Event: Government Events: Effectively Building Defences, Resilience And Capabilities Against Online Threats
Event Type: Conference
Organiser: Government Events (https://www.governmentevents.co.uk)
Date: Wednesday 25th September 2019
Location: Hallam Conference Centre

Online threats are such a hot topic these days, so much so that Government Events organised a conference which included many guest speakers from across different industries. Whilst I always try to keep my articles to a reasonable length so you are not put off reading them, I have to apologise in advance for this one. There was so much information provided at this event with so many guest speakers that although I have tried to cut this down as much as possible I’m afraid it is a long article! If you can bring yourself to read it, I’m sure you’ll find at least some of the information useful even if you don’t find it interesting!

Guest Speakers

The guest speakers included:

  1. Professor Jeremy Watson, Professor of Engineering Systems and Vice-Dean of Engineering Sciences, UCL (Chair of the event)
  2. Detective Superintendent Andrew Gould, National Cybercrime Programme Lead, National Police Chiefs’ Council
  3. Mike Hulett, Head of Operations, National Cyber Crime Unit, National Crime Agency
  4. Dmitriy Ayrapetov, Vice President of Platform Architecture, Sonicwall
  5. Dan Jeffrey, Head of Cyber Security Programme and Innovation, NHS Digital
  6. Ryan Manyika, Privacy Consultant, OneTrust
  7. Nikola Howard, Data Centre Manager, London Borough of Camden
  8. Linda McCormack, Head of Internal Communications, Anglian Water Services
  9. Noel Slane, Regional Vice President, European and Middle Eastern, Tekenable/Opswat
  10. David Cowan, IT Manager, Copeland Borough Council
  11. Dr Emma Williams, Lecturer, University of Bristol
  12. Dr Robert Nowill, Chair, Cyber Security Challenge UK
  13. Mathew Critchley, Head of Security and Resilience, Manchester City Council

These speakers shared experiences to help raise awareness of the Cyber Security threats organisations face on a daily basis, as well as guidance on how to mitigate the damage these threats can cause. Like many of the events I have attended, the message from these speakers was that “it’s not if an attack will happen, it’s when”, and the emphasis was on protecting ourselves as much as possible before it happens.

Experiences

One speaker shared their experience of their workplace being hit by a Cyber Attack a few years ago that completely destroyed their digital systems; over 2 years later they were still rebuilding. Emphasis was put on making sure regular backups are kept secure and regularly tested, to ensure recovery is possible should the worst happen. Backups should be kept off the network so they cannot be reached during a security breach, and ideally a copy should also be kept off-site to help protect against a physical event, whether it is malicious or natural.

Another speaker shared their experience of how easy it was to social engineer the staff at their organisation. They explained how they created fake LinkedIn accounts pretending to be an employee of their organisation and sent connection requests to other employees of the organisation. The employees gladly accepted the connection requests, and one colleague even went as far as asking the fake female account that had been created out on a date! This was a very easy and very successful way of social engineering.

Cyber Security Awareness Training

There was a discussion regarding educating our users about Cyber Security threats and what techniques can be used to encourage our users to take an interest in helping the organisation stay secure. Making the training interactive and also personalising the training were effective ways of significantly improving the interest of the company employees.

An organisation created stickers which were distributed to staff, and when a staff member walked away from their computer leaving it unlocked, a colleague would put one of the stickers on their machine for the staff member to see when they returned. This simple idea created a little game between the employees where nobody wanted the shame of being “caught” for leaving their computer unlocked, and this improved the rate of staff members locking their machines when they walked away from them.

Another useful consideration when providing Cyber Security Awareness training to employees was to tailor the training for the different departments. Whilst all employees tend to face the same common security risks, different departments also have their own Cyber Security risks they would be more susceptible to. For example, a finance department is more likely to be targeted to hand over financial information such as credit card details. The VIPs of the organisation are more likely to be impersonated, with their emails being spoofed, or tricked into handing over their login details. It is important these departments are made aware of how they are likely to be targeted.

Psychology in Cyber Security

The psychology involved in Cyber Security Awareness training was discussed and useful tips were shared on how to engage our users with Cyber Security. A useful technique was to personalise the Cyber Security awareness training. Helping the end-user to understand that the Cyber Security best practices they were being taught at work could help keep them and their families safe at home immediately gained their interest. As well as personalising the Cyber Security Awareness training, the organisation also created educational videos which were appealing to a younger audience, so they would also be interested in watching and learning.

Another psychological factor to be considered when providing Cyber Security awareness training was the environment in which the training was being provided. If staff members felt overly comfortable and safe, naturally their guard would be dropped and the amount of attention they dedicate to the training being provided to them will be lower than if they were taken slightly out of their comfort zone. This doesn’t mean all staff members should be taken to an unknown location surrounded by strangers and forced to listen to Cyber Security training on repeat. It simply means that training should cater for the fact that if staff members feel “I am at work so I am safe from a Cyber Attack as our IT department will protect us”, they are less likely to accept the role they are required to play in order to help keep the organisation secure.

Similarly, the timing of the Cyber Security training should be taken into consideration. Staff members are much less likely to fully concentrate on the training at 3PM on a Friday afternoon than they are at 10:00am on a Tuesday morning (in a typical 9-5 working week). Training sessions should also be of a reasonable length; especially considering that Cyber Security is not really the top interest of most staff members, there is no point spending hours and hours on a particular training session. It would be far more effective to provide shorter and more regular training sessions.

Cyber Security Threats

An interesting statistic was that traditional malware attacks were decreasing as other types of attacks were on the increase, such as Ransomware, IoT targeting and watering hole attacks (infecting a website that company employees may visit, so that they become infected and the infection then spreads through the company network). This is largely due to the fact that Antivirus vendors have become quite effective at preventing traditional malware attacks. This has all resulted in malicious users now spending more time working to evade detection with these new techniques.

DeepFake is a type of Ransomware that I have mentioned before in my CloudSec Event article, and it was mentioned again at this event as it continues to become more infamous. DeepFake is definitely a Cyber Security Threat that all companies and their employees need to be made aware of. It consists of pictures and/or voice recordings of an individual being manipulated to impersonate them. This can include videos being made of them and even phone calls being made using the compromised person’s voice.

A prime example of DeepFake Ransomware (which has actually happened to a company) was a senior member of the finance department at an energy company being impersonated to a more junior member, requesting they immediately transfer funds to another account. It’s easy to read this and think “how did the person get tricked into this? I’d never fall for it.”, but the reality is that the impersonation seems so real, and it is therefore extremely important employees are made aware of such malicious threats.

Conclusion

Well, I did warn you this was a long article. This event was extremely informative and there is honestly so much more that could be included from this event in this article, but let’s not turn this article into a book. If you are serious when it comes to Cyber Security and you get the opportunity to attend a future event like this, I would recommend you grasp it with both hands.

One of the parts I found so interesting from this event and highly advise Cyber Security professionals to take on board is just how much of an impact psychology has on Cyber Security awareness training. There is no point providing Cyber Security awareness training if you are not optimising the impact it has.