A one-day event held yesterday at Innovation Birmingham on the Aston Uni campus to help businesses get to grips with cybersecurity. It was organised by Metsi Technologies, and supported by the National Police Chiefs' Council and the Regional Organised Crime Unit (ROCU) in the West Midlands. The Twitter account and hashtag were @cybersec_uk but the backchannel was pretty quiet. Here are my notes.
The increasing threat of cybercrime runs across a range of levels from nation-state threats to ransomware to IP theft. There were various police chiefs in attendance and the main message seemed to be that cybercrime is massively unreported to police – with the result that sufficient budget isn't being assigned.
Ashley Bertie, Assistant Police and Crime Commissioner for the West Midlands, sent out a plea to find out what your local police force is doing and engage with their agenda. One available resource that has just launched is the Digital PCSO (Sean Long in the West Midlands) who can go into business organisations, schools and the community and advise on security basics.
John Davies of Pervade Software then introduced the National Cyber Security Strategy, consisting of three main acronyms:
- NCSC – the National Cyber Security Centre (at GCHQ) – pushes out national strategy.
- CiSP – Cyber Security Information Sharing Partnership – a place to both get free advice and also report hacks.
- CES – Cyber Essentials Scheme – certification scheme to show that a business has addressed basic cybersecurity.
Main cybersecurity threats for SMEs
Louis Augarde, lead pen tester for Omni Cyber Security, introduced these as:
- Ransomware – disruption for financial gain
- Credentials-based attacks – to gain an entry point
- Breaches based on known vulnerabilities – often used as a first step to identify weak systems that can be exploited further
- Phishing emails – to gain credentials and access
- DDoS – freezes your system temporarily but can also be a smokescreen for more serious attacks
He also introduced me to the idea of baiting, a social engineering tactic to get hold of your personal info by leaving out a USB for people to pick up. Never plug an unknown USB found on the train into your computer!
Cybersecurity help for Birmingham SMEs
If there's one thing for businesses to do now it is the Cyber Essentials Scheme, said John Davies. Participants address 68 questions on their cybersecurity systems around firewalls, patches, configuration, malware, user accounts and so on. The scheme costs £300 and provides an annual certificate.
The CES process is designed to prevent the vast majority of cyber attacks but also offers a badge to show that a business has made an effort to keep the supply chain more secure.
Other options mentioned include the 80-question IASME governance standard, costing £400, which also looks at data assets, risk assessments, people, policies and disaster recovery. Both CES and IASME were said to be a good foundation for securing businesses and a more achievable alternative to the 500+-question ISO 27001 international standard.
There is also the newly launched West Midlands Cyber Security Cluster, the 19th in the UK, and people, businesses and organisations can tap into this to get help and advice in tackling cybersec issues. The website looks as if it has teething problems right now so check back later.
Other links mentioned on the day were:
- GetSafeOnline – free advice site
- CyberAware – government site
- Action Fraud – fraud and cyber crime reporting centre
- 10 Steps to Cyber Security – NCSC site
Takeaway quotes and stats
95% of all successful attacks are the result of well-known and entirely preventable vulnerabilities (various reports from 2011)
"Don't buy the whole onion – security is best built in translucent layers" – Brian Chappell, Beyond Trust, introducing five main layers for organisations wanting simpler security (focus on the high risks, tackle lateral movements of hackers into your system, exercise privilege control, one standard user account for all, configuration management).
The first reported cybercrime was in 1820 – it was the sabotage of some newly invented tech – the Jacquard loom – that automated the weaving process. DCI Rob Harris suggested this was where the term 'patch' came from but I'm not convinced that is true.
"Why do they do it? I've sat opposite many cyber criminals in my job, some as young as 16, and their answer to this is 'because they deserve it'." – National Police Chiefs' Council on cyber crime motivation.
"80% of people [in cybersecurity roles] have an IT or security background and they tend to talk in absolutes. You have to find people who can listen and communicate." – John Scott, Bank of England
GDPR for businesses
Jane Burns of Anthony Collins Solicitors made a valiant attempt at an overview of this super-complicated incoming regulation from May 2018.
The EU GDPR, also being adopted in the UK despite Brexit, offers a whole different world of pain so I'm not going to get into it here but, basically, if you're not already aware, businesses are going to have to get a whole lot better and more transparent in how they process their data, or they risk big fines, and even worse for some, being cut off from accessing their data for a period of time.
What does the Bank of England do?
What does the most secure place in England do to prevent cybercrime?
John Scott, Head of Information Security Education at the Bank of England, gave a great presentation on one of the biggest problems facing companies – that of lack of user engagement in an organisation's cybersecurity practices. He said compliance and awareness aren't enough; it's building a culture of mature security that is required to stay safe.
I enjoyed this talk so much I'm going to blog it separately.
Next event: a London CryptoParty on 11 September, a mix of cocktails and practical workshops…