What help is available for small organisations to counter cyber threats?
In this episode Michala Liavaag and Chris White explore several aspects of cybersecurity for small and medium organisations. Chris White is a detective inspector, working in the South East Regional Organised Crime Unit as a Police Cyber Security Advisor and Prevent Sergeant.
More recently, Chris joined the Cyber Resilience Centre for the South East as Head of Cyber and Innovation. This is part of the National Police Chiefs' Council National Cybercrime Programme: a not-for-profit police, private and academic partnership tackling cybercrime by providing a solution to help charities, businesses, SMEs and micro businesses to protect themselves in this digital age.
👉 Cited in this episode:
Cyber Resilience Centre for the South East - https://bit.ly/Cybility2SECRC
UK Safer Internet Centre - https://bit.ly/Cybility2SaferInternet
EU Better Internet for Kids - https://bit.ly/Cybility2BIKportal
Internet safety for children - https://bit.ly/Cybility2SafeguardingChildren
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
00:00:00:11 - 00:00:19:17
Cybility Savvy, the quickest way to go from cyber confused to cyber savvy.
Hello, I'm your host Michala Liavaag. Our guest today is Chris White, who's a police detective inspector. It's really great to have you with us today, so thank you for joining.
00:00:20:00 - 00:00:20:17
No problem. Hi Michala, how are you?
00:00:21:12 - 00:00:22:15
I'm good, thank you.
00:00:23:02 - 00:00:53:02
I left college and started a career in computing with a multinational technology company. I then joined the police in the mid 90s, with experience in various departments focusing on technological roles, always looking for solutions and keeping up with technology. I joined the South East Regional Organised Crime Unit as a Police Cyber Security Advisor and Prevent Sergeant. The work contributed to delivering the national cyber security strategy, where I worked within the private sector raising awareness of cyber security, coaching and encouraging positive behaviour and change within organisations.
I also assisted during cyber incidents, and also managed the offenders responsible for those incidents. But more recently I've joined the Cyber Resilience Centre for the South East as Head of Cyber and Innovation, which is part of the National Police Chiefs' Council and the National Cybercrime Programme, which is a not-for-profit police, private and academic partnership tackling cyber crime. We're providing solutions to help charities, businesses, small and medium enterprises and micro businesses to protect themselves in this digital age.
00:01:20:20 - 00:01:30:17
Okay, that's great. Thank you very much Chris for introducing the audience to you, for those who haven't come across you already. I'm really curious: did you actually always want to be in the police force?
00:01:30:21 - 00:01:52:04
Well, I went to college like most people, and then I had a few jobs after leaving college. One of those involved working in a big computer company, where I think I got the bug a little bit. But parents are role models, aren't they, so they said you need to go out and get a proper job. I looked at the police force at the time, I had a few friends that were looking at it as well, and I applied and was successful, joined up, and the rest is history I guess.
00:01:59:08 - 00:02:14:10
Right. Okay. Thinking about, you know, the lessons that you've learned in that journey, because you must have seen a range of stuff in your career: did you really get involved on the forensic side as well, or more the sort of investigation side?
00:02:14:13 - 00:02:37:17
So when you join the police you learn your trade for the first two years, and it is forever learning because you just come across new things every day. But I took a few exams and a few courses which enabled me to deliver short-term problem solving, which is generally: phone 999 and people come along and solve the short-term problem that's there in front of you. Then if you get repeat occurrences it becomes a long-term problem that also needs a different team to solve it, which could be anything from kids congregating underneath street lights on the street corners, for instance, or sitting on park benches. You could amend when the lights come on and off, you can remove the park bench. Some of the greatest examples I've seen: maybe on a Friday night where people congregate in a certain area and it could be a hot spot for some violence, and then the local council jointly has turned that waiting area into cobbled stones. Basic things like that: people don't like to stand on cobbled stones, so you've designed out the crime. If people come out of pubs shouting and annoying local neighbours, certain pubs and police forces have given free lollipops. It normalises the sugar levels, and when you've got something in your mouth you tend not to shout. It's those basic solutions which I always annotate straight over to cyber, where you talk about firewalls and ports and technical things like that and you lose quite a lot of your audience. But if you relate it to conventional issues that we're all comfortable with, like fire and floods and fights for instance, people get it. It's quite interesting.
00:03:50:19 - 00:03:59:19
Yeah. And of course, the analogy that most people would think about is burglaries, in terms of people going down the street and locking the door.
00:03:59:23 - 00:04:17:21
When I was young and out on patrol, the sergeant used to send us out at night time and we'd be looking for vulnerabilities, weaknesses in housing estates: whether it's a car with a window left open or the car door's not locked, or on a hot summer's night people generally leave the upstairs windows open but their ground-floor windows they'd close, for obvious reasons. Where we'd find those weaknesses or vulnerabilities we would make efforts to notify them so people can make themselves safe again. Compare it to the online world: it's vulnerability assessments or pen testing, where they will look at ports that you might have accidentally left open, or you're eager to open up the router, plug it into the internet and get going, and you've maybe not configured it or set it up correctly so the port is open. "Open or closed" in the technical world, a port; in the conventional world, it's a front door. It has a purpose, doesn't it: you walk in and out of the front door, you close it when you don't need it. The upstairs window in the bathroom, the purpose of that is ventilation; you open it when you need it, you close it when you don't need it. So you may have ports on your routers which you need for specific purposes, and it's not a massive technical issue, is it, where we want to talk securely online and maybe the kids want to play on the Xbox and they need a certain port open. But if you don't have kids, don't have that port open; if you're not using the Xbox, don't open it. Sometimes these things are set up when they're delivered and we don't always have the confidence to understand what's going on inside that little box which we think is complicated. So everything's comparable to conventional issues, I think.
00:05:33:20 - 00:06:05:06
Yeah, no, I completely agree with you. The only thing I would say is that even if you don't have kids you might still be playing on that Xbox, as a lifelong gamer myself. Me and my husband, right, so yeah, we're all over that. So I'm also interested about that transition, where you see, you know, the criminals moving from the real world onto online, and then necessitating the setup of the regional organised crime units. Could you perhaps just tell us a little bit about your experience with that?
00:06:05:10 - 00:06:27:05
So yeah, as I joined there was the traditional conventional crime: there's always going to be shoplifting, there's always going to be car crashes, there's always going to be people going missing. But crime trends change over time, and what we've seen is that fraud grew because people found it easy to misrepresent things or deceive someone into generally getting their money. And then computers came about. When did it first start? You'd get junk mail through your letterbox, didn't you, trying to sell you pyramid selling or trying to say things that are probably too good to be true, and it's a manual process, isn't it, putting a letter into the post box and then putting a stamp on it. Emails turned up, then you could start sending scams by volume. We all relate to those phishing emails and we get spammed a lot; there's I think 165 million phishing emails going around the world every day, so the expectation is that the firewalls are definitely working really hard, but you are going to receive some. You are going to receive a percentage of phishing emails and you just need to know what to do with it. So criminals have found that to be a very easy method to scam people and businesses, organisations, out of money. They don't know the difference right from the beginning whether or not you're a cash-rich business, or whether or not you're a small one-man band or a charity or a school or a hospital. They are just scanning everything to see what the weakness is, what the insecurity is, and then they take their next phase. This is the reconnaissance stage, isn't it: looking out there to see who's weak, who's vulnerable, and then we'll see what we do next.
00:07:44:15 - 00:08:15:13
Yeah, I was actually just watching on the news last night. They did a piece on the increasing scams of people setting up duplicate charity sites to help, you know, victims in Ukraine, so diverting those funds. They had something from Save the Children on, and I know that was something that when I used to work in the charity sector we were always very mindful about, you know, people potentially posing as the charity and siphoning those funds off.
Is that something that you've worked with on your side?
00:08:17:22 - 00:08:46:11
Yeah, I got asked that question yesterday. I spoke to a charity and they said, well, why would a criminal come after me? I'm a charity, surely they've got a heart of gold? They don't know you're a charity at that early stage, and that is if you're actually dealing with a human offender, because we have these things called botnets, which are just automated programs that are deployed. Probably the person that has deployed it is having a sleep, it's their turn to sleep, but the botnets can just do their devious stuff automatically and continuously, and they don't know who you are. They will just attack where they find that weakness or vulnerability. So to say "surely people know I'm a charity" or "I know I've got no money, why are they going to attack me?": there might not actually be a person on the end of that, it could be an automated machine doing it.
00:09:05:21 - 00:09:36:06
I think the other thing though, particularly in the charity sector, is we tend to trust and believe that everyone's in it, you know, doing the right thing. But one of the things that I was always concerned about was that volunteering in a charity is a wonderful way to gain access to things that you wouldn't otherwise, and, you know, that sort of insider threat piece I think is something that charities don't really like to think about. And other organisations actually, too.
00:09:38:19 - 00:10:01:01
It is a very good point. I mean, you mentioned the insider threat: you could have the malicious insider, where someone's wanted to apply for that job to get into that organisation to do something. You get the accidental insider: they've got a heart of gold, they're doing the right thing, but then they press buttons and they don't realise. And then you've got the untrained insider that hasn't been told what, I guess, your local rules are, and certainly some businesses don't have a training department and therefore they can't facilitate or provide that provision. But I guess you go back to the Information Commissioner's Office, because they're seeing quite a few of these incidents and they're coming up with the best practice, which is a massively good thing to do. They've set a precedent that any new employee that turns up at an organisation should get training within one month of being there, so they should understand what you can do, what you can't do, what company policies are, and it should be backed up with an annual refresher programme. I know a lot of organisations don't realise that, but it makes common sense, doesn't it, because I remember every new building or new organisation I went to, you always got told who the first aiders were, where the first aid box is, where the fire alarm panels are, what to do, where the evacuation point is. But cyber security, we've not got into that comfort zone yet.
00:10:51:18 - 00:11:12:02
No, it's interesting that you say that as well, because I was just writing a bit yesterday on the analogy between, you know, fire drills and cyber security response exercising. Again, you know, people are kind of like, well, why do you need to do this? But it's about building in that sort of capability and that practised response. I'm guessing this is something again that you've got experience with?
00:11:17:06 - 00:11:39:11
Yes, so health and safety, first aid. A decade ago it was the red fire extinguisher, wasn't it, in the corner of the room. They were the right thing to do to prevent your building from burning down; some people did it, some people didn't do it. Then the government mandated it, made legislation, and now fire safety, fire drills, fire alarm panels, fire extinguishers, they're everywhere. And then we've moved on to first aid, where you have a significant number of people in an organisation that are first-aid-at-work trained. I'm sure cyber, it will be coming. I know there's been chat about it from the insurance sector in the last couple of months, where a lot of companies have gone for insurance and the insurance expert basically said, you're too risky, I'm not even going to cover you unless you do this, this and this. But they said, I want insurance, I'm a paying customer. No, you're too much of a risk, you've not taken any of your strategy seriously. Yeah.
00:12:11:12 - 00:12:39:21
But that's again, I was looking at a thread on LinkedIn just yesterday about that topic, where in order to change behaviours of organisations it needs to be more painful to try and get insurance versus doing the right thing and investing in your cyber security. Because a lot of organisations are just like, yeah, you know, it's only going to cost x amount if something happens, we'll deal with it, and carry on taking those risks. So I think the insurance industry can really help make a difference here.
00:12:46:02 - 00:12:58:17
And you've got risk avoidance, risk transfer, and some people risk accept. So it's inevitable I'm going to get a cyber incident, so I'm going to put a couple of million pounds in a treasure chest to wait for that sort of payout.
00:12:59:11 - 00:13:27:09
But then I also meet a lot of businesses, a lot of directors, that want to do the right thing, so they pay for cyber security and they also train. So people, processes and technology: they look at the technology, they keep it up to date; they look at the process within their company and have a gap analysis and find out where we are and where we need to get to, whether or not it's a compliance issue, that there's a contract you need to bid for, whether it's a government contract and you need Cyber Essentials, or whether or not you're going to be a merchant and you need to comply with PCI DSS because Visa and Mastercard want you to. So many different legislative issues about doing the right thing, and then beyond all that you've got the trust and reputation of your organisation that you want to protect.
00:13:40:21 - 00:14:05:01
Yeah, absolutely. I think that's one of the most important things, certainly for the charity sector. I would be interested in your take on that from a private sector perspective, in terms of the organisations you're working with, because, you know, there's evidence that some organisations, once they have an initial hit on their share price, actually recover and come back stronger. What's your take on that?
00:14:08:18 - 00:14:36:00
Yeah, I've dealt with a couple of companies. So one company said, you know what, yes, my share prices are going to go down and the chief executive board are going to get a grilling from the shareholders, and they said we'll deal with that, because give it a couple of weeks and our share prices will bounce back. But then I've spoken to other companies where trust and reputation has been irreversibly damaged and the shareholders have dispensed with certain members of the board, because they said, well, you should be doing better. Cyber, it is just like any other threat, risk, vulnerability that most businesses see these days, and if I can't trust you to take that seriously then let's get someone else in your seat. So it's both ends of the spectrum.
00:14:52:05 - 00:15:10:23
Yeah. Yeah. And just thinking again about the fact that you're seeing that from board members, have you seen an increase in the awareness of their responsibility for cyber security risks?
00:15:10:23 - 00:15:37:18
Yes, I have. So we see different organisations across the world being involved in cyber incidents. There's big impact, but everybody is looking at the lessons learned and then comparing it to their own organisation. So certainly I keep an eye on some of the ICO enforcement action and the recommendation actions, and I do encourage some of the businesses to review them as well, because they're quite handy to compare to your own organisations. Some senior executives will have a cyber security policy, and we've got the boardroom toolkits which are there, which just raise the awareness. You've got charities, you've got schools, because schools are a business, aren't they, effectively: they get given a budget and they've got to spend that budget wisely, and if there is a cyber incident which is impacting on the students or the teachers they need to respond accordingly, like you would in any fire plan. I've seen good leaders, I've seen developing leaders and I've seen lots of good leaders; some come with strengths and weaknesses, and I think you need to have a team surrounding you. Cyber security is not a bolt-on anymore to just somebody's job; cyber security is a full-time academic occupation now, and to get it right you need someone in, whether or not it's outsourced or whether or not it's in-house on the payroll. But someone needs to be responsible for cyber security; it is now a proper accountable responsibility.
00:16:32:14 - 00:17:03:15
Do you think that we might start seeing, and this is a bit of a personal thing, but I feel really strongly that boards need somebody who is really championing sort of information assurance, cyber security, in the same way that you would often see non-executive director roles for a background in finance and corporate governance. I want to see people start asking for people with the security background.
I think in the past year I've only seen one of those. What's your take on that?
00:17:08:17 - 00:17:27:06
You're dead right, because if you've got someone that's come from a maths background then they're going to know the company's finances inside out, aren't they, and not a lot is going to get past them which is going to be wrong. They're going to make sure, it's the old saying, isn't it, all the i's are dotted and the t's are crossed, and they're going to be ship-shape, aren't they. That's just the way it is; we all have strengths and weaknesses. There could be some older directors of more mature businesses that started at that organisation at grassroots level and they've done a fantastic job and got promotion all the way through their career, and they're now leading that organisation. That which they were in charge of when they were on the shop floor is probably not the way the company is now, and there's a lot of devices that have now appeared to make life easier, like industrial control systems, operational technology, computers, emails. We don't really have too many calculators on office desks anymore because they're all embedded within Excel spreadsheets. So you're in charge of a company that's just changed massively, and you probably underestimate the reliance that your organisation has on computers; you don't understand how quickly they can be very disruptive and impactful. So to give, again, real-life examples: chatting to a multinational organisation that had a cyber incident in Australia. Now, if they don't respond and protect and isolate and contain their organisation efficiently (we always hear of this golden hour), I know that they had an incident in Australia, and because of the way their network's set up, if they didn't respond accordingly within four minutes London was going to be offline as well, because that's how quickly worms or cyber incidents can spread through corporate networks. Again, you know, I was like, well, that's not going to happen to me, is it, why me? It could be anyone that is connected to the internet.
00:18:52:17 - 00:19:18:11
Yeah, just as collateral damage as well. Okay, I've spoken about that in another episode. I just want to pick up on a couple of things you said there. You mentioned the reliance on people who know IT, and people thinking, oh, you know, it's IT's job. In my experience I've often found that IT can be the worst offenders on the cyber security side, and that there really is a difference; you can have those sort of conflicting objectives between IT from an availability point of view and when you're investigating an incident. Is there something you'd like to share from your lessons learned?
00:19:30:10 - 00:20:02:09
Yes, there are some people that get complacent because they're doing very repetitive tasks, and it's got to remain fresh, and sometimes it isn't the most exciting of topics to talk about, as it's cyber security. So you've definitely got to have some people within the team that know how to articulate to the chief executive board level what the current risks are. I think you speak to most IT executives and they say, I need more budget, I need to spend on the latest equipment because it does the latest fancy protection, whether it's an intrusion detection device or a prevention device or a hybrid of both; I need it for this company to make my life easier. So generally IT security want to turn most organisations into Fort Knox. Now, that will upset the sales director, because if I can't get people into my business to buy things then I don't have any revenue, and it will also upset the workforce, because if they can't do anything which is in relation to the business objectives (I can't get on certain systems because you keep blocking me, I can't get certain websites, or I have to take five minutes going through lots of different 2FA and MFA) it becomes an obstruction and a hurdle to smoothly operating that business. So there's got to be proportional IT security in relation to what those business objectives are. Everyone thinks, well, IT just makes life difficult; the IT security say, no, I'm keeping you safe. IT is expensive? No, you need to allocate a percentage of your budget. You pay for a security guard, don't you, in offices and shops; the security guard is a visible physical deterrent, it would challenge unexpected visitors. You have receptionists and they screen visitors, don't they; they screen phone calls, they let pre-approved guests pass the security gate. So you do have some sort of security there, but when you say IT security budget, well, I only pay them what's needed, but everyone else gets an allocated protected budget. I think people on the chief executive board now need to really look at how they separate their budgets and allocate a percentage of turnover to cyber security, because it's the quickest and easiest thing that's going to take you offline, very disruptive to a business, and damage your reputation.
00:21:42:08 - 00:21:51:15
Yeah. And I agree. Do you have a sense of the organisations that are doing that, what sort of percentage they are allocating?
00:21:52:01 - 00:22:17:08
Yeah, I'd love to find that out, but people are protective of their budget, aren't they, for obvious reasons. But certainly if you're going to be proactive and practically mitigate threats then you're going to be thinking ahead, aren't you. If you're going to be knee-jerking and responding to incidents you're always going to be playing catch-up. Some organisations I speak to, they're still on Windows XP and Windows 7 because they've not realised the dangers, and so when they buy a new computer they're not considering what is the end of life of that software or the end of life for that computer. They don't even see it; this computer is just going to last until it blows up or breaks. They don't see the issue of unsupported operating systems. Actually that's the day when you need to unplug it and get a new one, probably six months before, so you don't have any disruption with conflicting software systems to your business objectives: you do an update and then something else kind of goes offline because it's just not compatible. As we develop and as generations grow up, I speak to a lot of youngsters and I say, so, cyber security, what would you understand about that? And they say, that's having a really good password. So if I speak to an adult and say how long are your passwords, they generally say, well, eight to ten. If I speak to a younger generation they say, yeah, 18 characters, upper case, lower case, symbols, numbers, or I might use a password manager. Now that's good, they're using the password manager as well, which is probably going to be set up with 2FA or multi-factor authentication. But if you speak to an adult, and I know I'm being very general and vague here, an adult doesn't really trust a password manager, because I'm giving all my passwords to someone or something, I don't know who they are, I want to be in possession of my stuff. That's just a generational thing; we like to be in possession of stuff, so we like to save all our precious family photos, don't we, on a hard drive which is in our house. So I'm not too happy about this cloud thing. But youngsters, they're all over it, because it's just what they've been born into; they know no different.
00:23:54:01 - 00:24:25:13
I've got mixed views on this one actually. Yes, they're definitely more sort of, you know, cyber savvy than, you know, certainly my generation. However, I think there seems to be a distinction between those who are sort of learning good cyber hygiene practices through school, through friends, whatever it might be, and those tripping over into actually delving into cyber security as something and learning it as a potential career. I feel there's a bit of a schism there.
00:24:29:14 - 00:24:53:07
Yeah, I think it's a generational thing, isn't it. I mean, when we came through certain generations, from the 80s, 90s and now the tens, there were different campaigns, weren't there. We had Talk to Frank, which was the drug campaign; we've had Drinkaware, which is the drink campaign; you had the anti-smoking campaign. At the moment I think people are actually realising there are some healthier alternatives, and I'm pretty sure there will be a cyber campaign soon talking about cyber savvy, cyber hygiene.
00:24:59:14 - 00:25:10:12
Yeah. Okay. What would you say in your experience is the kind of key lesson that you would want to share with people about cyber security?
00:25:10:20 - 00:25:36:15
I'd say the basics. A lot of the offenders which we've dealt with, sometimes they're not testing their advanced skills because they don't need to yet, because we're leaving the door open; the weaknesses are still there, and vulnerabilities. The national government strategy, when we talk about always updating your devices: well, if a device is telling you there's some recommended action, it's because it knows there's a weakness, the manufacturers have fixed it, and we're just waiting for us end users to install it. So the basic things, from smartphones: our lives are on our smartphones, but if you go to a business we've just got bigger smartphones. When I talk to people about it: you've got a big server or you've got a big computer, and now you've got a smartphone, it's just a smaller version of it that fits into your pocket. They will all be programmed to tell you when they need updates. Some of us advanced users have ticked the box to say, can you do an automatic update just when you plug your device in and connect it to wi-fi; just let it take on all the updates, because you're removing all the vulnerabilities and weaknesses and exploits that you never even knew existed, and you're making yourself safe overnight. Again, on the laptops, bottom right-hand corner where the time and date is, if it says you're due to install some updates, you get a little orange sign come up: do it, press the button. I know you're at work and it might say I need to shut down and restart. Brilliant, restart, time to get a screen-time break and go and put the kettle on. Ideal opportunity, because we've got to look after ourselves as well, and we forget that we need to get up and walk away from these computers and keep ourselves healthy and exercise, so use that as a good excuse. But certainly in our home lives, when the device says, on certain brands you get the little red circle with a white number in it, at the same time do an update. I wouldn't be doing banking or sensitive emailing or internet surfing on a device that says I'm doing an update; I'll do the update.
00:27:02:18 - 00:27:35:01
Yeah, that's a really good point. Our lives are on these devices and we use them for so many services now, because everything's, you know, digital by default these days. It's scary, I think, how many people don't realise the importance of updates. The other thing I'm just going to mention on that, which is perhaps a little bit contentious, but I think it's something that again boards need to be alive to, is that if we go the automatic updates route because we're reducing the vulnerabilities in the attack surface, what about the supply chain attacks, where we had things like SolarWinds and others? It's really challenging, isn't it?
00:27:44:13 - 00:28:15:05
Yes, and supply chain attacks, where do you start? So certainly if you run a medium business and you rely on different companies to provide you stuff into your company, which you then process and then sell: I mean, if you're going to apply certain cyber security policies, legislation, procedures and framework and governance in your own company, and then you're going to be asking other companies to provide you a service, then you need to readdress your service level agreements or contracts to say that they need to achieve the same. Otherwise, all of the effort, hard work, resources and finances you put into making yourself safe, you've just allowed a back door in, because you're going to allow that company, sometimes, to connect to your systems. You've done the hard work; they might not have. It's the classic example, isn't it: if you go to an exhibition or conference, it's someone else's venue, they will mandate that if you want to come here then you need to have public liability insurance. I know some of that's legit, but there's certain things that you must do if you want to come onto my land. Do the same if you're allowing people in to provide you services. If they have the incident, you're going to get the tarnished reputation, because it's you that can't provide the product or service, but it might not be your fault. So you need to adjust your service level contracts to do what you're doing.
00:29:01:21 - 00:29:24:09
I think that's a really great point about it's your brand, your reputation, even if it isn't actually your fault, because I think there's so many examples that have been in the news over the past year where it's exactly that. I think there's something again that people need to be very mindful of, and include something around in their risk registers that perhaps they may not be already. A lot of people, I've certainly found, I think, you know, cyber security is difficult, there's a jargon that people, I think some people maybe use it deliberately to make it sound, you know, all fancy and difficult, from an ego perspective for themselves. But from, again, a risk perspective it's really important that we use plain language. What would you say is an important trait for somebody who is in a situation that, on the board, they've got this person talking jargon at them? How would you suggest that they deal with this?
00:30:04:22 - 00:30:28:05
Certainly, if you're going to describe a cyber incident and you're from a cyber background or techy background, try not to use jargon. You will lose your audience, because not everybody is at the same knowledge level as you, so use simple language to explain what is going on. Even sometimes I see people having a technical-to-technical conversation, because of the amount of different frameworks and the fact that it's a borderless problem, it's just like me having a conversation in English speaking to someone in Mandarin. I might misunderstand the dialect or the translation because that's not my first language. So keep it simple, articulate what the problem is, don't be scared to check: "so this is what I understand you to be telling me the problem is", and if there's a translation issue or a misunderstanding then allow the corrections to take place so everybody understands what the problem is. Don't get carried away on jargon and saying "oh, it was an IP misconfiguration". You lose people when you start talking like that. Keep it simple.
00:31:08:01 - 00:31:17:01
Right. Thank you. You do all this work in the space and everything. Do you want to just tell us a bit more now about your work with the Cyber Resilience Centre?
00:31:17:13 - 00:31:38:11
Yeah, so it was a Home Office project from the National Police Chiefs' Council a couple of years ago, whereby it got to the point where cyber security is deemed quite expensive, and those that really need help with cyber security are probably down the bottom end of the scale of business size, as in the micro, small and medium enterprises, maybe the companies and organisations that have got less than 250 staff. Now the whole point of crime prevention is it's accessible and affordable and proportionate. Some people realised that they hadn't set their computers up correctly to keep their business safe. They would pick up the phone, after they've gone through that confusing landscape of search engines to try and find some cyber security help, they spoke to someone and they've just gone, "wow, that's the quote, is it?", and they'd probably end the phone call and then they run the risk. Now we all know, with supply chain incidents, that you're only as strong as your weakest link, and small businesses do support larger businesses. Now I know larger businesses will have some sort of outsourced IT, however they will have IT on their payroll and they generally can respond efficiently and get configurations right the first time around. Smaller businesses just don't have that luxury; normally the managing director of a small business is head of sales, head of finance, head of complaints, head of fleet, the head of everything, just like we are at home, aren't we, and we're head of catering at home.

Literally, the cyber resilience centres, where you tie in the student talent pipeline of all of the universities across the country. So whatever I do in the South East, I look after Surrey, Sussex, Hampshire and Thames Valley, is replicated across the country times nine. So we chop up the country into manageable chunks; the 43 police forces all have cybercrime units, and there's nine cyber resilience centres across the UK. So we're utilising the students or undergrads from universities. The majority of the time they're at National Cyber Security Centre certified universities doing either cyber, criminology or computer science courses. Now these students, generally students need employment to get them through university, sometimes they use it on beer tokens and sometimes they use it on other things, but generally they would seek work, so they can work with us. We screen and mentor and coach and vet them, so not everyone's gone on to the scheme, but certainly we have our own in-house certified ethical hackers. And if a client comes to the centre to say, "I've set our computers up, I was very eager, can you double check?", because you shouldn't be marking your own homework, we can do something called a vulnerability assessment, which is realistically what hackers do: they look at your systems from the outside, they look to see whether or not there's any holes in your armour, whether or not your routers have got little holes where people can just get into your business. There's a lot of remote working at the moment, where you're at home but you can see exactly what you would see if you were in the office, and that's got to be set up safely, because if you can see it at home and it's not configured correctly, then anybody can see it at home.

So the cyber resilience centre, we look at the triangle, don't we. We've got the people: are the people trained correctly, do they understand the risks? We look at the processes: do you have the correct processes in place, is there a gap, have we forgotten things like acceptable use of your internet, to password policies? And then we look at the technology as well: has the technology been set up correctly? So we've got nine services which are very affordable to all, whether a small business or a bigger business. We won't dismiss the large business and we definitely don't dismiss charities either. But we're a police-led organisation, not-for-profit, so we have very little overheads, therefore we can keep our prices massively down, and it's something that the police should do. It's crime prevention, but now, as cyber has got a little bit bigger, I think cybercrime, at the last count, was about 51 or 52% of all crime in the UK, so we need to do something about it, because the majority of the incidents that I review every week are preventable. Whether it was a longer password, whether or not your password appeared in a breach, which again is not your fault, and somebody's used that password. If you had 2FA turned on, even though someone knows your password, they're never going to get access to the code that's sent to your phone. So having some of these cyber security basics in place. People think, "well, I've got a good password, what's 2FA going to help me with?" When we look at various layers of defence, if you are asleep one night and you wake up in the morning and you see a six-digit code on your phone, it's clear that someone knows your main password, so that is your notification to change your password. So when you originally join whichever organisation it is, you join by your email, you join by a password, and then it says "what other security protection do you want?" You'll have the options of two-factor authentication, 2FA for short, or MFA, multi-factor authentication. You can either opt to have a second level of defence, which is send a text message to your phone, or you can have one of these things called an authenticator app, so every 30 seconds the code will change and you need to write in the correct code to then get into that account. Now if your password has been breached in a data compromise, no one is going to get past that second layer of defence without the code. So if you have that notification on your phone, they didn't get in, but that's when you should change your password.
00:36:37:09 - 00:37:06:00
Yeah, no, that's great. And I was aware again, telling somebody recently, that some of the attackers are literally spamming the code, hoping that when people are kind of in that dozy state and they just want the notifications to shut up, that they'll then sort of accept, because there's also the option where you have the push notification where you just click on approve rather than having to enter the code into the system.
So yeah, different options come with just slightly different risks.
00:37:11:01 - 00:37:26:04
A lot of social media account takeovers and email account takeovers, where just simply any sort of 2FA or MFA hasn't even been turned on or enabled. In my view the majority of those would have been preventable by just having that second layer of defence turned on.
00:37:26:08 - 00:37:35:02
What do you think is stopping people from doing it? Is it just not understanding the need for it?
00:37:35:02 - 00:37:48:10
Yeah, I think it's an opt-in, whereas I think it should be turned on by default, opt-out if you're not happy, because some people's awareness levels, they don't understand what 2FA or MFA is, because those six letters alone, that's jargon.
00:37:49:14 - 00:38:18:07
And now I know you and I completely understand MFA and 2FA, it's like second nature to us, but for someone that doesn't even recognise that terminology or abbreviation, it needs to be articulated when they join or create an account on whichever organisation it is, what the advantages and disadvantages are of it. Disadvantages to 2FA? Well, if I'm trying to log into a system and I've lost my phone, or I'm in an area where I have no phone signal, or I've run out of data, those are minor hurdles, but they're the only downsides I could see, and obviously if you fall for a scam where they're asking you for your 2FA. The extra one, multi-factor authentication, where it's an authenticator app, the hurdles to that are: I now have to download something to my phone, I might not have the necessary storage space, I don't understand it, it's another app, do I really need it? So those are the sort of hurdles we see, but certainly I think it should be opt-in by default, opt-out if you don't want it, rather than the other way around, where I don't know what I don't know.
00:38:56:19 - 00:39:21:07
Yeah, no, I really agree with you on that. I tend to have a bit of an issue with some organisations that I may deal with where they don't even offer the option, and there's one particular organisation where I wrote to them and said, you know, they could make a huge difference if they were to implement the feature and turn it on by default. Their response was that yes, they know that's good security practice, but they thought they would alienate a lot of their demographic. And to me it's still kind of like, well, at least give us the option to opt in, for those of us who want it. But do you think there's room for other levers for organisations, you know, to sort of help persuade them to do the right thing and give customers the tools to help protect themselves?
00:39:50:23 - 00:40:16:12
Yeah, many answers for that one. So yes, I've dealt with a few organisations where that very reason was cited: "I'm not going to fail my platform because it will upset the customer journey; if I upset the customer then potentially they can go to another outlet and buy what they need to buy." Well, I know there's some issues with 2FA or MFA, it does cost money, but it is brand protection and it is improved cyber security. For me, if there's an organisation that doesn't offer it, can I get that somewhere else? The days of alienating certain end users that don't understand it, well, every bank has it, and if you're going to be banking online you have to use it. The generation is getting to that point now where people are starting to understand it when it's imposed on them, and I don't think we've got people going, "well, I'm not doing that if I have to put my phone number in." I think those days are gone.
00:40:43:02 - 00:41:05:20
Yeah, I've certainly seen a shift over the past, what, 10 years around that. There'd been quite a lot of objection at that point, but I think with the prevalence partly of social media as well and the different apps, people are just getting used to having to provide some information to operate on a platform. There's an area I wanted to talk to you about that's nothing to do with the cyber resilience centre, but about your work volunteering and helping bring that subsequent talent through, because everyone talks about the skills gap. I think it's actually more of an experience gap, but, you know, we do have lots of people now who are coming through the pipeline. Would you like to tell the audience a little bit about some of your work in this area?
00:41:26:19 - 00:41:46:05
Yeah, in my previous role I worked as a STEM ambassador and we've worked with the younger generation, whether it was secondary, and then we've actually done some work in primary schools as well. We're just teaching younger people the positive and ethical methods and usage of computers, rather than some of the stuff that they can find quite easily on Google and YouTube. So certainly I've seen some youngsters that have learned how to mod, modify things to their own benefit, which would be others' loss, and then they develop those skills. So science, technology, engineering and maths: pretty much computers fall into all of those areas, and we've worked with quite a few schools just teaching kids the proper and correct way to use computers. And it was quite interesting, because all of the adults there, whether it was the teachers or the parents, they all learned as well, because they said, "we've never been taught this stuff, so how were we supposed to teach this to our kids?" And I always relate back to, like, the Ten Commandments, where parents have always told their kids you shouldn't swear, you shouldn't steal, you shouldn't hit, but not many parents have had that "thou shalt not commit the Computer Misuse Act" chat, because they don't know what that sounds like. So doing the STEM stuff is good, because you can see kids going, "okay, so I knew a lot of people did that, but I didn't know that was against the law in the UK, and that's under the Computer Misuse Act", because it hasn't really featured in lesson planning yet, or parent planning.
00:43:00:05 - 00:43:33:05
You know that I'm a gamer, all the way through my life, and there was that moment where people would, you know, start with like cheat codes and things, but learning the different techniques to get an edge on their competition, honing their skills through that, would then inevitably mean that, you know, they could go either way in terms of the opportunities to make easy money or not, from that ethical point of view, which is why I think ethics being taught early is so important. What have you seen recently in terms of the schemes that are helping those who have developed their skills but perhaps have started to go down, you know, the wrong path, the criminal path, the easy path from the finance point of view, to help bring them back and, you know, get them into the cyber security pipeline to help defend businesses?
00:43:55:14 - 00:44:17:14
Trickery and cheating have been around way before I was even born, and it's an age-old thing. Some people class it as a skill, but it's a trait, isn't it, and not everyone chooses that journey. So yep, certainly years ago I used to play online gaming, and yeah, I got frustrated and annoyed, because you'd be shot, for instance, by the invisible character, the invisible enemy, and they've learned how to make themselves invisible so that they can walk around and get the high score. That's all it is: they want the high score, they want to win. Whoever starts a game and doesn't want to win it? That's the whole point of playing sometimes, isn't it, you want to be the best that you can be. Some people then have advantages, whether or not they practise, practice makes perfect, the old expression, or they practise through cheating. Yes, it does go two ways: people get addicted to it and then they think "I can't lose", and they may go down that pathway because they see it as an easier option, rather than, well, we look at athletes, don't we, they get up at five in the morning and they train and they work hard, play hard. Certainly the government has looked, and in cyber things change overnight, don't they, and it's very, very hard to manage out something that isn't even a problem yet because it hasn't been invented. So some new zero day won't even be around until a week's time, and then we all have to respond as well to that zero day and correct things quite quickly. So the basics of positive, ethical use of computers is that one person's benefit is another person's loss. If we teach that, it is taught in so many conventional things, isn't it: if you want to pass an exam you have to study hard. Yes, there's always been that where you can cheat and pass the exam, but that's down to you as a human, isn't it, have you done it the right, proper way? So teaching people the basics, and cyber is just another one of those bolt-on things, that yes, you might find a hole in someone's armour, there are bug bounty programs, there are disclosure programs whereby you can notify that company. You may get rewarded or you may just think, "well, I'm doing the right thing, I'm doing the Robin Hood." Teachers, professionals, cyber security experts, there's a whole host of people from a whole manner of organisations. You can look at Cyber Choices, for instance; these are different campaigns where we're talking to people and just getting them to consider and make the right cyber choice.
00:46:12:10 - 00:46:31:11
That's brilliant. I'm thinking about the example recently where, you know, they thought their kid was just gaming but actually they were hacking organisations. What advice would you give to parents on how they can sort of help and support and watch out for what their children are doing online?
00:46:31:17 - 00:46:55:16
So there are some signs, like anything, when you may think things are going wrong; there are some indications. But certainly they're difficult conversations to have with kids when you don't know the subject matter yourself. I would suggest start around the dinner table when you're having that conversation. There are some checklists that you can download off some websites where you can encourage the right conversation, if it's certainly an area where you don't really know it, and have those conversations around the dinner table. Find out what their interests are, find out what areas of the internet they're going to, find out what excites them, because they're probably up in their room and you're thinking, you know what, they're safe up there, aren't they? They're not out, they're not trying cigarettes, they're not drinking, they're not smashing up bus shelters, they're up in their room, they're safe. It's a different sort of safe, because they could be up to different things, or they might be just enjoying themselves and developing some of their skills. But certainly it's an area where, if you are unaware, you don't know what's going on, and I think most parents would like to know what their kids are doing, like to know what their interests are, because you can help. If you can develop, you can open up new doors and provide new opportunities, and where they might not be going in that direction, you can definitely steer them back into that direction.
00:47:44:10 - 00:48:03:03
That's really helpful. We'll include a link to some of those checklists in the show notes, actually. So it's been a really fascinating conversation, Chris, with your wealth of experience in this field and the different sort of things that you see, so I'm sure there's going to be a lot of actions that people can take away from this chat today. One of the things I always like to ask my guests here is: what three things would they like to recommend to our audience?
00:48:10:17 - 00:48:36:00
Yeah, I guess I've selected movies this time. Blade Runner, I've always liked that movie. It's ages ago, I think back in the 80s, wasn't it, that film was produced, and there was flying cars, technology, it was just a good film, and when I look at some of the things that happened in that film, they're starting to happen now. War Games, I guess, for some in cyber security, that film is quite impactive: the good old game of tic-tac-toe, you can't win it, and it took a computer a long time to realise you just can't win it. And then, I don't know, I like comedy, humour, some of the American Pie series, that was just quite funny, just to chill, relax and laugh a lot.
00:48:52:16 - 00:49:05:07
Yeah, which I guess you really need, actually, in cyber security, because it is a very high-pressure environment with lots of horrible stuff going on, so being able to chill out and relax is so important, isn't it?
00:49:05:14 - 00:49:06:12
It is. Always look after number one.
00:49:06:12 - 00:49:15:12
Then is there one piece of advice you want people to remember from today's episode as they go off into their organisations?
00:49:15:23 - 00:49:25:14
Keep things simple, make sure everyone understands what it is that you're trying to communicate with them, and double check with them that they understand that is what you want them to do.
00:49:26:01 - 00:49:28:15
So where can our listeners find you online?
00:49:28:19 - 00:49:46:04
So you can jump onto the search engine and type in "Cyber Resilience Centre for the South East", or just type www.sccrc.co.uk. You can see the products and services that we offer, or there's a "contact us" page, and then you can drop us a message and we can get in touch and help you out.
00:49:46:08 - 00:49:50:16
Brilliant. Excellent. Well, thank you so much for your time. This has been really great talking to you.
00:49:50:19 - 00:49:51:18
No problem. Thank you.