Security Panel – The Cybersecurity Show – S1E3
WILL SPALDING [00:00:31] Hello and welcome to Security Panel, brought to you by Celerity. We’re here for episode three, and in this week’s episode we’re going to be talking all things regarding the human element. There’s a lot of things, obviously, that affect us on a day to day basis within cyber security, myself included. And I’d like to also say it is probably going to be affecting my guest as well, Richard Preece, who’s Chief Training Officer for OSP Cyber Academy. Richard, thanks very much for joining me.
RICHARD PREECE [00:01:01] Hi.
WILL SPALDING [00:01:02] So, Richard, give us a little bit of a background of yourself and a little bit of an overview, really, with OSP and obviously, I suppose, the connection there with yourselves and Celerity as well.
RICHARD PREECE [00:01:13] So OSP Cyber Academy is one of the Celerity partners as part of the wider offering to their clients. We very much support the training side, education and awareness, really from boardroom down to all members of organizations, and that ranges from face to face discussions and courses, usually led by myself (so unfortunately for those who’ve got to put up with me), down to online courses in both data protection and cyber risk, resilience and security.
WILL SPALDING [00:01:48] So, you know, that’s a great introduction there as well. And I think really the reason why we’ve got you here today, Richard, is to really discuss, I suppose, this human element aspect and how it affects all of us on a daily basis, not only just in our personal lives, but primarily, of course, on a business level as well. I mean, what right now are organizations finding the different threats currently are? And where does your role as a training officer with OSP play in terms of identifying these different threats?
RICHARD PREECE [00:02:22] Okay. So I think we need to, first of all, just step back and look at what the problem situation is. So, you know, most people think of cyber and they think of noughts and ones and matrix like images and funny things flashing red glow.
WILL SPALDING [00:02:36] I’m glad you pointed that out.
RICHARD PREECE [00:02:41] That is absolutely part of it. But the reality is you need to think about this as a cyber landscape, and that’s composed of a physical layer, the real world; the networks; the information that flows through those networks; the multiple personas most of us have on those networks; people themselves and our social interactions, both physically and across cyberspace. And so we have this problem area of people to people, people to machines, machines to machines, interacting, passing data globally at the speed of light. And so consequently, that creates a huge complexity, uncertainty. Now that has a number of consequences. First of all, all people, all processes, all technology are inherently vulnerable and flawed in one way or another. Last time I checked I’m pretty flawed.
WILL SPALDING [00:03:45] I wouldn’t say that.
RICHARD PREECE [00:03:46] Well, believe me, I am. So the concept of what’s known as the Swiss cheese model then kicks in, so without anything happening, things will go wrong simply because those various holes, those flaws in people, processes, technology will align and something will happen.
WILL SPALDING [00:04:08] See, this is really the conversation that we’ve had on the last two episodes of the Security Panel, talking about, I suppose, these malicious attacks that do happen and these non-malicious attacks which really come internally from employees themselves.
RICHARD PREECE [00:04:22] And we all make mistakes. Genuine mistakes. Our culture just means that very often people, because they’re trying to get the job done for all the right reasons, circumvent the necessary policies and processes and controls that are in place. So it’s only by understanding that and designing things from a people basis that you’re ever going to start tackling this. Too often I work with clients and they will say, oh, well, we have a policy for that. But does that policy actually match reality? Culture eats strategy and policies morning, noon and night. Culture is everything. So the non-malicious is there. And then you’ve got this bunch of malicious actors who range from the state sponsored down to the opinions hoodie hacking into whatever system, and everything in between. And they will seek to manipulate those vulnerabilities and create new vulnerabilities. And so it’s a case of when, not if. And that is actually for people quite a mindset shift, because you like to say, I bought this piece of technology, therefore I must be safe because I’ve got a nice big castle.
WILL SPALDING [00:05:38] The hashtag “when, not if” is obviously a slogan really, I think, you know, created by Celerity directly as well. I think it’s a conversation that, you know, all cyber security companies really are having. It’s not just a matter of this is going to affect you, maybe; there’s a definitive answer to it. And yeah, at some stage, you are going to be affected. On a statistical level, though, because I think you might have a greater understanding of it, how often do these incidents happen through employees directly rather than on a malicious level?
RICHARD PREECE [00:06:13] So if we look at open source, i.e. from all the tech vendors who publish their annual reports, they would argue about 80 percent of all successful attacks generally start with some form of human vulnerability. Normally through a simple phishing email. Who hasn’t received an email and gone, oh yeah, that looks credible, and started wanting to press?
WILL SPALDING [00:06:41] That happened to me the other day. Not in our system. But like.
RICHARD PREECE [00:06:45] But it happens. And you know, family wise, my father came to me last week and said, I think I’ve been hacked, because of exactly that. He’s actually quite a tech savvy guy, but these things happen to us all. So it’s probably then a key part of initial entry, if nothing else, in the vast majority of attacks.
WILL SPALDING [00:07:07] So from your perspective from OSP, I know you work very closely with Celerity. Can you name any particular significant breaches that have happened as a result of human error, but also on a malicious basis as well? Obviously, I think WannaCry stands out really, especially with the NHS attack there, which is something, from my understanding, slightly different. But can you give us any direct examples?
RICHARD PREECE [00:07:33] So I would say you mentioned WannaCry. Let’s wind back and see why that occurred. WannaCry was based on two things. It was based on a highly sophisticated worm, which the US National Security Agency had developed to exploit Windows machines, which was hacked by the Russians. So the Russians hacked the Americans, published it six weeks later. By then, Microsoft had issued a patch to cover that vulnerability. But some alleged North Korean hackers had put on some fairly basic ransomware and thrown it into the system and caused chaos. Now, that was an entirely preventable attack and most companies managed to avoid it. So the question is, why did it happen? And it happened because, for whatever reason, the victim organizations hadn’t done the patching on time. Now, that was a combination of they were running software that was actually no longer supported by Microsoft, or if it was still supported, they still hadn’t done it. People had made decisions from boardroom to server room to create those conditions. It wasn’t one decision. It was multiple decisions made by people in those individual organizations which created that problem.
WILL SPALDING [00:09:05] So that’s really interesting stuff there. But you know, what in particular are some of the techniques behind your training of organizations as well? I mean, I think you’ve also got some stats there as well that you’d like to share really to, I suppose, back up your evidence there too.
RICHARD PREECE [00:09:25] So I believe IBM X-Force just did some analysis and they put it down to nine hundred and ninety million data breach records associated with human error. So this is really serious. You can have the best technology in the world, which is not perfect, but it’s really good. And if you do it in defence in depth, it will put you in a really good place. But if it’s not properly used by people, properly installed, and if it’s not properly understood how it fits into the wider piece, it will be for naught. So it is madness to invest in things like Celerity Citadel and all that that brings, and then not just to address the people side. When I was in the military, we used to call them lines of defence for big procurement projects. And one of them was, what’s the people bit? Because you could have the best tank in the world; if you haven’t got people to equip it and use it, it won’t work.
WILL SPALDING [00:10:30] Yeah, so you’ve really got to have, I suppose, the brains behind it as well. And I think this is where the likes of Citadel and yourselves and Celerity obviously come into play there as well.
RICHARD PREECE [00:10:40] So what we try and do, a lot of this is based on a lot of academic research and hard experience of psychology and the practical application. And so the Nobel laureate Daniel Kahneman came up with the concept of System 1 and System 2 thinking. So your System 1 thinking is your automatic: you know the right thing to do. It’s instantaneous. And that’s really good and really important. But that also, when it’s that phishing email, makes you click on that link, makes you automatically just trust what’s been sent to you. So what we need to do is broaden people’s understanding, show them the dimensions of the issue back to that cyber landscape, and understand how it all fits together and equip people to understand how they may be approached. Now, hackers will frequently use what’s termed social engineering. It’s actually the same tools and techniques that con-men use. It’s the same techniques that salespeople use. So the sorts of things they will use is they may try and demonstrate an element of authority. How many people, if someone walks in wearing a policeman’s uniform and they say everybody leave, will leave? Because they’re an authority figure. The policeman says, do something. By and large, we do it. And that’s important. Well, people do that online. You know, we have CEO fraud. That is a really common thing. Pretending to be the CEO: make a payment. Oh, I’m not going to question that. I’ll make that transfer. Equally, you get use of techniques such as social proof. And this is where social media is so important. So someone has said that person’s all right. Therefore, they’re all right, because we trust. And a lot of this comes down to trust, because your business, whatever the business is, is based on trust. Your people want to trust you to deliver your service.
WILL SPALDING [00:12:51] That’s a really interesting point. And you mentioned the fact that, you know, you’ve had a military background as well. Do you find, when questioning these things, this is something that needs to be, I suppose, brought into the boardroom, but also to organizations as well? Do you find, just going off topic slightly as well, that questioning your officer is normally deemed not the right approach when you were going down a military line as well? Where does that come into play?
RICHARD PREECE [00:13:18] So I think you’re playing to a stereotype which isn’t necessarily the reality in the military. I’ll give you an example. A few years ago, I ran a training course for the military in cyber resilience. That was really interesting because you got multiple generations at play. And what we found was the senior officers, their perception was the younger ones understood it. They got security, cybersecurity. And they were actually looking downwards for advice and assistance. Talk to the junior officers and soldiers: they got how to use the technology. They didn’t get the security. And so you have this mismatch of perceptions, including of how much you want to do it. This is a team sport; no one knows all the answers. You’ve got to collaborate. You’ve got to follow the evidence and you’ve got to take a judgment. At the end of one particular session with the command group of a headquarters, the brigadier said, so what’s different? I said, you’re perfectly used to taking your judgment based on different experts’ opinions. No different. And he said, got it.
WILL SPALDING [00:14:35] So that’s really interesting. I mean, if you’re talking about military and now moving back on, I suppose, to more of a B2B level as well: what industries and sectors are you really seeing there being an attack on, with this attacking of employees, and using employees as, I suppose, a way to get in?
RICHARD PREECE [00:14:57] So I think there’s two aspects to this. There’s a regulatory aspect which is placing further requirements on certain industries. So we’ve all had GDPR, or to be correct, the Data Protection Act 2018 applying GDPR. And there’s been a lot of fuss about that. And that’s not gone away. And there is still material impact on your business if you get it wrong. If you are an operator of essential services, transport, health, energy, oil and gas, then there’s a thing called the Network Information Security Regulation, which has just come in, and that places similar GDPR fines for general cyber security issues. Clearly, financial services are heavily regulated and becoming more so, in having to demonstrate they’re working and having to demonstrate the trust that regulators and their clients place in them. But there is a myth that this is all too complicated, that I’m too small, I won’t be targeted and I can’t do anything about it anyway. The reality is they are all myths and they can all be addressed. But regardless of whether you think you are a prime target or not, by accident, you may become one. Ask Maersk Shipping: a quarter of the world’s shipping fleet, 70-odd ports around the world, laid low by an attack aimed at the Ukrainians. But they had the same vulnerabilities, which completely stopped one of the world’s largest global businesses.
WILL SPALDING [00:16:38] Can you give us an overview really for the viewers at home about the types of training that you do? Do you do online courses? Or is it in-house? How do you go about it?
RICHARD PREECE [00:16:48] So we have both data protection and cyber security online courses. But these are really designed just to give a baseline understanding of the issues. My experience now, I’ve spent 30-odd years training people in various contexts, including in this, is that it requires face to face work, because that’s where people can ask the questions they are always afraid to ask. And so you’re going to create that environment that’s relative to your business. Every business is different. And so it’s only by having the right training at board and senior executive level, at management level, at the specialist level and then general awareness, can you genuinely get everyone to be able to play to their position? And it is a team sport.
WILL SPALDING [00:17:41] And what would you say, when you’re going into businesses to give advice really and say, look, this is the approach you need to go down, would you say the biggest challenges are? Would you say there’s a slight reticence from the internal IT team, or do they welcome it? Is there reticence between the directors, or do they welcome it? Where would you say the biggest challenges are? Or is it just that people aren’t interested sometimes?
RICHARD PREECE [00:18:03] All of the above. But it is literally all of the above. But I think there is a lot of misconception. So I think very often IT teams feel that they will be exposed if something comes in, and they’re afraid the directors will turn as well: why haven’t you been doing this? That’s the last thing you want to do. You’ve got to create an environment where people can say, this is where we are. We need to be able to get you to make a judgment. And it is judgment, not this is right, this is wrong, because everyone’s context is different. And if you look at the way data protection legislation has gone, if you look at the way cybersecurity legislation is going, no one is expecting a definitive “you must do this”. What they are saying is, apply principles to context to demonstrate a credibility about what you are doing. Make sure you’re doing it dependably, consistently, and then make sure that people are competent to make the decisions within them. Those are the three components of trust: credibility, dependability and competence.
WILL SPALDING [00:19:12] And really bringing back this human element, I suppose.
RICHARD PREECE [00:19:15] Absolutely.
WILL SPALDING [00:19:17] And just quickly as well, because obviously, unfortunately, we’re running out of time with this show. Can you give us any, I suppose, closing advice really for any organizations out there who are really, I suppose, looking at their cyber security in a little bit more depth and going, okay, where do we start?
RICHARD PREECE [00:19:31] So everyone’s in a different position. In my experience, a lot of organizations do some things very well already. Other things they don’t really address because they’re not sure. So I normally find a simple discovery, which can be as simple as just stepping people through a simple scenario: What? What? How would you do this? How would you do this? And asking the questions from how you protect yourself, how you would detect something, how would you respond, how would you recover? And doing that at the business level and looking at what that would mean in your business impacts. What would that do to our reputation? What would that do for our people? How would our operations be interrupted? What are the legal and compliance issues? What’s the bottom line? Remember, there is an increasing bottom line issue with all this material impact. And we’re in an age where you can be sued for compensation for personal data breaches, you can be fined for various sorts of breaches. These numbers all add up before you even get into how much disruption to your business, and the fact that actually your business may not last because your reputation has been so trashed. If you’re in a highly competitive space and people don’t trust you anymore, you haven’t got a business.
WILL SPALDING [00:21:03] Great stuff. Richard, thanks very much again for joining me. It is really interesting to have your insight there as well. Join us for the next episode of Security Panel, where we’ll be discussing yet again all things happening within the cyber security space, brought to you, of course, by Celerity. I’d like to say thank you once again to our guest, Richard Preece from OSP Cyber Academy. Thank you very much again, Richard. And we’ll see you next time.