An Interview with Karan Khosla, Co-Founder and Chief Offensive Officer at Privasec
November 30, 2018
We sat with Karan Khosla, co-founder and chief offensive officer at Privasec, who shared his personal experiences and thoughts on hacking. He also passed on some useful cybersecurity tips for both businesses and individuals.
Experiences and thoughts on hacking
Karan has been in the information technology industry for about 14 years. Who would have imagined that an IT professional like him would also have had the experience of being hacked? “I sent someone money through Western Union. Whilst it wasn’t a very sophisticated hack, it got me interested in security and that’s how I got hooked,” said Karan, who subsequently went into the profession and later moved into the strategy, risk and compliance side of security. When asked what it was like being hacked, from both the user and the business perspective, Karan described it as feeling “violated”. He told us how it triggered questions about why businesses did not protect themselves properly so that consumers would not be phished and have their accounts hacked. Basically, the whole idea that “you don’t want to have robbers breaking in, to learn the importance of locking the door”.
As businesses today face the pressure of protecting privacy and preventing data leakage, Karan felt that naming and shaming companies whose security is breached through hacking attempts has a negative impact and harms reputations, especially those of small and medium-sized enterprises, which would face immense difficulty recovering from such reputational damage. “When smaller organisations go through such breaches of getting hacked, they will never come back, because they have a handful of big customers they rely on. If you lose the data of these big customers and you tell them that you’ve lost their data, chances are they will switch, if there is an alternative.”
When asked about his experience working in a red team, Karan described the fears and tough situations red teamers can face during ethical hacking operations: “If you are claustrophobic or you are nervous, it’s probably not going to be an enjoyable experience for you. In addition to the risk of being caught, there were times when we locked ourselves in and couldn’t get out!”
Helping companies prepare themselves for security breaches
In his talk to cybersecurity professionals in Singapore last month, Karan advocated the need for companies to be prepared for security incidents. With the end goal of assuring customers and stakeholders, it is important for companies to get into incident response war rooms, walk through an incident and do their due diligence so that they are prepared for security breaches.
Karan sharing his surprising discoveries from actual Red Team attacks with our audience at the ‘Incognito War Stories’ event, held earlier this month.
“Preparation is key, you have to be prepared. Some people are doing this and there is a level of awareness now. People know that they will be hacked. It is not the question of if but when,” said Karan.
Breaking into businesses for good, discovering where the holes are and how to fix them before a hacker comes along, Privasec, with its Governance, Risk and Compliance (GRC) arm as part of its main brand and specialising in red teaming, helps businesses further improve their security posture by prioritising effort and capital to fix the real risks and building practical, cost-effective roadmaps.
Cybersecurity advice for individuals
Karan reminded us of the importance of being aware of potential threats and protecting ourselves against them. He advised everyone to keep systems up to date, adopt strong passwords and not re-use them. “The idea is not to have complex passwords and never be able to remember. Choosing a complex password and writing it down in a text file is not practical,” advised Karan. He recommended using passphrases, which are sentences, phrases or random words put together to make an easy-to-remember but hard-to-guess password. This strengthens a password far more than inserting special characters does. In addition, users should use one password per Internet site and consider using password vaults and password safes to help with recalling passwords – remembering just one password for the safe gives access to the many passwords for the various Internet sites.
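The two pieces of advice above, random-word passphrases and one password per site, can be made concrete with a little arithmetic and a small check. The script below is an added example, not code from the interview or from Privasec: it generates a passphrase from a constructed sample wordlist using the operating system's CSPRNG, compares the entropy of a five-word passphrase drawn from a 7776-word list against an eight-character password drawn from 95 printable ASCII symbols, and scans a constructed set of vault entries for passwords shared between sites. The wordlist, the vault contents and the list sizes are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample wordlist for this example only. A real generator should
# draw from a large published list of several thousand words; the size of the
# list is what drives the entropy of the resulting passphrase.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def generate_passphrase(wordlist, n_words=5, separator="-"):
    """Join n_words chosen uniformly at random from wordlist.

    secrets.choice reads from the OS CSPRNG, so the choice is unpredictable;
    random.choice would not be suitable for generating credentials.
    """
    if len(set(wordlist)) < 2:
        raise ValueError("wordlist must contain at least two distinct words")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of a random passphrase: each word adds log2(wordlist_size) bits.

    This assumes the words are picked independently and uniformly at random.
    A sentence the user composes to be memorable carries fewer bits, because
    the words are no longer independent of each other.
    """
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(alphabet_size, length):
    """Entropy of a random character password over alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(credentials):
    """Return {password: [sites...]} for each password stored for more than one site.

    credentials maps a site name to the password stored for it, as a vault would.
    A vault that can run this check is how users keep to one password per site.
    """
    by_password = {}
    for site, password in credentials.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Five random words from a 7776-word list versus eight random printable
    # ASCII characters: the passphrase is both easier to remember and stronger.
    print("5 words / 7776-word list:", round(passphrase_entropy_bits(7776, 5), 1), "bits")
    print("8 chars / 95-symbol set :", round(password_entropy_bits(95, 8), 1), "bits")
    print("example passphrase      :", generate_passphrase(SAMPLE_WORDLIST))

    # Constructed vault contents: two sites share a password, which the check flags.
    sample_vault = {
        "mail.example": "Summer2018!",
        "shop.example": "Summer2018!",
        "bank.example": "orbit-basil-dune-harbor-ember",
    }
    print("reused across sites:", find_reused_passwords(sample_vault))
```

Run it with `python3 passphrase_check.py` (any filename will do). The entropy figures make the point in the text precise: the five-word passphrase comes out near 65 bits while the eight-character symbol-laden password is around 53 bits, and each additional random word adds almost 13 bits, which no sprinkling of punctuation on a short password matches.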
ICE71’s SCALE programme
Karan is excited about Privasec being part of ICE71 Scale. It allows the startup to be part of the conducive entrepreneurial environment here in Singapore, which enjoys strong government support in the nurturing of start-ups. He further commented that, with more regulations being put in place and more people recognising that testing is no longer an option but a need, the Singapore cybersecurity industry will mature quickly over time.
Privasec is an independent security, governance, risk and compliance consulting firm. Privasec is driven by business outcomes, bridging the gap between the technical and business worlds to create meaningful business cases and enhance decision making. Over the last decade, it has delivered a broad range of engagements across various industry sectors within Australia, particularly Government, Financial Services, Retail, IT, Health, Entertainment and Not-For-Profit. Privasec consultants have worked with leading consultancies in senior roles. They apply industry knowledge and relationships to help their clients navigate the governance, security and compliance landscape and achieve the required outcome.