and mandate a structure and strategy to facilitate those environments.
So, things like do we have an enablement and education process, and structure, and a mandate? Do we make the tools available for our IT organization, our security organization, our HR department, to then cascade down through the necessary levels of engagement from employees, the necessary education, the work process environment for it, to do it? It could be simple tips, like if you’re working in a public place, turn down the dimness on the screen of your mobile device or your computer, because that reduces the angle at which someone could necessarily see, so they’d have to look physically over your shoulder.
It could be things like handing out privacy screens, that makes a big difference. It could be helping people understand that, when having a sensitive employee discussion or conversation in the lounge while working at home with other people around, they’re family members, you think nothing of it, because you do have lots of conversations with family members that are sensitive to your personal life. However, when you’re discussing someone else’s situation, that dynamic changes and we may not be thinking about that all the time. That sort of conversation, enablement, discussion is set at the leadership level and then enabled and cascaded and executed at the director, or at the executor of the board … It’s set at the board level and then it’s executed at the executive, director and management levels.
Nathan Anibaba:
It’s interesting to hear you say that actually, that the solutions can be as simple as, and non-tech savvy as, turning down the dimness on your mobile phone, because a lot of people would’ve assumed that there’s far more sophisticated technology at play here, but a lot of what we’re doing is really just using common sense. If we’re sitting next to someone on the train and we’re accessing sensitive information, just turn down the dimness on your mobile phone.
Johan Dreyer:
Well, that’s exactly it. Technology is a control, Nathan. So, technology is a way of putting a check in place that stops something from happening, or that allows something to happen, or that makes someone think. Behavior is really key. So you could be in a perfectly safe environment and behave in a way that breaches the structure and construct of that safety, and that turns an inherently safe environment into an unsafe one. IT talks about the weakest link in the chain being the one that bypasses the control or bypasses the chain. That’s the same thing across the board. So, if we think by default in a safe manner, in a good practice manner, if we’re internet-savvy, if we’re digital-savvy in the way that we think, in the way that we approach things, or digital smart, then the technology and controls will enable us. If we don’t apply a level of savviness when we’re interacting with the digital world, then it almost doesn’t matter what controls or technology investments we have in place, or how they’re configured, they’re just not going to be effective.
Nathan Anibaba:
I hear what you’re saying around the leadership team setting the policies and the strategy for the rest of the organization to follow, but it can be … Talk a little bit about the implementation here because organizations that are 5,000, 10,000, 20,000 people distributed globally around the world, it’s one thing to set a strategy at the leadership team but it’s another thing actually implementing those changes on the shop floor in geographically dispersed locations around the world. So, what’s your advice to companies around how best they should do that?
Johan Dreyer:
At the top level, Nathan, we’ve got to set the strategy. So, we’ve got to say, “This is the outcome that we’re trying to achieve. We want to create a culture of digitally aware, good behavior when working, not only in our corporate environment, but our personal environment.” I think we’ve got to try and increasingly link and connect personal digital safety, or personal cyber safety with corporate, because like it or not, they’re very much becoming one and the same, especially in this new hybrid working, work from anywhere mode and environment. More people are accessing personal systems and personal environments using their personal websites and tools using their corporate devices, and more and more people are accessing corporate tools using their personal devices with bring your own device strategies and things like that. So, there is this blend, people are working from home, from coffee shops, from holiday homes even, and that brings a whole different dimension to it.
So, I think first and foremost, is we’ve got to commit ourselves as organizations to driving a blended approach between enhancing personal safety on the internet and the cyber world as well as corporate strategy. So, that’s the first thing.
Secondly, I’d say you’ve got to personalize it. So each country, each region, each demographic that is part of your organization is going to relate to something slightly different, the comedy or the level of humor that you’d see in an American sitcom is very different to what you’d see in a British sitcom.
Nathan Anibaba:
Very.
Johan Dreyer:
The level of banter or conversation that you’d see on a cricket pitch is very different to what you’d see on a football pitch. The level of cyber or digital awareness that you’ll get in someone who’s in their 30s or 40s is going to be entirely different to what you’re going to get from someone who’s in their 20s to 30s, just because of how we’ve grown up, what environments we’re used to, and what we’ve learnt versus what’s been native to our existence. We’ve got to be able to tailor our messaging and our constructs to what works for that demographic and for the territorial region that we’re talking to. So, I think that the lesson there is there’s no one size that fits all, give each part of the organization a reasonable level of autonomy and the right tooling to be able to affect the behavioral change and to drive the cultural change that you’re looking to achieve the outcome.
Nathan Anibaba:
So, you raise a really interesting point there Johan, around the generational divide, because as you rightly say, younger people in their 20s and 30s, they grew up with the internet. They maybe have more of a laissez-faire attitude towards cybersecurity and cyber threat. Whereas people who are slightly older, who remember a time before the internet, like me, for instance, understand that actually by exposing yourself unnecessarily, you expose yourself to quite severe reputational and brand risk, as you’ve articulated earlier on. Talk about how you go about advising or educating a younger millennial workforce who have grown up digital, who are used to sharing their information on the internet and on social media, about the importance of cyber vigilance.
Johan Dreyer:
I think it’s really important to be able to feed short bits of information to people, in the way that they’d like to digest it. So, if we think about the way people tend to communicate these days, it’s all about short, sharp communications that engage the audience, Nathan. A lot of what we see today is video-based. It’s 60 seconds or less, often 15, 30 seconds. Think of services and tools like TikTok, Instagram Reels, it’s media-related, it’s highly visual, highly engaging, very short, sharp messaging. Then it draws their attention away to other resources that might be of interest. I think that’s quite important, feeding lots of updates into the system or into our employee base on a regular basis, but in short and manageable chunks and making sure it remains relatable.
So, it’s got to be … and I keep laboring this point of being relatable. If I get it, if it makes sense to me, I’m more likely to adopt it, I’m more likely to implement it and I’m more likely to stick with it. So, I think that’s quite important in how we think about it. At Mimecast, what we’ve done, by way of an example, is a lot of our awareness training is focused on engaging humor, it’s short snippets-based, it’s real life situations or actions, almost like a short sketch of, “Hey, I was in this situation and I accidentally sent this email and all of a sudden payroll information was all over the organization.”
You can almost imagine yourself being in that situation and being that person, you relate to that scenario. Then we’ll create the teaching moment off the back of that and create the understanding of these are good practices that you want to bring into it. That sticks with me, that engages people. I’d say that’s a way for us to take it moving forward.
Nathan Anibaba:
Well said, just bringing the interview towards a close now, Johan. I mean, you’ve had a very successful career within Mimecast and within technology. What advice would you give to aspiring brand and technology leaders on how to best navigate their careers?
Johan Dreyer:
I think don’t be afraid to try things, is probably first and foremost. Throughout your career, throughout everything that you do, opportunities are going to present themselves and you have a choice and a juncture to go, “Do I take this on and do I not?” Sometimes they might be big, sometimes they might be daunting, “I’ve never done this before.” Where you can seize the opportunity and advantage and try and do the best you can to progress, don’t be afraid to fail. Often the best lessons we learn, and we only get better when we fail to do something, or when we think we can do something and we fail.
Lastly, don’t be afraid to ask for help. I think this is probably the biggest and most effective way that we learn and we progress in our careers, or the most helpful thing in my career has been just when I got stuck, just turning around and going, “Hey, Nathan, I’ve got this problem. I’ve got this thing that I’m working on and I’m just not sure where to go with it.” They may not know the answer, but just talking about it will often help me, and will help anyone who’s aspiring to progress their career, to find the answer they’re looking for, or to find the direction that they’re going in, or someone else they could ask for help. So be open, ask for help. Often the answer lies within you, but it needs that conversation and that external perspective to bring it out in you.
Nathan Anibaba:
Great place to end. Johan, thank you so much for doing this.
Johan Dreyer:
Absolute pleasure, Nathan, I’ve really enjoyed our conversation.
Nathan Anibaba:
If you’d like to share any comments on this episode or any episode of ClientSide, then find us online at fox.agency. If you’d like to appear as a guest on the show, please email zoe@fox.agency. The people that make the show possible are Jennifer Brennan, our booker slash researcher. David Clare is our head of content. Ben Fox is our executive producer. I’m Nathan Anibaba, you’ve been listening to ClientSide from Fox Agency.
Speaker 1:
Join us next time on ClientSide, brought to you by Fox Agency.