Thanks for everyone joining us over your lunch breaks, it’s brilliant to see we’ve got about 100 people signed up for the webinar today, really nice mix of existing clients, hopefully some new ones as well. If you’ve got any questions throughout this webinar, please just pop them in the Q&A at the bottom of the screen we’ll pick them up later on as well right at the end we’re going to have a Q&A and we’ll answer all your questions then.
So, for those of you that don’t know who I am, my name is Michael Johnson, I head up the Business Technology Advisor team here at Netstar. I’m also part of the leadership team and been with Netstar for about eight years now. So, my team’s role as part of our service is basically to help our clients get the most from their technology. So, we work closely with them to understand what their business goals are and really help them to create strategic plans across their technology environment, which inevitably includes a lot around cyber security, really helping the clients identify what risks there are to their business, understand what solutions are available for them and then help them make informed decisions on how to address these.
We’ve also got Lee Johnson joining me on this webinar. Just to confirm not a relation in any way at all, he just happens to have been blessed with a great surname as well. Lee is the Chief Technology Officer and Head of Cyber Security within the Air IT group which Netstar recently became a part of last year. As a result we and our clients have got to benefit from the increased expertise available especially around cyber security. So Lee’s been working within the industry for over 15 years now and as a result I’m going to stop talking for a while and hand over to him.
No problem at all, thank you very much Michael. So yeah, I think first of all I’d just like to thank you all for giving us the opportunity to present to you all today and for taking the time out of your days. So, I think what we’ll do we’ll start off and I’ll give you a um, I’ll give you a bit of a brief sort of introduction about myself and then we’ll move forward onto some of the content.
So my name is Lee Johnson and I’m the Chief Technology Officer here at Air IT and also Head of our specialist Information and Cyber Security division called Air Sec. Um and as Michael mentioned I’ve worked in IT for over 15 years with 10 of those in the MSP and the security sector and one of my key passions is really helping businesses to achieve their goals and ultimately transforming their business through the use of technology. And also through Air IT in the East Midlands Chamber, I’m the resident consultant for cyber security, Office 365 and cloud computing for the European Union digital growth program and this is where I provide seminars and workshops to business owners to show them how they can be using technology smarter within their businesses.
So in terms of what we’re going to discuss today, I mean first of all I’ll give you some background to the current state of cyber security or the threat landscape as we also call it and what this is. Some useful context to give you some background on what types of attacks we’re seeing have the most success and unfortunately it is still largely the most unsophisticated and the non-targeted attacks that are having the most success. But fortunately the vast majority of these attacks can actually largely be prevented by implementing some simple but effective security controls within the business and we’ll dig into those areas a little bit more later on and after that we’ll discuss why the threat is heightened by the current situation we find ourselves in as a result of Covid 19 and how the way in which many organizations have been forced to operate has meant that many businesses that haven’t invested in the correct time that haven’t invested in the correct technology to sufficiently support the remote working have unintentionally brought significant risks to the organizations in some cases.
So what we’ll do is we’ll also discuss some of the reasons as to how and why that’s happening and then thirdly we’ll discuss what the potential risks are to our organizations and more importantly what the potential impacts could be as a result. And then once we’ve been through the risks, we’ll then talk about what steps we can take within our organizations to basically ensure that we’re geared up to be as protected as we possibly can be against these most common types of threat that we’re going to talk about today.
So, I think it would be useful to start off with some background on that threat landscape that we spoke about. Now cyber-attacks are on the rise year on year and unfortunately it doesn’t show any signs of slowing down. And to try and combat this the UK government have actually invested over £1.9 billion into cyber security until the end of 2021. And they’re doing this through something called the National Cyber Security Centre. Now one of the things that’s important to note is that SMEs are often the primary target for quite a few reasons but primarily it’s due to often the lack of investment and systems to sufficiently protect the organization especially when tasked with an entire workforce operating remotely and there’s also many reasons for the rising attacks. But to cover some of the most common factors that face us today, I mean first of all we’ve got that unplanned shift to remote working which has resulted in you know increased access to corporate resources from sometimes unknown and unprotected devices and networks and many organizations are now utilizing their systems in ways that may not have originally been planned in the original security architecture or design of their systems and this can present us with business as businesses with you know sort of a significant security risk that we’ll cover in some more detail later on in the presentation.
Now many surveys alongside, again we mentioned the UK National Cyber Security Centre, their own incident data actually suggests that almost all of these criminal attacks are conducted using commonly available tools and techniques that unfortunately don’t need a lot of technical knowledge to actually be effective. And these include things like phishing, impersonation attacks and many more and what we’ll try and do today as well is during the presentation we’ll try and break down some of these attack types and try and explain what they actually mean and give you some context in terms of real life events and experience that we’ve had. Now these attacks, these sort of low-level attacks that we talk about, often take advantage of poorly implemented security controls or businesses that haven’t invested ahead of time in the right technology. For example, even things like inefficient password policies, known software bugs and flaws that aren’t patched. And to this day one of the most common findings that we see post breach is often related to unpatched software. Now an example of this would be the 2017 WannaCry attack that took down the NHS and many other organizations. But the patch to actually protect against this attack was available two months prior to the event and this is another reason why frameworks like Cyber Essentials, for example, are so critical as these security packages are required to be installed within 14 days of release.
We were just talking about the example with the 2017 WannaCry attack and you know the importance of making sure that we’re installing these patches ahead of time and the other message that the attackers are using within the report and in this data are by exploiting normal human traits like trust in order to gain unauthorized access to our networks or business systems. Now the outcome of these attacks vary but often the result is the compromise of the business email systems or actually in some cases the delivery of malware through to the end points. And what we are seeing is that we are seeing more attempts on our digital lives and our businesses but we are also seeing importantly more success and you know to use a sort of like analogy criminals are often actually coming through the front door with the key and the key being the password in this scenario and this is still often a result of the simplest but most successful cyber-attacks such as phishing and then obviously the subsequent credentials that that can then appear on the on you know they can then appear for sale on the dark web which we’ll cover in a little bit more detail just now.
So we spoke about phishing now phishing is the attempt usually to obtain sensitive information such as usernames, passwords, credit card details and it’s usually you know most commonly delivered via email and this will then often redirect the victim to a fictitious web page that looks almost identical to the real thing and therefore users can end up giving away their credentials and sort of being the opportunist that cyber criminals often are they will commonly use current trends or themes to try and they will do anything basically to try and increase their chance of the recipient opening and ultimately falling for the attack. And one of the examples in terms of the trends that we’re seeing at the moment are phishing attacks related to Covid19 and I’ve just included a screenshot of an email example that we saw that was sent by attackers and this was designed to make users want to click and find out more and as you can see you know it’s simple but it’s extremely effective and if you think like a similar theme if we go back to a period last year sort of September/October time where Covid was getting a slightly better people were starting to think about bringing a phased return to work email. There’s going to be a lot of people that are going to want to open that email to find out more about how much longer they’re going to be working from home what do they need to do with their child care and the key message here is that the criminals will often use these situations to their advantage and the stats show that it’s you know it really is highly effective.
So to take you on the journey of sort of a common cyber-attack, what we find is that once the cyber criminals have obtained the user’s credentials via various methods like phishing, for example, once they’ve carried out their own illicit acts they’ll then often sell that data and those credentials on the dark web. For anyone who doesn’t know the dark web is basically like an underground marketplace where malicious organizations can sell sensitive information like usernames passwords for a fee, typically you would find that high profile targets could be worth more, for example a CFO or CEO just like for an example. You’ll probably often see in the news that, you see this sort of like significant breaches of sensitive data from EasyJet and many other organizations and the fact is that data was often obtained will then often appear on the dark web for sale within the coming days and weeks.
And in situations like that if organizations haven’t taken adequate and diligent steps to try and prevent such happenings the governing body for data protection which is the ICO in the UK they often can give out substantial and hefty fines. And there’s been many examples of this as well including British Airways and again such an unsophisticated method in terms of dark web can result in unlimited rewards for the attackers including access to all of your emails, your corporate intellectual property, client data and many more and this is a perfect example of what I mentioned before about coming through the front door with the key and it’s just another example of why it’s difficult for organizations to detect and ultimately prevent such attacks if they’re only using single factor authentication and legacy methods such as passwords to log into their corporate data, as the criminals are going to be logging into our systems correctly the first time without a single wrong attempt if they’ve got these passwords and that’s why it’s so difficult now without these methods in place to actually be sort of protected and users will often also commonly use either the same password or a variation of the same password across multiple systems, line of business applications both in their personal and their work lives. And this area of the dark web is actually one of the fastest growing industries in the world.
So mobile working and remote system access does offer great business benefits as we all know but it also does expose new risks that do need to be thought about and do need to be managed so I mean as organizations we really should establish risk-based policies and procedures that actually think about things like mobile workings particularly now remote access to systems that are applicable to all users service providers and some of the challenges that we need sort of questions that we need to think about. For example, number one how are we going to access corporate resources when we’re not in the office, what devices are we actually going to be using to access that data? Because it’s often it’s not as simple as just connecting a VPN from any device because if we do this from an unknown and personal device without the correct controls and systems in place in effect we can be allowing machines of unknown statuses onto our corporate networks which, in normal use, would just never be allowed because of the significant security risk.
And then we need to ask about how we’re going to protect the security of that data that we are accessing remotely how are we going to control that data once we’re back in the office or if anything happens to those devices and if we think if employees have been accessing data from personal devices without these systems in place there isn’t any way for us to control revoke or monitor access to that data once it’s been downloaded to those devices without the controls in place. And we could also now have a challenge of, for example, like an employee that suffered the loss or theft of a personal device that now contains corporate data without the ability to remove or track access to now who has access to this data or if we’ve got a disgruntled member of staff who’s been using personal equipment to access the data and then finally we also have the loss of employee internet security systems when they’re working from home. If we don’t have these technologies in place and you know ultimately the thing that we’re trying to do here is to try and prevent employees unknowingly connecting unknown devices to our corporate resources and bringing that risk to the organization.
So if we talk about some of the risks and some of the impact actually to our businesses I mean let’s be black and white you know it looks basically our organization’s intellectual property private data and you know information of our client is ultimately at risk of being stolen, data falling into unknown hands and you know with no control to remove or actually get rid of that data and obviously this can result in significant security breach with potentially unlimited consequences depending on the data on that device. And we touched before on malware such as ransomware spreading into the corporate network which again can result in significant downtime and in some cases data loss to the organization. We can also suffer things like theft of credentials with the likely subsequent selling of that data on the dark web and then we’ve obviously got the fines from the data breaches from the ICO and things that we’ve that we sort of spoke about earlier on with this. But the bottom line is that we’ve got sensitive data that’s useful to these cyber criminals in so many different ways and it’s really important that we take these preventative steps to make sure that we’re ultimately protecting our organizations.
So we spoke a lot about unmanaged devices connecting to our network so to put this into perspective I just want to show you a short clip of the now famous attack that affected the NHS you know some years ago now but it brings some great insight and you can see here you can just you can actually watch the infection spread throughout the world through unprotected devices. The reason I like to show this video is it really gives some great insight and context to just how a form of malware can spread exponentially over a very short period of time to unpatched and unprotected devices. And you know with users using their unknown and personal computers to access these corporate resources without the right controls in place, we could be allowing devices that aren’t up to date they haven’t got these latest security patches installed. And this sort of infographic in this video here it really just gives us some context and shows us just how fast that an infection like this can spread. And although this threat is still relevant when we’re working normally, organizations are at a significantly higher risk during this period and whilst we’re working in this way.
Now social engineering and impersonation, this is where the attackers will target the employees directly and not necessarily the IT systems and they do this with attacks such as CEO fraud or impersonation. Now social engineering is where attackers attempt to basically trick users to try and do the wrong things, such as disclosing information or clicking a malicious link. And phishing can be like for example, conducted via text message, social media, or by telephone. But these days most people do tend to use the word phishing to describe attacks that arrive by email.
Now email is an ideal delivery method for phishing attacks and impersonation attacks as it can reach users directly. It also hides among the huge amount of normal and sort of benign emails that users you know like a busy user would sort of receive in a day. What we also see is that in often targeted campaigns an attacker may use information about your employees or the company to make their messages even more persuasive and realistic and this is actually referred to as a method called spear phishing and it’s really a type of confidence trick for the purpose of information gathering, fraud, or system access and it’s often one of many steps in a more complex cyber security and fraud scheme.
One of the challenges that we have is employees don’t often see themselves as part of the organization’s information and cyber security efforts. So, an example of email impersonation is where an attacker or cyber criminal forges an email so that it looks like it’s been sent by somebody else and this is either done so the entire name and email address of the sender is forged or in more straightforward cases just the name of the sender is set to someone that they know works within that business now the typical intention of the attacker is to try and trick their victims into making money transfers, paying fake invoices to defraud your business, or actually in some cases trying to get you to send back sensitive data related to your business or your clients. And unfortunately what will often happen is that they will coerce you into clicking on hyperlinks or sending data over to actually steal user credentials or actually to facilitate fraud and actually carry out business email compromise.
I just wanted to show you a screenshot here that we’ve got and although not fool proof especially with the sophistication of these sort of like modern threat actors and cyber criminals there are still some you know there are often some characteristics that are common amongst these types of attack. For example we’ll often see number one we’ll see urgency these attackers will often want to get in and out as quickly as possible to try and evade detection and carry out what they intend to do usually financially related. And what you normally notice is they will often say that they need a payment now they need this done today and the grammar or sentences are often badly structured or contain you know sort of poor structure. And although it’s a lot better than it was many years ago it is still one of the attackers’ common flaws that we can look out for. But it’s also important to note as well that you shouldn’t be fooled by personalization because information especially now, such as names, positions, even subordinates, and teams, company events – they’re often available online through LinkedIn, company blogs, and more. So they’ll often try and bring this in as part of an attack to try and coerce us into them being more successful too. So what can we do?
I think it’s important that you know we’ve highlighted some of these risks and the potential impact but you know what can we do in our organizations and the most important aspect obviously is to be prepared to ensure that we’ve got the answers and the technical solutions in place before the event. But we do know that this isn’t going to be the situation that all organizations find themselves currently in so what we’d like to do is just go through some of the steps that we can take to ensure that we are as, ultimately, we’re as secure as possible during this period of working from home but also in terms of moving forward as well in this new way of working. So, for example, VPN technology can be a great way to ensure that the data between our devices and the internet and corporate resources are encrypted which can often prevent malicious third parties on the same network from being able to you know sniff network traffic obtain sensitive information from our day-to-day working activities. But again it’s important that this is only carried out from corporately managed devices that we have control over.
We can also deploy cloud-based device-level security technologies to help prevent security blind spots and this also helps with ensuring we can also ensure employee productivity monitoring in terms of security enabling us to not only ensure that we have adequate protection, but we can actually enforce and report on internet usage and sort of web traffic as well. One of the things that we do have is that technologies such as this a different layer, and this is often one of the things that we talk about with cyber security, is that it’s all about having different layers of protection and these types of protections we’re talking here is works at the DNS layer which is sits on a different layer to your traditional antivirus which typically will only protect you once you’ve already visited the malicious web page. Whereas this web type of security can actually try and actually prevent malware ransomware and even phishing attacks from fraudulent websites before your employees are actually able to visit the web page. And this uses a global network of threat intelligence that processes billions of web requests per day so it really is a great way to ensure that we can analyse and learn internet activity to determine where these attacks are being staged and ultimately block the requests to these unknown and unwanted malicious destinations before the connections actually established. And this enables us to protect roaming users and devices regardless of their location and also without the need to be connected to an office network or VPN. And like we touched on it finally also enables us to report and track employee productivity with web activity and filtering capabilities, again improving the efficiency and the reporting of the employee productivity and security whilst they’re working remotely.
So moving on to what else we can do? And this is a really key piece of advice I’d like you to take away from today’s presentation, I mean one of the single most powerful actions you can implement to improve your protection is by implementing MFA. So, MFA is multi-factor authentication, and it is one of the most effective methods for some of the most common types of cyber threat. And it’s often you know it can often be a little to no cost implementation now for those of you who aren’t aware of what MFA is it’s an authentication control that’s broken down into often you know most commonly two separate areas. First of all it’s usually something you know, for example a password. And then secondly, it’s something that you have which is usually a six-digit code that’s received either on a mobile application SMS or a hardware token in some cases. And basically, if you only have one element of this authentication for example the password you basically can’t log into the systems and your access will be denied without that second factor of authentication.
Now following this it’s absolutely critical to ensure that our email platforms are fully secured we’ve spoke about how this is a primary area of attack and often the most common way that these cyber criminals are able to get into our organizations and we spoke earlier about impersonation now we can protect ourselves against these types of attacks using technologies such as impersonation protection and SPF technologies and we’ve actually had unfortunately many organizations that have contacted us that have been the victim of an impersonation attack that unfortunately and in some cases often ends up in significant sums of money being transferred to an illicit third party. Now to give you an example, one organization who contacted us late last year unfortunately had been the victim of cybercrime. What happened is they didn’t have multi-factor authentication on their email accounts and as a result the attacker was able to first of all take control of their corporate email account but what the attackers then did was actually quite clever, so what they then did once they were in the account is they would sit inside that email account and then create rules in the background for interest in or targeted keywords like payment, invoice, bank transfer, for example. And then once these keywords were triggered the attackers would then look over the email account in more detail and start to watch more closely and what they do is they wait for these conversations to mature and continue and then they pounced at just the right moment and what they did was when the email conversation was approaching the payment stage the attacker that basically in the meantime registered a domain name with one character different from what the actual domain name is of who they thought they were talking to and then basically created another rule that automatically forwards and deletes the emails from the genuine sender. 
And what happened then is that when these emails were coming in the attacker then copied the content from the genuine email changed the bank account details on the invoice and then re-sent the email to the recipient who then knew absolutely no different and for all they knew they were they’ve been emailing this person for the last few days everything was going as expected but unfortunately this member of staff then logged on to the bank and transferred £90,000 to the cybercriminal and it wasn’t until the supplier then actually chased that person later on that month. It wasn’t until that period that the attack was actually realized and by that time you know almost a month in time had passed £90,000 had already been transferred and that money’s long gone and unfortunately couldn’t be recovered, and this is just one real world example of why having these types of technologies like impersonation protection is that is just so critical to have within our organizations.
And then we spoke about the dark web and the credential market earlier on in the presentation about how these cyber criminals are selling this data so what’s also really important is that you should be checking the dark web for the sale of yours and your company’s data and your credentials. Now this isn’t something that you would want to do manually, this is something that you would have carried out by ourselves and we’re actually offering all webinar delegates today a free one-time dark web assessment that will actually detail if any of your data is available for sale on the dark web including a snapshot of what that data looks like. For example, you know personal information, passwords credentials, and it’s really important to be aware if this data is being sold.
So what else can we do? We can implement mobile device management. What does this do? I mean we spoke about people using personal devices and perhaps using devices that haven’t been enrolled by corporate IT and what this enables us to do. Mobile device management technology enables us to be able to wipe data from the devices if they’re lost or stolen, it also enables us to be able to manage the applications on that device across the estate, including adding and removing the applications but also setting per application policies so you can say that you can only carry out certain actions within these applications. We can also push settings through to the mobile devices, for example the corporate wireless networks and more. And we can also enforce security passwords and policies for example to say that those phones must be encrypted they must have a passcode they must meet certain requirements and this also supports a BYOD culture because one of the key challenges that we that we have in technology here is ultimately to be able to get that balance of security and privacy so you as an employee, if you want to access that data on your corporate device, as a business owner you want your users to be able to access that data but you also need to be able to control the data on that device and sort of strike that balance between not having control over the entire device but actually being able to segregate and actually split that phone out into two different areas and we call this container technology. 
What we can in effect do is that we can split the phone into two areas, one of which contains the user’s personal data and their own information and what it does is it separates out so that the corporate data is then presented through this container and we get extra security controls over this containerized area of the phone where we can wipe, we can get rid of that data at the click of a button but what we can also do is we can implement restrictions between the personal and corporate area of the phone. For example, restricting the user being able to copy and paste, make sure that they can’t screenshot that area of the phone but what we can also do is we can then actually report on the compliance of this device based on a corporate policy that we put together.
So, for example, we might say that you can use this phone but it must be enrolled it must have a passcode enabled on the device, it must have you know if it’s a laptop or a PC it must have an antivirus piece of software on the machine you have to have USB access restricted, the device must be encrypted and there’s many more things that we can do here. But the key bits of information here it’s important to know that these types of technologies mean that we can have control over the data that we’ve got on these devices, we can use technologies like selective data wipe to make sure that we can wipe only the corporate data and not have access to that personal area of the phone and what we can also do is implement conditional access technologies and this is where we’re able to control access to our corporate resources through a set of conditions or policies that have to be met and then access to these systems is then either allowed or denied based on whether we’ve met the required criteria. For example, is the device managed and enrolled is it compliant is it running a supported version of firmware or software version are you attempting to access from a known location and then what we’ll do is we will then allow or deny based on that rule set and based on whether that device is meeting that criteria or not then also the fact that technology really is only one piece of the puzzle.
Our people always have the capability to be the strongest but also the weakest link in our security defences because even the best firewalls and technologies that exist can’t prevent an employee from falling off you know falling for a phishing email. Your company could spend millions on state-of-the-art security software using automation machine learning advanced threat intelligence but you know none of this matters if you don’t put your employees and your employees aren’t prepared or properly trained on how to spot and respond to common attacks and it’s often easier for hackers to spend five minutes creating a convincing spear phishing email that appears to be from your boss than to spend months researching zero-day vulnerabilities and like most criminals hackers are looking for the biggest score that requires the least amount of effort and unfortunately the vast majority of employees are actually aware of the risks of suspicious links in emails but they end up clicking on them anyway but even worse only a very small percentage of people actually admit to clicking on the suspicious link and this is often through fear of being penalized or even sacked in some cases and we feel that this is often part of the issue. In our opinion organizations should be trying to implement a cyber security culture within the business welcoming staff to report if they’ve noticed something that doesn’t seem quite right or if they’ve clicked a link that they think may now be malicious or even worse have they suffered a phishing email and actually provided their personal details and or username and password into a successful phishing attack and organizations are always better to be aware so that we can respond in the right manner to give us a better chance of mitigating this threat.
And security awareness training is an ongoing sort of education process that we should put within our businesses that helps to educate employees about cyber security best practices and also any regulatory or compliance frameworks that they might fall under and you know it is really important to note that a comprehensive security awareness program for employees will really help them to prepare help them to prepare them to sort of avoid these cyber-attacks and understand what to do in the event of a real life attack.
So this brings me to the end of my part of the presentation and I’m now going to hand back over to Michael who’s actually going to discuss how we can apply some of these topics that we’ve spoke about today to your own business.
So I’d like to thank this opportunity for your time and I’ll hand back over to Michael.
Thanks so much I appreciate it. So, I understand what Lee’s gone through is a lot to think about. Lots of different areas of approaches, lots of areas of risk, lots of ways to address them so you’re probably thinking where do you start and how?
So, I think the most important thing that Lee touched on is this layered approach, different services for different risks within the business. Unfortunately, one vendor does not do it all, those that claim that they can do these tend to be really good at one thing but not so great at the other areas, so why invest in something that isn’t going to be the best to address your specific risk. Because with security it’s a bit of a false economy. But also as a result having multiple vendors is not only difficult to manage from an administration and ongoing maintenance perspective, but it’s also to understand if you’re using the right vendor or not, so that’s kind of where we come in.
So, we’ve always provided our clients with the right solution for the right area of risk so we go to the market, we do the research on your behalf, make sure that you’re investing in the best service to address that specific risk and that way you only have to deal with us. We manage the vendor relationships, the licensing, the ongoing maintenance all on your behalf, so it gives you that reassurance, that peace of mind. So although we’ve always done that with clients we’re actually now making this a lot easier and we’re actually introducing some simple security packages for our clients to choose from and these are basically aligned to best security practices that we see within the market.
So our security packages, they’ve been designed to try and make it as simple as possible. They focus on three key areas of risk that include multiple services in them, certain policies and certain controls all to basically help enforce the best security practice and then we manage it all on your behalf so the areas that these cover are the device itself, the email system and then the employee as well.
So I’m going to give you an overview and some examples of what these packages cover and the reasons behind them. So the device itself, we’ve spoken about that, this is where a lot of your data is stored, be that in emails or files or anything synced to the device, but it’s also how your employees connect into business systems and networks so, therefore, it represents a major area of risk that we need to make sure is managed effectively. It’s important that you have security services like antivirus on the device but also things that protect that device outside of a secure office network. Because we’ve seen the increase in people having to work remotely, so by doing things like filtering internet traffic to protect against like CryptoLocker or WannaCry as Lee explained, or making sure that your devices are encrypted at all times. So should one be stolen or lost you can confidently not have a data breach, it’s not going to be a GDPR issue and you don’t have to raise that to the ICO. Obviously mobile devices commonly used for business applications in email, so it’s important we don’t forget about those, making sure we’ve got PINs in place if you have work emails on that device. Also USB ports, very simple area that are often mismanaged and they represent three potential risks, so bringing viruses into the network, having data stolen by employees, but usually the most likely is putting data on an external USB device, losing that and it not being encrypted.
That is a data breach and it is a GDPR breach there as well so we need to manage these but it’s important that we don’t restrict the productivity of individuals because there are people that are going to need to use these things of course it’s all well and good having these services in place, but they need to be enforced across all your devices, they need to be alerted on if they don’t check in or tampered with and for many it’s important to be able to report and prove that these things are in place and you are secure, especially for those with compliance or client contractual requirements as well.
So going on to the email, Lee spoke about the fact that email is fast becoming the biggest area of attack, mainly just because it’s so simple for hackers to do targeted attacks but also just indiscriminate spray and pray attacks. So email also represents where a large amount of your data is stored but also where your client contact information is, and therefore if you have a breach of email it becomes a reputational risk for the company as well. So within these packages you know what we want to look at is making sure you’ve got a robust email security that blocks things like spam and other viral attacks coming via email but also some very simple controls that we can put in place to prevent things like people impersonating you or your employees’ emails as Lee described, or even intercepting and altering emails in transit so once you’ve sent them. And these are just controls that we can put in place and make sure these things and that risk is just limited.
Also backing up areas uh backing up emails is a big area that’s often misunderstood, so you’d think right, my emails are in Microsoft 365, that’s the cloud, therefore it’s backed up, right? It’s not the case unfortunately, so malware can still get access to your Microsoft environment and it can encrypt what’s there, potentially holding you for ransom for that, but according to Microsoft’s terms and conditions their service is still making that data available, therefore it’s none of their business really. Even if your data is encrypted, you can’t use it, but Microsoft’s still making it available for you, so what you need is a backup outside of the provider’s environment so you can recover emails from or even recover an entire environment quickly if needed. And strangely Microsoft actually recommend that you have a third party backup in place within their terms and conditions as well. And the example that Lee gave about forwarding rules being created, so even if someone still doesn’t have access to your email account they can still receive emails that are being sent into it. So one of the things within this bundle is we’re going to review those rules with you, make sure that those any forwarding rules or any admin access is reviewed and prevent that kind of situation occurring in the first place.
Just moving on to the employee bundle, so yeah as Lee unfortunately said the sad truth is that your employees are often the weakest security link within the organization, so hackers do specifically targeted attacks to trick people into providing information and these are getting smarter and harder and harder to identify. Also your employees are always going to take the easiest route even if that is a security risk. You have to create this security culture within your organization but you need to make it easy for your employees, we don’t want to create a negative view of security or impede their productivity by putting difficult measures in place. So as we spoke about, one of the most important things is educating your employees, make them aware and able to spot risks um to help keep them protected and keep them help them protect your business. Then we can test this knowledge with fake phishing emails we can send out and that gives you the ability to actually see how effective that’s being and if any areas you need to improve on and add more education on. Password management, such an important one, so people use the same password all over, these are often very basic, so help your employees by giving them a secure area to store those passwords so they can be complex because they don’t need to remember them. But then also have the ability for you to review and make sure that those passwords that your employees are using are actually strong and if they’re not strong or complex you can do something about it.
Lee’s already spoken about benefits of two-factor authentication which is within this package as well, but the real thing I think within two-factor authentication is to make it easy for employees. But we don’t really want six or eight-digit codes that change every 30 seconds and people constantly having to authenticate the entire time, that just makes people not want to do this, it’s a negative environment around security. So what we recommend, we use an application that it’s just a simple click of yes or no when logging in and we can manage it to reduce the amount of times you actually need to authenticate but still make sure that we’re managing the risks appropriately.
So all of that is um going to be included within those packages as well. Once again I know a lot of information to take in, but don’t worry if there’s anything you’re unsure of, any areas you want to discuss and bounce some ideas off someone, we’re here to help, please come to me, reach out, we’re more than happy to just chat with anyone. If you’re an existing client we’re going to be in touch with your Business Technology Advisor anyway and we’re going to be explaining about the security packages and seeing if we can identify where they can help your business as well.
I know Lee mentioned this but please don’t forget if you don’t already have this service please get in touch to come to get your free dark web scan and the consultation you can have after that it’s a really good way to identify if there are login credentials that are stolen and out there. It’s good capture to make sure that any credentials don’t get breached but it’s a really good kick off point to sort of start that security conversation within your organization.
So we’re going to um do some Q&A now. So I know we’ve covered a lot um we’ve got actually a fair amount of time to cover off some questions so feel free to fire everything in there. Mit, have we had any while we’ve been chatting away?
Hi MJ, yeah we’ve had 17 questions so I’m not sure how we’re going to fit them into your 10 minutes you have here but we’ll start in kind of order that they came in so the first question is:
“How does one enforce cyber training in their organization?”
I’ll take that one. So I think traditionally people have sort of got someone to come in and stand in front of everyone like a classroom and just dictate about cyber security – it’s just not effective. The best thing to do is the security service like we provide is online interactive training, which is quite fun um you know small snippets so maybe only like a two three minute one every couple of weeks and have that ongoing need that constant reinforcement because security changes and the threats change so quickly, it needs to be ongoing we can’t be talking about something every six months and as I said test the awareness and the education within your client base, within your employee base if it’s no good you’re just blindly educating people and hoping it sticks. If we do phishing email tests we can actually see are people learning from this, if not who needs extra support or what areas within the business do we need to actually improve. So that’s generally the way that I’d recommend we go about that.
Next question is:
“Why do we have to have quite a few different services to be protected. Our current IT provider uses Sophos for most things.”
I mean I think it’s really important and, I think we sort of touched on this during the presentation is that with cyber security it’s really important that we have multiple layers of security within our businesses to make sure that we’re going to be protected. Because one thing that we can’t know is that we can’t know what type of attack we’re going to have within our business and one technology or one approach isn’t necessarily going to pick up all these different types of attacks so this is why we have all these different layers right from the very basics like passwords, firewalls and antivirus, which we would class as sort of like we actually call it sort of like legacy protection but that’s obviously one layer. But then moving forward beyond that number one like Michael touched on our employees making sure that we’re actually training our staff to know what to look out for, but then beyond that having like DNS layer security making sure that we are securing our email platforms, making sure that we are protected against things like impersonation which can be the you know the really the largest type of threat and often you know the most sort of significant in terms of monetary and financial loss to our organizations. But then also to have these have these multiple layers of technologies in place to make sure that we’re going to be as protected as possible.
And I think, you know, we wish there was one provider that did all of these well that would be brilliant because from our perspective it’s a lot less to manage but unfortunately that just simply isn’t the case. There’s different providers that do different things very well and the big thing that we’re looking for because we support your environment is we don’t want to recommend anything that is going to increase your risk or is going to lead to further problems because you’re going to raise those problems with us. We don’t want you to have any issues so we’re going out there to pick the right ones for you and as I said you invest in a hopefully one size fits all and it’s a false investment essentially.
Okay thanks guys.
“How do we improve our current cyber security without causing lots of change?”
I’ll take this one if you don’t mind Lee. So, I think change management or your company’s propensity to change is a really important thing to factor in right at the beginning. The good thing about a lot of the controls and services that are part of these packages is they’re done in the background. A lot of them employees won’t even be aware of and these are if it’s done well these is centralized management you set rules, you set services right at the top, they’re automatically deployed across everyone.
But there are going to be some things that impact employees like, you know emails going into quarantines if people aren’t sure if they’re a risk or not so it’s important that there’s guides readily available for people and that we train a key member of staff who knows about this service and that they can be sort of a point of contact for any reference. But it’s a really important thing to bear in mind and during the roll out of these services it’s something that you should be speaking with a project manager or someone about.
Thanks guys, next question.
“What should we do if our credentials are found on the dark web? What would we recommend today?”
I’ll take this one guys. So, I think in terms of this the most important thing to be aware of is that is this data actually available on the dark web. Because the biggest risk is actually in not knowing because what once this data is on the dark web you don’t necessarily know there isn’t any way of getting this data off once it’s been on there but it’s all about knowing how to respond in the right way because if we know that that data is available on the dark web what we can do is we can take remedial steps to basically render that data useless.
So, for example if our usernames and passwords have been breached and they’ve been sold on the dark web, what we can do is that we can look and we can take the right steps to make sure that that data is no longer useful or worthwhile or you know ultimately isn’t a risk to our businesses and our personal lives anymore because we can render that data useless and obviously it is exactly the same depending on you know like whatever kind of data it is that appears on the dark web. We’ve got different rules and different advice that we would give you and this is why it’s important to have this as an ongoing service so that as and when that data does appear; number one we’re made aware, we can reach out to you we can contact you and we can ultimately work with you to make sure that we are carrying out the required remediation to mitigate that risk to your business.
We’ve had another question that basically is asking…
“How do we know what level of package is right for us?”
I’m assuming this relates to the security packages you were talking about before.
So, the way that you all know is because we will consult you on that. This is a brand new offering that we’re trying to do just because we’ve had so much feedback from people wanting something like this to make it simpler and what we’ll be doing is going through answering us certain statements and questions about what you think is important, what you think your sort of security posture should be and this it’s up to us to sort of guide you and make you aware of these threats but we’re not going to enforce anything on you it’s very much every company’s employee in security posture is very different.
Hopefully we’ve tailored these packages so they can respond to everyone’s sort of view and they’re very easy to consume but honestly the way that we’re going to do it is just by sitting down by running through these and having a conversation about the risks that these are there to prevent and then you make an informed decision.
Okay and I think we’ll take one final question, it’s a bit of a big one.
“What’s the biggest risk to UK based businesses at the moment and what’s the best way to avoid this?”
I think the biggest risk right now is, obviously we spoke before about organizations being catapulted into this home and remote working last March and we have found that you know many organizations are now using these systems in ways that they might not have been you know really like originally architected in terms of being used in this way and people are using personal devices, we’ve got devices out there that aren’t protected.
But following on from that as well is we’ve still got the biggest single threat that we see to organizations is business email compromise and impersonation through things like CEO fraud that we spoke about with organizations transferring large sums of money and what’s really important to note is that there’s never going to be a 100% but implementing these types of controls that we’ve spoke about, being able to make sure that these personal devices must meet a certain amount of criteria, making sure they have got antivirus they’ve got these extra technologies in place. But also our users are trained making sure that we’ve got a good staff user awareness training program within our organizations but then also to make sure that we’ve got that email security in place that still is the biggest risk to organizations is business email compromise and attacks coming through you know social engineering phishing and email so that still remains the number one risk to this day.
Great thanks Lee, really appreciate that.
So I think that that concludes our session today. Once again would like to thank everybody for attending today and a big thank you to Michael and Lee for putting on such a good presentation today.
Like Michael said if everyone does have any questions at all, we’re more than happy to help whether you’re a client at the moment or you’re not, we’re always willing to help. Just reach out to us yeah thank you very much for your time everybody.