Welcome to “Everybody’s Business”, 2-sec’s new Cyber Security blog series.
As vaccinations hopefully begin to pave the way out of lockdown later this year, we’ve taken inspiration from the Build Back Better movement and decided to ask a couple of industry thought leaders for their top Cyber tips on how to bounce back better and hopefully help us all transition to new, productive and secure working models.
After some considerable brain-wracking… we thought who better to start with than 2-sec CEO and Industry Award nominee Tim Holman? Tim was quick to reply to the question of what to look out for and improve with ‘Asset Management’. At first we thought he was just boasting about his net worth but once the Zoom-fueled laughter died down we realized he was actually talking a whole lot of sense. Long-term, enforced home-working has elevated the concept of network and endpoint security to almost unmanageable proportions.
Bring Your Own Device has rapidly become Use Your Own Device, and in more cases than you would think just Use Anyone’s Device. Whatever your domestic circumstance there’s a strong chance work will end up getting done on whatever device is available at the time. It’s often impossible to implement any kind of reasonable security measures if you’re trying to conduct your business in a flat or house share and, whilst I have no progeny that I’m currently aware of, even I can appreciate the dystopian nightmare facing parents and families these days.
“Know what you’ve got and where you’ve got it” is Tim’s bounce back better top tip. Get mapping and make it a regular part of your working week. Be nice about it too. There’s no point getting annoyed if someone’s come up with a workaround to get the job done. Better to know about it and find a way to secure it. Get the best advice about secure home-working.
The National Cyber Security Centre is a good place to start – NCSC.gov.uk. Follow them on Twitter for the latest content updates – @NCSC, share with your teams and ask them to share it with their households. Security is everybody’s business after all. Wherever you are.
Home working: preparing your organisation and staff – NCSC.GOV.UK
Video conferencing services: security guidance for… – NCSC.GOV.UK
Once we’d finished with Tim we turned our attention to Professor Danny Dresner, Cyber Security guru at the University of Manchester and Board member at the IASME Consortium. 2-sec are proud to be an IASME Certification Body, licensed to deliver Cyber Essentials and other Governance assessments.
Prof Dresner’s bounce back better top tip was apparently inspired by looking at a Terry's Chocolate Orange. I suspect that might just have been a transparent attempt at cadging free chocolate but nevertheless, his logic around it rings true. Danny has vowed to champion segmentation as we develop new working practices and environments this year and beyond. He has shed a tear so often over how quickly a system is compromised entirely as malware and other nefarious tools pass through the network like fruit through a juicer.
‘It doesn't have to be a sudden redesign of the whole architecture,' he says. ‘So much can be achieved with VLAN segmentation rather than plugging in that shiny IoT device with a simple password and no multi factor authentication to your precious assets on the network. There's a sort of Cyber Essentials philosophy that can be applied to everything which makes marginal differences in the face of Cyber attack and costs little to set up in advance.'
He added, ‘Cyber Essentials has answered the long-asked question, ‘Where do I start securing our technology online?’ The challenge with information technology is that sooner or later you’re going to have to get at least a teensy bit technical to answer that.'
The National Cyber Security Centre – with its Cyber Essentials partner IASME – is constantly improving the Cyber Essentials Scheme. The scheme revolves around a certification where companies of any size – especially SMEs – can benchmark themselves to make sure that they are protected against 80% of the low-level, Internet-borne attacks that everyone is threatened by.
To work out what you need to do to protect yourself online and what you need to do to be certified to Cyber Essentials – a degree of confidence for you, customers, and your supply chain – IASME (https://iasme.co.uk/) is launching an online tool. This will support you to carry out a pre-Cyber Essentials review. The tool is accessible and educational and creates an action list for you to follow to bring you up to Cyber Essentials levels of online safety. Shameless plug aside, Danny’s advice is worth taking. And sharing. ‘A bit of supply chain security never did anybody any harm. Security is everybody’s business after all…'
It wouldn’t be fair to get me to write this and not include a bounce back better tip of my own so here goes. Last week I was asked to comment on a news item “Malware reported on Government-issued laptops used by children home-schooling”. Some teachers in Bradford found a well-known Russian worm on some devices intended for children of deprived families to help them stay in some kind of education.
The numbers of families living in poverty are well documented and lockdown exclusion from education in socially deprived or excluded communities is a real and contemporary concern. So I gave some pragmatic advice designed to help concerned teachers and parents.
A not so helpful Tweet, from Kate Green, the Shadow Education Secretary, went on to say “Gavin Williamson [Our Secretary of State for Education] must decide if he is going to put in place a credible plan for children to learn at home, or if he will just tell the Russian server to go away and shut up.”
My bounce back better top tip is to be a Cyber Pragmatist. Whether it’s media commentary, blogging, report writing or any other marketing and comms I think it is our responsibility to educate and inform, not issue irresponsible and ill-informed sound-bites just to ‘get our name in the paper’. There’s enough Fear, Uncertainty and Doubt surrounding Cyber threats without those in positions of responsibility and influence fuelling the FUD fire. Security is everybody’s business, that includes all of the people who read what we write and listen to what we say.
If you have any bounce back better top tips you’d like us to feature or if you’d just like to have your say, follow us on Twitter and slide into my DMs…
@everybody’sbusiness – Brian Higgins is a Security specialist, media commentator, presenter, writer, and researcher. He is an Inclusion and Diversity advocate and an Expert Fellow of the Security, Privacy, Identity and Trust Engagement NetworkPlus.