In the second of our series of interviews, we speak with Vince Warrington, founder of Protective Intelligence, about cyber security, Cyber Essentials and the application of the DCPP in 2017.
Vince is a leading Information Assurance and Cyber Security expert with over 15 years’ experience heading up large-scale, organisation-wide IT and cyber security programmes for central Government departments, blue chip private companies and well-known voluntary organisations across the globe.
Vince founded Protective Intelligence in 2005 to provide an optimum IT and cyber security service to enable organisations to effectively prevent accidental data leaks, secure their IT networks successfully and deliver robust security awareness training for all staff and stakeholders. His mission is to educate businesses, charities and Government departments to move away from traditional IT security models, to one where everyone within an organisation works towards the common goal of protecting information through joint responsibility and co-ordinated thinking.
It’s good to speak to you today, Vince. Can we talk about cyber security?
Certainly, one of the schemes the Government would like to see businesses take up is called Cyber Essentials. It’s a very good programme, essentially (pun intended!). There are two levels to it: Cyber Essentials, and Cyber Essentials Plus. Both are based around a self-assessment test, measured against five criteria:
Building on the base level, the Plus level adds a penetration test to the assessment, where an outside body will independently test your resilience. The scheme was devised by GCHQ to be repeatable and attainable, and makes sure your organisation is covering the basics of good cyber security.
These five key areas are vital to cyber security, and if you are getting these right – whether through Cyber Essentials or not – you should be reasonably secure against the most common forms of cyber attack. Implementing Cyber Essentials is estimated to stop 70-75% of the most common attacks organisations would receive daily. Cyber Essentials really is the basic building blocks of a good cyber defence – the surprising thing, in my experience, is that a lot of companies of all sizes are still getting this wrong!
I have heard people saying ‘It’s a government thing, it’ll be long-winded and complicated’ but it really isn’t. Accreditation should be achievable for all but the very smallest organisations and, in any case, is what companies should be doing to protect their data anyway.
There is also the DCPP, which is a really good scheme for risk profiling and determining which category a contract falls into in the defence sector.
How do you think the Government can encourage take up of the scheme?
We’re already seeing government tenders being issued where a key qualifying criterion is being Cyber Essentials accredited. This is not surprising, as security becomes more and more important – and it is a government standard after all! We’ll see the requirement spreading from core central government and the defence sector into areas such as construction, where there are a lot of big contracts and associated data. The government feels there needs to be more basic cyber security hygiene – and it will get to the point where no company will be able to take on any public sector contract without certification. So eventually you’ll even see companies that provide transport to schools, for example, needing Cyber Essentials.
It will also pass down the supply chain, especially where we see larger companies sub-contracting aspects of public sector contracts down to smaller organisations.
Do you think that’s a general problem across the UK, that companies aren’t aware of the importance of cyber security to their company – they see it happening to banks and financial institutions but don’t realise that they are just as much of a target?
We see it all the time. While I think organisations, as well as the general public, are slowly becoming more aware of the issue of cyber security, part of the problem is that the information put out tends to be technical in nature and, as a consequence, not very approachable. There’s a lot of information out there, but it doesn’t actually mean anything to most people. Sometimes the industry itself doesn’t really help matters by using jargon.
There is a big problem that organisations don’t comprehend the problem and think “why would anyone want to hack us?” But it really is an issue for everybody, as the majority of cyber attacks aren’t targeted at all. When using a tool such as ransomware, the cyber criminals operate a ‘shotgun’ approach and attempt to hit multiple targets in one swoop – often millions of email addresses in one go. As the nature of these attacks is somewhat random, anyone can become a victim, from your Grandma right through to a major bank.
Why do you think this is?
People don’t realise how much data is out there on them. I often say to people that this isn’t an IT problem – it’s a people problem. We need to understand how vulnerable our information can be and what it can be used for. So, looking at it simply as an IT problem is not going to work. We need to engage with people about the issues.
We like to think of ourselves as logical creatures that have emotions, when actually we are emotional creatures who can think logically. So a key part of solving the cyber security issue is making sure we can discuss it by appealing to both the logical and emotional side. We often hear that 123456 or QWERTY are still the most used passwords, so why do people do that? It’s because the IT industry has created a scenario where we have made passwords so difficult to remember that we forget them, and so people use something easy.
Yes, I see you’re right – it isn’t really a business issue – it’s a people issue.
You will always get some people in organisations who don’t care, but most people do want to help protect their data, their company’s and customers’, but don’t really know how to do it. That’s where good cyber security people shine – they can make the end users care about protecting data.
What do you see as the main causes for concern in 2017?
The one that stands out to me is ransomware attacks. This is where infected emails are sent out and, if the malware is activated by opening the attachment or clicking on the weblink, it locks up your computer. You then must pay the ‘ransom’ to be unlocked or restore from a backup.
Most of these attacks are completely random; they’re sent out to millions of email addresses at a time. They are not targeted and can go to anyone. It doesn’t matter to the criminal if it goes to a major corporation, a small business or an individual – they will most likely get their ransom paid.
Sadly, you can no longer think it can’t happen to you. Recent stats have shown that over half of all crime in the UK is fraud or computer-based crime, which is an incredible figure.
It will be something the defence sector really needs to think about.
The defence sector not only needs to worry about the same threats as most organisations face, they also should worry about Advanced Persistent Threats (APTs). This is where advanced cyber nations (such as Russia and China) are interested in our data and want to understand what our nation’s defence capability is. One of the really interesting things we’re seeing is how certain cyber groups, such as the Russian ‘Fancy Bears’ team who recently leaked athletes’ data, are increasingly being linked to Russian intelligence services, blurring the lines between cyber criminal and nation state actor. There will be an increase in these groups being used as plausible deniability within cyber espionage in future.
Like hacking in the US elections?
It is things like that which will make senior politicians and business leaders sit up and take notice of the threats and how vulnerable we can be. As threats intensify, people will look closer at preventative measures. There are problems with industrial control systems, which were never intended to be connected to the internet but have been made to do so for a variety of purposes, such as remote monitoring. In the past, there might have been ten people in a power plant monitoring the cooling system, but now it’s one guy with a laptop at home – but he’s also surfing the web, chatting, playing games etc. on that same laptop and the ‘air gap’ between systems has been eroded. It is an area where the Government and industry need to catch up.
Is there anything else you see as a major issue?
One of the big things we will see is the Mirai malware code. This code affects Internet of Things (IoT) devices. So, you have CCTV cameras, DVRs, heating systems, fridges – I’ve seen an internet connected hairbrush which will go on the market later this year – all becoming a part of the internet. The danger with many IoT devices is that they’re quick and easy to produce but they don’t have security included in them by design – there’s quite a lot of bad practice going on.
The Mirai code was designed to infect IoT devices to create a large, malevolent computer network called a ‘Botnet’. This network will then send out masses of data to certain websites and businesses in order to knock them offline. There have been some very significant attacks in the last year due to Mirai, and I’d expect to see an increase in volume and frequency of Mirai-based attacks this year and beyond. So if you’re a big defence company, you’re likely to see people trying to knock you offline with Mirai-based Distributed Denial of Service (DDoS) attacks, possibly accompanied by ransom demands.
It certainly has happened in finance, and defence won’t be far behind that.
The message is clear: industry, government and the public need to be aware of their cyber security requirements and keep up to date. Cyber Essentials can put you on the path to a safer digital future.