Daniel Hurel, Westcon-Comstor: “sophisticated phishing and social engineering attacks are on the horizon”

The growth of technology and the acceleration of digital transformation have raised new security concerns.

Fraudsters are focusing their efforts on unwary users, implementing increasingly sophisticated scamming techniques to perform malicious online acts. At the enterprise level, threat actors are taking advantage of the changing work environment to attack companies. Luckily, companies have been architecting ways to enable a secure path to digital transformation and help organizations unlock recurring revenue in a cloud-first world.

To dissect the cyberattacks that are on the horizon and solutions that the cybersecurity landscape offers, we spoke to Daniel Hurel, the Vice President of cybersecurity and Next Generation Solutions at Westcon-Comstor, a global technology distributor.

How has the company evolved over the years? What were the major milestones for Westcon-Comstor?

The truth is – the world has been overwhelmed with years of disruption – from Brexit through to Covid. Because of this, the business has built a strong foundation of resilience, meaning that when the pandemic hit, we were already prepared. We had 90% of our 3100 staff members fully and securely working from home within 48 hours of the lockdown being announced, with all logistics centers remaining open and operational.

This resilience also meant that our global revenues increased by 4.6% to $2.6 billion – with the UK market contributing $511 million.

Unlike the other broadline distributors, we’ve grown into a specialist meaning that we only work with best-in-class vendors where we’ve got the people and resources to support them. In addition to the impressive growth these vendors are experiencing, thanks to the Westcon-Comstor partnership, we’ve received 11 vendor awards this year, including Distributor of the Year for Mitel, Palo Alto, Check Point, and Cisco. On top of expanding our relationships with our current vendors, we’ve also added 15 exciting new vendors including AttackIQ, CrowdStrike, Claroty, Menlo Security, NoName Security, Pure Storage, Infoblox, Ruckus, and Zscaler to the roster this year.

Over the last year, we’ve had significant success in the security marketplace by attracting and retaining a record number of UK security VARs/SIs/MSPs compared to any previous year. We’ve increased our Palo Alto Networks market share and have become the fastest-growing Cisco Security distributor with a 45% market share, which accounts for a growth of 14%.

Can you introduce us to what you do? What are the main challenges you help navigate?

I am the Vice President of cybersecurity and Next Generation Solutions at Westcon-Comstor. Westcon Next Generation Solutions (NGS) provides the channel with the solutions to enable a secure path to digital transformation and help partners unlock recurring revenue in a cloud-first world.

My role includes unlocking new security opportunities for our partners and identifying areas of the security market which are set to grow and create the most value for the industry.

Have you noticed any new threats arise as a result of the pandemic?

The pandemic forced organizations and individuals to embrace new practices, such as social distancing and remote working. As a result, this generated a renewed focus on cloud acceleration and a shift to greater workplace flexibility. With these changes, significant security challenges came along.

In 2020, home networks and devices became an attractive attack vector as workers stayed at home. More devices and more access to public networks (not just at home but in cafés and on public transport) meant a larger attack surface for bad actors. This led to an increase in phishing attacks and device exploitation through public wifi. With workers at an increased risk, many businesses opted to implement Zero Trust Access (ZTA) models for the first time.

Zero Trust Network Access can be defined as “never trust, always verify” access to the internet, data, and applications, with verification applied to people, devices, traffic, and interfaces before access is granted. Even as the hybrid work model brings employees back into the office, businesses will be looking to expand this further as they invite potentially compromised devices into their network.

Even though there are so many security options and providers out there, why do you think certain companies and private users still hesitate to upgrade their security?

A big part of this issue is an over-reliance on MSPs (Managed Service Providers). Many businesses rely entirely on MSPs and MSSPs to keep their IT infrastructure secure. While these service providers do indeed have a big role to play, they are not fully responsible for the security of every business.

Putting the entire responsibility on MSPs’ shoulders could lead to companies becoming complacent. However, every business needs to make sure they understand the responsibility that they have to protect their cybersecurity posture themselves.

In addition, any business that hasn’t been breached before can feel invincible with minimal security protection. And because they’ve not been breached, they feel the investment in additional resources might not be necessary. In a time when budgets are tight and companies struggle to expand, it’s especially difficult for the business owner to justify putting additional resources into security if they can’t see the ROI. It’s unfortunate as this attitude means the organization’s days are numbered, as they’re leaving themselves open for attack.

What would you consider the main challenges new business owners face today?

A major challenge for businesses will be understanding the cybersecurity landscape and what threats they’re under. While some businesses might be able to hire more specialist security staff, the current talent shortage is making this increasingly difficult. As a result, many companies are unaware of safely managing their security environment, ultimately leaving them open to a breach.

The good thing is the opportunities for MSPs and MSSPs have been growing. Large enterprises which are unable to get specialists who understand future cybersecurity threats, will be looking to the MSP community to act as a consultant, giving them the opportunity to explore new security solutions and embed themselves better in their partners’ businesses.

As work from home becomes the new normal, what do you think are the worst cybersecurity habits that can put not only an organization’s workforce but also its customers at risk?

In addition to being unconcerned about cybersecurity, which I’ve already talked about, there are several bad cybersecurity habits that employers and employees are taking back into the workplace. Here are some of them:

• Poor password hygiene. While there have been some innovations in credentials such as 2-FA and biometrics, single-use passwords still represent the most popular access token for people to use. The number of new collaboration tools and platforms that have been made available has given threat actors a gold mine of new vectors where they can steal user credentials.
• Sharing personal details over instant messaging. Credential sharing is another nasty habit users have picked up over the pandemic. The rise in new tools and particularly the use of instant messaging collaboration tools has unintentionally given workers a false sense of security when sharing credentials. All a threat actor needs to do on a compromised device or account is search for “password” or “username” and they’ve instantly been given access to an even larger dataset.
• Insufficient email protection. Many businesses forget the importance of good email security and instead rely on their provider’s built-in protections. While basic email protection will filter out the most dangerous phishing attempts, other more sophisticated malware phishing attempts backed by intelligent social engineers can still make their way into an employee’s inbox. Businesses must deploy comprehensive email security solutions, like malware scanning, and anti-spam.

In your opinion, what kind of threats can we expect to see more of in the next few years? What actions can individuals take to protect themselves?

More sophisticated phishing and social engineering attacks are definitely on the horizon. The biggest security threat in any business is its people. Everyone represents an entry point and human error is the most direct and cost-effective route for hackers and it’s the one that’s most targeted.

The first port of call for combatting this kind of threat should be the implementation of more endpoint security protection tools, such as multi-factor authentication. This not only acts as an initial buffer against bad actors but also provides a robust shield against ransomware and supply chain attacks. We’re seeing this happen more and more, as businesses come out of the pandemic, and start to adopt these practices as part of their ZTA architecture. However, like in any arms race, this will result in more sophisticated phishing and social engineering attacks moving forwards.

Therefore, businesses should start having open conversations with their staff about cyber resilience and cyber education. Every individual that knows and understands how to protect themselves is another endpoint protected.

What do you think the future of business technology will look like?

The acceleration of digital transformation and cloud adoption has created a bigger appetite for 5G adoption and represents a huge opportunity for the industry. Faster speeds and better connections mean that businesses will be able to manage more devices and make better business decisions based on richer, more abundant data.

On the flip side, from a cybersecurity perspective, businesses’ eagerness to take on a relatively immature technology could put them at risk as many will be ill-equipped to handle the security requirements of 5G. This would make the early adopters of 5G the perfect target for bad actors testing new vulnerabilities and exploits. SIM-jacking is one avenue that we expect hackers to take advantage of. Mobile devices are going to be expanded for use as authentication tools and hijacked SIM cards can give bad actors all they need to get into a business email account as the hardware is regarded as “trusted.”

Although many are excited about monetizing this next generation of technology, its security must remain a priority. 5G security will be a new and exciting area that will certainly grow as we learn more.

And finally, what’s next for Westcon-Comstor?

The focus over the next year will be our increased expansion into the cybersecurity marketplace so that we can offer our partners the best cybersecurity solutions to combat modern threats.

My aim is to position Westcon-Comstor as a true cybersecurity solutions and services aggregator enabling partners at every stage of the sales cycle via a single digital platform. To do this, we’ll be improving our sales process and developing a frictionless sales model to accelerate end-to-end integration with vendors. Our company mantra is built on partner success, meaning when our partners succeed – we succeed. Improving the integration experience, making it more seamless, and improving access to best-in-class solutions helps everyone.