In a recent interview with SafetyDetectives, Jai Aenugu, CEO and founder of TechForce Cyber, discussed his background and the company’s evolution into a cybersecurity-focused entity. TechForce Cyber now offers core services like cybersecurity assessments, penetration testing, incident response exercises, and security awareness training. Aenugu stressed the importance of engaging and frequent cybersecurity training for employees, especially in the face of emerging threats like investment fraud and business email compromise. The company aims to be a trusted security partner, addressing the lack of awareness and skills through educational initiatives. Overall, Aenugu highlighted the need for businesses to stay proactive in addressing evolving cybersecurity challenges.
Could you please introduce yourself and share a bit about your background in IT and cybersecurity?
My name is Jai Aenugu, and I’m the CEO and founder at TechForce Cyber. My background is in IT. I have a master’s degree in computer science with a focus on advanced computer networking from Edinburgh Napier University.
Later on, I worked as an ID Support Engineer and progressed to the role of IT manager, where I had nearly seven years of managerial experience. Eventually, I made the decision to leave my job and establish TechForce. Initially, our intent was to operate as an IT support company, given my background in IT support.
However, after a couple of years in operation, we observed a shift in customer demands, driven by significant ransomware incidents. We are based in Scotland, and saw that not many companies were focused on cybersecurity. We sold the IT support business, retaining the brand, and refocused on providing cybersecurity services.
TechForce, evolving into TechForce Cyber, emerged as a cybersecurity company. Given my experience in IT support, which included security responsibilities, I had a solid foundation. We started by offering consultancy and value-added reselling, coupled with managing the products we sold for our customers. This marked the beginning of our journey, but as time progressed, we decided to exclusively concentrate on cybersecurity. Our focus now spans consultancy, advisory services, and the provision of managed services.
What are TechForce Cyber’s core services and mission?
The core services we offer are:
- Cybersecurity maturity assessments for businesses
- Penetration testing services, including the Cyber Essentials Certification approved by the National Cybersecurity Center for businesses involved in public sector tenders
- Cyber Incident Response tabletop exercises
- Security awareness training
Our mission is to protect businesses from cyberattacks.
Do you work with SMBs or large enterprises?
It varies based on the service. For advisory and consultancy, our focus is on SMBs and mid-market companies. In terms of product-based selling, value-added reselling is geared towards large enterprises. Our clientele ranges from the largest, with approximately 30,000 employees, to the smallest, consisting of just one employee.
How can small and medium-sized businesses effectively protect themselves against cyber threats?
Following basic cyber hygiene is crucial. From our experience, especially in SMBs, the primary challenges include awareness issues, skills gaps, and the perception that cyberattacks are exclusive to larger companies featured in the news. This perception often leads to a reactive rather than a proactive response.
Effectively protecting against cyber threats involves adhering to basic cyber hygiene practices, such as:
- Implementing two-factor authentication
- Using strong passwords and encouraging the use of password managers
- Keeping systems up to date
- Locking firewall ports when not necessary
- Removing unnecessary software from systems
- Implementing access controls, including the principle of least privilege
- Knowing the location of shared data, particularly in cloud services
One key piece of advice I have for SMBs is to enable two-factor authentication, as it can significantly enhance security. Many businesses still fall victim to cyberattacks or financial losses simply because they haven’t implemented this basic security measure. While it may not be a comprehensive solution, by enabling two-factor authentication you have improved your cybersecurity.
What are the biggest challenges companies face in implementing effective cybersecurity measures, and how does TechForce Cyber help?
The biggest challenges are the lack of awareness and a lack of skills. That’s where we come in. We do lots of educational pieces, events, conferences and we publish a lot of blogs and videos. We follow the innovate, educate, inspire method and sometimes we entertain as well.
In addition to publishing lots of information, we talk to the business owners and leaders to find out where they are on their security journey and where they would like to go. We take that information and put a roadmap together in the sense of what are the high-priority items on the list. We’ll fix these now and let’s put others in a roadmap like 3, 6, 9 or even 12 months down the road. We see ourselves as a trusted security partner, rather than just a supplier.
How important is regular cybersecurity training for employees?
If you look at 95% of the successful cyberattacks, most of them start from an email, followed by a human reaction. It can be clicking on a link, providing information, or transferring money based on an email threat. Whatever the case, it usually is caused by a human decision.
How do we combat that? We need to have the technical controls and, most importantly, the admin controls. A company can have all the security controls, but then an employee comes along and decides to click on a link, and there’s nothing much we can do. That’s exactly why we need to have the security awareness training in place. For it to work effectively it must be short, sweet, fun, engaging, and memorable. If it’s not changing the behavior of the people in the company, then what’s the point? There’s no point in providing the security awareness training.
We see many companies do security awareness training as a “tick box” exercise. They do it once a year for an hour or two. That’s not a very effective plan, and so the employees aren’t taking it seriously or retaining all the information. That’s why we say make it fun, make it engaging, and make it more often than once a year. We perform monthly phishing simulations, monthly incident training, and regular security awareness training every month, if not more often.
Some departments need to have proper and more frequent training, especially a finance department, which holds the keys to the kingdom.
Security awareness training should be part of an induction process as well. When an employee starts at a company, they should go through security awareness training as part of every other training and then they will be enrolled into continuous testing and training as well.
What emerging cyberattacks should businesses be aware of?
I was reviewing some stats from the past year, and the most financially impactful cybercrime was investment fraud, particularly targeting consumers. It stands out as the largest type of cybercrime, resulting in substantial financial losses.
The second significant threat, which I am particularly focused on, is business email compromise. Over the last year, businesses suffered losses amounting to $3.7 billion from this type of attack. In comparison, ransomware attacks cost businesses $60 million, excluding recovery and downtime expenses. It’s crucial to note that these figures are based on reported costs, and many businesses choose not to disclose their losses.
Despite our efforts in education and awareness, business email compromise remains a persistent threat, causing substantial financial losses annually. It is a relatively straightforward form of attack, relying on social engineering manipulation. Hackers often send fraudulent invoices posing as suppliers or customers, urging recipients to change their buying details and transfer money to a new bank account.
Compromising one account, hackers monitor emails and strategically target specific accounts with substantial amounts at the time of payment, requesting changes to bank details. We’ve encountered numerous incidents of this nature, and enabling two-factor authentication can significantly mitigate such attacks. Additionally, thorough employee training can empower them to recognize and counter phishing and impersonation emails.
Ransomware continues to pose a threat, with new variants emerging regularly. However, with the evolution of Endpoint Detection and Response (EDR) software, its impact is gradually diminishing.
Data protection presents a growing challenge for businesses, especially with the influence of artificial intelligence. While AI benefits cybersecurity efforts, it also empowers malicious actors. Adapting swiftly is crucial, as cybercriminals are not bound by rules and can exploit tools like ChatGPT and various other AI technologies to launch sophisticated cyberattacks. This underscores the pressing need for businesses to stay vigilant and proactive in addressing evolving cybersecurity challenges.