Quality Automotive Products in an Age of Cyber Crime
Ensuring quality automotive products in the age of cyber crime is becoming harder and harder due to the amount of endpoints that can easily be compromised within the supply chain. Regardless of where you sit within an organisation, with the increase of hybrid working and remote work, risks of ransomware still remain at large.
CyberAngel recently released a report that stated that there are vulnerabilities in Ford, Volkswagen, and Tesla Advanced Driver Systems. Furthermore, a semiconductor shortage has made profit tighter and production more difficult. If that's the case, how can we know that the products are truly reflective of quality automotive standard? What vulnerabilities in their supply chains will end up affecting the consumer and how stable are the companies that are producing quality automotive vehicles?
According to this same report, 1 in 10 employees have exposed publicly accessible credentials available online. Joining us on this episode of The Next Phase of Cybersecurity is Pauline Losson, Cyber Operations Director at CybelAngel. In this episode, we will be exploring topics such as:
- Why automotive industries in particular are vulnerable to leaked credentials
- How you can ensure a strong cybersecurity strategy within your organisation
- The best way to prevent credentials from being leaked online
- The trends across North America and Western Europe.
You can also find this podcast on Spotify and Apple Podcasts under "The Next Phase of Cybersecurity."
Hello everybody and you are listening to The Next Phase of Cybersecurity podcast; an EM360 production. My name is Max Kurton Head of Content here at EM360 and your host on today's show. Make sure you stay up to date with all of our latest episodes by subscribing on Apple Podcast, Spotify, Google Podcasts or wherever you go for your podcast fix. In today's episode, I'm very pleased to be joined by Pauline Losson, who's the lead analyst and cyber operations director at CyberAngel. Pauline is here to share her thoughts on the proliferation of sensitive external data leaks in the automotive industry in response to CyberAngel's 2021 investigative report titled the race against external threats in the automotive supply chain. So, Pauline and welcome to the show and thank you for coming on today.
Thank you Max for having me.
It's a great pleasure and I'm looking forward to kind of delving into the subject matter because I think it's an area that people are going to be very curious about but, before we get into the questions and we start breaking down the report, could you let our listeners know a little background on yourself and CybelAngel.
Sure, um, so my names Pauline I have been working at CybelAngel for more than 4 years. I was initially a cyber security analyst and I'm coming from a security indifference industry and like this I arrived at CybelAngel. So, CybelAngel is a DRPS solution. So basically we're digital risks protection platform and what we do basically is we detect and resolve external threats before hackers find them and exploit them and we do this using a combination of technology and human intelligence to provide our customers with zero false positive incident reports.
Excellent stuff. So you guys are never short of work at the moment, I can imagine so keeping you busy. Excellent. Well I'm excited to kind of delve into the topic matter because the report has a lot of interesting stuff in it that people in the automotive industry or people who even just own smart cars or anything in that area might not even be aware of and I think it's a warning sign for other industries as well to really be paying attention to as we kind of go on this digital transformation journey. So there's a lot in the report, so you don't have to give us everything. But, if we draw on the kind of report key findings, can you give us an overall picture of the current state of cybersecurity in the automotive industry and across the supply chain?
Sure, so maybe about the report, we wanted to cover all types of automotive industries. So we chose a panel of 14 different companies that represent all activities in the automotive industry in the world, so covering all regions and any type of manufacturer. We wanted to identify and to check with all the parameters we're checking if they were seeing leaking data, vulnerable assets for example, or exposed credentials.
So, we went and checked everything about this about this industry and what we see is that the automotive industry relies on the very long and complex supply chain which actually create a lot of endpoints or places third parties that could actually be vulnerable or even leak information. So, this structural system in this industry actually raises the chains of facing digital risks and also what we see is that the industrial systems that is behind this automotive industry is more complex to administrate.
So, if you have all this operational technology, what you can find and you can have more vulnerabilities or it might be more difficult to make sure that everything is secure. Maybe the last point that I wanted to mention here is that this industry is settled and across all countries in the world and when you go to certain regions, you can have also the risks that the cybersecurity culture may not be as mature as in other countries. So this also causes the risks that you will rely on maybe a manufacturer or a software company or even just a shipping company that may not rely on the same standards as the, I don't know, let's say the major manufacturers we know. So all of this causes a higher chance that you will have potentially leaks or being targeted by ransomware, or just some like negligence among your employees and also the third parties you're working with.
Yeah, there's a lot there to kind of unpack in terms of the threats that we are kind of facing. As you say, having that many third parties, having that big a supply chain, changing up the industry as well, obviously a lot of industries are going for this digital transformation. And the automotive industry is no different from that and having people outside of the organization just adds that risk so much more and it's always a bit of a worry when you have that large a stretch going across, as you say, countries and organizations.
So, I think one of the standout statistics that was was in there you mentioned about employees and having multiple wants, even ones in for party elements. But one of the statistics did say that 1 in 10 employees have exposed public accessible credentials available online. Can you just put that into context of how severe that kind of cyber data leak is and the impact it's likely to have on those automotive companies and the employees in general?
Sure yes, so credentials and leaking credentials is a very basic event for a company. So, their employees are relying on a number of IT systems, and for this they need credentials. So here we're talking about just very basic email passwords to get to your professional email account, and what's happening here is that these employees, they're using their professional emails on a numerous number of websites or services application. And the fact is that these, all these services may be ah, very vulnerable and being hacked by hackers and these people are then publishing these lists of emails and passwords on dark web forums. And then basically everyone can reuse these lists of emails and password, test them, and what happens there is that it's very likely to happen and I guess all of you have seen their emails leak, and they're going to send you maybe a broad communication, like hacker communication or just spamming you.
But sometimes what can be sensitive for enterprise and companies is that, so the hacker is going to send a list of fake emails, inviting their employees to maybe download a pdf download a video or just very urgently send an email to the CEO with, I don't know, "proceed to a wire transfer," let's say for example, so what happens here is that all your employees with the credentials, they actually become entry points for hackers. So whether it's fraud, whether it's just a basic phishing attack, it can go all the way up to a ransomware attack.
So the consequences can be very different but what known, and this is why this figure is important, 1 in 10 employees, is that all companies, but here we all obviously talk specifically about but the automotive industry, but of course all companies and industries will have these risks: from phishing to ransomware, potentially.
Yeah, definitely. I don't know how many times I've been saying this on this podcast or have people say it's me of just people using their work emails and and just letting stuff leak so easily is 1 of the biggest things that could be shut down so quickly. But obviously it's so easy to do, and it's just such a slip of the mind. How do you view it from your personal standpoint of addressing that problem of kind of cutting down using work emails and opening up those vulnerabilities?
Awareness is obviously the biggest aspect however, it's very difficult when you have so hundreds of thousands of employees with very different backgrounds very different knowledge about cybersecurity. But obviously maybe blocking some very basic websites or reminding your employees, also trainings and fake campaigns can be very useful because they actually see very easily that it was not the right decision that they took, so I guess there's a lot of tools now that are available for cybersecurity teams to actually launch real-life tests and training. But, apart from awareness, I'd say that blocking websites will always actually push employees to actually use work around and they always and do the wrong thing. So awareness I would say is still the maybe the most important aspect
Yeah, couldn't agree more It's it's a long battle. But if companies kind of invest in it then they will see the results kind of going forward so I hundred percent agree. There was another element that was kind of interesting that kind of popped up here. So, when the report was kind of being done, it found that automotive companies from the us and Western Europe specifically suffered the most exposed credentials in the first six months of 2021. Why do you think that's the case?
So I would say that we found like a better representation, or a bigger representation, of these regions mostly because they maybe are more targeted by hackers. We know that either it's hackers motivated by political ideas or just because they they know they will find maybe the most data they actually target more of of these companies. Yeah I would say that it's more about the the reasons about why they were targeting more Western Europe companies or US companies that we see a higher representation of of these employees.
Yeah, so do you think it'll be, because obviously we've said that these organizations are spread Worldwide, west to east, would it be a better case from a cybersecurity perspective to put a focus on these higher risk countries or do you think it needs to be flat across the board?
I think maybe that the risks may be different in terms of of regions. Maybe more credentials in these regions of Western Europe and the us and maybe in other regions like in Asia maybe in Africa or even South America we would have more data leaks, for example, or vulnerable assets because the maturity about cybersecurity could be different across regions.
Yeah I think that's fair to say. Excellent. So let's get into, we've been speaking about obviously the threats that are there and the risk that are there, but let's try and give the listeners some advice in terms of what we've been talking about here today because we've obviously been discussing how big the attack surface is and how the natural consequence of digital transformation, although it can be fantastic, does open up a lot more risk.
So, from your side and CyberAngel's perspective, how can the automotive sector and really just the enterprise as a whole best safeguard sensitive data and assets without compromising their digital transformation ambitions?
So yeah, as you said the idea is not to stop digital transformation and to keep everything and to go back on paper or anything. The idea is just maybe to identify what are the main causes. So in our research, what we found is that in most cases, it's still these leaks and this risk are still caused by third parties and external partners or yeah, external parties I would say, so the first of all would be definitely choosing the right partners about this. So, in this you can rely also on maybe legal procurement teams to actually help and and identify and put the right clauses in the contract to protect and potentially to help and to justify to these partners why they should invest and respect the same standards in cybersecurity.
On the internal side, obviously your employees and the employees are the first partners in the cybersecurity area. So obviously training users as we earlier mentioned is very important but also maybe choose the methods that would not encourage them to find work around. So not block them in their daily life and not create more processes and more hurdles that could actually cause and maybe generate frustrations about cybersecurity programs.
And I would say the last advice I could give is obviously even if you put in place all the methods, all the training, at some point the data and information you're using in everyday life to work will eventually go out of the IT system of the company. Because you rely on a long supply chain, because you have partners that are outside of your company, you have to just make sure that you all also kind of use a trust but verify policy that even if you put in place everything you will have to go out of your parameter and check if there's information outside. So in this, it's about checking outside of your scope and really you know, checking this potential data leaks checking on the dark web and making sure you're not just protecting your inside but also making sure you have eyes wide open on the outside.
I think that's fantastic advice because it can be very easy just to focus on your company, the problem in front of you, and there's so much more going on out there at such a fast rate. So I think that's very key for kind of people to be on the ball and looking at all options as they're kind of going forward. So, one final question for you before I let you go here today:
There was another element of the report that kind of looked to a recent Gartner survey and in that it revealed that seventy one percent of automotive CIOs are likely to increase investments in cyber and information security in 2021. So in lights of the reports discoveries and the year is almost up now, we've got a month left, is there hope for automotive companies or do you think they can turn it around before 2022?
I'd say there always there's always hope, so we definitely have to see that everything that happened in 2021 and good things or even bad things like attacks, like all these thins from with lists of of companies that have been targeted are just another proof that there is real risk and maybe it's more arguments to defend their budget and showing that there's needs to invest in Innovative solutions in nontraditional cybersec security tools to actually have a stack of tools that will be maybe better or maybe more complex for 2022. We know that there's always leftovers in the budget that are spent in Q4. So basically, maybe identify what's innovative solutions or maybe trials or like short-term solutions like 6 months trials on the new solution could be a good idea to actually start 2022 with new solutions potentially to fight all these risks.
Excellent stuff as we say we keep on moving and learn from the mistakes and then keep progressing forward. So it's interesting to see what's coming in 2022 for sure. Pauline, all I can say is thank you for coming on today. It has been an absolute pleasure talking to you and thank you for walking us through this report.
Thank you very much Max for having me and yeah, really encourage you to go and check the the report directly. It will be very insightful I guess.
Exactly that we will make sure that we include a link to the report in the description down below so listeners can check that out because as you say there's a lot of good information in there that'll be relevant to everyone in the cybersecurity industry. You can also head on over to the website which is cybelangel.com. They've got some fantastic resources there and again we'll include that link in the description below. Thank you everyone for listening. We'll be back soon with another episode in the meantime you can join the conversation at EM360tech on Twitter and Linkedin. Subscribe to all major podcast platforms and of course for more great daily content head on over to em360tech.com.