Celerity Security Panel – S2E8

DAVID TAYLOR [00:01:17] Hello and welcome to Security Panel, brought to you by Celerity. I’m your host, David Taylor. Today, we’re gonna be talking about a very apt topic, which is Securing Your Remote Working Environment. And to help me talk about this today, I am joined by two security guests. I’ve got Andy Yeates, who is Incident Response Specialist at IBM Resilient. And I’ve got Josh Read, who is Lead Cyber Security Analyst at Celerity. Hey, guys. Welcome. So just before we kick things off, it might be good to get a better introduction on yourselves. So, Andy, tell us about yourself.

ANDY YEATES [00:01:50] Yeah, absolutely. So I’m Andy Yeates. I work for IBM Resilient. I work in the incident response phase within a security portfolio. So under the security business, within IBM, there’s threat management and I look after that IBM Resilient. I’ve been there for three and a half years; prior to that I worked at RSA Security, and Microsoft prior to that.

DAVID TAYLOR [00:02:11] Perfect. And Josh?

JOSH READ [00:02:13] Yeah, I’m the Lead Cyber Security Analyst at Celerity Limited. Basically run the show with security items, sufficient simulations, vulnerability assessments. You name it and I’ve done it.

DAVID TAYLOR [00:02:31] Perfect. All right, guys. Well, jumping into the first question, as we’re talking about securing a remote working environment: do you think we’re more vulnerable to cyber threats now we’re working remotely? Andy?

ANDY YEATES [00:02:45] Yeah. I think we’re more vulnerable. I think it’s due to multiple reasons why I think that’s the case. And I think firstly, we see that with organisations being remote, their machines are not necessarily gonna be connected to the network in the same way. So some of these security controls initially deployed, you know, these security measures are bypassed. We already see that… you know, actually, I know a lot of organisations because of this remote working and over the last few years, all they decided to from something move to the Cloud. And that’s great. But one of the big challenges we have here with that is the identity access aspects of employees. As we start to make that information more publicly available to employees, that’s a huge challenge. Right. I’m concerned who exactly those endpoints are and confirming that they are and should have access to that specific information. And then we see the additional challenges around BYOD, so bring your own device. We’re essentially having confidence in the employees, these users of machines, securing them appropriately while giving them potentially some very, very sensitive access to information. Right. So I think there’s multiple branches to why we are more vulnerable to cybersecurity threats by, you know, working remotely. And I think, in summary, Josh, I don’t know if you would add to that at all.

JOSH READ [00:04:15] So, yeah. Well, I think it’s contextual, I think, as well. And I think it’s understanding what industry you work in, but then also understanding what areas your business provides you to work in as well, as in, you know, does your laptop enforce VPN connections, force you to go through the organisation, and then does that organisation add security by, you know, with either through proxy seem any of those to secure technologies that may add to that skill of the device. And I think when you work remotely, I wouldn’t say that you’re gonna be exposed to more threats. It’s just that the work environment that you are in is completely different to what you are in in office. So, figuratively speaking, you are more vulnerable because you’re out of your comfort zone and, you know, you’re being exposed to almost the same threats and potentially the devices you’re using are less secure than what they would be if you were working in office.

DAVID TAYLOR [00:05:31] Thanks, guys. So, yeah, we’re not necessarily more vulnerable, but we don’t have the same protection as we would have in the office. That’s some good points there, guys. Next question: what do you think has been the biggest security challenge for employees who are now working remotely?

JOSH READ [00:05:54] I think, when working remotely, the biggest challenge from an employee point of view is really understanding what if… It’s so easy when you work in an office just to turn to your friend and say, you know, does this look right? Is this, you know, a genuine link? Is this, you know, is this benign? Is this relevant? But then when you’re working from home, you’re almost in this isolated environment, which is a massive playing factor on cybersecurity risk: if you are sitting in your house just by yourself, you perceive things in a completely different manner. And that in itself is a recipe for danger because people’s human weaknesses are then amplified and they then become more susceptible to the likes of phishing, vishing, SMS phishing, all of the social engineering aspects that are so common throughout the cybersecurity landscape. And for me, that is the biggest challenge: not having your peers around you or easily accessible to, you know, vet things with. Yeah. And VPNing in as well. That is a big challenge because organisations don’t necessarily make VPNing into the organisation an easy and rememberable task. Putting the onus on the users to remember that they must VPN in isn’t really effective because your end-user base and users have other things that they need to focus on, and getting onto VPN isn’t at the top of their priority list, should I say. So they need to make it more accessible and rememberable, the most rewarding that they connect to VPN, especially in small to medium businesses. Otherwise, you’ve got to upstander.

ANDY YEATES [00:07:55] Yeah, I completely agree with your points right now. I think it’s very difficult to say, probably, narrow down to a single security challenge. I think collectively, what the challenge is for organisations is there’s multiple security challenges that create one big problem. Where we look at VPN, for example, yeah, I’m sure we also want to secure the traffic between the endpoint to where it’s going. But fundamentally, the organisations need to be prepared for that. Right? They need to have the ability to scale. Right? Whereas before a lot of employees were working in an office space, now VPNs were capable of dealing with the volume of VPN connections. Now working remotely, that might have increased significantly in the way that the organisation structures its security measures. So, you know, I think that’s part of the examples where based on the impact of slow connection based from using VPN. And they should be used, to be very clear. Right? During, you know, working remotely, you should be using a VPN. But it impacts on speed. And then we get the behaviour side of things, right. So what you were touching on there, Josh, I thought was really great, about the isolation of employees. People working remotely can act and behave very, very differently. And the impact of that is they would come off VPN. They would potentially take longer lunch breaks. But importantly, what more is the impact of security that I think is the behaviour and the psychology behind it. Right. So they’re gonna be more inclined to use their work laptop for looking at personal websites, logging into their personal email accounts and potentially compromising the machine. They could, for example, get a BYOD device that isn’t secured properly, that isn’t patched. It’s asking various sensitive data based on their user account information without now being publicly available and compromising the machine’s result that we’re stipulating workplace. 
You know, it’s a lot of people that may not necessarily use that work platform that desktop machine log in using and log into that Hotmail account or whatever and be susceptible to things like phishing attacks. So, again, coming back, I think identity again is actually a really, really big challenge in the industry as well. And we need to know who the users are and actually apply them the correct privileges, you know, for that take a role and responsibilities. Again, you know, as we move and migrate all of our data tools that the public-Cloud. The big challenge there is about making sure the right people have access. So a unified voice does get compromised. You know, we’ve got the appropriate security measures in place to identify who the user is, to take the threats as early as possible and minimise the amount of vulnerabilities we have, so using things like VPN to secure traffic between the endpoint and where it’s going.

DAVID TAYLOR [00:10:45] So you’ve mentioned that VPNs are really important for employees to be logged on to. But do VPNs give employees complete protection from cyberattacks, or are they more secure in general?

ANDY YEATES [00:10:58] I’ll take this one to begin with. So it protects it, part of the story, right? So it encrypts traffic between one point and another. Right. So this would stop attacks such as man-in-the-middle attacks, and for years, what’s the recommendation for people that may not necessarily be security aware is that actually, for example, in a cafe or coffee shop on public Wi-Fi, we need to secure the traffic. So if somebody tries to listen in to a network... again, as people start to work from home, there’s also the risk that people might start going to other areas where they might have, for example, better Internet connections. People at home may not necessarily have great bandwidth on their home broadband. So that could be due to sharing with other people. You know, we need to secure the traffic between, you know, the endpoint and what it’s connecting to. But that doesn’t mean that we are fully protected. The endpoint is still vulnerable to a lot of different cybersecurity attacks. And first and foremost, you know, it’s the end-user we need to secure the most. Right. Being able to make sure that they are aware and educated around different types of attacks that these threat actors isn’t going to play on it. A great example is things like phishing attacks. Right. You click on a link, it’s gonna download malware. And actually, you know, VPN is great, but we need to apply VPNs in the correct way as well, because if we apply them or configure them wrongly, we can actually bypass some of our additional security controls. So we need to make sure that whatever we are building into our security posture works with what else we’ve also got to point for security you know against security software. Josh, I’ll hand over to you.

JOSH READ [00:12:45] I think you touched brilliantly on what I call a functional VPN vs a secure VPN. And there are two characteristic differences between those two. A functional VPN is your VPN that your users will use to access the likes of your file shares that are hosted internally, stuff that isn’t in the Cloud, stuff that isn’t in any DMZ, stuff that is in your internal network that you would usually access by connecting to your office network. Now, connecting to that doesn’t necessarily provide you with any more security. The only security that provides is it tunnels your traffic from your house to your organisation. Now, if you add in any security in your organisation, either via the same proxy endpoint protection, antivirus, you know, you name it. I think in the security related, then you aren’t necessarily adding security to that traffic. All you’re doing is making it slower because you’re doing it through your organisation, in and out of your organisation. If you have a secure VPN, as in like a security related VPN, and you’re adding a proxy in any traffic that comes from endpoints through into your organisation, let’s say I had a Trojan on my laptop and I was VPNed into the organisation. It could be that the proxy that we have internally would stop that communication to the C2 server that is situated in China, that’s pulling down a secondary malware. Now, if you’ve got a proxy stop and that and or if you’re not connected to VPN then that could talk straight out to the VPN. Straight out to the C2 server and download the secondary malware. Things like that. It’s understanding that yes, a VPN is a good idea and yes, it should be used, but it also needs to be understood at the same time. It needs to be understood that a VPN isn’t a be-all and end-all of security issues; it is a part, it is a jigsaw piece of a larger puzzle. 
And it’s understanding that, you know, yes, you should have a VPN, but alongside that you should have a proxy, you should have another, you know, all these other different security tools that will add to the security of that VPN.

DAVID TAYLOR [00:15:18] Thanks, guys. Well, I think you touched on it a little bit before there, Andy, about phishing. And, you know, it plays a huge part in the life of cyber attacks and a lot of successful data breaches. And so how can organisations help employees stop being phished when they’re working from home?

ANDY YEATES [00:15:35] Yeah, that’s a great question, right? And, you know, I think this is an example where we can start looking at more of the psychology behind working remotely and people doing things differently such be for about being able to log into their personal email accounts. So, you know, obviously, as an organisation you have the ability to control or buy solutions that allow you to limit or search for phishing campaigns within your corporate email inbox, right. The solutions can support that. But the challenge of working remotely is, again, going back to that problem, that employees could, for example, start using their endpoint, that corporate laptop, or the device that they’re using could again be BYOD. And using it to log into two passive devices that may not necessarily be patched or secured correctly. In terms of preventing those types of attacks, again, from my perspective, I think it really comes back to due diligence around education. Making sure… Actually with what’s going on at the moment, everybody is very, very aware of exactly what the types of security attacks are going to be against them as an employee, right? They are, you know, part of a weak link in that. People will try to take advantage of that and use that because they use privilege accesses. And we need to just train them. We need to make sure that they’re aware of what a phishing campaign looks like and how to debunk it. Right. I think the other thing that’s also really important is it’s not necessarily just about preventing a phishing attack. Right. So we can do that as much, we can prevent as much as we can. But also detection and response is absolutely key. Right. Thinking again, from a system perspective, it’s only going to be as strong as its weakest link. So, again, we want to prevent and detect a threat. But when we do get a phishing campaign in an organisation, we need to think about how we respond effectively. 
So, yes, absolutely I do want to think discretion on how we stop it. But stopping is at multiple stages, stopping from initially outranking, but also stopping it from spreading further. So having an ability that the employee is working from home, they are aware how to escalate that into a security operations centre. It will make somebody aware that they may have received a phishing campaign email. Right. Because, again, working remotely, and I think, Josh, you touched on this beautifully, the behaviour is completely different when you work from home. You can’t just go to a colleague and say, can you look at this e-mail? Does that look wrong to you? Or, you know, popping down to your local I.T. department and things that. I’ve got this email. Is this right? Can I click on the link? I think this is from my colleague that doesn’t exist. Right. So how are they gonna escalate that to security operations? So organisations really need to give more thought process around how employees are going to engage. And again, that’s. Yeah. That there needs to be some serious talking about that. So, Josh, over to you if there’s anything you’d add to that.

JOSH READ [00:18:35] I think definitely phishing will always be a difficult problem for any IT team, or any organisation throughout the world, because essentially phishing is... it’s hard to detect. It’s hard to stop. It’s hard to educate against, and all three of those, which makes it so potent and both so effective. So to really stop employees from being phished, it’s combining those three elements. It’s making sure you have the technology to stop the phishing emails or help stop the emails, because you’re not 100% gonna solve them by just detecting them. It’s educating your users, and that is also understanding what access to all users how is the least privilege model, you know. Does this user have the right permissions to do that work? I’m not gonna give them any more than they need. It’s far too easy just to throw up an account so everyone, just because they need access to, I don’t know, a particular server just for one day, but it’s understanding the wider picture, is this user now has not been accounts that we need to provide them with more education. We need to provide them with more protection. And we also need to make sure that there’s mitigation in place so that almost all the repercussions of being phished are identified and remediated quicker or, you know, fixed quicker. So it’s not an easy question to answer and it’s not an easy one-solution-fixes-all. It’s, you know, it’s a lot of factors played into one thing which will help remediate the issue.

DAVID TAYLOR [00:20:25] I think that makes sense, given how successful phishing can be, that you do need quite a lot of, a lot of tactics to combat it. So going to you, Josh, you talked about a lot of your work involves around vulnerabilities and patching. So is it harder to patch boys when they’re working remotely?

JOSH READ [00:20:45] Yes. It goes back to the VPN. A lot of organisations will have a perfectly valid patching solution. They will have a perfectly functioning DMZ and Cloud solution. But, you know, the typical agent managed system that is, you know, being patched by a centralised management that’s on site, or whether you’ve got a group policy that tells the machines to automatically update or check through update. It’s all well and good doing that. But it’s the communication from the user’s home environment into the organisation to receive those commands and receive those update packages. That is the problem element with patching when we’re the ones working from home. It’s going to continue to be a problem element because it’s way, you know, the risks of putting a patch relay in your DMZ. It’s opening up, you know, a potential security risk. Anything in the DMZ is a security risk. Anything in the Cloud could potentially be a security risk if it’s not configured correctly. So it’s understanding both. How do I configure this correctly? But then also, what are the risks of me doing this versus the rewards of me doing this? Overstate patching is essential, especially at this moment in time. I think the volume of patches that are coming out since COVID-19 has happened, especially Microsoft patches. They’ve massively got over 100 patches a month and they haven’t come down and they seem to be gradually going open up. No, I don’t think security researchers as well. They seem to be much more focussed on homeworking stuff. Sort of like Zoom, Teams, Microsoft Office products full stop. Everything just seems to be targeted at the moment from a key research point of view. And they seem to be honed in and finding vulnerabilities left, right and centre in those platforms. So patching is no easy feat when people are working from home. A laborious task because uses one VPN in, but then to combat that you’ve got to make sure that your users really do VPN in. 
They’ve got to know it’s a human element that needs to be educated against; they need to understand the implications of not connecting to VPN. And it’s just best to be honest with your user bases: look, if you don’t VPN in, we can’t patch you, you’re not going to get your latest antivirus definitions. You’re not gonna, you know, receive X, Y, Z. So from my perspective, that’s how it needs to be approached. I don’t know if you have anything to add, Andy?

ANDY YEATES [00:23:37] I completely agree. I mean, yeah. Yeah, absolutely right. I mean, from a simple factor this is where VPN adds a huge amount of value. Right. It’s about replicating that employee essentially being within a corporate network. And we need that to patch. And let’s take a step back. Right. Forget about remote working. It was difficult to patch, full stop, right, before employees started working remotely. And we know that’s been a challenge. You know, when you think about the value of assets that organisations have and, you know, the job and responsibility to patch these devices, you said there, hundreds of patches across multiple thousands of devices every month. It’s a huge feat, full stop. So this is where VPNs, we need them as a bare minimum. Right. VPN needs to exist on these endpoints, on these machines that work remotely, in order to patch these devices. And we need to patch. Right. Full stop. It’s a big preventative measure on preventing these machines from being compromised. How we then do that and work for it. I mean, this is where you then need to start thinking about where we consider things like automation, how we can actually automate the patching process. Do we use solutions like Ansible, for example? Are there ways in which we can accelerate that patching process and take away some of the arduous task of doing that? That is the really big question going forward.

DAVID TAYLOR [00:25:05] So good points there, guys. So we talked a little bit earlier on about, you know, BYOD, bring your own device. And some organisations might actually have their employees working from their own personal devices. Do you have any opinions on that? Is it good? Is it bad? Are there workarounds with it?

ANDY YEATES [00:25:37] So BYOD, I get why organisations do it. It makes a lot of sense. I mean you’re essentially delegating the cost of an asset or a machine to an employee. The problem is you’re balancing something that has potentially very sensitive corporate data with employee data. Right. And there’s not meant for both sides, because if, for example, let’s say there is an infection on that machine and it’s going to be wiped, the employee is going to lose his personal data, right. It doesn’t just impact the organisation, it impacts the employees. And I think firstly, the employees aren’t aware of that. Right. The impacts, they’re also the same people that are not necessarily security-aware and understand that they could be creating a huge vulnerability. It’s not going to be patched. It’s not going to be security measured, may not necessarily have a VPN. If it does, it’s not going to necessarily be, you know, configured to be patched for the rest of the software. And that’s the risk of BYOD. Right. It does create huge controversy. And organisations need to weigh up financially: is it worth it? Right. Again, you got to think about your security controls and maybe a particular physical asset that needs to come into that conversation. If it costs you 20 million pounds to secure your environment. Right. But then in terms of actual liability, regulations and all the rest of it, it’s going to cost you, say, you know, an arbitrary 10 million pounds. The argument there is you’ve got to get that security cost down. Right. And I also get why organisations are looking at financial, because it is a contributing factor. Now, if organisations do want to go to BYOD, there are some things that they can do to minimise the impact. Firstly, having an appropriate MDM solution, something like Office 360, right. So you can apply all of your security controls, AV. It can be given all of the security policy. 
So it’s gonna, you know, pros and cons, yes, but it is now a security is a corporate asset. Right. That’s how it needs to be looked at. And it will be able to, for example, segregate each round so it knows what’s personal data and what’s corporate data. And that’s really the recommendation. Right. So personally, I would avoid BYOD, but if you’re going to use it, apply an MDM solution. Josh, if there’s anything you would add to that, too.

JOSH READ [00:27:53] Yeah, I completely agree with you. BYOD in my head is just a disaster. I think there is a place for bring your own device. It’s built infinite scenarios. So if that’s often occasion, a lot of people, you know, an organisation, maybe can’t warrant buying everyone a mobile device just so it can be their multifactor authenticator for the likes of your Office 365 environment or even your Windows log on. That is quite a substantial outlay for an organisation. Now that should have been assessed when you weigh up the options for multifactor authentication. Now, it would have been cheaper to buy hardware, as in the hardware tokens that have numbers on, or even like RFID tags, or even using fingerprint, so then it’s physical to your end user. Now, when it comes to bring your own device, you’re technically opening a whole Pandora’s box of issues. You have no control over that user’s own device. You have no control of what’s on that end user’s device. You can’t. It gets complicated if, I say, having my own device, I’ve been looking at inappropriate stuff on the Internet. And I connect to the VPN and that’s proxied through. And then the security team pick up that I’ve been looking, you know, then it starts getting complicated. If I have inappropriate stuff on my laptop and then it’s picked up by antivirus, or even if I have trojans or ransomware. And then that then communicates across the VPN and starts spreading sideways throughout the organisation. I look at it on a scenario-based situation and I think through my head every single time someone mentions bring your own device. I think of all the scenarios that could happen based off of bring your own device and trust me, I’ve seen these scenarios happen before in other organisations and other roles. And it is not a pleasant scenario to be in. It is not a pleasant scenario to be in from an end-user point of view as well. So it’s not, I wouldn’t advise bring your own device. 
I think that the risks that are associated with BYOD are too great for the reward of what, you know, your organisation or you are going to receive. I think it’s put it into context. Multifactor authentication. Yeah, it’s practically headless. And it doesn’t have a lot of requirements on the end-user’s actual device, you know, it’s not invasive. It’s not gonna take a lot of information from that device. So it’s relatively risk-free, but as soon as you start going into accessing, you know, likes of your e-mails or opening documents on your phone or even using a device to actually work on, it opens up a minefield of issues. So it’s, yeah, it’s something that should be thought through very, very carefully.

DAVID TAYLOR [00:31:24] Yeah, yeah. No worries. It sounds like that could open up a lot of trouble for some people. Yeah. Thanks for that, guys. So when we’re talking about, when we think about securing our remote working environment, we always think about hacking, cyber threats, phishing and whatnot. But are there ever any other security threats to them that are not specifically cyber or digital?

JOSH READ [00:31:47] Tons. Where do I start? I mean, I think the main one for me is physical security. You know, you think of your office environment, it’s often locked with either a door code or you have an RFID tag or even fingerprint scanners; it will have maybe an onsite security team. Your server room will be locked with a code, hopefully, and a lock or key. And there’ll be numerous other physical measures. Now, those types of measures, I’m guessing, won’t be present in your average UK home. You’d maybe have locking windows and a locking front door or back door. And that’s the only physical measure that you have. Now in terms of the physical, that was just one element of, you know, the security risks of working in a remote working environment. But, you know, there’s all the things such as, you know, shoulder surfing and elements of sort of USB baiting, other cyber-attack methods that you’ve become more potent from if you’re working, like you mentioned before, working in a cafe. It’s far too often people will literally surf on your shoulder and look at your screen and see what you are on. And there is also the hype of everyone taking pictures of their remote working environments and putting it on social media; that’s a big no, no, don’t do that. You can essentially zoom in and reconstruct pixel by pixel and see, you know, look at IP addresses, anything that’s an intellectual property on the computer screen. People were aware of what they were actually taking pictures of. Especially on their monitors, you know, the quality of the displays nowadays is really, really, really high quality. So you can almost zoom in to the individual pixel and see what colour it is and then rebuild it. And this is things that people might not think are security risks when they’re doing them. But then. Putting it into context in the South Security’s is mindset is how valuable is this to a cyber attacker? 
It completely changes everything and it’s something I personally do, is what I’m thinking. You know, what value would this be to a cyber attacker? It completely changes every single situation I find myself in.

DAVID TAYLOR [00:34:31] Andy, you got anything to add to that?

ANDY YEATES [00:34:34] Yeah, I mean, again, absolutely I agree, physical security I think is the biggest concern for me working from home. Right. You think about our traditional security perimeter in an organisation. We’ve got security guards. We’ve got, we’ve had in some instances, dogs in here, like code locks and RFID tags every time you go into a different area. It’s really extensive. And you get home and you got one door to break into, and obviously an unencrypted hard drive. It’s like an incredibly low is all organisation’s security measure massively. And then beyond just the physical side of security as well, you’ve also got things like there are ways in which we are connecting to our Internet currently. Right. Now, as an individual in control of. Right. So our routers. When was the last time we patched our routers? Like honestly, I can put my hand up there. Probably did mine a couple of years ago. And I know I need to do more often than not. But, you know, we have to think about the vulnerabilities we have in our own household. You know, is our router currently patched? You know. What other security appliances do we have running on the same network? Again, coming back to Joshua’s point about VPNs. Again, we’re not encrypting that traffic? Doesn’t matter if we’re home or not. We just need all of girlfriends, boyfriends, husbands, wives, children’s machines to be compromised. And they “might be able to then attack is never” across the network. They might have compromised the router. And then you’ve got all of your traffic being watched. It doesn’t really matter at that point. So, yeah, I just think, you know, working from home definitely has its own series of challenges that I think we are still unravelling exactly what the impact of that is going to be to organisations.

DAVID TAYLOR [00:36:22] There are some great valid points there. So I think just to close this session out today, can I have both of you give us your top tips for people looking to secure their remote work environment?

ANDY YEATES [00:36:39] That’s right. So I think a system is only as strong as its weakest link. Right. So I think you really need to think about working from home remotely. What do we need to protect from the employees, right? Do, first and foremost, risk analysis that is specific to the organisation. What types of threats do you face? How do we want to secure those right workers? Well, absolutely we need VPN, right. No question about it. All organisations should be implementing VPN. If you’re gonna do BYOD you need to think about a MaaS360 with some kind of MDM solution that is gonna protect those devices. All those preventative solutions that, you know, your AVs, your files, but make sure that you review how you’ve configured your environment, right. So make sure that it works with employees working from home. So, for example, with you kept VPN or you’re using a proxy, that encrypted data is still going to be seen by your firewalls. It’s not going to be encrypted. It’s not gonna bypass any of those security controls. Finally, you know, that complete security portfolio. Right. So it’s about prevention, detection. And then when we do have a security incident, let’s say an employee does fall victim to a phishing attack, you know. And again, education is the key thing. How do we respond to that cybersecurity threat? Have a process in place. And think about how you’re gonna adjust your process to allow for people working remotely. Because that’s gonna have a distinct change to how you respond to these cyber incidents as well. That’s my advice anyway. Over to you, Joshua.

JOSH READ [00:38:18] Yeah, 100%. I mean, the weakest link in my mind is the end-user. And it has always been the end-user systems, whether it’s the end-user configuring the systems, whether it’s the end-user accessing the systems, whether it’s the end-user using the systems. It’s always the user. These systems are designed to work and it’s up to the user to make sure that they are secure. So in my mind it’s making sure that your network perimeter is both patched, not vulnerable and set up correctly in the way that it’s meant to be set up. And then, it’s understanding, you know, are my users connected to VPN? Have I got anything that can help them connect to VPN and make it more enticing to connect to VPN? There’s a lot of human best aspects measured in that. Then it’s understanding that users are educated against the likes of phishing, social engineering, physical security risks, then, you know, the likes of phishing campaigns that are going out, and keeping everyone in the loop. That’s one thing organisations are really better is keeping their employees in the loop and making sure they’re aware of what is happening in the organisation cybersecurity wise is often such huge damage, the locks behind doors in the back of the server room. No one knows what they look like, they just do that thing. It shouldn’t be like that, it should be open, you know. Relationship between all I.T. teams and the cyber security team and almost all users in the same team so they understand, now they see a human face on the end of cybersecurity. So there are countless things that we can do to make sure that you are almost protecting your workforce from home. But for me, VPN, perimeters, set up and configured correctly, and making sure that you are monitoring and tracking what is happening on your network, both home and in your organisation.

DAVID TAYLOR [00:40:38] Some great advice from you both there. And unfortunately that’s all we’ve got time for today. So I’d like to thank you both for coming on and giving some great tips where everyone who, I mean, the majority of the world’s probably working from home at the moment, they’re gonna be invaluable to them. So thanks for coming on, guys. And to everyone else, thanks for watching Security Panel, brought to you by Celerity. We’ll catch you next time for some more cybersecurity discussions.