Webinar transcript: How to implement a successful cyber security programme
Tracy Seward 00:04
Welcome, everybody, to the Praxis42 webinar. Thanks for joining us today. We’re going to be looking at how to implement a successful cybersecurity management programme. I’m Tracy Seward from Praxis42, and today I’m joined by Daryl Flack, co-founder and CIO of BLOCKPHISH. Daryl is a vastly experienced cyber, technology and business leader who’s been successfully delivering secure products, services and business transformations globally for over 20 years. He’s a published author and keynote speaker, and Daryl currently provides expert consultancy and support services to a number of organisations, including the UK Government, where he’s cleared to the highest levels. He is certified by the National Cyber Security Centre and is a fellow at the Chartered Institute of Information Security. We’re also joined by Mike Stevens, our CEO at Praxis42, who is a chartered safety practitioner. Mike’s one of the founding directors of Praxis42 and has worked in health, safety and compliance for over 35 years. His previous roles include being part of the occupational health, safety and fire department at MIT, Mercury Communications and Cable and Wireless, and before that a consultant at Prosper. Now on to some housekeeping just before we start the webinar: your mic will be muted, but there are buttons at the top of your screen where you can learn about today’s speakers and ask questions, which will be addressed in the Q&A session at the end of the webinar. We’ll also have some downloads related to the event, and you’ll be able to share the event on social media. We’ve already had a couple of questions come in for the Q&A, but if you do want to send a question during the webinar, we’ll do our best to get to it, and any that we don’t have time to answer today will be answered and put on our resources pages after today’s session. A recorded version of today’s webinar will be available after the event, and a link will be sent to everyone who signed up.
So without further ado, I’d like to hand it over to Mike.
Mike Stevens 02:08
Morning, everyone. Great to see so many of you logging in and taking some time out to see what we’re going to cover about cybersecurity and implementing a successful programme. My part in this is to work with Daryl, who we’re really pleased has been able to join us. He has worked in partnership with us over a long period of time and has been a great expert and counsel for us to ensure that we do the right thing in terms of cybersecurity. The background for me is that over the period of time that I’ve been in the business, I’ve seen more and more the importance of cybersecurity as part of the way that we manage our business. That’s from a supply chain perspective, because obviously we’re a software-as-a-service and technology-led risk management business, so our clients are looking to us to understand how secure we are, how we go about cyber security and how we behave. And also from an internal perspective: how do we protect what we do as a business? What I’ve learned is that there are a lot of similarities between what we do in health and safety and in our management system and what relates to cybersecurity. So a key takeaway is that there are some similarities, and it’s then about understanding the content and some of the issues that arise, which is what Daryl is going to help us with today. From our own business experience, we have been subject to attacks, and I’m sure some of you, or maybe all of you on the call and the webinar, have probably experienced them as well. At the lowest level, we’ve had phishing, where people have asked us to click on links, and we’ve managed to see those as being things which are dangerous. There are other issues we’ve had with people trying to disguise themselves as individuals within the business and get us to do certain things through the urgency of an email, something which looks authentic.
We had one significant episode where somebody managed to get into our Office 365 licence. What happened prior to that was that they targeted us by looking at our digital footprint, and could see that there was a managing director and there was a finance team. They were able to gain access through what we believe to be a click, and were sitting watching what was going on in somebody’s email account. As a result of that, they tried to convince one of our clients that we actually wanted to change our bank details for a payment to be made, which was a significant amount of money, one of the monthly invoices that gets paid regularly, which they’d seen. Fortunately, the client queried that and rang our finance team and said, “Do you really want to change your bank details?” It was only at that point that we knew that something had been going on; before that, we didn’t know what had been going on. So it’s almost like the health and safety message: it isn’t until something goes wrong. Sometimes we fool ourselves that everything’s okay, but you have to be diligent, you have to be looking at what’s going on. You have to be making sure that your teams understand the issues that might arise, making sure of training and awareness, and making sure that you don’t leave the subject of cybersecurity alone; it needs to be managed. So that’s the context in which we’ve put this webinar on. As I said, we’ve got Daryl here, who’s going to take us through some slides, which I think you’ll find very interesting, and we’ll get some questions on the way. So thanks again for logging on and joining us on the webinar, and I’ll hand over to Daryl now.
Daryl Flack 06:15
Thanks, Mike, and morning, everyone. Welcome to the session. Hopefully the slides are all sharing in front of you now. I’ll be going through a number of different aspects this morning. We’ll be talking around the existing threat landscape, so some of the things that are going on in the wider geopolitical world and how that’s impacting cybersecurity; why you would be a target, both as an individual and from an organisational perspective; and some of the key cyber themes that we’re seeing during 2022. A little spoiler there is that I’m going to dive into the anatomy of a ransomware attack, because that’s obviously one of the key cyber threats around this year. I’ll touch a little bit on securing your personal and your family data, why that’s important and how that applies to corporate security. Then I’ll go through 10 key steps on building a cybersecurity programme, what’s important within that and the key aspects that you’ll need to take into consideration. So, the current threat landscape. Everyone will be aware of the things that are going on in Russia and Ukraine at the moment. In February, the National Cyber Security Centre, which is the UK’s technical authority for cyber security, issued an advisory advising organisations to effectively bolster their online defences and ensure their incident response plans are in place; NCSC is a part of GCHQ. The key risk as they’re seeing it at the moment is not necessarily direct targeting of UK organisations, but more the collateral damage that can be caused by incidents that are occurring between Russia and Ukraine. Some of you may remember a couple of years ago there was the NotPetya attack, which was on a Ukrainian tax accountancy company, and how that spilled over into wider organisations and caused some quite big international compromises.
So with those kinds of attacks, and with the current things that we’re seeing taking place in Ukraine at the moment, we’re seeing a huge uptick in things like ransomware and wiperware. With ransomware and wiperware, the common activity that will take place is not just to exfiltrate, or try to exfiltrate, data, but also to delete it. I’ll come on to that in a bit more detail on the following slide. Mike touched on phishing and email modification fraud: how we are seeing the uptick in phishing compromises, how we’re seeing people using incentivisation to try to get people to click on different links. Mike also touched on the third-party service provider attacks; supply chain attacks at the moment are top of the list of compromises that we’re seeing, and I’ll cover that in a little bit more detail in one of the following slides. So why would you be a target? Ultimately, any organisation has something of value to somebody, whether that’s storing large amounts of personal data, or whether that’s targeting you for onward distribution of that data. Then there are the supply chains, as we’ve touched on: using you as a jumping-off point to attack a client, or often using a partner in your supply chain to attack you. We’re seeing a huge uptick in attacks on managed service providers, because, if you can imagine, many organisations are using those managed service providers, and if you tap that one managed service provider, you then potentially get access to all of their customers. Going back to NotPetya, as you could tell, one organisation was in something like 80% of Ukraine’s organisations. So being able to attack those shared resource providers, those managed service providers, gives them the access. And it’s not just those; it could be any professional services organisation, any SaaS organisation that organisations use.
Then obviously there’s direct extortion: being able to defraud organisations, trying to gain financial incentive from attacking that organisation directly. If we look at the landscape more generally, UK data breaches are a bit costlier than they are in the UK. I think the average cost of a UK data breach has jumped by about 8.1% in the last year alone, which places us fourth globally now, ahead of countries like France, Japan and Germany. The majority of the attacks that we’re seeing are often relying on, or placing their success on, human interaction, as we’ve touched on with things like phishing, and that human interaction is what enables them to get a foothold within a company. Some of the costliest attack vectors that we see, and by attack vectors I mean how a protagonist might try to gain entry to an organisation, were through phishing, and I think that was around 4.4 million pounds this year, and business email compromise, again around 4.4 million pounds as well. You can see both of them are around social engineering: doing open source intelligence on organisations, trying to find a way in to trick people into clicking on links or sharing their information. And it’s not just the cost of those attacks; I think the average cost of dealing with ransomware was around 4.1 million as well, and that’s excluding the cost of the demands. Some organisations are obviously paying those ransoms, and I’ll come on to why that’s a bad idea in a few moments’ time. One of the reasons that attackers gain entry, and one of the reasons they are successful in causing these deeply disruptive attacks, is because of the amount of dwell time they have within the system. By dwell time, what we mean there is how long they can stay in the system going undetected.
So the increase in dwell time within organisations gives an attacker the ability to understand the lay of the land and be able to understand exactly where all of the pots of really good information are, so that they can plan their attack hidden within the background. Some of that dwell time can last for around 237 days. If you can imagine someone being within your system for two thirds of a year, being able to scan it, understand it and identify those key aspects of information, those key targets and individuals to go after, then that can be a hugely valuable amount of time. On top of it, it can often take up to 89 days on average to contain if there’s been a ransomware attack. So as you can see, the ability that organisations have to detect and to stop these types of attacks is critical. Of course, there’ll always be technical controls that will help prevent it, but ultimately, at the end of the line, there is always going to be a human, and the human being is the last line of defence. One of the most overused and incorrect sayings is that humans are the weakest link in security. That’s not the case: they’re absolutely your strongest, and they’re your last line. That’s where a huge amount of investment should be spent, on making sure that your employees and your staff can understand those threats, identify them and alert you. Even if they do make mistakes, the key thing really is to help them to identify and alert the right people that they’ve made a mistake, without any fear of repercussions. Some of the things that we see, and some of the reasons for those long dwell times, are because in some organisations there is a fear factor to reporting that you may have done something wrong. So people don’t report the reasons why they’ve clicked on something, and that enables the attacker to stay hidden for longer, causing more disruption.
I’ll touch on that in a little bit more detail in a moment. So, the key threats in 2022. I touched on ransomware, and I’m sure it’s something that you’re all probably aware of, but ransomware is a type of malware that effectively takes over your machine and prevents you from being able to carry out an activity. You might see a screen like this that appears, where it gives you indicators on how you need to pay the ransom. In fact, lots of them are very much like Amazon marketplaces now, where they will give you help guides, they will give you
Daryl Flack 14:58
how-tos on how to set up Bitcoin accounts, they will show you how much it costs now for the ransom, and they will show you how much it will cost if you wait until the end. The threat is continuing to evolve. Previously, in years gone by, it was just: here’s a ransom, pay the ransom, and we may give you your keys to unlock your devices. Actually, as I touched on earlier, the wiperware that we’re now seeing a lot more of is where they’re threatening not just to lock your data, but also to delete your data. And then they start deleting and sharing. So there are aspects of hack and leak, where they will leak a subset of information to the public to show that you have been compromised. So you not only get the reputational damage of being compromised, you also get the reputational damage of your data, or extracts of it, being leaked to the wider public. We’re also seeing triple aspects to this now, where, as well as threatening to hack and leak it, they’re also at the same time carrying out a distributed denial of service attack. This is where they’ll have an army of botnets attacking your wider system, bringing your public-facing systems down as well as damaging your internal systems. So this is a key threat that we’re seeing emerge throughout 2022, and it’s now one of the number one threats that NCSC guides organisations to be alert to. So how do we prevent it? Well, prevention is key. Going back to humans being the last line of defence, as we’ve seen, some of the greatest entry points are through human interaction. So be aware of the websites you’re going to, the links that you’re clicking, how you’re responding to emails, responding to web chat messages or SMSs; be sceptical about all of those aspects.
If it doesn’t feel right, if someone’s asking you to do something slightly out of the ordinary, then it’s worth challenging, it’s worth raising to a higher level. As Mike touched on in his example, it’s someone being alert, someone thinking that was an out-of-the-ordinary action, that helps to alert them to a potential incident. When you go to websites, ensure that the links you use to get to those websites are trusted. If you’re clicking on links within emails to go to those websites, often they can be fraudulent links and they can be spoofed, so always go to the native website where you know the web link, or do a correct search through Google. Different organisations will have different policies on things like USB devices: how those get plugged in, how you plug your mobile phones in, ensuring that the devices that are plugged in are following the policies that you have, and not plugging things in from external sources. We still see lots of attacks where people do what we call USB drops, where they’ll go to car parks, they’ll go into offices, they’ll leave USB sticks lying around for someone to be inquisitive and try to plug it in to see what’s on it. And as I’ve touched on, report any of that suspicious activity to your IT team to allow them to investigate. When you’re looking at this type of activity, often you may not even know something is wrong. But if your machine starts to slow down, if you’re starting to see the mouse move how it shouldn’t, if your applications aren’t responding as they should, that could be a sign that there’s malware on it; you might have things like crypto miners installed, trying to use up your resources.
Mike Stevens 18:38
Good parallel to what goes on within compliance across the board, where there’s a culture of wanting to either blow the whistle or to flag something up, or to accept that something was a near miss. How do you go back to having that as part of a programme? It’s about management taking control; it’s about training.
Daryl Flack 19:00
It’s absolutely critical, actually. When I get to the final slide on the 10 steps, I’ll go into that in a little bit more detail, if that’s okay. But if I don’t cover it fully, as you would expect, please let me know towards the end, and I’ll make sure I cover it in even more detail, if that’s okay.
Mike Stevens 19:16
Great. Thanks.
Daryl Flack 19:20
So when we’re talking about the anatomy of a ransomware attack, because it’s one of the critical ones at the moment, as we’ve touched on, an attacker will try to gain a foothold in the organisation through whatever means necessary, whether that’s through people plugging things into their devices or clicking on links, but the majority is gained through that initial exploitation of a phishing attack. Once they’re inside, this is where the critical work starts taking place. They’ll do all sorts of things to try to avoid detection. They will try to disable your antivirus software and your anti-malware software. They will look to distribute tools around the environment to enable what we call command and control type tools, where they take control of your machine, and you may not even know it. Then they will look to move laterally within your organisation, moving from network to network. Within that, they’ll be trying to enumerate all of the different services that you have, all of the different file systems you have, and from that they will start to build that picture. This is all about that dwell time that I touched on. Then once they’ve decided what’s of value to them, once they understand what they want to be looking at and what they want to go after, that’s when they’ll start to take disruptive action.
They will look to exfiltrate some data, where they can potentially do that hack and leak that I touched on. They will look to destroy your existing backups, because ultimately the backups will give you the ability to defend against ransomware. So if you only have online backups and they’re available, then deleting those will leave you completely at their mercy. Then they’ll ultimately encrypt your data, which is how they will use that to extort you. Part of that extortion, as we saw in one of the previous slides, where you had the ticking clock counting down, is to try to get you to pay this money. The downsides of paying the ransom are that you are fuelling this type of activity. There are huge stats: I think it’s something like 80% of those that get attacked by ransomware and pay the ransom are re-attacked within 12 months, because you are letting that organisation know that you are available and willing to pay those ransoms. And whilst it’s not illegal to pay ransoms in certain scenarios, some of these organisations are affiliated to terrorist groups, and so by paying the ransoms you are effectively paying ransoms to sanctioned organisations, which does come with criminal liabilities itself. So defence is always better than the cure, and in the 10-step process I’ll touch on some of the things you can do to prevent it. The next slide is around securing your personal data, and you may wonder why that’s relevant. The key thing really is that how you behave at home will naturally align to how you behave in your corporate world. If you have good cyber behaviours at home, you will have good behaviours in the corporate world, and the things you’re trying to achieve are exactly the same.
There’s no distinction really between the two. You have things at home that you want to protect: you’ll have your bank details, you’ll have photographs of your children, you’ll have access to your social media accounts, and you don’t want those to be compromised, and you don’t want to be defrauded out of your personal finances. That’s exactly the same in the corporate world. With the move during COVID to hybrid working, staff are no longer necessarily working from the office; there’s more homeworking, there’s more hybrid working, there’s more use of different devices and bring your own device. So how can you look at your family life, and how can those things translate into your work? Using a password manager: some organisations mandate this from a corporate point of view, but you should absolutely have it in your personal life. If you’re anything like me, I have probably around 400 passwords at the moment, and nobody can keep track of all of those passwords. So use a recognised password manager to be able to manage those passwords, secure them and encrypt them. It also means you don’t have to remember them. Every site will prompt you for your password; the password managers will help you deliver your passwords and remember them for you, so you don’t even have to know what your passwords are on a site, so you’re not even the compromise method anymore; it’s all managed by the software. A lot of them come with some good tools as well to help you synchronise passwords across different devices. They help you to identify and spot fake websites, and they let you know if you’re using passwords that have been compromised or if you’re reusing the same password. They’ll also notify you if your password is part of a known data breach. They often work across different platforms, whether it’s Android, Windows, Apple, that sort of thing. Multi-factor authentication.
Again, very similar to the corporate world, it’s absolutely critical in helping you to protect yourself from cyber attack, should a password be compromised.
This is the reason why it will help to prevent an attacker trying to gain access. Most of the big social media sites now enable it, and most of the big email platforms enable it. Two-factor authentication, as I’m sure you’re aware, is another mechanism for you to authenticate. So you might type in your password and then it will ask you to submit a code, which could come through an app on your phone, or it might be emailed to you, or it might even come through an SMS. So again, the NCSC recommendation is that you take the time to set up two-step verification on all of the important accounts that you have. However, it’s not a panacea. With some of the phishing attacks that we’ve seen, attackers will provide a very authentic-looking website that could be one of your social media platforms or your email sites. As you are typing into that fake site, where you would normally enter your two-step verification, they could be doing that live on the real site in the background, so they’ll be acting as a man in the middle. When you submit your two-factor authentication, they are capturing that and putting that in. So whilst it is a really good step to prevent attackers trying to gain access, it’s still not a panacea, and it still doesn’t remove the need for individuals to be aware of phishing attacks and impersonation-type attacks. Installing the latest software and app updates: as you would expect, there are automatic updates available for everything now, and you should be switching them on. There are vulnerabilities found all the time, and if you look at the big sites who do it very well, like Microsoft, they’ll have their Patch Tuesday, and some days there’ll be 90 or 100-odd patches that they release. So having your device as up to date as possible, as quickly as possible, is one of the key things.
It’s also one of the key things in Cyber Essentials, which is an NCSC compliance-type regime; it can stop eight out of 10 types of attack if your software is up to date, because most vulnerabilities rely on the fact that people don’t apply updates quickly. So if you’ve got automatic updates on the applications, turn them on; they will help stop some of the key attacks. Backing up your data: we touched on it with ransomware.
Ransomware isn’t just for corporates; it’s also for individuals. So having the things that you really care about backed up is really important, and there are some big free ones out there that enable you to do that: Apple iCloud, Google Drive, Microsoft. But you can do things on your own: you can buy network attached storage at home, you can use USB sticks, that sort of thing. Obviously, if you’re going to have that sort of storage and it’s going to be available, make sure that it’s encrypted as well, because it’s got all of the data that you care about. So it’s well worth considering that. Then there are the basic controls. If you’re buying a Windows device, it has BitLocker on for encryption; if you’ve got an Apple device, it has FileVault on. These are the sorts of things that we see in corporations as well, where we need to have different types of encryption on your desktops. Anti-malware programmes: you don’t need to be spending large amounts of money on these things. Most of the good products come with free versions already, so if you’ve got them, enable them. Personal firewalls, again, will come with the platform: if you’re using Windows or if you’re using Mac, they will come with good inbuilt firewalls, and if you’re on Linux platforms, again, they often have those as well.
Daryl Flack 28:00
So the key aspect really is: how do you take all of this understanding and knowledge as individuals? And if you’re looking to create a cyber programme, what are the key things you need to look at? So, risk management. Making risk-based decisions is absolutely crucial. We don’t all have huge bottomless pits of cash to be able to spend on this, so part of risk management is about informing those decisions, or striking the right balance between the threats that you face, that are pertinent to you, and how you can capture that low-hanging fruit and mitigate them the most. Risk management in cybersecurity helps the security domains to ensure that the technology, the systems and the information that you’re protecting are protected in the most appropriate way, in the most pertinent way for you, and it’s based around your risk appetite. Some organisations will have a much hungrier risk appetite and be more willing to take risks; others will be in compliance-type environments and regulatory environments where they have to meet certain regimes. Number two, engagement and training. This probably goes on to your point, Mike, that you touched on earlier: encouraging senior leaders to lead by example. Having boardroom buy-in is absolutely crucial. They need to be leading by example, and they need to be a fundamental part of any of that engagement as individuals. If you’re running cybersecurity programmes, it’s got to be little and often, small bite-sized nuggets of training. The days of doing an hour or two hours of e-learning at one point of the year are gone; it’s like taking one Lemsip and hoping that it will see you through the year. You need constant reinforcement, but not to the detriment of people’s day. You can’t create programmes that just take too long; it’s got to be small and bite-sized. You’ve got to build effective dialogue with your staff and with your support.
You’ve got to have champions and you’ve got to help them. You’ve also got to recognise that people learn in different ways and at different speeds, so you’ve got to have content that caters towards that and helps people learn in those different ways. Have themed campaigns at different points in the year; we’re in October, which is Cybersecurity Awareness Month, so things like this webinar can focus on specific aspects that may be of interest, and you need to tailor those campaigns to address the needs. The third point is around asset management: you can’t protect what you don’t know. So integrating asset management into your organisation is absolutely key: understanding your critical services and your functions, identifying all the associated data and technology dependencies you have, how you prioritise them. You need to improve and validate that knowledge all of the time, because new assets are being added and old assets are being removed and deleted. So only keep what you need, and if you are removing assets, make sure it’s done in a secure way. Number four is around architecture and configuration. This is more around designing your systems, if you are designing software and platforms: understanding what you’re building and why you’re building it, making the system easy to maintain and easy to update. Having huge amounts of branched code everywhere can be incredibly challenging. Make your compromises; you’ve got to make compromises on good things. We’re all going to be balancing what the user-centric requirements are and what the security needs are, but the compromises shouldn’t be on the security side. That doesn’t mean that security trumps user-centred design; it just means that it needs to be built in, secure by design, from the beginning. The whole idea really is that you’re trying to make compromise and disruption as difficult as possible for any would-be attacker, so reducing the impact of those compromises.
Make it easy to detect and investigate compromises when you are building your solutions and your services, and safely develop and manage those systems. So having good alerting functionality is a key part of that. Vulnerability management leads on from that aspect really: keeping your systems up to date, again going back to what I touched on, what you can do personally, and developing vulnerability management processes and disclosure policies. The DCMS, the Department for Culture, Media and Sport, created the 14 steps that you should take in terms of security by design, and they’re about to mandate three key aspects: not baking in passwords, giving support to your products and telling your potential customers how long you support them for, and also having a vulnerability disclosure programme. So having that vulnerability disclosure programme is going to be critical, and that’s how you’re going to manage your legacy equipment as well, whether you need to segment that off from your core network. Identity and access management. This is a core staple of any good organisation: being able to control what data can be accessed and who can access that data, and when; developing appropriate identity and access management policies and processes; considering multi-factor authentication on all of your accounts (again, you can see where it aligns to what we said on the personal side of things); and employing security monitoring and detection to alert you to anomalous behaviour and malicious behaviour. Number seven, data security. You’ve got to protect your data where it’s vulnerable, but also protect it according to the risks: you shouldn’t be spending more on the detection and protection of data than the data is actually worth, and not all data is worth a huge amount. Personal data is obviously very important. Privileged data is very important. Commercial data is important.
Intellectual property is important. But there are other aspects where it isn’t quite as important, so you should tailor how you protect it and where you protect it. You need to back it up; you need to make sure that you have online backups, but also offline backups. Follow the NCSC best practice around looking after your backups. And when you’re getting rid of data, securely sanitise any storage media it’s on, making sure it’s certified, when you get rid of old equipment, that it’s been securely destroyed and has been protected in a way that you’re comfortable with. Then logging and monitoring. You’ve got to understand what your objectives are around logging and monitoring. I see too many organisations that just get buried in logging data. They have great systems, but they are just in alert hell. So you’ve got to understand the logs that you need, the information that you want to protect and that you want to be alerted on, and you’ve got to have the playbooks for how you work with that. You’ve got to keep your logs generating useful insights. It should be around the anomalous events that you care about, the things that are going to be challenging for you. And as part of that you need to develop your incident response plan, which comes on to number nine, which is around incident management. So incident preparedness is absolutely crucial: preparing your response plans and your capability, and practising them. It’s no good having a 200-page response plan, because when something bad happens no one’s going to be able to read that 200-page response plan in the time. You need small, concise playbooks that are worked out for everybody, from the boardroom to the floor; everyone needs to know what their part is to play in the event of an incident.
And the best way to do that is through exercising and desktop exercising. You’ve got to have your communication plans actively ready, knowing what you’re going to say to shareholders, how you’re going to deal with the press, how you’re going to deal with regulatory authorities if you need to. You’ve got to incorporate lessons learned from all of those different exercises, and have support plans to support you. Often with big incidents you may have an amazing internal team, but if the incident goes on for two weeks, that team isn’t going to be able to sustain it; they’re going to get fatigued. So having good support backup, having good retainer plans in place, having specialists with forensic capability and deeper incident response capability on hand to help you at the touch of a button or the click of a phone call is going to be very important if an incident starts to become protracted. And that’s number 10, but equally it could be at number one: supply chain security. Understanding your supply chain, mapping it out, understanding where there might be potential weaknesses, embedding security within your contracting processes. So when you’re procuring from organisations, understanding what their cybersecurity posture is, what their resilience is, and helping support them to get them to the level that you need to be comfortable that they are an active and supportive member of your supply chain. So I’m aware that that’s quite a talk-through and quite a large amount of information, but hopefully it’s brought together a number of key aspects. I’d be happy to hear any questions you may have, and equally, Mike, if I didn’t answer your question appropriately, please feel free to come back and let me know and I’ll try to add any more detail to it to get you to that point.
Mike Stevens 37:03
That’s incredibly in-depth, Daryl, and there’s lots to take away, and I’m sure that the audience attending have written down some notes. I’ve definitely taken on the personal aspects of that, and I like that approach. It takes me back to when I was running the International Loss Control Institute’s five steps to a five-star safety rating job; one of the 20 elements was about home safety. And the same thing applies here, because how do you have those sorts of behaviours suddenly when you come into work? It’s something that you do by instinct, by being something you practise every day. So I think that’s great. And the other part about it is that it’s leading it from the top. So I’m not necessarily Chief Technology Officer, but what I do do is focus on this, and everybody knows that in our business. And I think that’s the way to look at it. You know, where do you start when you train people? You train at the top, and then you can cascade it, or you focus on profiling the type of training that you need based on your plan.
Daryl Flack 38:16
And I think that’s one of the key areas where we see the most value. We often do cyber exercises with boardrooms, and I think going through that initial exercise where you have everybody playing their part, you’ve got the CEO playing their part, the Chief Operating Officer, the CFO, the CTO, and when you run through a scenario that they’ve not seen but is pertinent to their organisation, and you put them in positions of “this has just happened, what would you do at this point, how would you manage it?”, it starts to focus the mind on how it could really impact the organisation. And that’s when we then see the outflow of “okay, we now need to take this seriously”, because people feel uncomfortable. And it’s not just the corporate impact, it’s the personal impacts. Cyber breaches have real, deep personal impacts on individuals; they’re incredibly stressful times and can cause really negative long-term impacts, whether that’s anything from people losing their jobs to health concerns around the impact it’s had on them. We’ve worked with organisations that have ultimately ceased trading because of a cyber attack, and the personal ramifications that has on everyone is huge. So once you start putting individuals into a position where they understand how that can be, it helps to focus people’s minds and recognise that this isn’t a tick-box exercise. This is for the good of the company and for the good of its staff, and how can we make sure that we are… you can never be immune to cyber attack, but it’s how you respond and how you recover, and how quickly you recover, from those types of attacks.
Mike Stevens 39:52
I think at an emotional level as well, you know, my reflections on what happened were that it was emotional. It was like, you know, it was a crime; it’s the same as somebody breaking into your car or damaging property or getting into your house. So that has that impact; like you say, it’s very demotivating. And the interesting part of your presentation was about the costs, and where do those costs come from?
Daryl Flack 40:19
So, yeah, every year there are different numbers that come out. IBM releases a good report every year, and also DCMS and the Cabinet Office report different reports for UK interests. And so the different numbers that come out are based across… you’ve obviously got international ones of where the UK sits compared to, say, the US. In the US, the cost of their breaches is far in excess, probably double, of what it is in the UK. But you could say that that’s because they’re a much larger country, and they are more heavily attacked, so the average is then increased. But I think in the UK we sit above the EU, as I touched on, and that’s despite us having some pretty good cybersecurity controls and organisations like the NCSC in there. It’s because we’re a high target: we’re a G7 country, we have lots of intellectual property that is incredibly valuable for people to target, and because we’re a G7 country, it’s deemed that we will pay some of those ransoms. Now, the fact is that actually the UK public sector doesn’t get hit anywhere near as much as the American public sector does, because they have paid lots of ransoms and the UK doesn’t pay those ransoms. So you can see that metric whereby, as we touched on, 80% of organisations that pay a ransom suddenly get hit, funnily enough, within a year, because it’s a happy hunting ground for the attackers. And it’s not necessarily the same attacker, although it can be. Once this data is on the dark web and the information is leaked, it’s up for anybody who wants it; anyone can pay their $10 to get a credential and to have an attack themselves, and the tools, as I touched on as well. It’s like an Amazon marketplace: you can go on, you can choose your tools, you can choose the credentials you want to attack, and then you can do it, or you can just pay someone else to do it and then you split the profits. It’s an entire ecosystem of crime out there.
That is why, when people say “why would I be a target?”: do you have any money flowing through your organisation? Do you have any data flowing through your organisation? Any organisation that doesn’t have either of those things is a very unusual type of organisation. And so everyone is a target, and everyone has something of value, and so being prepared for that type of eventuality is key. And I don’t want it to sound all doom and gloom, because it’s not; there are lots of good, helpful places out there to get advice on things, like the NCSC website, and on European and ESA websites there’s a whole host of good programmes and good free resources that are out there. But ultimately it’s an arms race: every time we try and do something to help defend, there’ll always be a way around it. But that’s been fraud and deception throughout history, everything going back to the Trojan horse in Troy and where that originally comes from. There’s always been people that want to trick you, people that want to defraud you and people that want to extort you; we’re just now in a digital age, and it’s coming through on a technology platform. But it’s still got all of those same personality aspects. So the whole aspect of Dr Robert Cialdini, who has the five influencing factors: how are we influenced? Some of us are influenced by authority, we’re told we’ve got to do something, so you’ll get phishing emails that tell you you must do something in a certain timeframe. Some of us are influenced through reciprocity: someone does something for you, so you feel obliged to do something back. There are time-based criticalities.
So there are all those different influencing factors that are personal, human responses, and no matter how it’s changed through the ages, the digital protagonist now is using all of those same human aspects to get us to do things with our emotional and responsive brain rather than the longer-term logical brain that says it’s not right. And what we have to do is take our time, take a step back, look at things and say, “Don’t quickly react with my emotional side, because that’s what the email is wanting me to do, or that’s what the text wants me to do. Does this feel right? Does it feel normal? Is it what I was expecting to happen?” And then raise the alarm, contact IT, get some help if you think it’s somewhat unusual.
Mike Stevens 44:49
Yeah, that’s great. And that’s what I try and say in the businesses: if you get it wrong, it’s not a problem, because if there is an invoice to be paid, or there’s something that needs to be done, that can be done in a different timeframe, or after having some consideration. So it’s setting that culture up, I think, is the thing. Absolutely.
Daryl Flack 45:09
And I think that’s the biggest challenge we have in some of the larger organisations and some professional services organisations. Changing the culture can be hard, and it takes time. But particularly in regulated environments, where it’s very easy to write a policy and put all of the pressure on the individual and say, “here’s a 50-page policy, read it, and sign to say you’ve read it”, and then if you do something wrong, well, you’ve gone against the policy and we’re going to blame you. That might tick a compliance check box, but that’s not going to make you a secure organisation, and that’s not going to help that individual. What you need is to provide a training programme to show people how to spot these things, and support them, exactly as you’ve just said, if people make mistakes. We all make mistakes. It’s not about punishing the person that makes the mistake, it’s about having the processes in place to help and support them, to protect your company and to recover from any challenges.
Mike Stevens 45:59
Right, timing-wise, Tracy’s in charge here. So I think there are some questions. So thanks for the opportunity to put my questions, and hopefully there were others that were wanting to do that, and maybe we’ve covered some of the things which had been asked already. So I’ll hand back to Tracy.
Tracy Seward 46:18
Yeah, we’ve got a couple of questions that have come through. I’d like to say, first of all, I need to get a password manager; I’m slightly petrified that I’ve got the same password for 150 websites. But I’m going to change that. But yeah, I will move on to a couple of the questions that have come through. I’m not sure if any of these have been covered yet, but I shall just read them out and we’ll see. What should you do if you suspect or know that you’ve been hacked? And should you have a written procedure? Sort of covered, but…
Daryl Flack 46:47
Yeah, so there are obviously two different ones there, for corporate and for personal. From a corporate point of view, you should have some internal corporate policies on exactly what to do. Contacting the IT team immediately is obviously the first port of call; they will understand what needs to take place, they will be able to contain the incident, and the security team will obviously also help. There are some wider aspects outside of that, depending on the type of attack it is: you might need to inform regulatory bodies. So if it’s, for example, a loss of personal data, then you might need to inform the Information Commissioner’s Office. You can contact the NCSC for support. You can also contact Action Fraud; again, if it’s an attack of that nature, it’s a crime and it should be logged with Action Fraud. That’s the same from a personal point of view as well. If you get attacked, you can log it with Action Fraud. As you can imagine, they are absolutely inundated, but at least you’re doing the right things in logging it in the right and appropriate ways. There are some personal things you should do. I mean, if it’s a personal thing and your machine is doing things it shouldn’t, disconnect it from the internet for a start, run your antivirus and your anti-malware scans to see what’s there and to try and clean it. Making sure that your device is up to date would be the key thing as well. So it depends on the situation and the type of attack and what you’re seeing, but those are some of the key aspects that you should do in terms of informing the authorities, disconnecting where you can, running scans, cleaning where you can; you may have to connect at some point to download the updates or to get the latest versions and all those sorts of things. But yeah, if you’re seeing things going wrong internally within the organisation, then absolutely contact your security teams and your IT teams.
Tracy Seward 48:51
Thank you. Right, so on to the next question. “We get asked to complete lengthy cybersecurity questionnaires by existing and potential customers. Does something like Cyber Essentials mean we don’t have to complete them?” There is a second part to this, but I’ll read that after.
Daryl Flack 49:09
It doesn’t, unfortunately. Often “have you got Cyber Essentials?” or “have you got ISO 27001?” are part of those questionnaires. And it’s something we’re seeing across the supply chain: as supply chain risks are becoming more prevalent, everyone in the supply chain wants to make sure their supply chain is compliant. So you end up with security questionnaire hell, effectively. But there are tools out there that can help you with that. There are different software platforms where you can effectively build all of your answers into that platform, and then when you get a questionnaire come in, you can complete it from the platform in an automated way. It still needs some human interaction over the top, but yeah, unfortunately it is a bit of a problem, being hit by these from every direction at the moment. Using software automation can help, but it’s not the complete answer. It’s just a challenge that everyone is living with right now, unfortunately.
Tracy Seward 50:08
Yeah, and the second part of that question touches on that: how important is it to have a process or method of checking cybersecurity in our own supply chains? It’s kind of been touched on.
Daryl Flack 50:21
Yeah, it’s absolutely critical. Now, some people use a questionnaire as part of that, some people will have contractual clauses with rights to audit, some people will want to see certain certifications, whether it’s Cyber Essentials, whether it’s ISO 27001, whatever it may be. So yeah, it could be everything from a verbal “yes, we’re someone you can trust” (I wouldn’t recommend relying on that), to a completed questionnaire, to a completed questionnaire that’s contractually backed, to a completed questionnaire that’s contractually backed with rights of independent audit.
Tracy Seward 50:57
Thank you. Right, last question for now that’s come through: should cyber training be specific to individuals in the organisation? In other words, should there be a training needs analysis to match the risk?
Daryl Flack 51:12
So it’s going to depend on your budget, but in an ideal world, absolutely, yes. We call it human risk intelligence. We’re all slightly different, we’ve all got different job roles, and we all have different levels of understanding. So what’s the point in making someone complete a 20-page questionnaire on stuff that they already know and already have the answers to? So the types of methods that we try and use are that you will have initial questionnaires or initial assessments; if people do well on those, then there’s no point reinforcing or retesting them on those things. If you’ve got individuals that are incredibly technically literate, who are developers, then you should be testing them around their job role and how they are securely developing, rather than other aspects. That’s not to say that we shouldn’t all get the usual training that we all need, the good cyber hygiene. But absolutely, if you’re a chief financial officer, or you’re a finance manager, you should be getting training around how to protect yourself from paying fraudulent invoices, those sorts of things. So it should be tailored and it should be specific. And there are places, Praxis42 or wherever, where you have content that absolutely focuses on those areas and is designed in exactly the way that I mentioned: small, bite-sized, little and often, tailored to the role, tailored to the individual. So in an ideal world, absolutely, yes.
Tracy Seward 52:38
Thank you. Right, no more questions have come through. I’d just like to say thanks, Daryl, for joining us today; really interesting session. And thanks also, Mike, and thanks to everyone for joining us today. So, yep, we’ve gone through the questions. Any other questions that you want to send through after we close the webinar, please submit them to info@praxis42.com and we will make sure that all of those get answered. Those answers will be put onto our resources pages, and a link to these and the recording of the webinar will go out to everyone that’s signed up. So thanks again.
Cyber crime is increasingly frequent and costly to organisations of all sizes and industries.
The consequences of a cyber-attack include financial loss, reputational damage, loss of business continuity and breach of legal obligations.
This webinar shares what is required to implement a successful cyber security management programme within your organisation.
Areas covered include:
- Key components of an effective cyber security programme.
- The importance of evolving your strategy to defend against current threats.
- Common pitfalls when developing and implementing a cyber security strategy.
- Training and employee engagement.
Guest Speaker
Daryl Flack | Co-Founder and CISO | BlockPhish
Daryl is a vastly experienced cyber, technology and business leader, who has been successfully delivering secure products, services and business transformations globally for over 20 years.
Having held technical, managerial and executive positions in both private and publicly listed organisations, Daryl is a champion of tailoring best practice to suit the customer needs and environmental conditions and has delivered in sectors as diverse as construction, legal, retail, digital media, defence and the public sector. He currently provides expert consultancy and support services to a number of organisations including the UK Government on critical national infrastructure programmes.
He’s also the CISO and co-founder of BLOCKPHISH, an MSSP which helps organisations improve their resilience against cyber-attacks.
A published author and keynote speaker, he has a passion for making technical and challenging concepts accessible to the uninitiated and brings a unique insight in to how to balance the competing challenges of business, people, process, technology, security and safety.
Daryl is cleared to the highest levels in UK Government, is certified by the National Cyber Security Centre (NCSC) and is a Fellow at the Chartered Institute for Information Security (CIISEC).