Foresight Matters

Cyber Security: Employees are your greatest threat, and your best defence.

David Cloake Season 1 Episode 2

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 27:59

Cyber attacks on businesses are skyrocketing. Some of the UK's biggest businesses have suffered crippling incidents, costing them hundreds of millions of pounds. But smaller companies are far from immune either. The WEF's latest Global Cybersecurity Outlook Report shows a 48% increase in cybercrime year on year. 

So, how do you identify the biggest cyber risks in your business? What can you do to protect your company? And what role do your employees play in protecting your business or potentially exposing it to bad actors? David Cloake is joined by leading IT resilience specialist David Sheehan to unpack how cyberattacks are orchestrated, and what steps are actually effective in protecting your business from this rapidly evolving threat. 

The two Davids even got together to create a free tool to help you assess your company's cyber security risk profile. Details in the episode!

SPEAKER_04

Hello and welcome to Foresight Matters. I'm David Cloak, Managing Director of Foresight Solutions. Now, on this edition, we're going to be talking all things cyber. Cyber attacks, cyber resilience, response, recovery, and security. But before we start, let's just ask you a few questions. Are your systems, or indeed your organization, resilient against cyber attacks? How do you know? Are you confident? Is the business ready? Have you stress tested your systems, your people, your responses? Or have you perhaps just bought some software and kind of hope for the best? Well, over the last few years we've seen devastating cyber attacks on some of the UK's best known and most established organizations. Jaguar Land Rover, Co-op, MS. The list goes on. Hundreds of millions of pounds have been lost, chunks of market share over the issue, and of course, reputation as well. But other organizations such as the British Library and NHS have also been attacked, where yes, reputation is a factor, but also key data and data protection are also key issues. But it's not just the large organizations. In June 2023, Knights of Old, a 158-year-old haulage and logistics company that had survived two world wars, experienced a devastating cyber attack that forced it to close its doors forever, losing tens of millions of pounds and costing 700 people their jobs. There seems to be a bit of a trend here, an exponential rise in the number of SMEs who are being targeted too. Now on today's Fortnite Matters, we'll be talking to our lead IT resilience associate about all things cyber attack, security, resilience, and response, but also preparedness. We're gonna delve deeper into the challenge of cybersecurity and challenge you and ask you about your business. Is it fit to deal with this evolving threat? We'll offer you some insight on the human side and the technical side of cyber attacks, and also look at what a typical type of response would look like, not just on the technical side, but on the wider business continuity side. And on this edition, we're giving something away as well, which we very much hope will help you. An IT resilient quick assessment check sheet, totally free of charge. Listen to the end of the podcast, we'll give you details of how that can be sent to you. So let's get going on all things cyber here on Foresight Matters.

SPEAKER_01

All our systems are down.

SPEAKER_05

The blast has destroyed almost the whole city block. Emergency services are working tirelessly to recover survivors.

SPEAKER_02

In an unpredictable world, Foresight Matters.

SPEAKER_04

Delighted to welcome to Foresight Matters, our lead IT resilience specialists and associates. It's David Sheehan. Hello. Hi there, David. How are you doing? Yeah, good, thank you. Thanks for coming on board.

SPEAKER_00

It's really good to be here.

SPEAKER_04

Before we get into the subject of IT security, IT resilience in particular. Um, tell us a bit about yourself and your professional background.

SPEAKER_00

Well, I've been working in IT for over 25 years now, mainly coming from a service and support background of first, working from first line, but then working through all areas of IT operations, through the ITL structure, working with supplier, service governance, risk, etc. Um, I've worked in a number of different uh sectors, so through finance, insurance, through not-for-profit sectors, so uh quite a wide variety of experience over the years.

SPEAKER_04

And for a man with not much grey hair, you've you've done quite a lot actually. Unlike me, where everything sort of uh facially as well as on the bons is uh are getting a bit grey. IT resilience security is really high profile stuff at the moment, isn't it?

SPEAKER_00

Oh yes, yes. Uh I mean uh if you look at the major incidents that have happened over the last few years, it's it's really a who's who of uh who's actually had shortcomings in their IT risk assurance profile. That's where I really have to focus and have done over uh over the last ten years.

SPEAKER_04

Let's start with risk first of all, because with with all contingency planning, with all business planning, risk is a central factor. It's an important initial consideration. In the area of cyber, what do you see as being the key risks at the moment?

SPEAKER_00

I think that there's a couple of main areas. Obviously, the likes of user or uh staff enabled risks, so weak passwords, being vulnerable to social engineering attacks. As well as the other types of risk for data security and the cloud as well. Uh so many people moving their data up into the cloud, whether it's private cloud or public cloud, there's different risk profiles associated with both of those.

SPEAKER_04

That's interesting because there's this sort of general what I sense, this sort of pressure for resilient working to use the cloud. But it comes with perhaps a different set of risks in terms of cybersecurity?

SPEAKER_00

Absolutely. When your data is all on premise, you have the lock and key over those, and then you're the gatekeeper for those threats coming into your organization, be they cyber or in-person attacks. Where you move your data out of your own borders, that's where the risk profile changes, and you have to keep a constant evaluation of those ever-growing risks for your sector, for the geographical location, and also to uh your staff training as well.

SPEAKER_04

Let me pick that up in a moment in terms of these two different kinds of operating models. One you know, very traditional servers, you know, very much in your own territory or you know, using your own infrastructure compared to something like the clouds and its its concept. But what are sort of main uh kind of attacks that are happening? Because I I I'll give you my view first of all, and then please correct me if I'm no doubt very, very wrong. But I see a number of issues around this thing called ransomware, and I see two key things generally, two key trends. And again, correct me if I'm wrong. But those trends are denial of service, DOS, which I believe it's called.

SPEAKER_02

Correct.

SPEAKER_04

And the second one is the stealing, manipulation, or holding to ransom data. Do you see those as the two main risks, or are other ones there as well?

SPEAKER_00

There are other risks, but those are the two main ones that um I've come across in the past, and obviously we've seen those are the ones that hit the news and have caused these large organisations to have massive losses or even fold uh as well. But uh the the denial of service can either be through taking down a website or access to the clouds or your own systems, whereas ransomware is taking your data and expecting you to pay for that data to be returned intact. Now, through immutable backups and air gap backups, you can help prevent some of that also through having multiple factor authentication, MFA. These are things that help reduce that risk profile and also help give a bit of resilience to your data risk profile. So you talk about air gap. Can you just explain that? There's two main types of resilient backups. One is is air gap and the other one is immutable. Immutable is where the data is prevented from being deleted or changed in any way. Air gapped is where it's kept separate from your own network and therefore cannot be accessed directly. And if you have something that's both immutable and air gapped, there are large services that offer that uh solution, then those are the best in breed at the moment.

SPEAKER_04

So if I was to go back to the difference between and the issues surrounding cloud-based storage systems, etc., and if you house them yourselves or yourself, what offers the most resilience, or is it 50-50 with different dynamics, or is there one better way or another better way? What's your view?

SPEAKER_00

I think that you have to have something that does both. A solution that does both, or two separate solutions. Defence in depth has always been the watchword of security and risk avoidance for IT cybersecurity solutions.

SPEAKER_04

Moving on from the actual risk, what are the sort of key signs do you think that something has happened? Is it literally a sudden impact, somebody's clicked on a link and then everything just kind of stops, or is it more subtle?

SPEAKER_00

Ordinarily, a lot more subtle than that. If somebody clicks on a link and it's a phishing link where they're trying to gather either keystrokes by injecting some software onto a company machine, or whether it's just to get you to go to a fake website like a banking website or something where you're going to give company or personal information over that a hacker can use at some stage in the future to either have financial or operational gain over yourself or the company itself.

SPEAKER_04

And in your experience as a senior IT expert, what's happened to you? Can you give us sort of any sort of practical example where it has either happened or you've recognised the risk, there have been some sort of indicators and you've gone right, I've needed to intervene.

SPEAKER_00

I think that through staff training evaluations for cybersecurity awareness, it's become very apparent very quickly on those sites where staff aren't as astute and risk aware as say uh possibly should be, or or that uh management believe that they are. And that's where having trial phishing attacks and things like that, where test emails uh sent through spoofing what would be a regular attack, and then being able to demonstrate that back to management to show that more training is needed on a staff side of things. That's just one aspect, then obviously looking deeper into processes and systems to see whether it's more fundamental level of awareness and uh resilience that that is needed within the organisation.

SPEAKER_04

Uh you you raise a really good point, I think, in terms of this is not just the head of IT's problem.

SPEAKER_00

No, it it has historically been put on IT's shoulders, but it impacts a whole business, and that's where a more resilient business is the one that accepts, recognises, and prepares for those those risks.

SPEAKER_04

We'll come on to the resilience uh the and the response in a moment. Let's look at risk management first of all, and just get some golden nuggets, because here at Foresight Solutions we we can help you with a simple questionnaire as well to help you understand where your gaps are. But before we get to that, let's just take a little look at some of the basic essential IT security requirements. So, what sort of areas, what sort of approaches would you recommend to any organisation, really large or small?

SPEAKER_00

Staff training is one key one to make sure that uh staff are aware of how the business can receive attacks, whether they're in person, whether they're via email, or whether they're just by the processes that are meant to be in place to keep the business safe. Also, making sure that the systems enforce those safety measures through making sure that there's complex passwords, that they're changed regularly via more than one form of authentication to all key and core systems like multi-factor authentication via more than one method of device to authenticate that person. Backups, both air gapped and immutable storage, multiple areas of defence in depth for security, not just single vendor security appliances or systems, more than one vendor looking at multiple different areas, treat it as an insurance policy, it's something that you don't want to call on, but it's there to protect you in case people do try and seek out any weaknesses in uh in your systems or uh processes.

SPEAKER_04

And there's a human aspect here as well about monitoring, about horizon scanning what's out there. Now you go to all the sort of usual sort of government-based websites and agencies, they're always keeping you up to date. But I think both IT managers and more broadly staff, keeping them aware of the types of risk and the types of trend as well, is that useful?

SPEAKER_00

It is. IT security bulletins and themes for a quarter or a month to keep making sure that staff are aware of what to look out for, maybe highlighting any other similar organisations that have been hit recently, how they were hit, and making sure that those areas as a priority are addressed.

SPEAKER_04

So learning from experience, but always keeping that horizon scanning set of glasses or goggles always on. Always on. Good. Now let's talk about how we at Foresight Solutions can can help. Now you have very kindly put together for us a really, really good, basic but comprehensive questionnaire asking what I think are kind of like the basic questions. Can you just sort of take us through what you see to be the key issues around IT security resilience? The sorts of questions that you you're you're asking, and importantly, the sort of the attitude and the approach that organizations should take when they're looking at this type of questionnaire?

SPEAKER_00

The questionnaire that we have is not intended to be a technical tick-boxing exercise. It's an open conversation between IT and the business to make sure that the business becomes aware of if and where there are gaps to have that honest conversation and then be able to engage with those areas of the business to make sure that they reduce or uh close those gaps.

SPEAKER_04

Just looking at it and looking at the advice that we offer through this, as you say, it's not about have you got this widget, have you got this bit of software, have you got this, that, or the other. You do go into things like those wider areas, such as governance and planning, the foundation block for any good resilient strategy, as well as asking those important technical questions as well. One of the things that is has always frustrated me is getting organizations to believe that there's an issue before things happen. So the best emergency preparedness and response is actually preventing the emergency.

SPEAKER_00

Absolutely, I I completely agree.

SPEAKER_04

And this is one of those key areas where you would continue to encourage that viewpoint.

SPEAKER_00

Yes, the questionnaire helps highlight these areas and also gives a bit more of a forum to have those conversations and then work with partners like Foresight Solutions to come in and help reduce those risks and identify gaps.

SPEAKER_04

Absolutely. So we can help you with that. Stick around to the end of the podcast, we'll give you details of how you can get that sent to you. Very, very useful. Let's just talk about the response because I'm sure that that is quite a worry. The examples that I've got during my experience is that one, there's blind panic and uh nothing works, you can't get in, and you know, you try and log in, and the Active Directory or whatever is just not playing ball, and you you can't access this and you can't do that. From a technical perspective, how does a response kind of work?

SPEAKER_00

The ideal situation would be not to panic, but to do things quickly. Contain the incident uh first, but avoiding random troubleshooting and knee-jerk responses. If there's an incident response plan, invoke the incident response plan, get the right team in place to deal with the uh the incident, and then assess what systems are involved, what data's involved, what impact uh could it have, can we restore safely things like this that are just standard parts of incident response packs.

SPEAKER_04

And I think the other thing that um sort of I picked up on from you know various sources that have talked to me about these sorts of incidents is the frustration that you as the user can do absolutely nothing about it. And that there is a need, an absolute need and recognition through the planning processes to sort of manage expectations of the users and to say, Do you know what? This could be off for a few days.

SPEAKER_00

Absolutely. There's uh communication internally and externally is key in any major incident, and it's good to have a communications manager or a r uh if it's a small organisation, a role that is associated with that, communicating both internally and externally to manage that, those expectations to to staff so that it minimises the panic, and obviously we don't want to exacerbate the situation by people not doing the correct behaviours that are prescribed uh within the the incident pack.

SPEAKER_04

Yeah, and that links so much, doesn't it? Your point um at the start of this conversation um is about the response plan in general and how organisations both respond and I would suggest cope with these sorts of attacks, being resilient. Yeah, absolutely, and you know, linking it in with the business continuity process and saying, okay, what are our critical functions? What can we do if we don't have this critical resource? And if we can't do anything, then do we have a minimum standard or is there a limited amount that we can do or we can deliver?

SPEAKER_02

Yeah.

SPEAKER_04

And if not, what's the coping strategy?

SPEAKER_00

Well, yeah, what workaround do you have in place? Are there manual processes that we can put in place as an interim measure that will still be able to deliver a service to our customers whilst retaining our integrity of the business and service to everybody?

SPEAKER_04

This is one of the questions that that I get from time to time. How can I email people to tell them there's a problem if our email's not working?

SPEAKER_00

That is a valid question. There are third-party email critical service and solutions for that, and we would be willing to advise on those kinds of things. I'm sure that your IT departments are more of the uh more than aware of those solutions. If you've got a robust major incident solutions pack, then it should include every single core business system and process if it was impacted, what the workaround, what the acceptable downtime and resolution time of those would be, and obviously you would have like a restore solutions for every single point of your core business solutions, and uh obviously making sure that you deliver to the uh that your teams and any IT partners deliver to those.

SPEAKER_04

You hit that uh very important nail on the head as well, which is it's a collective response, isn't it? It's not just the head of IT um trying to get things back and working and a very very hard-working team, actually, through business continuity planning, you look at the resilience of your critical functions and say what backups can we use, and if not, how do we cope? What are our minimum levels? What else can we do? And it needs to be integrated, doesn't it?

SPEAKER_00

It needs to be hand-in-glove solutions for this. So making sure, once again, harking back to communication, making sure that the different business teams are working with each other and have open communications, regular open communications with each other whilst this incident is ongoing until it's resolved. What about um rehearsal testing exercising? That's a must and a given. I've seen far too many backups fail and not being able to restore a viable solution. Back after a failure. And those were just system outages. So these weren't even targeted attacks.

SPEAKER_04

And I think that's another important point is that not every IT issue is going to be malicious.

SPEAKER_00

No. You have to plan for all eventualities, whether they be malicious or just incidental.

SPEAKER_04

Some interesting points there in terms of preparedness, some interesting points there in terms of risk, risk management, assessment. As I said, we've got this wonderful questionnaire that will give you details of how you can get at the end of this podcast. And we've examined a little bit about response, resilience, and continuity. I'm going to put you on the spot a little bit here, mate. In terms of your experience, if you were to give just some high-level top tips to anyone listening, whether they work in senior leadership, whether it's frontline management, frontline operations, whether they work in IT, what's your advice on this issue?

SPEAKER_00

I think the main message is to don't wait for a cyber incident to see whether your business can cope. Test, test, test. Make sure that all areas of the business are openly talking about this. It's a regular scheduled conversation about risk, about exposure, making sure that your IT teams understand about the acceptable downtime and restore points for your data and making sure that all areas of the business are aware who's responsible for which system and what part of data and their processes around that as well. Resilience is uh is about alleviating fear.

SPEAKER_04

I like that. But do you know I'm gonna take that one from you, my friend. David, it's been an absolute pleasure talking to you today. Thank you for your time on Foresight Matters. And uh again, David is one of our associates and uh through us here at uh Foresight Solutions, be delighted to help out and support you in IT resilience. David, once again, thank you very much. Thank you very much again for having me.

SPEAKER_03

This is Foresight Matters.

SPEAKER_04

So a really enlightening and interesting conversation with David regarding IT resilience. Reflecting on the conversation, what are my key takeaways? Well, before we get to any of the technical stuff, really think about governance, planning, and getting a corporate belief that there is a need to do something. Within that, if you are doing things to try and deal with cyber attack, cyber resilience per se, check and check again. If you haven't had that conversation round your senior leadership table with your IT lead, manager, or head of IT, do it sooner rather than later. One to get some assurances, but secondly, and this brings me on to my second takeaway, and that is understand gaps. Understand what is missing and what you can do about it. Now, IT can be very, very costly, and for some organizations, particularly small ones, there is this kind of cost-risk balance analysis. And if you can't afford the gold-plated response, what risks are you prepared to live with? And does that link in to your resilience and continuity strategy about saying, okay, then for these critical functions, whether it be part of our mission, our assets, the way that we operate our business, what we legally have to do, what we uh want to do, have we got a good understanding of our business continuity priorities and the workarounds or the coping strategies if we don't have certain IT capabilities available to us and if there are going to be, in particular, protracted recovery times. The third thing that I've really taken away from the interview as well is that it's everyone's issue. And I know that's a really sort of common thing to say, and I'm sure you're yawning with your mouths closed, but it's important. It's as important as a health and safety policy, as a safeguarding policy, as a procurement policy, as this policy, as that policy. But actually, is the organization, are the people of the organization signed on as well, and are as aware and as proactive to look out for these cyber incidents, these cyber risks, and to freely report concerns and escalate these types of concerns very, very quickly. So a risk doesn't become an instant. And it's one of those classic sayings, prevention is better than the cure. And in terms of IT resilience, with the high-profile cases that uh unfortunately you continually see in this particular area, then it's well worth investing in that prevention strategy, as well as including it in your governance, your planning, your policy, and your approach, and to look at the technical abilities to both prevent but also to respond as well, including instant response and business continuity.

SPEAKER_03

This is Foresight Matters.

SPEAKER_04

So if you'd like a copy of our questionnaire, it's our IT resilience quick assessment. We'll be delighted to pass it on to you. Just go to our website, ForesightSolutions.net. That's ForesightSolutions.net. Click on contact us. There's a form there. If you scroll down the page, there's a personal email to me, David at ForesightSolutions.net. Get in contact, and we'll be delighted to send it to you.

SPEAKER_02

Foresight Matters with David Cloak is a trending audio production.