On the 16th April we ran Cyberfort’s first virtual ‘CyberNatter’ event, where we provided an open forum for people to discuss a key topic and any other topics of interest that they might have (with Cybersecurity as a central theme of course).
During the session, Ian Mckay (Group Sales Director) explained to the attendees that the original idea behind these CyberNatters was to create a safe place for people to share experiences, thoughts, concerns and ideas about our digital universe and how we should protect it.
Ironically, we were forced to turn to our digital universe for this event, as has the rest of the world. But what were the main topics and themes of the day?
Working in a safe environment
We have always believed that working safely and securely doesn’t stop at the office door. Being aware of security and the importance of privacy (two different things) is half the battle! It’s important to recognise that ‘the office’ ceased to be a building we went to, a long time ago. We have carried our office with us in our pockets, in our laptop bags, on trains, on planes and of course at home.
Being cyber secure is important irrespective of your actual location.
But the current pandemic has forced many of us to proactively think about security, where previously (perhaps) it was simply in the background. Important yes. But always someone else’s concern.
Remote Working. Secure Working. Secure Systems
On opening up the conversations to the group, one of the first questions we had was related to the video conferencing tool, ‘Zoom’. Now… please note we are not going to go into the pros and cons of this tool here. However, what we did say, and will always say, is that there is no such thing as 100% secure. You need to do your own investigations into any app or software tool that you use.
Remember that security and privacy are two different things. The question “Is X secure?” may result in the answer “Yes. If configured correctly”. But the question should always be followed with “But is X also respecting my privacy?”. The answer to that question might be very different indeed.
We would always suggest considering carefully the context of the conversation you’re having, irrespective of the platform you’re using. ALL platforms have some security and/or privacy issues, and the level of additional security you need to put in place depends on what you’re discussing.
The interesting thing is that this pandemic has forced us to use tools (software and hardware) that were never intended for business use. This is especially true of the home router. When we conduct security reviews of organisations, we ask questions about ‘segregation of networks’ and ‘patching of firewalls and routers’. But has anyone asked these questions about your home workers? Have they changed the password on their router from ‘Admin’? Are they using a VPN (Virtual Private Network) which encrypts traffic?
To again mention the ‘Z’ word: Zoom went from being a platform few had heard of, to a platform that (literally) every man, woman and child was using. Is Zoom your company system of choice? Did people rush to it because they weren’t getting advice from their organisations on what they SHOULD be using?
Andy Simpson-Pirie (Group CTO) explained that while there are great opportunities for us in working from home, we need to appreciate that the risk of becoming a victim of cybercrime has increased, due to the number of people now working from home. The ‘attack surface’ (as it is known) has increased dramatically, which basically means: “More devices + Less secure platforms = Increased risk of cyberattack”.
Andy went on to say that there are increased risks due to the nature of the tools being used: “These are consumer-grade systems and applications. They weren’t designed to take on the ‘heavy lifting’ that we’re now putting on them. There are inherent vulnerabilities in the products, which can be improved upon. We need to ensure the basics are in place, like ‘Multi-factor Authentication’, and centralised advice and guidance from a trusted source. Otherwise, breaches will occur.”
Data Protection in a Pandemic
This brought us neatly onto a topic surrounding Data Protection and an opportunity to dispel a few myths related to the Information Commissioner’s Office (ICO) and the General Data Protection Regulation (GDPR).
The ICO has provided much-needed advice about the sharing of data during a pandemic, and has been very clear that if the sharing of data is of ‘vital interest’ (i.e. a matter of life-and-death), then rules will be relaxed.
The ICO has also stated that certain processes may be relaxed as this is a time of considerable strain on organisations. This could include (for example) the process of Subject Access Requests (SAR), where the requirement is to respond within a month. Given the current issues, this may not be possible. But an organisation should still respond to the Data Subject and explain why they cannot comply with the request in a timely manner.
However, some quarters have taken this information to mean that, during a pandemic, the ICO will go ‘light’ on them if they have a breach(!)
The ICO will still want to know: What happened? What did you do to prevent it happening? What did you do once it had happened?
If you do not have a compelling story to tell on all three counts, the ICO is not going to ‘go light’ on you just because of the pandemic.
Forget the ICO… for a second
Time was almost out for the Natter, but the question of the ICO going light on people brought us neatly on to the people who never go light on anyone: the cybercriminal.
Even if the ICO was to take a more lenient view on an organisation because of the pandemic (they aren’t, but let’s pretend), cybercriminals are increasing their operations to take advantage of this pandemic, and it is having a dramatic effect. They trade on fear, uncertainty and doubt, and they don’t care who you are.
They will send out millions of emails, with infected links, to your organisations, your families, your businesses, our NHS(!), selling everything from fake PPE through to fake COVID19 cures. They are sending emails purporting to be from the Government offering business tax relief.
They don’t care who you are, what you do, or what your circumstances are.
Action Fraud have reported an increase in reported cybercrime in excess of 500%. We believe this is the tip of the iceberg because these are ‘reported’ cases. For every 1 case, we believe you should multiply the number by 10.
We would like to thank those who attended and contributed to the CyberNatter. The discussions we had were enlightening and interesting in equal measure, and we’re looking forward to more of the same at the next one.
If you have any views on the above, why not join the next CyberNatter? There is always a theme, and key topics. But we are there to hear from YOU.
What’s on your mind? Drop us a line and tell us, and we’ll make sure we discuss it on the day.