Anthony Young DTX 2019 Interview
NATALIE TURNER [00:00:14] Hello and welcome back to day one of the Digital Transformation Expo. You’re with me Natalie Turner, and my fantastic co-host David Savage. How are you?
DAVID SAVAGE [00:00:23] Good, thank you. Much happier with that intro? Yeah.
NATALIE TURNER [00:00:26] You didn’t like stunning or wonderful no? Anyway, Anthony, thank you so much for joining us today. Anthony Young is the director of Bridewell Consulting. Thank you for joining us, could you tell us a little bit about what you do your company and why you’re here today.
ANTHONY YOUNG [00:00:45] Yes, so Bridewell Consulting, we’re a cybersecurity services firm, we do governance, risk compliance, cloud security work penetration testing, data privacy. We’re here today talking around about security with different organisations and some penetration testing services to companies who want to test where they are in terms of their security, and what sort of levels have they got.
DAVID SAVAGE [00:01:12] Out of interest, you talk there about penetrations testing. Just before we went on air, you were mentioning about red team assessments, which are simulated attacks. Whats the expectation of a client going into that, because I suppose they be somewhat disappointed if all of a sudden they found that they were very easy to breach. But at the same time, that’s kind of a positive outcome. That’s actionable.
ANTHONY YOUNG [00:01:30] Yeah, that is very positive action that comes out of it. So what we’ve seen in the past is pentest, which is looking at a particular system or a particular area. It doesn’t take in the whole organisation. So we have a red team or attack simulation. We’re looking at the physical security. We’re looking at the people, we’re looking at the actual the systems themselves. And they can actually get a good picture where their security sits as an overall holistic view. So they can actually then go to the board and say, look, we thought we were our guess sort of the level with security, we’ve actually paid for an organisation to do a full well, full wide attack on us. We’ve found that actually we’re lacking in, say, people’s security or physical security or training and awareness within a particular department, because we’ve done ones where we’ve sort of matched the tailgate into organisations. And then plug say like a Raspberry Pi on to internal network. And then from their gain access to that Raspberry Pi. Over the 4G network onto there and manage to numerte of different servers. This is just using lots of different skills and being able to find where those holes are within an organisation. So we use a lot of different skills across the organisation, not just our pen testers will have different types of security experts getting involved. So from our side. It’s great fun. You know, you get some properly attacking organisation and see where the holes are in good faith and good faith. That’s another come from companies from their side. They get someone to actually the good guys find where the holes are rather than someone who actually could be highly motivated to still find actual data or personal data or sensitive data. So, yes, it’s great from thats side of things.
NATALIE TURNER [00:03:11] So talking about the cloud, what are the security implications of businesses moving in to that direction?
ANTHONY YOUNG [00:03:17] So a lot of organisations are moving towards AWS as your office 365. An example we’re sort of seeing at the momet along with Office 365 currently is a huge increase in phishing attacks. So a lot of emails being sent to people at work in marketing or administration trying to get them to pay in their username and password. So pretending it’s coming from their internal I.T. support saying, oh, you know, we’ve seen a breach on your account. We need you to put in these details so we can reset your accounts and so on that I’m getting these details and then accessing the Office 365 accounts. So it’s making sure that they’re properly configured and set up. So the two factor authentication that’s on there. Another area as well with Office 365 that we’ve seen quite a bit. We have these reinforced attacks because you’re going through Microsoft Office portal so you don’t have any control over the IP that are on that. So you can’t black IP’s. And so therefore, someone could just keep running your sustained attack against the user. It will lock out off their set amount of attemps. But then they can just pick it up and try again. We’re seeing a lot these sort of attacks from China and Russia at the moment trying to get to organisations.
NATALIE TURNER [00:04:27] It sounds like there’s a lack of skills in some companies. I mean, how do they how do you identify that and what advice would you give to avoid, you know, cybersecurity threats, and vulnerabilities.
ANTHONY YOUNG [00:04:41] Skills piece is a big issue across our industry as a whole. What we’re sort of saying in advising is trying to get companies to skill up from other departments so look for people who are just really passionate about cyber security and train them in it and get them involved in. Because it’s a fascinating subject, an area to be working in and I’ve been working in it pretty much my whole life. It’s a fantastic area to be in so don’t get held up on, oh, this person needs a certificate. This person needs this sort of career pathway to be an excellent security proffesional. I mean, we’ve taken people from all walks of life into the company, but if they got that passion, just willingness and desire to learn. You know, we’ve had excellent pentesters for instants so people coming in to do that ethical hacking, who haven’t come from a security background. It comes from a more traditional infrastructure I.T. background, but giving them that chance. They understand basic software development background to be able to give them back chance to move into it. Love it and grow and develop.
DAVID SAVAGE [00:05:43] I’ll make some generalisations here. And feel free to correct here because you probably will need to. But yeah, if you think about workforce and that skills piece, a lot of people coming into organisations gens and millennials are probably digitally native. For once, you know, using phrases that you’re familiar with, whereas people in senior roles might not be quite so savvy with technology, and yet they’re also potentially the biggest targets yet for anyone who is looking to be opportunistic. Is that an issue? Because I suppose. Again, getting those people on board might be challenging as well.
ANTHONY YOUNG [00:06:11] So, I mean, I think. The huge amount media presence I’ve been across cyber security the good thing is that on the border gender. Cyber security is always like one of the top three risks. So from a board perspective, they’re really sort of bought into and obviously the rise of GDPR and the massive fines that associated with that again. Again that’s got the minds focussed on that saying. But from as you’re right, so from a targeting perspective, someone who isn’t quite so savvy about what to look out for from a security perspective through a phishing attack. I mean, I think I read, cant remember where it’s from, sort of like over 80 percent of attacks are initiated from a phishing. Sort of email at the moment. That’s the easiest way for people to get into this organisation is going after those who are not tech savvy is the easy way to go after it because they may be quite busy as well. So they’re just sort of flicking through, trying to do things on the go. Just thinking i’m just going to hit this and fill in these details and forget about it and not realise or using multiple or the same password. We’re seeing that, you know, weak passwords across multiple accounts. Again, it’s something which we see a lot more with the less tech savvy. Mellinnials was coming through. You’ve been to taught a bit more about, right? I need to use, multipul different passwords. Password managers and various other things. But they’re less savvy on things like social media. So you got the trade off so you definitely find out the whole life. Facebook millennials through social media. Whereas those that have been around a bit more wary about what they’re putting out on. That’s on the side of things.
NATALIE TURNER [00:07:45] So what are the trends are you seeing in the market?
ANTHONY YOUNG [00:07:49] So trends wise, we are seeing I say that maybe into the cloud perspective alot companies doing that. We’re seeing a big push from manufacturing companies to increase security, especially around operational technology. So these machinery, that speed connect on to the internet. So being able to do manufacturing and design and those pieces. So see some big increases in security around those areas and segregation of the operational technology that works when the I.T. networks to make sure they’re all secure those systems are a lot older. So it’s a lot harder to have them patched and kept securely so we’re seeing a big increase in in that area that’s being out of step with a big increase in and it’s still a big increase number of IoT technology internet of things been connected to the Internet, which is increasing and attack surface for a lot of organisations? Sometimes they’re not thinking about these devices the’re plugging into their networks. I just think this will make our job easier. Or we can be able to monitor things from my home or from when I’m on holiday. But there are adding more devices and increasing their attack surface and the more you increase the attacks surface. The easier it is for attackers to get in. They got more points to be able to go after. That’s. That’s another area that we saw talked a bit earlier about that sort of skills shortage piece as well. Which means, across security there’s always been that sort of piece coming in
NATALIE TURNER [00:09:19] It’s such a huge, complex subject, isn’t it? It’s difficult to say all of it in the space of 10 minutes
ANTHONY YOUNG [00:09:26] I know it is hard to cover it all in 10 minutes it is a fascinating sort of area to be working in and you can just tell by the buzz around the a place like this. How many companies are there? And it’s not something which we’re going to be able to sort of solve overnight cyber security. So we all need to work together and collaborate. We work very closely with the National Cyber Security Centre. So we collaborate a lot with public sector and that side of things looking at the threats to the UK, but also to critical national infrastructure in the UK.
NATALIE TURNER [00:10:00] So talking about this event and collaboration. What does digital transformation mean to you?
ANTHONY YOUNG [00:10:06] That is the big question on everyone’s lips at the moment . So it’s about neighbouring businesses to grow and thrive and to be able to engage with these new technologies in a secure manner, you know, embrace technology to drive for business. But think about what security controls in place and how could it be done. And if you have had a breach of the worst has happened just look at that. What lessons can be learned? And then making sure when you take on this new technology, don’t make the same mistakes again. Embrace technology, move forward. So many fantastic technologies out there now and businesses need them to really sort of grow and move forward.
NATALIE TURNER [00:10:46] We’re at the right place aren’t we for that. Well look it was lovely having you. Thank you so much for joining us. That is all from us for now, however, you can join in on the conversations on LinkedIn and Twitter by following Disruptive Live and hash tagging DTX Europe. We will see you in a bit. We’ll be back after a very short break.