Security Breach? It Won’t Happen To Me They Said
A few months ago, WalkMe employees received a seemingly routine email in their inbox, notifying them of an impending expiration of their Gmail account password.
But, if we take a closer look, something about the email was fishy — or should we say phishy.
Upon closer inspection, the description of the email contained discrepancies with the subject line.
Additionally, the slug contained a subtle but out-of-place dot under the letter “m.”
WalkMe employees are not easily fooled, however, and it wasn’t long before someone blew the whistle and we found our perpetrator.
All signs pointed to Daniel, WalkMe’s Chief Information Security Officer.
No typo there. This was all a carefully devised plan, to keep WalkMe employees on their toes.
This test was meant to bring awareness to potential security threats and their significance as the dangers of cybercrime continue to rise.
With estimated damages expected to hit $6 trillion by 2021, it got us thinking about the role our security team plays in keeping WalkMe’s employees and our thousands of enterprise users safe and sound.
We turned to the mastermind himself for insider information. No password needed.
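The out-of-place dot under the “m” in the test email is the kind of detail a Unicode lookalike domain relies on: a single accented or combining character makes a hostname render almost identically to a trusted one. The check below is an added example, not code from the original post or from WalkMe; it strips combining marks from a URL's hostname to recover the ASCII "skeleton", compares that skeleton against a caller-supplied list of domains the organisation actually uses, and reports the Punycode form that mail filters and browsers see. The sample URLs and the `exaṃple.com` domain (with LATIN SMALL LETTER M WITH DOT BELOW) are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def skeleton(host: str) -> str:
    """Reduce a hostname to its base letters.

    NFD decomposition splits 'ṃ' into 'm' + COMBINING DOT BELOW; dropping
    every combining mark (category Mn) leaves the letter an eye would read.
    """
    decomposed = unicodedata.normalize("NFD", host)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def non_ascii_chars(host: str) -> list:
    """Describe each non-ASCII character in the hostname by its Unicode name."""
    return [
        {"char": ch, "name": unicodedata.name(ch, "UNKNOWN"), "looks_like": skeleton(ch)}
        for ch in host
        if ord(ch) > 0x7F
    ]


def analyze_url(url: str, trusted_domains: set) -> dict:
    """Flag a URL whose hostname impersonates a domain in trusted_domains.

    trusted_domains is the caller's own list of legitimate domains (assumption:
    the organisation maintains such a list). A hostname is a lookalike when it
    is not itself trusted but its skeleton matches a trusted domain.
    """
    host = (urlsplit(url).hostname or "").lower()
    findings = non_ascii_chars(host)

    # The IDNA codec turns each non-ASCII label into its xn-- Punycode form,
    # which is what actually travels in DNS and in mail headers.
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # labels that IDNA rejects are suspicious in their own right

    base = skeleton(host)
    lookalike_of = None
    if host not in trusted_domains and base in trusted_domains:
        lookalike_of = base

    return {
        "host": host,
        "punycode": punycode,
        "non_ascii": findings,
        "lookalike_of": lookalike_of,
        # Either a confusable hit against a trusted domain, or any non-ASCII at all
        # in a hostname where the organisation only uses ASCII domains.
        "suspicious": lookalike_of is not None or bool(findings) or punycode is None,
    }


if __name__ == "__main__":
    trusted = {"example.com"}  # constructed: the organisation's own domains
    for sample in (
        "https://example.com/account/password-reset",   # constructed, legitimate
        "https://exa\u1e43ple.com/account/password-reset",  # constructed lookalike
    ):
        result = analyze_url(sample, trusted)
        print(result["host"], "->", result["punycode"], "suspicious:", result["suspicious"])
        for f in result["non_ascii"]:
            print("  ", f["name"], "looks like", repr(f["looks_like"]))
        if result["lookalike_of"]:
            print("   impersonates", result["lookalike_of"])
```

Run against a message's links before anyone clicks; a hit on `lookalike_of` is the signal to report the email, and the Punycode string is the value to search for in mail gateway logs to find everyone else who received it.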
WalkMe: Daniel, can you tell us a little about the fake phishing email test?
Daniel: The purpose of the email was to test the awareness of WalkMe employees and push them to pay closer attention to details. The phishing test was nearly identical to a legitimate email.
I recreated a plausible scenario of an attacker that managed to take control over the WalkMe mailing list service and send a phishing email to all our employees. The phishing itself was not 100% accurate, as we tried to exploit the “vulnerability” of phishing Unicode domains, which created a big hype in the security industry — even though it is an older strategy. In addition, we placed the attack strictly internally so we could not target those outside the company — that is how we were able to utilize an official Gmail domain.
The one fact people don’t know is that I tested it first on our senior management. I sent this email to our CEO, Dan Adika, and President, Rafi Sweary. A day later I sent this email during an R&D Meeting to our CTO while I was sitting right next to him. I wanted to see his response and how he would face such an incident. They all caught on to the scam, which was very impressive.
After the email went live, the first people to identify the phishing attempt not only avoided clicking the link, but also reported it and created an internal channel to warn others within their office. For me, this was a great success.
WalkMe: Besides office prankster, can you give us insight into your role as CISO at WalkMe?
Daniel: As CISO, I am responsible for the security of IT. My main goals are to secure the company and the product itself. This includes building a secure development lifecycle and ensuring our safety policies are constantly enforced.
This spans from design and architecture development to QA testing and publishing. We continuously analyze our security procedures and undergo third-party audits to protect our customers’ data and private data from within.
It is also my role to ensure internal security of our data and maintain our security culture. Every employee plays a valuable part in creating a strong security culture.
We set out to make sure that everyone understands how important it is to be knowledgeable, aware, and most importantly, vocal of these types of situations.
That is why the test we ran was important; it helped all employees to understand that security is a group effort.
WalkMe: WalkMe is a swiftly growing software company, doubling its employees in a year. How do you lead the security team to keep up with the privacy of data?
Daniel: There’s no denying that it’s definitely an ongoing challenge, not just for the CISO, but for the entire company. Some of the most dangerous threats are internal. The first step is to get management on board, make them understand the importance of security and also the business benefits of delivering a secured product.
The larger task is to continuously communicate the importance of security to the rest of the company. It is vital that all employees, no matter what department, understand how to perform daily tasks while keeping their data secure.
WalkMe: What certifications does WalkMe hold and what is their significance?
Daniel: One of the most important tools of a CISO and any company, in general, is to work according to security industry best practices.
We don’t need to reinvent the wheel in order to be a secure company. One of the most familiar security certifications is the ISO 27001, which is very important for every software product — especially SaaS. It covers all the security sections and measures the company every year to ensure security is always improving.
Another security certification is SOC 2, which has become very popular in the past couple of years. Unlike the ISO certification, the output of the SOC 2 (TYPE II) is a report that includes a deep explanation of the company, the product, and a list of security controls that were examined by the auditors, as well as the results of each test. This report provides the customer with good visibility of the security in practice.
In addition, we are:
- ISO/IEC 27032:2012 certified for Guidelines for Cybersecurity
- ISO/IEC 27017:2015 certified for Cloud Specific Controls
- ISO/IEC 27018:2014 certified for Personal Data Protection
- ISO 27799:2016 certified for Security management in health
- SOC 2 certified to meet AICPA’s Trust Security Principles
- EU-U.S. Privacy Shield (IP/16/216) certified
- TRUSTe and Safe Harbor certified for data privacy
- CSA Security, Trust, and Assurance Level One: Self-Assessment certified
- Graded Enterprise-Ready by CloudTrust program
WalkMe: What security measures are taken during our development process?
Daniel: The security in the development process is very important, especially from a business point of view.
Discovering a vulnerability at the end of the development task cycle or in the production process costs much more than addressing the issue at the beginning of the development. That is why security takes an active role throughout the development cycle, from the design phase through deployment.
We believe in secure design, secure development, secure coding, penetration testing, vulnerability assessment, security automation, and security testing.
WalkMe: How do you keep a company with global offices on the same page in terms of security culture?
Daniel: Communication at the company level is very important.
For example, exposing new employees to security and enforcing policies on their first day is much more effective than enforcing it later on. Therefore, as part of the employee onboarding process, we make sure to expose them to our security policies.
We keep employees in the know, whether that’s providing notifications of security threats in software updates or keeping them in check from time to time.
WalkMe: What tools are built into the WalkMe product to ensure its security?
Daniel: We follow security best practices, which means building our security in layers to protect our infrastructure and especially our customers’ data.
Another important task is to always be up to date, read and learn about security incidents within other companies, and apply the lessons we learn to security at WalkMe. More of our guidelines and processes can be found here.
WalkMe: What’s your security motto for WalkMe?
Daniel: Encrypt everything! We encrypt everything possible; that’s our approach. Every system, legacy or new, is encrypted. This is the easiest way to handle any potential risk.
WalkMe: Looking ahead at 2018, what else are you working on to ensure data safety and protection?
Daniel: Major tasks for next year include preparing for the EU’s General Data Protection Regulation initiative (GDPR). This is a new regulation that will help protect users on web-based applications and increase transparency. This guideline will protect users from big companies collecting and keeping data after a service contract has ended.
We will also be looking to improve ISO and HIPAA controls, add more security controls to our systems, and add additional security controls to emails.
WalkMe: What challenges do you foresee?
Daniel: Everyone is moving to cloud-based applications. Companies, especially those with SaaS business models, have no choice but to adapt and take the necessary security steps to stay abreast of new technology advancements and their accompanying new security weaknesses.
Bottom line, our motivation for security is our customers’ welfare and security. This is why we do everything we can to secure WalkMe and go above and beyond. First-class enterprises use our product. Fortune 50 and 20 companies use our product — because our security is top notch.