Mohammed Al-Yousuf shares a few tips about cyber security, in an interview with Al Sharq newspaper

1. How far has the field of cyber-security evolved from what it was ten years ago? How has this translated into additional responsibility for the cyber-security team in an organization? 

As technology becomes increasingly powerful, generating and sharing information becomes easier. The amount of information accessible to the public is beyond anything that could have been predicted ten years ago. This means that protection of information becomes crucial, both at an individual and organizational level. 
ExxonMobil and other major corporations have always recognized the impact, both negative and positive, that technology can have, and have taken steps to secure their data and information against different levels and categories of cyber security threats. 
No organization or individual is immune to cyber threats, which is why we believe that each person plays a critical role in protecting the company from cyber-attacks. 

2. What sort of training do corporations and organizations, such as ExxonMobil, normally impart to their staff, to ensure that they are capable of identifying and handling software security threats? In your opinion, what specific aspect of this training needs to be improved on, to provide the safest possible work environment? 

There is an increased awareness of cyber threats and the importance of adopting more proactive behaviors towards it. Cybersecurity is a top priority for the company, and each year ExxonMobil conducts cyber security training for its employees. The training imparts practical information about the different forms of cyber security threats. During the sessions, ExxonMobil employees are trained to recognize characteristics typical to cyber breach attempts, and to take immediate preventive action. In my opinion, both cyber security instructors and IT users need to stay up-to-date on current threats. The training needs to be dynamic - it needs to reflect the possible threats that the latest trends in technology bring with them. 

Employees are also sent mock phishing attacks to test their ability to identify inbound attacks. This is key process to increase awareness and attention in this critical area and has proven to significantly improve recognition of these types of cyber threats. 

3. The terms phishing and social engineering are often used interchangeably by the public. What are the key differences between them? How far can raising awareness prevent users from falling prey to such threats? 

Phishing is direct, straightforward and fairly broad. An email, seemingly from a reputable company or organization, is sent to a group of individuals. The email requests personal information, such as account numbers, passwords and credit card numbers, from the receiver. These emails are likely to include links to malicious code that would compromise the user’s computer. “Spear phishing” is a more targeted variant of phishing, where the recipient is specifically identified and thus makes them more likely to think the email is legitimate. 

Social engineering, on the other hand, can be direct or subtle. This specific type of cyber threat manipulates individuals so that they reveal confidential information. The types of information that these criminals seek can vary. Generally, when individuals are targeted, the criminals use persuasive language to trick the receivers into revealing passwords or bank information. Additionally, they may be attempting to secretly install malicious software into your computer, giving them both access to your data and control over your computer. 

Either way, users need to be trained to practice caution when opening emails or giving their personal information over the internet, to avoid any breach in personal or organizational data. 

4. Defense in depth is the coordinated use of multiple security measures to ensure the horizontal and vertical protection of data and information. What are the key points that an organization (like ExxonMobil) needs to keep in mind when designing a defense system that is both effective but not overly restrictive?

The first step would be for organizations to conduct research into their individual cyber systems in order to determine the level of restrictiveness and protection they would like to achieve. Key factors to take into account are: the size of the data and the size of the user population. This approach will ensure that an organization’s cyber security experts install appropriate cyber-defense features. As defense layers become more complicated, organizations consider alternative solutions that they can provide to their employees or clients, in case they are forced to restrict certain applications or forms of technology. 

5. Removable media consists of flash drives, hard drives, and CD’s. What are the key concerns posed by removable media? How can they be prevented?

Removable media are quite handy – they are mobile and can store large amounts of data. And for those very same reasons, they impose high levels of risk, as viruses and malware can be easily installed/stored on them. Malware threats continue to escalate and can be passed between devices either accidentally or intentionally. 
Sharing information with individuals or organizations in necessary part of doing business, however it can put the company at risk. Users, whether at home or in office, are always advised to and use only devices are that are from trustworthy sources, and to use them with a certain degree of caution. This can be done by routinely scanning the mobile device for viruses or malware 
Companies may decide that the risk introduced by removable media is too great, and may introduce policies that limit or prohibit the use of removable storage devices. 

6. Organizational staff often access their official emails while on holiday. How can they ensure safety and confidentiality of information when accessing their official mail/data/domain from an unknown computer while travelling? 

Employees are increasingly required to access their online work and correspondence outside of their normal office work hours or locations. There are certain steps that they can take so that that they do not accidentally become victims of cyber-threats while travelling. First, they need to make sure Company emails are accessed only from Company-managed devices. Second, while connecting to wireless sites, users should choose a secure site, avoid free public WiFi ‘hotspots’, and use virtual private networking (VPN) to protect their data in transit. Finally, employees need to educate themselves about the risks involved in spam or phishing email.