Security Panel – The Cybersecurity Show – S1Ep1
WILL SPALDING [00:00:30] Hello and welcome to Security Panel with Celerity, essentially this show is going to be covering all things within cyber security and within digital security, and it’s sponsored, of course, by Celerity who are going to be mainly talking about areas in which not only can we improve things, but also within the whole world scope in terms of things which are going on and things that can potentially affect your businesses as well. So our first guest speaker that we’ve got with us on this show is David Kay, who is a Non-Executive Director for Celerity. Dave, thanks for joining me.
DAVID KAY [00:01:08] Pleasure. Thank you for having us.
WILL SPALDING [00:01:09] No, no, no problem at all. It’s it’s it’s a really good introduction, I think, into cyber security. So the first question I would like to put to yourself, because obviously you’ve got quite a thorough background within this market is what’s your current appraisal of the cyber security landscape? What’s your personal opinion in the way how things are developing within within cybersecurity as a whole?
DAVID KAY [00:01:33] Sure. It’s in many ways fascinating, but it’s also frightening. And you could also say it’s probably stranger than fiction. I am of the strong opinion that the escalation of cyber crime, cyber incidents is being driven by the strong participation of nation states. And there’s almost like a an arms race going out there amongst nation states to discover better attack vectors, more skilful ways of covering up tracks and many of the nation states actually make their the arms their cyber security malware available to gangs. In fact, on many occasions they will co-opt gangs to outsource to them some of the malpractice against other states, infrastructure, IT infrastructure and other infrastructure. So, my fundamental proposition here is that the nation state activity drives cyber crime, arms the gangs, enriches the skills talent of the gangs themselves and makes it fundamentally more dangerous place for us to live in.
WILL SPALDING [00:02:59] Yeah, I mean, it’s an interesting point because essentially there is so much as I said for the introduction there there is so much scope now within cybersecurity it’s not just one specific thing. And the introduction of AI and also I don’t mean to put the fear of God into people as well. But obviously with increasing with IoT in areas like that as well. What so are we going to see it in all aspects, not just in computer coding and things like that? Obviously, that is essentially what it is. But can can can you give us some more examples of of the type of areas that you’re seeing that’s exploitation from these gangs?
DAVID KAY [00:03:35] So let’s let’s just pick on the sort of four or five key, key reasons why people attack IT infrastructures. Well, one of the biggest is data theft. And, you know, recent examples of data theft could be the Marriott hack, which resulted in 500 million people’s names, addresses and of that a good proportion of credit card details being stolen and being hacked by gangs. Actually, in this case, there’s strong evidence it was a nation state. I probably won’t mention that right now. Maybe in another series. You know, another example could be Equifax, where about a hundred and forty million details were hacked, many of them in the UK, by the way, about 40,000 in the UK, including, again, credit card details. Now, where does this data theft end up? A lot of it ends up on the dark web, and on the dark web very recently, in January of this year, was discovered a huge data set of about 770 million email addresses with 21 million passwords, and those combined because many people, 81 percent of people, use the same password for multiple sites. Twenty five percent of us actually use the same password for all because of our memories, et cetera. So that actually ended up producing two point seven billion email address and password pairs.
WILL SPALDING [00:05:22] Pretty terrifying.
DAVID KAY [00:05:22] So the guys can control of this data, sell it, you know, credential stuffing and actually just just finishing off at the end of January. Four other files of similar size were also discovered. So once you’ve done the dedupe about three times, what I’ve just talked about size is actually. It’s like a massive big fat bird the size of Australia floating in the Pacific Ocean. Except this time it’s if you’re an ecologist, you would quite rightly be afraid of that. In this instance, it is yours and my password information our various e-mail addresses, our credit cards, et cetera, et cetera, is out there and it’s out there for hire.
WILL SPALDING [00:06:05] So what we’re saying essentially is there’s many golden gooses for these types of hackers. And obviously you use the hashtag when not if as well, which I think is is important, isn’t it really within what you’re describing.
DAVID KAY [00:06:19] Yeah. The comment I would say if you’ve not been hacked already, you’re going to get hacked tomorrow because it’s that level of certainty. And by the way, there are other areas like ransomware. It’s not just about data theft. You know, for example, in the NHS, the WannaCry hack, which affected actually 230,000 computers. Well, why.
WILL SPALDING [00:06:42] Are we talking specifically about the NHS scenario?
DAVID KAY [00:06:45] Yes, we are. In this instance, I’m saying as well as data theft. You could also have ransom incidents where where files are encrypted or locked, computers locked. And if you don’t pay the gangsters in bitcoin within a week, your files get deleted. So you’ve lost everything. So so you’re forced to pay ransoms and that is on the massive rise at the moment.
WILL SPALDING [00:07:12] So Dave we’ve obviously raised the concerns here for for businesses, what should boardrooms really do about this in that case, because you know, if we are using this when not if scenario essentially, which is if you’re not gonna be hacked today, probably likely at some stage in the near future you are. What can what can a board of directors or people of influence do about it?
DAVID KAY [00:07:35] Well, I think the board of directors are already aware that there’s a big focus on data and data protection, that the GDPR legislation came out in spring of last year. And many of them will have hired DPOs, data protection officers, to be custodians of their data and make sure they comply. But I think many of them, particularly in the small and medium enterprise organisations, are complacent, really complacent. And let’s just remind ourselves that, you know, if there are 5.2 million businesses in the UK, which is thereabouts, 99 per cent of those, 99 per cent, are small to medium enterprises.
WILL SPALDING [00:08:18] And that makes up a large amount of our economy. Of course, if not all of it.
DAVID KAY [00:08:21] Our corporate tax base, our economy, our employment, our employment base, it’s hugely important. And the thing about these organisations, they turn over, you know, in the region of 50 million euros, 50 million pounds. So they’re substantial, and less obviously, they are big enough and substantial enough to be worth hacking rather than the sort of household names like Marriott, Equifax, British Airways, et cetera. But it tends to be a subject where boards are quite ignorant about what they need to be doing; skills in these organisations are very rare, the right type of cyber security skills. And, you know, a survey was done recently that 43 percent of organisations were hacked or attacked last year. Two thirds of those, 66 percent, were in the SME community as well. So my contention is the board needs to be doing far more. And actually, it’s not just my contention. Ciaran Martin, the chairman of the National Cyber Security Centre, has said very recently in November it’s not enough for a broad an SME board to abort X or appointed Y. Every single board director needs to be cyber literate, to be involved in the cyber policies of these organizations. And he was quite critical, I think, about the take up within SMEs and businesses along the take up of how serious this threat is.
WILL SPALDING [00:10:03] This is a scary thing because I’ve heard examples for, you know, different people have come on, come on to Disruptive talking about, you know, people have even mimicked colleagues in certain scenarios and everything like that. So I think it’s to make people aware of this can happen to anyone. It’s not just a matter of just because you’re having to be a board director, your, you know, immune from this essentially happen to yourself. So in that particular case. What practical measures can be implemented, I suppose, and on more not only just a day to day basis, but for a continuous plan for SMEs and businesses that Celerity help out.
DAVID KAY [00:10:46] Good question. There are there’s plenty of information available on on on the Web. The National Cyber Security Centre recently, well actually it’s in 2016, published 10 guidelines that all businesses should adhere to in order to go on the journey to becoming far more cyber secure. And those steps would include things about secure configuration implementation, secure network development, how to manage risk, et cetera, et cetera. Now, interesting interestingly, those guidelines have been available for last two years. But of that SME base I talked about, less than 25 percent of them are aware of it despite all the publicity. The other thing that organizations can do is get certified. There is a cyber essentials program which certifying bodies again administered by the National Cyber Security Centre that can take boards through what are the imperatives that they observe in terms of making sure there’s a plan all the way through to cyber security professionals. What they need to be doing and employees. And again, I’m ashamed to say that less than 25 percent of this SME small to medium enterprise base are aware of the cyber essentials program. So I think there’s an element of complacency out there and lack of awareness as to what they should be doing.
WILL SPALDING [00:12:21] Yeah, because this is a thing, isn’t it? I think it’s not only just it’s for board of directors and for these SME that you describe. Okay okay if an attack happens on there as a business. Okay it’s bad for them. But they also have I suppose a social responsibility don’t they as well to not only just look after their employees and their stakeholders, but they also are, they’ve got, as I said, stakeholders. They’ve got their suppliers, they’ve got GDPR regulations, everything like that. If the chances are high for attack to happen and they don’t have the security in place and the hacker is successful. What are the main repercussions, I suppose, for for these companies that don’t have it in place?
DAVID KAY [00:13:01] Great question. A survey was done by an opinion back in September, and it came up with the conclusion that in the UK 35 percent of businesses would not deal with an organisation they felt, or there were rumours, were not secure. So the impact on business is quite strong. Forget about the brand and the fines and any ransomware you may have to pay. You’re talking about a business that may even be suggested as being insecure will not be dealt with, and any company where a breach has been achieved, the same survey, opinion survey, said that 27 per cent of organisations would cease to deal with them at all. So massive, this could be terminal for an SME. And my concern is that people aren’t taking this seriously enough.
WILL SPALDING [00:14:07] It’s an interesting point, though, as well, because this is clearly vital for SMEs, but it’s one of those things, if people don’t truly grasp it at a fundamental level and they think they’ve got other bills to pay, essentially they’ve got other overheads or they’re not quite doing as well in the market. It’s a difficult thing to balance, really, isn’t it, as well? But it’s a it’s a necessity also.
DAVID KAY [00:14:33] Absolutely it’s a necessity. I mean, these these companies are in the crosshairs of the cyber gangs. They should be under no illusion that if you know, if it’s not happened yet, it will happen. You know, in Celerity we use this hashtag, as you’ve said, when, not if. So it is going to happen to guaranteed it will happen. And a lack of investment in the right technology, the right skills could really result in the business, your business going out of business.
WILL SPALDING [00:15:08] Just moving on from the private sector and moving on to, you mentioned earlier about the NHS and the attacks happened on there a couple of years back or 18 months ago. And you’ve got you’ve got a lot of interest in the NHS right now. What what’s the reason behind that other than these these previous attacks?
DAVID KAY [00:15:25] There’s a feeling, I think within Celerity that there’s a lot of the SME issues that exist here in a key area of our public sector or infrastructure. And when we’re talking about hacking data, there’s no more precious data than your medical history, your medical data. So the protection of that is massively important. Plus, these NHS trusts there’s about 250 of them in the UK and the 7,500 GP practices.
WILL SPALDING [00:15:58] And sometimes openly, people know this, they’re not always communicating with each other as well.
DAVID KAY [00:16:02] Absolutely right. But again, these I mean, we know about budgets. Budgets in hospitals and trusts are at a minimum; their ability to spend on new cybersecurity technology is constrained. There are some quite onerous additional government imposed regulations that NHS Trusts need to adhere to because of the private nature of information. And the other problem that’s happening generically in the NHS is, as you’ve said, this use of connected devices, the IoT, Internet of Things, you know, medical scanners, MRI scanners, insulin pumps, medical medicine at home, testing blood pressure remotely, all of these IoT devices are very vulnerable to attack. So what we’re talking about here is not just, you know, the data even, but you can be talking about life or death. And I don’t want to sound too twee and too panicky. But we sincerely are talking about. I mean, the last hack cost the NHS about 90 million pounds; 19,000 appointments and medical interventions had to be cancelled. So the NHS Trusts for us are crying out for maybe a service that Celerity could provide via Citadel, where you’ve got skilled cyber security professionals providing a managed service and taking some of the care and worry away from the trusts so they can focus on making people better.
WILL SPALDING [00:17:42] It’s without you, without terrifying people or anything like that, or making it into too much of a horror horror film. It is something that does clearly need looking into. If you could give any advice right though just to round up, I suppose, this first episode to people who perhaps don’t know enough about it or where would you tell them to first of all, where to start to look into this and how you can go about looking at protecting yourselves and any other closing points that maybe we haven’t covered so far.
DAVID KAY [00:18:16] Sure. I think it’s important to recognize that most breaches start with user error. So education and training is a massive component of what companies should be investing in. There are hundreds of phishing kits available on the dark web to a gang that wants to start up in terms of ransomware or hacking. And, you know, running a very tight education program. We work, for example, with a company called OSP Cybersecurity, very knowledgeable, having your users trained, having them having training refreshers, making cybersecurity training a key component of the induction onboarding program for new employees. That’s absolutely vital, that every company, no matter how big, builds a culture of security awareness.
WILL SPALDING [00:19:14] And training is really important.
DAVID KAY [00:19:16] Absolutely. Training is probably the key gift that a board of directors can sanction and give to their employees and then reap the rewards in terms of not being hacked. But there are other things, too. I mean, I would say speak to some of these trainers like OSP Cybersecurity, get a feel for, you know, what training they can provide. You could speak to the security software vendors. But bear in mind, when you do that, basically they’re selling their stack, their product, and you might be better speaking, or at the same time speaking, to a managed service provider, a security managed service provider who has chosen the best in class combination of software products from different suppliers to come up with a holistic service, and speak to people like Celerity about what we can do with Citadel to solve some of these cyber security issues that you’re facing on a daily basis.
WILL SPALDING [00:20:14] Great stuff, Dave. Fantastic having you on the show today. Really good to have your knowledge and advice about how to look after these SMEs. Unfortunately we’re gonna have to wrap things up there. A pleasure having you on. Join us next time for another security panel where we’ll be discussing all things again within cybersecurity. I’d like to thank our first guest as well for this great series that we’re going to be having, Dave Kay. So once again, we’ll see you next time for the next security panel.
DAVID KAY [00:20:43] Thank you.