14 Cyber Security Experts, highly intelligent presentations, excellent food, a FREE bar AND a Magician… err Hello? Why weren’t you there?
Whilst there, I filled 12 pages of notes! I’m not going to bore you with the minutiae, so here are the main ‘takeaways’ for me at the EU Cyber Security Conference, Leeds:
- SMEs need to take responsibility and protect themselves
- Someone is a victim of Cyber Crime every 10 seconds
- 18th Oct is ‘Get Safe Online’ day
- The first computer virus was made by Basit & Amjad Farooq in 1986
- Today, over 1 million new forms of computer virus are created daily
- Malware is the generic name for Malicious Software
- PICNIC (Problem In Chair, Not In Computer): in other words, your staff could cause security breaches without knowing.
- Don’t click any links online that you don’t trust
- Look out for small amounts of money taken from your bank from unknown sources, even if it’s 1p
- Use multiple words in your online passwords (inc numbers, letters and caps) and never use the same password for multiple websites.
- Know your legal responsibilities for operating online and holding databases, and what to do in the event of a security breach: GetSafeOnline.org
Tarun Samtani, CISSP
- 68% of problems that occurred were due to Employee or Contractor negligence
- If you’re a small business, you don’t need to spend a lot on Cyber Security.
- To start with, look at all areas of your business at risk, determine what you need to do to protect the most vulnerable, and protect that first.
- Ways to protect yourselves: patch and update your computer software, malware and virus protection, firewalls, encryption, back-ups and storage security.
- The overall responsibility for the Cyber Security of a business lies with the Owner, or someone internal. They need to continually carry out assessments for: Policies & procedures, Training, Monitoring, Physical Security (do you have a lock on your server room?) and Breach management.
- Reporting a breach to the Information Commissioner’s Office: there is no current legal obligation to report a breach of security; however, they believe that ‘serious’ breaches should be reported. What is ‘serious’? Phil explains this is still determined by YOU. If you have 10,000+ records on a database that disappears or is hacked, then that should technically be reported. But even if you have just 100 records of a significant level of detail, then that ALSO should be reported.
- Elizabeth Denham is the Information Commissioner
- It is better to come clean and explain the situation to the ICO than to hide the evidence and try to protect your company’s reputation by withholding information. Take control of the message to your Customers and the Press, and tell them what steps you’ve already put in place to stop this happening again.
- Phishing examples to watch out for: p.aypal.info, restore-amazon.com, icloud-unlock.pl and net-flix.one. They pretend to be websites that help you reset passwords and the like, and then take note of your password.
- UTF-8 is the character encoding that lets a web address contain characters that are not quite what they seem: on screen they look like ordinary letters and numbers, but underneath they are different characters.
- HTTPS is not enough any more: an HTTPS certificate is easy for any company to obtain, even one run by hackers. HTTPS does not mean a site is authentic.
- Spear phishing = targeting individuals instead of groups of people/organisations
- Tessler Motors – example of cyber hack. The company took a trip and put all the staff up in a hotel. Hackers heard this, and prepared a ‘Tessler’ email log-in page, which some Employees signed into – giving away their email passwords and access in the first 30 seconds of logging on!
- Companies… ensure you have a firewall and an Intrusion Prevention System (IPS) in place. Also use VPN encryption for employees logging into email remotely, and insist on strong passwords.
- Carry out a ‘Risk Report’ for your business in detail, including disaster recovery and business continuity.
- Evaluate any operational issues that Cyber Security can impose on a business. For example, closing wifi off to an office may be one way to help to protect the business, but the Social Media team won’t be able to carry out their jobs!
- BP’s CEO explains that they face 50k cyber attacks every day.
- Voice imitation is on the rise
- The question isn’t *if* you’re next, it’s *when*
- In this World, nothing is safe. Technology appears to be stable, but interactions are developing into uncertainty.
- 91% of companies have experienced some form of cyber attack.
- 25th May 2018: the General Data Protection Regulation comes into force
- Cyber Essentials is a new Government-backed and industry-supported scheme to guide businesses in protecting themselves against Cyber threats
- ISO 27001 is the standard that helps ensure you are protecting People, Premises, Processes and PCs. We need to consider ALL these factors when thinking about Cyber Security
- Online relationships can be lasting and authentic – not everyone you meet online is out to spam or scam you.
- Modern day protesting is just as effective online as offline!
- Digital Democracy = the ability for everyone to have their say online, put forward their beliefs, challenge the ‘norm’ and the decision makers with online petitions and forums.
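The lookalike domains quoted above (p.aypal.info, restore-amazon.com, icloud-unlock.pl, net-flix.one) and the note about UTF-8 characters that are not what they seem both boil down to one check a mail filter or a help desk can run. The script below is an added example, not from the conference or the post: it assumes a small constructed list of brands to protect and a partial table of Cyrillic letters that look like Latin ones, and it flags a hostname that hides a brand name behind dots, hyphens, non-ASCII lookalike letters or punycode (xn--) labels.

```python
import unicodedata

# Constructed list of brands named in the lookalike domains quoted in the post, with the genuine domain.
PROTECTED_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com",
                    "icloud": "icloud.com", "netflix": "netflix.com"}

# Partial confusable table: Cyrillic letters that render like Latin ones (constructed subset,
# not the full Unicode TR39 confusables data).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"})


def normalise_host(host: str) -> str:
    """Lower-case, NFKC-normalise and decode punycode (xn--) labels so the check
    sees the host the way a browser would display it."""
    host = unicodedata.normalize("NFKC", host.strip().lower().rstrip("."))
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label so it is reported below
        labels.append(label)
    return ".".join(labels)


def lookalike_reasons(host: str) -> list[str]:
    """Return the reasons a hostname looks like a brand impersonation; [] means none found."""
    host = normalise_host(host)
    reasons = []
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII characters (possible homograph)")
    elif "xn--" in host:
        reasons.append("punycode label that could not be decoded")
    # Squash separators so p.aypal.info and net-flix.one still reveal the brand, then map
    # confusable letters onto their Latin lookalikes.
    skeleton = host.replace(".", "").replace("-", "").translate(CONFUSABLES)
    for brand, legit in PROTECTED_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            continue  # the genuine domain or one of its subdomains
        if brand in skeleton:
            reasons.append(f"contains brand '{brand}' but is not {legit}")
    return reasons


if __name__ == "__main__":
    for h in ["paypal.com", "p.aypal.info", "restore-amazon.com", "p\u0430ypal.com"]:
        print(h, "->", lookalike_reasons(h) or ["looks genuine"])
```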
Jenny Radcliffe, The People Hacker.
- Jenny makes educated assumptions about staff members and befriends them to access information about a company she’s trying to hack.
- Jenny has coined a phrase, The Human Factor: a perceived arena of trust, where she relies on the automatic behaviour (and familiarity/similarity) of people to give her what she needs.
- Explain about offline Hackers to your Staff, give them reminders often, and discuss security breaches in the media with them.
- Change their minds (remove security fatigue), their moods (make them ambassadors) and their willingness to act on suspicions.
Gary Hibberd said at the outset, if you leave with even more questions than answers, that’s a good thing – the industry is changing daily, so questions will arise!
Here you go Gary…
- How can an out-of-date piece of software leave you exposed to Cyber Crime?
- Enable HSTS on your HTTPS – ok this bit got a bit too technical for me, help!
- Another technical item that I would love to know more about: Extended Validation Certificates.
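On the HSTS question: HTTP Strict Transport Security is a response header that tells a browser to reach your site only over HTTPS for the number of seconds in max-age, so a visitor who types the bare domain or follows an http:// link is never sent over plain HTTP. The checker below is an added example, not from the conference or the post; it assumes the response headers have already been fetched and scores them against the directives in RFC 6797 and the requirements of the browser preload list, using two constructed headers (a weak one and the corrected one).

```python
ONE_YEAR = 31536000  # seconds; the preload list and most guidance expect at least this max-age


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (RFC 6797 syntax);
    directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(scheme: str, headers: dict) -> list[str]:
    """Return the problems with a response's HSTS policy; [] means it looks sound.
    `scheme` is what the response was fetched over: browsers ignore HSTS sent on plain HTTP."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: browsers will still accept plain-HTTP visits"]
    problems = []
    if scheme != "https":
        problems.append("HSTS sent over plain HTTP is ignored; serve it on the HTTPS response")
    d = parse_hsts(value)
    age = int(d["max-age"]) if d.get("max-age", "").isdigit() else None
    if age is None:
        problems.append("max-age missing or not a number; the header is invalid without it")
    elif age == 0:
        problems.append("max-age=0 tells browsers to forget the policy rather than enforce it")
    elif age < ONE_YEAR:
        problems.append(f"max-age={age} is below one year ({ONE_YEAR}); protection lapses quickly")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains absent: subdomains can still be reached over plain HTTP")
    if "preload" in d and ("includesubdomains" not in d or age is None or age < ONE_YEAR):
        problems.append("preload requested, but the preload list needs includeSubDomains and max-age >= 1 year")
    return problems


# Constructed response headers: a weak policy and the corrected one.
WEAK = {"Strict-Transport-Security": "max-age=300"}
STRONG = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(name, "->", check_hsts("https", hdrs) or ["looks sound"])
```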