Cyber News Global - Issue 3


Editor in Chief

Dear Reader, Welcome to Cyber News Global. This collaborative publication has been brought together by the UK’s leading Energy Sector Publication OGV Energy and UK Cyber Security Specialists, OSP Group Limited.

A combined wealth of experience, networks and specialists will ensure that CNG becomes a leading platform for the Cyber Sector in the UK, USA and Middle East.

Our Editor Elspeth Reilly is a talented writer with a Master of Science focused on Creative Writing from The University of Edinburgh who was also Art Director for The University of Edinburgh’s creative writing anthology.

In addition, Elspeth also has a bachelor’s degree in graphic design from the American University where her activities included Vice President of the Graphic Design Club and Poetry Editor of the American Literary Magazine.

Thomas McCarthy

CEO, Cyber News Global

Kenny Dooley

Director, OGV Energy

If you have a contribution of relevant industry news please email Elspeth to editor@cybernewsglobal.com

Have an inspiring day and read on!

Zero Trust - GISEC

Cyber World Championship $1Million Prize

“Attack is the best form of defence”

By H.E. Dr. Mohamed Al-Kuwaiti and Dr. Aloysius Cheang

Managing the Human Element of the Security Chain

By Dr Fene Osakwe, Global Cyber Security Leader - Best-Selling Author

Breaking the mould and closing the gap

By Carmen Marsh, CEO of United Cybersecurity Alliance

The Future Belongs to The Curious - Meet the Tesla Hacker Interview with David Colombo

How did this get so bad?

Isabelle

Chief International Office, Zendeta

What the CISO says - Start the conversation, don’t delegate it!

Women in Cyber Security

and Director of MyEmpire

Increasing women participation in Cyber Security

How To Mitigate The Effects Of Quantum Computing On Business Data Security

By Amanda Prelich, Dragonchain, America’s Blockchain

Cybersecurity trends that will drive change in 2023

Honeywell

Protecting Operational Technology – an Industry View

Resilience Decision Making

Cyber Centre of Excellence is Launched

Human-Centred Security

By Chris McDermott, Lecturer, Human-Centred Security Research, RGU

H.E. Dr. Mohamed Al-Kuwaiti, CEO Cyber Security Council Dubai

1. With your efforts, the UAE was listed in the Guinness World Records for having the most users in a CTF competition as well as the largest bug bounty competition. Have you seen a rise in interest for cybersecurity since the success of these events?

Yes, from 3 indicators. Firstly, there are many more cybersecurity events, some of them regional/global, being held in the UAE. Secondly, the World Cyber Championship launched at the start of 2023 saw phenomenal participation numbers. Lastly, we are seeing more students getting interested in Cybersecurity, for example seeking cybersecurity related internships.

2. Under your leadership, the UAE has risen to the 5th place within the ITU Global Cybersecurity index – advancing an incredible 42 positions from the last assessment – what has been your principal strategy when promoting cybersecurity?

Staying open, collaborative and building a culture of cybersecurity in a public-private partnership building on strength of our partners is our principal strategy.

3. Can you give an example of a successful cybersecurity project implemented in the UAE?

Our Cyberpulse initiative, which is critical in imbuing a DNA of cybersecurity as we build a culture of cybersecurity for our students and residents.

4. Looking to the future of cyber, how do you see the cyberthreat landscape evolving, and how do you propose we best evolve to meet tomorrow’s challenges?

We need to continue to build on our 5 strategic pillars in our cybersecurity strategy, specifically building defence-in-depth harnessing on deep tech such as AI supporting our foundational capabilities such as NSOC that allows us to take a proactive cybersecurity strategy where offense is the best defence.

5. What role does collaboration play in addressing cyber security threats in the UAE?

Cybersecurity is a team sport that requires us to harness the collective strength of all the stakeholders in the ecosystem in order to systemically address cyber threats.

6. How does the UAE balance national security concerns with the need to protect the privacy and rights of individuals and businesses?

We have enacted a personal protection act for the purpose of this under the umbrella of national cybersecurity strategy.

7. What advice do you have for businesses operating in and outside of the UAE to improve their cyber security posture?

Observe good cyber hygiene by adhering to global best practices and international standards in cybersecurity.

8. What are some of the key trends and developments in cyber security that are relevant to the UAE?

The rapid digital transformation brought about by the pandemic and the dawn of the Metaverse together with favourable macro economic factors are key to drawing more talents and cybersecurity companies including startups to set up shop here in the UAE, thereby granting the UAE into a global cybersecurity hub status.

9. How does the UAE approach cyber security in critical infrastructure sectors such as energy and finance?

We approach them as with how we approach the other critical information infrastructure – by building layered defence and practice defence-in-depth in collaboration with all the stakeholders in the ecosystems and with our partners, based on global best practices and international standards. Getting the right partners with the right people with the right skills and attitude is the key.

10. What do you see as the future of cyber security in the UAE?

The UAE is well poised to be the globally trusted digital oasis and a global leader in cybersecurity advocacy and best practices with more and more leading cybersecurity firms and unicorns to be borne out of the UAE.

Cyber News Global’s Editor-in-chief, Elspeth Reilly, had the pleasure and honor of speaking with H.E. Dr. Mohamed Al-Kuwaiti, Head of Cyber Security Council, United Arab Emirates Government.

Supply Chain Security

‘the weakest link in the supply chain’

Supply Chain Security Course – This course is aimed at staff who deal with third parties within their organisation’s supply chain. With this training you will improve awareness of the supply chain cyber risk and help to implement good practice.

This course includes:

• Understand the cyber risks to your supply chain

• Understand how to establish and maintain control of your supply chain

• How to check your arrangements for confidence in your supply chain

• Recognise how to encourage continuous improvement and build trust with suppliers.

This course makes recommendations based on NCSC best practice. Implementing these recommendations will take time, but the investment will be worthwhile. It will improve your overall resilience, reduce the number of business disruptions you suffer and the damage they cause.

It will also help you demonstrate compliance with GDPR, the new Data Protection Act. Ultimately, these measures may help you win new contracts, because of the trust you have sought in the security of your supply chain.

Disclaimer: The views and opinions published within editorials and advertisements in Cyber News Global are not those of our editor or company. Whilst we have made every effort to ensure the legitimacy of the content, Cyber News Global cannot accept any responsibility for errors and mistakes.

Editorial: editor@cybernewsglobal.com. Advertising: marketing@cybernewsglobal.com. Design: office@ogvenergy.co.uk. Events & Partnerships: ceo@cybernewsglobal.com. Media pack: www.cybernewsglobal.com

Mid-East Zero Trust Access network market tipped for double digit growth as cybercrime threats surge

GISEC Global 2023 to shine spotlight on ‘never trust, always verify’ IT infrastructure model dubbed by experts as the security framework of the future

Dubai, UAE, 10 February 2023: Middle East governments and corporates are expected to invest heavily in Zero Trust Access (ZTA) IT systems over the coming years to ward off the omnipresent threat of cyber-attacks, providing a major boost to the region’s cybersecurity market that’s predicted to more than double in value over the next five years.

Exhibitors at next month’s GISEC Global cybersecurity exhibition in Dubai said ZTA security – an approach to designing IT infrastructure with a ‘never trust, always verify’ model – will be highly sought after in 2023 and beyond, as organisations seek to protect their data and systems against constantly evolving and increasingly sophisticated cyber threats.

In the Middle East, the pervasive ‘work from anywhere’ culture is convincing companies to double down on their efforts to protect digital assets, fuelling the region’s cybersecurity market that, according to analysts Markets and Markets, will grow from US$20 billion in 2022 to US$44.7 billion in 2027, clocking 17 percent annual growth.

Rising IoT traffic, increasing technological advancements and modernisation of enterprises are also fuelling demand for zero trust security solutions, with MarkNtel Advisors, a research company, expecting the Middle East ZTA market to grow by 16 percent annually over the next five years.

The core cybercrime methods haven’t changed, but the sophistication of them has increased. The good news is IT security professionals and C-level decision makers will have no shortage of solutions to investigate at the 11th edition of GISEC Global 2023, which returns to the Dubai World Trade Centre from 14-16 March, featuring more than 400 exhibitors from 42 countries.

Household names such as tech titans Huawei and Microsoft will be out in full force at the annual three-day event, alongside headline ground-breaking infosec companies including Spire Solutions, CPX, Mandiant, Pentera, Cloudflare, CrowdStrike, Edgio, Secureworks, Synack, ThreatLocker, and Votiro.

“In our increasingly digital world, security is a key concern and area of focus,” said Waseem Hashem, Business Group Director for Modern Work & Security at Microsoft UAE. “At Microsoft, we have a long-standing commitment to securing our platforms and providing solutions, and our answer to safeguarding the digital space in the face of evolving threats is the Zero Trust network and architecture.

“Businesses worldwide are prioritising secure and efficient network access, making the adoption of Zero Trust non-negotiable. In the Middle East, in particular, where cyber threats are becoming more persistent and sophisticated, the implementation of this approach is a critical step for organisations to protect their sensitive data.”

CPX, a home-grown cyber security entity based in the UAE, will this year showcase its complete suite of end-to-end cybersecurity capabilities covering all industries from energy & utilities to government and defence, healthcare, finance and transportation. Commenting on the Zero-Trust networks, Paul Lawson, Executive Director at CPX, said: “The fast-paced growth of emerging technologies like AI/ML, Cloud and IoT has put a strain on an organization’s ability to secure, protect and mitigate looming cyber threats.

“We expect these shifts to significantly contribute to a rise in the adoption of Zero Trust models. A Zero Trust approach distrusts all entities by default, requiring all users inside and outside a network to be continuously authenticated and authorised.”

Added Lawson: “In the Middle East, many organisations still depend on a traditional firewall-based perimeter architecture. As organisations embrace new advanced technologies and frequently migrate to Cloud, they should align and enhance their cybersecurity posture by deploying Zero Trust ‘aware’ technologies.”


Zero Trust to replace VPN by 2025 – Gartner

Another key factor behind the growth of ZTA is the increasing adoption of cloud technologies, leaving organisations migrating workloads to the cloud increasingly vulnerable to wily attackers, posing major challenges and causing significant losses.

Tech research firm Gartner predicts that zero trust network access will even replace virtual private networks (VPNs) by 2025, with the rise in remote work and the continuing threat of cyber-attacks urging companies to scout for more robust security frameworks. As a result, says Anil Bhandari, Chief Mentor at ARCON – a cybersecurity provider with sales headquarters in Houston, Texas – organisations are gearing their investments towards a system that, among several characteristics, uses multi-factor authentication to verify the identity of users and devices.

“According to our research, adopting zero trust networks and architecture will be a top priority for IT security executives in the Middle East and around the world this year,” said Bhandari, who will be at GISEC Global 2023 with ARCON’s Converged Identity Management platform – a Software as a Service identity and access management platform.

“In the Middle East, in particular, for a typical large-scale enterprise or mid-size company, the IT perimeter is no longer confined to on-premises data centres. As modern-day IT infrastructure is large and distributed in hybrid and multi-cloud setups, Middle East IT security leaders will look to build micro-segmentation and micro-perimeters for controlling and securing digital identities.”

‘Think Zero Trust’ at GISEC Global 2023

CyberKnight, a UAE-based cybersecurity value-added-distributor, will meanwhile have a dedicated ‘Think Zero Trust’ theme at GISEC Global 2023, with CMO Olesya Pavlova stating that attackers are continuously expanding their capabilities and taking advantage of an ever-growing number of attack vectors.

“In 2022, we saw that cybercriminals targeted Middle East critical infrastructure, including information technology, financial services, healthcare, and energy sectors, with headline-grabbing incidents,” said Pavlova, whose CyberKnight recently partnered with American zero trust real-world cybersecurity company Xage to accelerate ZTA adoption across the Middle East.

“Currently, we see XDR, data security, threat intelligence and application security with the highest demand. Our purpose remains the same going forward – to help fight cybercrime using Zero Trust.”

Elsewhere, US-based StrikeReady will showcase its award-winning AI-powered Cognitive Security Platform at GISEC Global 2023. AI capabilities such as reinforcement learning, natural language understanding, and proactive conversational AI enable StrikeReady’s Cognitive Security Platform to offer innovative features such as a virtual cybersecurity assistant.

Anurag Gurtu, Chief Product Officer at StrikeReady, said in order to continue to evolve in the same way that attackers do, thriving organisations must have ZTA as part of their cyber security transformation.

“The Middle East is one of the few regions that adopts cyber security early, so I suspect many businesses there have looked into ZTA,” said Gurtu. “Attackers are innovative, and their tactics continue to evolve to defeat existing cyber defences. It is imperative that the industry adapts and evolves in order to stay competitive with attackers.”

GISEC Global is organised by the Dubai World Trade Centre (DWTC), with the annual three-day event also comprising an extensive conference programme under the theme ‘Connecting minds, boosting cyber resilience’, with 13-tracks tackling the evolving cyber landscape and corresponding threats across multiple industries.

“The Zero Trust model addresses the Middle East’s growing concern of cyber-attacks on critical infrastructure, while providing a more comprehensive approach to security by requiring verification of all users and devices, regardless of location, and implementing strict access controls,” said Riju George, Group Director for GISEC at DWTC.

“The largest ever edition of GISEC Global in 2023 will deliver an unmatched ecosystem of the world’s premier cybersecurity players, helping governments and businesses address unprecedented security risks, while enhancing their opportunities to innovate and thrive in a constantly evolving digital economy.”

WORLD CYBER CHAMPIONSHIP

+250K Cyber Programmers and Cyber Experts in our community $1.000.000 PRIZE

CyTaka

CyTaka has an International sportive and positive cyber security community for awareness and sharing free support to protect anyone anywhere.

We have developed many vertices over a wide range of Security issues over IT/ IoT/OT/Web/Network/Software, and other categories for cyber experts and cybersecurity programmers.

CyTaka Hack

CyTaka Hack is a weekly virtual competition through the CyTaka App for expert level members only.

Together with simulations of cyber cases and defense, we give the opportunity for programmers and cyber experts to prove information security skills, and earn money.

CyTaka A.I

CyTaka invests in new AI-powered experiences and supercomputing that hackers use for generating cyber challenges and simulations.

CyTaka A.I simulates anonymous attacks and various industry cases inside a safe and isolated environment.

www.cytaka.com

“ATTACK IS THE BEST FORM OF DEFENCE”

- is the cyber art of war theme for 2023

The past three years have been of immense global upheaval. The Covid-19 pandemic, geopolitical instability, and rapid de-globalization have fuelled global tensions, sparking off a paradox of a global cyber pandemic amid rapid digital transformation and growth.

Background

The UAE was not spared of these changes. The upheaval of the Covid-19 pandemic cultivated an urgent need to increase the pace of digital transformation, hence paving the way for the UAE to establish itself as a trusted regional digital hub. The country took advantage of the situation and ramped up digital initiatives to become a digital economy leader in the region. Immense efforts were employed to build a conducive environment in the UAE with the right government policies. An industry-led regulatory regime and a uniquely open economy helped drive digital innovation further while many other countries were closing their borders to contain Covid-19. Having said that, the UAE did not throw caution to the wind. Instead, it implemented well-calibrated measures designed to build controls that enhance trust, security and branding of a world-leading economy. Such an economy is resilient in the face of cyber pandemic headwinds characterized by supply chain attacks and ransomware blitz, amongst other threats in a volatile risk landscape. Indeed, this bold approach embraced by the UAE over the last three years has been instrumental in the rapid digitalization in the country, building up a momentum that elevates UAE into a global digital leader.

Moving from a position of defence to offense

Over the years, various platforms have become increasingly influential in supporting the digital leadership efforts of the UAE. Among these are DWTC’s flagship event GITEX and its sister event, GISEC. While GITEX focuses on the entire ICT spectrum, GISEC specifically provides cybersecurity leadership. Being hosted for the 14th consecutive year in 2023, GISEC has grown from strength to strength, becoming a platform of choice for the UAE to be an agent of change for top cybersecurity enterprises from 40 countries. CISOs from major corporations across the Middle East, Africa & Asia, government dignitaries and cyber leaders, regional and international innovators and experts come together to shed light on the world’s most pressing cybersecurity challenges and discuss ways to stay ahead of potential threats through robust and innovative strategies.

Football offers an excellent analogy, with the recent FIFA World Cup still fresh in our minds. While the defence is critical, winning the game requires players such as Lionel Messi, who, as a midfield general, will not only orchestrate and control the game to play according to the winner’s tune but also possesses a poacher’s instinct that enables him to switch roles instantaneously into a menacing striker and a magnificent goal getter. As such, this year’s theme for GISEC is to take the fight to the cyber attackers by following the age-old adage: attack is the best form of defence. CISOs should therefore adopt a GISEC-first strategy, using a page out of the cyber attacker’s own playbook. Through GISEC, we can build a platform based on openness, transparency and collaboration because, just like football, building cybersecurity requires teamwork.

The case for a GISEC-first strategy in proactive defence strategy

A GISEC-first strategy encourages CISOs to take a proactive approach because the traditional reactive model is simply ineffective. Today, only 19% of global cyber leaders are confident that their organizations are cyber resilient. Further, the need for more effective cyber defence tactics is only becoming more urgent as digitization takes hold. By 2025, digital transformation will inject $100 trillion into the world economy, according to the WEF.

With this in mind, top cyber executives will unveil CISO’s 2023 strategy at GISEC to decode the uptick in cyberattacks and costs while navigating the evolving threat landscape. The new era of cyberattacks ranges from Metaverse cybercrime, crypto-jacking, 51% attacks on blockchains, drone exploit delivery attacks to Quantum threat, cloud security to applying AI internally and at the edge across healthcare, banking & finance, utilities, oil & gas, transport, nuclear, defence & communications.

GISEC is, therefore, the ideal platform of choice for CISOs to learn from each other as we develop our own game plan for our organizations. There’s a renewed sense of urgency for collaboration because cybersecurity rules have changed since the pandemic and the rapid rise of threats in new ecosystems like the Metaverse & Quantum computing. To define the new cybersecurity paradigms, we are gathering an extraordinary league of cybersecurity leaders at GISEC. The UAE Cybersecurity Council fully supports GISEC’s initiative of creating an inner circle for InfoSec leaders to discuss critical challenges and help build the cyber resilience of businesses in the UAE and the world.

Moreover, GISEC is not just a platform for CISOs to join forces. It is also the platform of choice to train our technical team to beat cyber attackers at their own game! This will be the second year GISEC will host a Bug Bounty Challenge. Last year, the Bug Bounty Challenge set a Guinness World Record for the largest Bug Bounty competition in the world. In GISEC 2022, we also set another Guinness World Record for most users in a Capture-The-Flag (CTF) competition. Together with the $1 million award bounty for the World Cyber Championship (a form of CTF competition), we are set for a fruitful CTF, bug bounty and technical exchange for GISEC in 2023.

Thirdly, in line with tradition, an innovation sandbox for start-ups and/or new/emerging technology pitching will be held again under GISEC. Known as GISEC Cyber Stars, we shall work with transformers of the industry towards cyber resilience and therefore build capabilities to get in front of the cyber attackers in addressing some of the BHAG in cybersecurity globally today.

Back to basics

However, before we start to tackle sophisticated cybersecurity problem sets, we need to return to basics through capacity building, by providing training and enablement to all stakeholders of the ecosystem, while at the same time reinforcing the recognition of the importance of cybersecurity and encouraging the adoption of basic cyber hygiene, thus building a culture of cybersecurity for the nation as a whole. Towards this end, the UAE Cybersecurity Council, in collaboration with its strategic partners, launched the Cyber Pulse initiative that aims to encourage the community members in the UAE to play a part in cybersecurity efforts. It seeks to increase public awareness of suspicious online activities and explains the necessary steps to be taken to prevent becoming a victim of phishing. The initiative also provides training courses, workshops and lectures about cybersecurity in an increasingly digital world. As a result, the UAE has successfully integrated the digital lifestyle into the everyday living of its citizens and residents, through creating smart telecommunications and digital transformation infrastructure, further advancing its status as an inspiring model of development and digitisation.

In fact, the first national cybersecurity innovation centre was launched in Abu Dhabi Polytechnic last October, that provided an action plan to enable the next generation of cyber professionals to tackle cyber skills gaps while also protecting UAE citizens and businesses from global threats. This lays the foundation for UAE to be a key player in the region for cybersecurity, and further position the country as a safe hub.

Truly entering into a new era of the CISOs

Last but not least, GISEC aims to empower the industry to take a proactive posture by fostering collaboration between partners and professional bodies. The various partnerships formed during GISEC will serve as feeders for future projects and collaborations that will be featured in future GISEC and GITEX conferences.

We have previously written about the coming of the golden age of CISOs, marking a turning point in cybersecurity. We have stated a prerequisite for that to happen, which is the need to return to basics when it matters the most. GISEC as a platform and the adoption of the adage “attack is the best form of defence” as the heart and soul of the cybersecurity industry, binding all the stakeholders in the ecosystem together, will be critical for realizing this dream. Otherwise, we’d be risking everything on a pipedream if non-action is allowed to prevail.

Conclusion

“Attack is the best form of defence” is the cyber art of war theme for 2023. The time is ripe for us to take a proactive approach to defend our assets rather than being reactive, setting up stalls and waiting for cyber attackers to appear but not knowing when they will appear, where they will show up and in what form and shape that they will be carrying out the attack. Assuming that you will not get hit is no longer a luxury we can afford, given that ransomware attacks will remain prevalent this year. Cybercrime is highly rewarding financially for successful attacks, the primary driver for escalating cybercrime.

Taking the fight to the cyber-attack requires brains as well as brawn. In the Art of War, Sun Tzu talked about the importance of “Laying Plans” in any warfare. While he advocated against warfare, once that decision is made he spoke of the need to take action swiftly, but not without an elaborate plan that dedicates more than 50% of the estimated time taken for the battle to complete, where all possible scenarios are played out. And chief among all is the need to ensure a robust, united backline that is harmonized not only in actions but in intents as well, leveraging culture and mindset to reach a common ground internally that will mobilise the entire nation into supporting the warfare.

Fortification, supply chain and constant capacity building to ensure the reserves are ready to be called up anytime, and that is what it takes in cybersecurity as well. Before we take the offensive, we need to ensure that we have the best cyber defence mechanism in place. And that is the motivation for the National Security Operations Centre or NSOC initiative that will be showcased during GISEC.

Following that, we shall create a community of action for the cybersecurity industry, for example, through the GISEC CISO Circle, that the industry can come to adopt a baseline cybersecurity strategy with a common design factor of a proactive approach of pushing the last line of defence forward towards the enemy den further away from our defence line and our digital assets. Next, we shall turn on protein overdrive and build up the muscles to wrestle with the enemies in the pit, with technical excellence taking center stage where our best of the best can hone their skills in the various competitions such as Bug Bounty and CTF that will be hosted at GISEC.

Lastly, we shall validate our latest techniques and technology in the innovation sandbox. GISEC is a treasure trove of tools, providing the necessary people-process-technology support that we can harness to realize our strategy and burn cybersecurity into the DNA of our organizations, keeping the enemies at bay and on the back foot, pushing them to be on a constant retreat from our line of defence and pushing it deep within enemies’ territories with no time to create havoc for us making it economically inviable. These cyber adversaries will eventually collapse like a house of cards as we enter a new era where the CISOs finally enter the boardroom and be counted as equals among our peers. And that is where the CISO revolution starts, not ended as we usher in the new digital era and the CISOs as the guardians of this new

Dr. Aloysius Cheang, Chief Security Officer, Middle East, Huawei

Managing the human element of the security chain

The chain here suggests all the various elements of an effective cyber security ecosystem, broadly categorized as “Process”, “Technology”, and “People”. Processes speak to the policies, structure, and procedures that we put in place to ensure that security is appropriately governed. I always advise that these processes be aligned to best practice such as ISO27001, COBIT, NIST. Technology broadly speaks to the systems, devices, technology solutions and tools deployed to prevent, detect, or respond to cyber incidents. Then, there are the “people”: those who execute the strategy, the “people” who write the processes, the “people” who manage the technology, the “people” who have to comply or flout the “processes”, the “people” who are the target of various phishing emails — phishing emails are when attackers send malicious emails designed to trick people into falling for a scam, typically, the intent is to get users to reveal financial information, system credentials, or other such sensitive data.

In fact, according to Verizon’s 2022 data breach incident report: 82% of data breaches involve a human element, including phishing and the use of stolen credentials (www.verizon.com/business/en-gb/resources/reports/dbir/). This figure is supported by further research conducted by the FBI’s Internet Crime Complaint Center (IC3), whose most recent Internet Crime Report found that phishing — including vishing (fraudulent phone calls), smishing (fraudulent text messages) and pharming (forced redirection to a fraudulent website) — is the most prevalent threat.

So, what are some ways to manage the human threat in your organizations? There are several ways, but I will focus on three in this article.

• Training your users - There is a difference between user awareness (which we do to tick compliance boxes) and training. If we had a small fire incident for example, a user who is “aware” may know where the fire extinguisher is, but they may not save the day if they do not know how to use it to put out the fire. However, the trained user not only knows where the fire extinguisher is, they also know how to use it, in order to put out the fire. Conducting a 30-minute-long generic user awareness session or e-learning is a good starting point, but that has to be a part of a more elaborate training calendar for staff of the organization on cyber risk. These trainings must be bespoke and vary for procurement, finance, legal, HR, IT, executive management and so on.

• Understand your users – We talk a lot about asset categorization, which means knowing what your high value information and low risk assets are within your organization. High value refers to systems that act as a warehouse for sensitive information, information whose compromise during a breach would have catastrophic consequences for your organization. Low value refers to systems whose compromise would not have a major impact on the targeted organization. We need to apply the same concept to people. Who are your most naïve users? Who are your high-risk users, based on empirical data? And in comparison, who are the users with access to your organization’s most sensitive systems, the users whose credentials, if stolen by a malicious user, would have severe consequences for your organization?

When it comes to cybersecurity education and training, the approach to training a user with access to your organization’s highly sensitive systems cannot be the same as the approach taken when training a user whose access is limited to non-sensitive information. Similarly, if you invest in technology which monitors the activities of your users, the level of observation cannot be the same for these two types of users. Therefore, it is vital that you properly categorize your users.

• Test the users – Simulating various cyber-attack scenarios (aka: an incident response plan) is not something to take for granted or something that can be ‘outgrown’. If you were to suffer a cyber breach today: Do your users know their role? Who should talk to the press? When speaking to the press what should be said and when should it be said? Who is to contain the issue? What is the isolation process? What is the first thing I do if I suspect that I have been hacked? Testing and running real life scenarios, without pre-informing the users being tested, will give you actual figures and data which you can then leverage into improving your cyber program.

“A chain is as strong as its weakest link”. This is a phrase that first appeared in Thomas Reid’s “Essays on the Intellectual Powers of Man,” published in 1786. At this time, there were no conversations about cyber security. Centuries later, it is the term that best describes the overall theme to managing cybersecurity risk.
Dr Fene Osakwe, Global Cyber Security Leader - Best-Selling Author


Cyber News Global’s Editor-in-chief, Elspeth Reilly, had the pleasure and honor of speaking with Carmen Marsh, CEO & co-founder of Inteligenca and President & CEO of United Cybersecurity Alliance about their organizations’ incredible work helping to close the gender gap in cybersecurity.

Elspeth Reilly: Thank you so much for speaking with Cyber News Global. Would you share with us some of the incredible work that your nonprofit, the United Cyber Security Alliance, is doing?

Carmen Marsh: Yes, there are two main programs / initiatives that I am really proud of because we have been carrying them on for close to five years now, and we have gotten some really good results.

One of them, Hundred Women and Hundred Day Cybersecurity Career Accelerator, is a tuition-free upskilling program for women. It’s a full cycle, fast-track program that really focuses on hands-on workshops. We provide industry certification training for our participants, as well as career coaching, mentorship, and study groups. We have a really great community. To date, we have upskilled 320 women, and 94% of those are already working in cybersecurity jobs – it’s a complete full cycle program.

The results are amazing. We are entering our fifth year, and we are starting a new program with a new cohort on March 20th. We have also expanded globally, one of the pilots we are working on currently is to launch this program in Japan. We are having conversations about launching a similar program with the Philippines, the UK – it would be a great program for any country.

Because this is a non-profit initiative, United Cyber Security Alliance was formed to support this program. Our students are dependent on the grants. Initially, my business partner, Paula Dube and I, started Inteligenca, which is a cyber-risk management consulting company, which is for profit. But, as we started launching our training program, it made sense to launch this non-profit as we were receiving grants from the government, and donations from philanthropists – so this non-profit makes it much easier for anyone to support and sponsor our program. We continue to grow with great successes, and with a lot of support from our local, and our global community.

The second initiative that I am proud of, The Cybersecurity Woman of the Year Awards, is also long-running – first taking place at Black Hat in Las Vegas in 2019. So, this will be our fifth year! It’s an amazing initiative, and the reason why it started, the reason why I thought it was necessary for our community is because there has always been a little bit of stigma associated with jobs in cybersecurity, as it’s a field that historically has been male dominated, which isn’t attractive to women wanting to enter the field. When you’re young and you’re thinking about your future career, you want to be in a fun and exciting environment with diversity – a career that doesn’t necessarily carry the preconception of being ‘too technical’ or, though I hate to use this word, ‘nerdy’, so it was important for me to change the perception of cybersecurity because I have been in this job, in this field, and in this community since the nineties – since the very beginning!

We didn’t even have ‘cybersecurity’ starting out, because the internet was just starting, it wasn’t widely used in the beginning. We had ‘information security’, and of course, looking at that term now, when you consider what its definition was at the beginning, ‘information security’ has grown in so many different directions, in so many unique and specialized areas – a lot has changed. Now, we have around 150 different job roles in cybersecurity and around 35 different job categories – a lot of people outside of the field don’t realize this, women included. With the Cybersecurity Women of the Year Awards, I wanted to create a spotlight for two reasons.

The first was to create role models for women of all ages. If you have any interest in cybersecurity, you need to know what kind of women are working in these roles. You need someone to relate to, you need to make the career relatable – you need to get people thinking “look at these amazing women, their incredible achievements – I can do that.”

And that’s really what my goal was with these awards: to get these role models in the media, highlighting everything that they do because then others will say “Okay, wow. She’s brilliant, she’s beautiful, she’s elegant and she’s technical.” You can be all of these things – It’s not one or the other. If you want to work in cybersecurity, you can be whoever you are. You don’t have to change and become somebody who fits the preconception of “cybersecurity expert” – hoodie, colorful hair, tattoos – you don’t have to. You can if you want to, but you don’t have to.

I also wanted to make the awards glamorous in order to showcase that cybersecurity is more than its preconception, so we said: “let’s do a gala!” There was a 50/50 chance that the theme would be well received; cybersecurity is more of a technical community, day to day we are more jeans and t-shirts kind of people. The reception was incredible! It was a night celebrating talented women and celebrating in style – evening gowns everywhere! It was one of the best parties. Beyond that, it was heartwarming: we can look however we want, make-up or no make-up, dressed-up or casual – no matter what, we can be super, we can be dynamic, we can be hackers.

The inaugural Cybersecurity Women of the Year Awards was a success! Now, as we near our fifth year, we have become global. Candidates from over 50 countries have been nominated for awards. It’s wonderful to see as well, that large tech companies like Microsoft, Intel, Dell, are incredibly supportive of our event and sponsor it every year. I’m happy I took the risk! It’s paying off in more ways than one: not only do women in the industry have an opportunity to be celebrated, in fact, the celebration of the award winners carries on beyond the night itself – they advance in their careers, gain more traction in the industry overall, thereby, shining a greater light on women in the industry – and women outside of the industry are gaining a greater interest now that they have role models to look to. It’s a win-win for everyone.

Elspeth Reilly: The Cybersecurity Woman of the Year Awards has provided women in the field an incredible opportunity to be celebrated not only for being titans of the industry, but to also showcase the multiplicity of cybersecurity. Showcasing and celebrating people from all different backgrounds is vital, especially in an industry where, as you mentioned, people are often pigeon-holed into a certain “look”.

Carmen Marsh: Absolutely. And of course, people often only see the ‘technical’ side of cybersecurity – it’s not only technical! That’s why our program, one thing that our program, Hundred Women and Hundred Day Cybersecurity Career Accelerator has two different paths.

We specifically designed our curriculum to have non-technical and technical routes. Non-technical is really prepping our participants for jobs, for example, in project management cybersecurity, account executive, marketing. There are so many jobs that are related to cybersecurity that aren’t technical.

When someone is first enrolled into our program, we ask: “what is your interest?” Everyone is unique and we see equal interest in both. It’s important to highlight that not all cybersecurity jobs are technical, because not everyone who is interested in cybersecurity is interested in the technical side of the operations.

Elspeth Reilly: That’s a great point – There is a big misconception that knowing how to code is necessary if you want to work in cybersecurity. To combat against these misconceptions, it is crucial that people know that there are other avenues into cybersecurity, beyond the technical route.

Carmen Marsh: Absolutely, and for our program we don’t require a college degree because we know that cybersecurity can be upskilled. Or, if you do have a college degree but it’s in a field that’s “unrelated” – it doesn’t matter. We have had tremendous success from women in our program who were hairstylists, medical billers, Uber drivers – women who decided they wanted to upgrade their careers, upgrade their lives. They didn’t have a technical background because they didn’t need one.

If we want to close the gender gap in cybersecurity, we need to promote opportunities for women which showcase that there are ways into the industry which don’t require a technical background, a college degree in a related study, or even a college degree at all. There are ways for you into the industry, and you can be successful.

Elspeth Reilly: Your program provides incredible opportunities to women interested in cybersecurity – do you have any advice for young women just starting to find their interest in cybersecurity?

Carmen Marsh: It’s tricky because there’s a lot of information and resources available – so many that it can be overwhelming.

Elspeth Reilly: You’ll be speaking at GISEC soon – your second time! How has your experience been in the Middle East, at GISEC, and what’re you looking forward to?

Carmen Marsh: Last November, I travelled to Saudi Arabia to speak at Black Hat, and something that really stood out to me was the amazing women in the Middle East, their incredible kindness, and the support that they have for each other.

The women who attended all have a chat group on WhatsApp, and the amount of support that is shown for one another, is just incredible to see: smiles, hearts, flowers are constantly flying across the screen – it is true support. In this industry, there’s a lot of competition, and it’s good to be competitive, but not at the expense of others. It is always better to support one another, to lift each other up. We have to be together, it’s not one or the other – there’s plenty of opportunities, and success to go around for everyone. Let’s elevate each other, let’s empower each other, let’s support each other. My experience in the Middle East was a perfect example of that goodwill. I had a very similar experience in Dubai when I was there last March for GISEC, and this will be my second time getting to have this heartwarming and empowering experience with women in the Middle East.

We are hoping to have the opportunity to launch our Hundred Women and Hundred Day Cybersecurity Career Accelerator in Saudi Arabia, in Dubai, and elsewhere in the Middle East.

GISEC is an incredible platform, and it’s wonderful to be there with amazing women from around the world – global women coming together to share their experiences and their points of view.

Elspeth Reilly: Events like GISEC are so important because it’s vital to have the global community come together to collaborate. In the end, we all need to work together to combat the cyber threat landscape.

Carmen Marsh: Exactly, and that’s the mission and vision for the United Cybersecurity Alliance. Everything we do is to bring the global cybersecurity community together: to collaborate, share knowledge, and help one another build global resilience because we are strongest together.


The Future Belongs to The Curious

Cyber News Global Editor-in-Chief, Elspeth Reilly, had the pleasure and honour of sitting down with David Colombo who first gained notoriety as the Tesla Hacker when he ethically, and with the permission of several Tesla vehicle owners around the world, hacked into their cars’ systems to demonstrate the holes in Tesla’s cybersecurity measures. Now he travels the world as a consultant, keynote speaker, and as a champion of cybersecurity awareness and education.

What was your main motivation behind your initial investigation into Tesla?

David Colombo: It was only curiosity – that’s what kick started my career in technology. I got my first laptop for my tenth birthday – “how does this work?”. So, curiosity got me started, and it is the same thing that led to the Tesla story.

Because I was thinking about how all these cars are now fully connected. If we go back 80 years, there was no technology in a car — it wasn’t a digital car. Then, we had cars with some interfaces like Wi-Fi, TSM (Trailer Sway Mitigation), and cameras. Now we are connecting those cars to so much more, they’re now connected to other cars, to smart roads, to traffic lights, but all of them also communicate back to the manufacturer.

Traditionally if we look at how cars are being hacked, it’s one car and one hacker that is near that car, attacking local attack surfaces. It got me thinking, why should someone just be near that one car, attack that one car?

If all those cars now constantly communicate back to the manufacturer, someone would be able to [access that communication] route, and they would be able to control multiple cars around the world — completely remotely. So, that was a thought I had in the back of my mind.

That thought led to “How does it work now?”, “How do those cars communicate?”, “What interfaces are there?”, “What does the backend infrastructure look like?”

I’m a Tesla fan myself because it’s an iPad on wheels, right? So, I was just trying to figure out how it all works, I didn’t even think I would find anything — I didn’t even think about hacking anything. I just wanted to understand how the infrastructure works, how the communication works, what it all looks like. Then I came across a few red flags when doing that investigation.

It’s remarkable that this investigation was spurred on purely by curiosity, but it led to this great discovery, a gap in their technology. You mention that everything began on your 10th birthday when you received your first laptop, was this what ignited your interest in cyber? Opening your first laptop opened a whole new world for you?

David Colombo: Exactly. At first it was only coding because I was curious “how does it work?” It’s not magic, it’s only technology so somehow it must work.

Then, I figured out that I’m growing up in the best time ever because I can leverage technology to learn about how it works. You can just open Google and learn about all these things – I thought that was just wonderful. Then I figured out that everything is code, and so I thought that I better start with coding because that’s how all of these things are built.

So, I really started my tech journey back then with only coding, understanding how it works, then building all of these things: building websites, building apps, and it’s really cool if you’re an eleven-year-old and you can run your own apps and say, “I made this!” That was really fascinating.

My interest in Cybersecurity came two or three years later when I discovered my first vulnerability. I was coding, understanding the basics, and then I came across my first vulnerability, and I thought “this is super interesting, now I can do things I shouldn’t be able to do.” And on one hand, it’s cool to learn about cybersecurity and hacking and all of these things. But on the other hand, you can already see that cybersecurity is going to be one of the most pressing challenges moving forward when we digitalize our whole lives; starting with smart homes, autonomous cars, even creating infrastructure that is fully digital. So, that really grabbed my attention and my passion; I spent like all my time on it, even though school was the next day — I didn’t care, I would be awake until 4:00 in the morning, sitting in front of my screen, coding and tagging.


It’s very clear that this is your passion, and it’s incredible that you developed it at such a young age. You said earlier that we’re living in a digital world, and it’s only going to get more and more connected —how do you think we should get the younger generation more interested in cybersecurity?

David Colombo: We need to show it to them. That’s the only thing we have to do. Cybersecurity itself is such a fascinating field. It’s really interesting, and there are so many cool things happening, but not too many people know about them. People always ask me: how do we make the defensive part of cybersecurity cool? Of course, hacking into something is cool, but how do we make the defensive part cool? And I’m thinking, what do you mean make it cool? It is cool. We just need to get it out there and show it to people, right?

You’re incredibly passionate about cybersecurity and technology! I read an article which mentioned that you and your father protested to allow you to attend school for only two days a week, was this so that you could better pursue these passions?

David Colombo: Definitely. So, that was what followed. Now I was into cyber security, I was spending all my time on it. Two, three years in, I was sitting in school in Germany, 10th grade, and I asked myself, “why should I sit here in Latin, if I could be out there helping to protect those organizations?” So, I decided I have to quit school. For me, it wasn’t even a question. What is going to be more important within the next decade? Cybersecurity or Latin, right? “I have to get out of this.” According to German law, you have to go to school until you’re 18.

I was thinking that if there’s a bug in my code, I don’t sit back and relax — I get into it and I fix it. So, I was trying to apply the same principle to my schooling until I found someone at the Chairman Chamber of Commerce who understood what I was saying.

I lived in the middle of nowhere, about 200 people in the town. So, he was driving out there, and it took him like two hours to get there, just to speak with me and to take a look at what I’m doing. Then, we finally got that special permission [which allowed me] to only go to school one or two days a week and use the rest of my time to further go ahead with my pursuit of cybersecurity.

For example, if hospitals are getting attacked from cyber threats and we have an incident response team rushing to the hospital defending against the attack and figuring out what happened — we just need to show that all of these exciting things are happening to the younger generations to ignite their interest. Once we are able to ignite it and spark it up, it’s going to be their passion!

Absolutely, it all comes down to education and awareness. You bring up an interesting point about hospitals getting attacked. It’s a great example to shed a light on because being the good guy in that situation is cool, and it is exciting, and it’s great to be able to help people, to step in, and to block those attacks from occurring. We have to demonstrate that cyber resilience is exciting.

David Colombo: Exactly. We also must show these young people who have extraordinary skills where to go, where they can prove themselves — we need to guide them to where they can actually use their skills for good. We need to talk about bounty programs, or about Capture The Flag (CTF) events where they’re able to prove their skills and be in a great community rather than going to the dark side of cyber. If we go back to when I started in cybersecurity, there was not much available. That is something that luckily is changing now. If we take a look at HackerOne and Bugcrowd and CTF events, these opportunities are happening, but we need to direct people towards them and show them; there are places for them if they have exceptional skills, if they’re interested in the topic, there are ways to test their skills, to prove their skills in an environment where it’s safe and where it’s legal.

That’s an excellent point — it’s vital to not only create opportunities for people, and especially younger people, to be able to utilise their skills and expertise, but to broadcast them effectively so that people know such opportunities exist. Speaking about the future generations: what do you think personally is the future of cyber, and how is it in turn going to affect the cyber threat landscape?

David Colombo: Cyber is definitely going to continue to grow as an industry, with a lot more focus on the cyber-physical things that we are connecting. We are now talking about building Smart Cities. Who’s going to secure them? If you go on LinkedIn right now and you want to find Smart City security engineers — it doesn’t exist yet. We are going to see a lot of automation, but automation can only do so much; it can’t replace a human because cybersecurity is such a complex topic. Because of this, we need a lot more people in the workforce.

We need to start tackling the 3.5 million unfilled cybersecurity positions. It boils down to accessibility.

People don’t see these opportunities and so they don’t get access to them. That’s what we need to change to bring it to the attention of a lot more people, show those pathways, get them into the field. Because every major enterprise is searching for cyber security experts.

I was recently in Germany’s Business newspaper Handelsblatt where there was an article saying that “we are at the breaking point.” In Germany, a lot of organizations are getting hacked and of course, they need to call up cyber security companies to help them recover. But a lot of the time now when they call up these cyber security companies, these companies tell them “Sorry, we don’t have the capacity to help you.” Which is creating major issues for those organizations in need. So, across the board, whether on the offensive side or on the defensive side, we need experts.

Also, when developing cybersecurity capabilities, something that I always like to point out is that I don’t even have a Tesla myself, so if you have cybersecurity researchers that are really eager to learn automotive cybersecurity, where do they do it?

How many people have the ability to buy a $70,000 car and risk breaking it while doing their research? We need to create environments where we give people access to these systems.


How did this get SO BAD?

Everybody has heard about cyberattacks. No industry, country or size of organization is spared from hacking. Being compliant does not seem to prevent breaches, and companies that invest massively still have incidents. The situation has reached a point where even insurance companies don’t want to cover cyber policies anymore, since the risk for them is simply too high.

How did this get so bad? And what can we do to have an effective protection?

ZENDATA has been fighting cybercrime for more than 10 years, and the secret of our success is in our way of collaborating with top management in a rational and pragmatic way that aligns our mission with the business objectives of the organization. “Companies and government are tired of vendors that promise a tool that is going to magically block all the cyberattacks, but eventually fails. Managers don’t trust the cybersecurity industry and believe we are failing our mission. This is the trend I am fighting to change,” says Isabelle Meyer, Chief International Officer of ZENDATA, who committed herself to educating and accompanying executives from diverse industries on how to approach their cyber protection.

Alternative: There is no silver bullet. The company’s ability to maintain a delicate balance between their risk profile and risk tolerance, while also investing in the right technology and promoting employee awareness, is essential for ensuring the uninterrupted continuity of their business operations.

At ZENDATA, we are making it our mission to protect businesses from these growing cyber security threats. We have a proven track record of success, starting from a humble beginning in a garage to now working with law enforcement, Interpol, and States. Our team of passionate engineers is always growing and learning, constantly challenging us and our clients to achieve the level of excellence that is needed in today’s fast-paced digital landscape.

The opening of our first office in the UAE two years ago was eye-opening. We realized that our approach was very innovative and unique. People asked us how we made it, since there is so much competition in the market. At the end of the day, when you are truly passionate and want to take the time to transfer knowledge and help a country grow from within, you can always transmit this craving. The UAE, to add to the equation, has this desire for growth and knowledge. The leadership is highly motivated to learn about experiences and realizations. Most importantly, they take action and implement a real baseline of cyber security because they understand how crucial it is.

We understand that every client is unique, and we tailor our services to meet their specific needs. Our complete, fully managed MSSP 360 cyber protection through our Security Operation Center (“SOC”), using over 35 tools, full audit, based on operational risks and exposures (not on compliance) and our own ZENDATA vulnerability assessment dashboard, pen tests, and red teaming, are just some of the services we offer. We also provide consultancy services and are the cyber expert in terms of CYBER Operational Technology services, the protection of operational technology infrastructure, people, and data, for the Switzerland highways.

In addition to our expertise and reliability, we prioritize partnership with law enforcement agencies to ensure that cyber security is the responsibility of everyone. We have worked on hundreds of incident responses, including targeted ransomware attacks for public and private entities. We share our threat intelligence on a pro bono basis to help prevent cyberattacks and are one of the most important providers of Open Source services, working with the three largest threat intelligence companies in the world.

Cyber Security should not be just for specialists; the role of defender applies to everyone. It has now become a social responsibility. In order to translate this important implication, ZENDATA has its own TV shows on National TV in Switzerland and appears on a weekly basis in the media. “Awareness is key, and being able to vulgarize for everyone, the continuing growing threats and the cyber-criminal organization, in order to properly defend ourselves”, says Mrs Meyer. We make it our mission to have a social impact on what has today become companies’ biggest risk. As the World Economic Forum called for in its latest report, we all need to be defenders against the “Cyber Storm”. ZENDATA is not just a commercial enterprise but also a responsible corporate citizen.

In conclusion, ZENDATA’s story is a testament to the power of perseverance, innovation, and collaboration. By thinking outside the box and always putting its client’s needs first, the company has established itself as a gamechanger in the cybersecurity landscape of the Middle East. The company’s mission statement says, “Don’t be the next one.” Act now and partner with ZENDATA to protect your business from growing cybersecurity threats. With its track record of excellence, trust, and reliability, you can rest assured that your business is in safe hands.


What the CISO says

Start the conversation, don’t delegate it!

As a team of Virtual Chief Information Security Officers (vCISO) and supporting cyber security and data privacy specialists, we deal with a diverse array of organisations across Asia-Pacific, Europe and the USA, from very small, to enterprise and government entities. While no two organisations are the same, the challenges with implementing cyber programs and the requirements to establish a fundamental baseline of cyber protections and readiness are consistent, regardless of location, regulation, language, or industry sector.

Getting the fundamentals in place provides all organisations the framework from which to build business resilience, but more importantly, it provides the cyber controls and confidence that enable the business to grow and achieve its vision.

But the ‘fundamentals’ we are talking about here are not the traditional security controls around people, process and technology. The ‘fundamentals’ discussed here are readiness activities all businesses can take to ensure the best possible outcomes for the long term.

From our collective experience across the global team, here are the 4 simple and effective things all businesses - and most importantly, the business leaders - can do, to establish the foundations of a robust, efficient, and effective security posture.

1. Start the conversation, don’t delegate it.

As a business leader, you may not have deep knowledge of cyber security. The reality is, not many do - even the ‘experts’ have their domains of expertise and gaps in deep knowledge of other domains. Cyber is a complex, broad, and constantly evolving business operation. Delegating it means business leaders will lack understanding and either delay progress as a result or provide inadequate direction to the real business risks that need addressing.

Simply starting, driving, and being a key voice in the conversation with support from subject matter experts will provide faster execution, more focussed improvements and, importantly, the most efficient investment for the best returns.

2. Know what you have and where it is.

You may hear terms like ‘asset registers’ and ‘information assets’ which, to the industry insider are common and understood terms, but have little meaning to the outsider. Unfortunately, industry jargon often complicates what is not a complex task – it’s a task that takes time but doesn’t require the skills of 20 year industry veterans with a list of certificates and postnominals after their name.

Understand what you have and where it is – what websites are your employees logging into to execute their jobs, what software has been installed on devices, and what devices have been issued and to whom. A simple spreadsheet of these ‘assets’ opens a very simple ‘what can go wrong’ discussion that will lead even the least technical executives down an understood path of risk evaluation, leading to clearer decisions on what we need to protect, but more importantly ‘why’ we need to protect it.

3. Raise awareness and build confidence.

Hiding, or at the least not elevating cyber discussions to the broader company and stakeholders relegates cyber to the ‘unimportant’ basket. It also creates a perception of negativity, which leads to individuals hiding mistakes, small issues becoming large issues, and a culture of blame, denial, and excuse.

Extending on point 1 above, elevate the conversation throughout the company to raise the awareness. But it goes beyond a subject matter expert, or the head of IT simply reminding everyone of the threat. Embed security near-misses, human errors, and real incidents into regular team meetings – call out proactive behaviours where a malicious email has been detected by a team member and allow individuals to own minor errors without recrimination. By raising awareness, and empowering teams to interact on day-to-day cyber matters, you build a more positive and resilient culture that will enable effective response to the more serious incidents.

4. Write down your response plan, and test it regularly.

Hoping you don’t have a breach is not a strategy. Not knowing you have had a breach is a big problem. Not having a tried and tested game plan for dealing with the inevitable incident is even worse. Incident response plans do not need to be 100-page theses. They need to be clear, concise, and effective. Without one, you will spend three times longer and possibly many more times in cost, responding to and recovering from an incident.

Developing a simple, understandable, document that clearly outlines what to do when an incident occurs is critical. But it will only be effective if you test that process regularly – firstly to assess where it may fail to work in a real incident, but more importantly to train those individuals involved in the response on their roles. So, when the time comes, everyone knows what they need to do, when, and how their role contributes to, and supports, the broader team.

Cyber security is a complex business matter. As a vCISO, one needs to navigate complex organisations to support continual improvement. To do this, they are reliant on senior management taking a leading role to influence engagement to support the investment a company has made. Proactively owning the conversation, having a broad understanding of the landscape, and encouraging openness while having a clear plan for dealing with the inevitable will set up the foundations to ensure any organisation, in any industry or country, and of any size, can build effective and sustainable resilience.

Alex Woerndle is Co-Founder and Director of MyEmpire Group, a specialist cybersecurity company focussing on security teams, security management and vCISO capabilities, with operations in Australia and the United Kingdom, servicing the APAC and EMEA regions respectively.

WiCSME’s Journey in the Arab Region: Increasing women participation in Cyber Security

Women in Cyber Security Middle East (WiCSME) was founded in April 2018 as a volunteer group to build a robust, and dependable network of passionate female cyber security professionals in the Middle East and North African (MENA) countries, and eventually, increase the percentage of women in the workforce and encourage more female leadership in cyber security in the region.

The group has grown from 9 founding members to over 2000 members from 23 countries. These members, whilst being on the move, are deeply connected with the regional culture, and societal values, which makes it uniquely family-like.

WiCSME has a number of key capacity building initiatives, all of which were firsts in MENA. WiCSME Annual Conferences reflect on and celebrate the success of these initiatives. These Annual Conferences began as a virtual event in 2020 and then continued in 2021 and 2022 as hybrid events, with the onsite conferences being held in Saudi Arabia and Oman, respectively.

The WiCSME Annual Conferences are based on 3 key pillars:

1. Create Opportunity for Hands-on Learning through the WiCSME Capture the Flag (CTF) competition.

This is a 24-hour live hacking competition where one of the critical criteria to participate is having at least one female player on the team. From 2020 to 2022, we saw a growth in women’s participation in the CTF. The CTF saw a manifold increase year on year, beginning with 35% of 380 participants in 2020 to 50% of 790 female CTF players in 2022.

2. Showcase Knowledge through multiple knowledge sessions.

The two-day Annual Conference provides an opportunity for the women in the region to share the stage with many internationally successful and inspiring women, thereby not only unveiling the wealth of knowledge held by these regional talents, but also providing the much-needed platform to practice and motivate themselves to continue acting at world class.

3. Acknowledge and celebrate the female cyber jewels through the WiCSME Annual Awards.

It is a formal way of recognizing, showcasing and appreciating the unique capabilities and contribution of women in cyber security in their capacities as rising stars, leaders in the field, or contributors to broader communities. Since the start of these awards, we have felt a tremendous increase in the confidence of our members, transforming from followers to leaders and contributing back to the community in their own unique ways.

These speak for the impact that WiCSME is making while recognizing the challenges that we often face in the regional setup. We have experienced historical moments by establishing a platform for our sisters in the region which is fuelled by respect, openness to ideas, constructive feedback and a passion to strive for excellence.

In 2022 we saw WiCSME evolving as a visible contributor in national and international cybersecurity leadership, such as Expo Dubai and the United Nations’ OEWG (Open Ended Working Group). It was in the United Nations’ OEWG where WiCSME leadership, represented by Dr. Reem Al Shammari, first boldly talked about our success so far and the dream of creating a United Nations of women in cybersecurity, creating a sustainable and secure future for generations to come.

www.womenincybersecurity.me

WiCSME continues to break barriers and achieve new records. We are creating history, delivering by example that, with the right minds connecting with the right vision, fuelled by passion, things can change for the better. We are also proud to mention that in this region, we have support of the best allies in the industry:

• various government organizations

• other global women in cyber organizations

• male allies

• many leading cybersecurity event organizers

They believe in WiCSME’s mission and support us as we try to find bigger and better ways of changing the norms of the future. WiCSME is now an active contributor in many leading cybersecurity events, providing the channel for its members to showcase their expertise and contribution in this industry. In 2022, the Middle East saw the highest numbers of female speakers in international events being held in the region, such as RSA Conference and Black Hat Middle East.

This is living proof that WiCSME is a multiplier. The members now have a network and safety net of like-minded women to lean on and grow together. We continue to collaborate with public and private organizations, government, academia, and community programs. We hope that there will be a day when we will have the United Nations of Women in Cybersecurity, uniting all the tremendous efforts of all women in cybersecurity groups around the globe to collectively support us in achieving the mission. As with the recent events of layoffs in the tech companies, we, together with other Women in Cybersecurity groups globally, need to work hand in hand to continuously engage, motivate, and inspire the women to stay stronger together, and remain consistently committed to this advocacy.

We were committed to start and now we need to be consistent to finish

Quantum Computing

HOW TO MITIGATE THE EFFECTS OF QUANTUM COMPUTING ON BUSINESS DATA SECURITY


A quantum computing future promises to provide answers to our most complicated questions by solving complex problems at extreme speeds. Businesses will experience significant improvements in efficiency and operational costs, improved cybersecurity, and significantly improved machine learning and AI. However, the same technology that will lead to these advancements in AI as well as eradicate cancer, provide clean energy, and increase optimization will take today’s encrypted data and decrypt it in minutes, exposing sensitive business information.

Data security should be front and center for businesses today. Unfortunately, it’s often an afterthought that exposes businesses to costly data breaches. Cybersecurity has long been an expensive challenge for businesses. Estimates put the cost of cybersecurity damages at $6 trillion annually by 2021. With the coming threat of quantum computing, those costs could skyrocket.

Today, the energy sector, healthcare, and global infrastructure are all at risk from malicious actors that seek to take advantage of vulnerable access points. To be proactive in their security protocols, organizations should attempt to identify any weak areas of their systems that may be targeted by those who plan to steal sensitive information or disrupt operations for personal gain.

Unfortunately, today’s businesses are not always properly equipped with the means to do this and as a result, direct losses due to ransomware attacks are predicted to exceed $265 billion by 2031.

Dragonchain offers businesses six tools to secure their business systems from today’s bad actors and be ready for when quantum computing goes mainstream.

Cybersecurity Solutions Now and for the Future

Dragonchain takes an architectural approach to security by leveraging a platform of blockchains and advanced capabilities to secure business data. We offer businesses a combination of data segregation, data mirroring, disaster recovery systems, embedded quantum encryption, smart contract gated data access, and an advanced identity system to mitigate the risks of sensitive information being exposed or captured by unauthorized parties. This is the holistic approach businesses must take to reinforce vulnerable access points both inside and outside of their organizations to stay ahead of bad actors.

Data Segregation

Dragonchain offers a hybrid blockchain to mitigate risks associated with data breaches. Sensitive data is secured at the business level where the business can selectively choose what data to distribute and to whom. Since sensitive data from every transaction remains with the business, it limits the attack vectors during the verification process. Only proof of the data is sent for decentralized verification leaving the private and proprietary data secured by the business and reducing the risks associated with exchanging unnecessary data. This type of data segregation allows the system to be GDPR, CCPA, and HIPAA compatible and safeguards personally identifiable information (PII) from end to end.

Data Mirroring and Disaster Recovery

Dragonchain offers a data mirroring and disaster recovery system for immutable proof of the state of data at any point in time and allows an organization to automate data integrity verification and restoration. This allows a customizable approach to let the business have the assurance that their data is safe even if an attacker compromises their systems or requests a ransom to return or decrypt stolen system data.

Embedded Quantum Encryption

We already know data segregation helps to limit the amount of data being exposed (with or without permission). With the use of polymorphic RNG-based quantum encryption and signing capabilities integrated at the core of our hybrid blockchain architecture, an enterprise can secure its sensitive data with strong and efficient quantum-safe encryption at rest and in motion.

If the unthinkable were to happen and a data breach were to occur the business could still provide proof of data states so that users of said data would know it’s been compromised. Through the use of our patented interoperability technology, businesses can use our proprietary quantum encryption technology or they can integrate their preferred method, including a combination of encryption methods.

Smart Contract Gated Data Access

Smart Contract Gated Data Access requires users to access all create, read, update, and delete (CRUD) data through the use of smart contracts. Every access event is on-chain and includes full authentication and authorization capabilities. Access controls are flexible and can be either key based or use a traditional authentication process. These smart contracts can stipulate who is allowed to access the data, what criteria they must meet if any, and what operations are allowed to them.

Advanced Identity

Advanced Identity for Businesses and Organizations

Businesses and organizations will find enormous protection against internal and external data breaches with the use of an advanced identity system. By removing the storage of sensitive information, the system can decrease the risks and liabilities that routinely come with a breach of identifying data.

Advanced identity systems also allow businesses to streamline Know Your Customer (KYC) and Anti-Money Laundering (AML) procedures to prove anti-fraud and regulatory compliance.

Advanced Identity for Internet of Things (IoT) and AI

With the sheer number of IoT devices in use today and AI quickly becoming a reality, proof of identity for every digital device is crucial. Any connected device offers an open vector for bad actors to access sensitive information. Advanced identity technology can be used to prove any digital device is as claimed, thereby limiting fraudulent devices from being used to gain access to connected systems.

Human Behavior Marketplace AI

In the end, sometimes it comes down to human behavior. Dragonchain leverages human behavior to incentivize employees and partners to follow a workflow process such as security best practices. The system can combat organizational and team inefficiencies and improve data integrity.

Additionally, we offer a comprehensive system to identify and protect against insider threats such as sabotage, fraud, intellectual property theft, espionage, and other externally sourced manipulation of behavior.

Combined with Dragonchain’s patented interoperability and patented scalability technology these tools allow businesses to capture and secure copious amounts of data with already in use business systems and IT personnel to provide on-chain proof of every (CRUD) operation.

Every transaction recorded on-chain comes with measurable proof of immutability and allows businesses to retroactively access historical data that they may not have thought important at the time it was recorded and gives businesses the ability to prove every data interaction and verify a complete chain of custody on all data items and events.

Overall, the negative effects of quantum computing on businesses are not insignificant, but they are not insurmountable either. As with any new technology, there are risks and challenges that businesses must navigate. By understanding these risks and taking steps to mitigate them, businesses can harness the power of quantum computing for data integrity and gain a competitive edge in their industry.

By Amanda Prelich, Dragonchain, America’s Blockchain
The Most Secure and Flexible Blockchain Platform on Earth Dragonchain is an enterprise and start up ready platform to build flexible and scalable blockchain applications. Find out more at: dragonchain.com

CYBERSECURITY TRENDS that will drive change in 2023 and beyond

Today, many conversations about cybersecurity focus primarily on information technology (IT) systems rather than operational technology (OT) environments. OT environments that control, monitor and actuate processes, equipment and operational environments are often overlooked, but they are just as important to security.

The number of cyberattacks on critical infrastructures, globally, is cause for concern. For example, in 2022, Costa Rica was the first country to declare a state of emergency after a cyberattack on the Ministry of Finance and Social Security Fund. The UK is not immune to these threats, with cyber threats to the UK’s critical national infrastructure (CNI) highlighted as a concern in the National Cyber Strategy 2022.

Given the potentially exploitable nature of OT systems, it is imperative that private and public bodies look ahead and consider whether they’re deploying the right strategies to best protect their systems. A new avenue for disruption, one that is the least protected and newly exploitable, is OT. This threat landscape will continue to evolve as more and more OT systems converge in an increasingly connected Internet of Things (IoT) environment.

Digitalisation enabling attacks

Digitalisation is playing a significant role in the built environment. Building systems are becoming increasingly digitalised, with power management, fire protection, access control, and visitor tracking enabling interconnectedness via IoT.

Whilst these new technologies have an array of benefits, they are susceptible to cyberattacks if security leaders do not take necessary precautions to protect OT systems from bad actors. Smart building technologies often fall short of OT environment cybersecurity best practices, creating weak spots that can open a back door to attackers. The historic mindset of protecting building management and other control systems by air-gapping them from the internet is no longer effective.

Attacks on critical infrastructure like data centres or transportation hubs have the potential to cause significant issues if vital systems are infiltrated and essential services disrupted. Malicious actors can gain access to sensitive information such as patient records or communication systems in airports. With increasing cyber threats, tougher regulations and complex control systems, facilities need a simple, centralised way to administer enterprise-wide cybersecurity that encompasses both OT and IT systems.

Cybersecure OT technologies

Today, there remains a widespread lack of understanding of how to securely digitalise and employ new technologies. As organisations look towards a more digitised future, OT and IT environments continue to merge. This movement towards a more connected enterprise coincides with an increase in cyberattacks whereby the UK, alone, experienced a 77 percent increase in 2022, compared to 2021. As such, it is imperative that cybersecurity becomes foundational to the design of digitalised OT systems, given that the consequences of a cyberattack on an OT system can be much graver than a breach of personal information.

Luckily, the development of new technology within the OT ecosystem will start with considerations of how to make it secure; it will no longer be retrofitted as an afterthought. As digital transformation continues, engineers and product development teams will increasingly take a ‘security and privacy by design’ approach.

AI will become the lynchpin to improve OT cyber defenses

The agility and self-learning capacity of artificial intelligence, including both machine and deep learning, will increasingly make next-generation technologies indispensable to cybersecurity, whether we are using AI to detect emerging threats via deep learning or AI-based deception that provides the ability to lead attackers away from critical assets.

As threat actors continue to learn how to exploit new vulnerabilities in OT systems, the need for AI-enabled defenses that can quickly identify exposure and prevent or mitigate breaches will be paramount to protecting our most critical assets.

A cybersecure future

As organisations are looking towards an increasingly connected OT environment, there are many vulnerabilities that should be taken into consideration. The benefits of smart building technologies also far outweigh the negatives. Embracing these technologies and protecting organisations from cyber threats is possible and companies can, in fact, do both.

Mirel is the VPGM / Head of Cybersecurity for Honeywell Building Technologies (HBT).

Having spent over a decade embedded across varying domains Mirel has global experience leading from the front in engineering, operations, marketing and sales disciplines.

Employing a strategic mindset at all times, Mirel focuses on fast paced innovation by developing talent and building a high-performance team culture. Embracing challenges head on, Mirel carries a proven track record of managing diverse teams in highly matricized global organizations while navigating ambiguity to steer toward clear measurable, repeatable, scalable objectives.

Most recently, Mirel is dedicated to addressing challenges, driving new breakthrough growth opportunities, capabilities, efficiencies and promoting best practice excellence across the ever-changing IT / Operational Technology (OT) Cyber Security landscape.

Mirel believes in using simple methods to distill complex topics in order to educate, empower and enable teams to integrate emerging technologies across Digital Operations (Cloud, AI), ICT and Cyber Security.

Honeywell is a Fortune 100 company that invents and manufactures technologies to address tough challenges linked to global macrotrends such as safety, security, and energy.

Find out more at www.honeywell.com


Protecting Operational Technology – an Industry View

There is a growing perception that Operational Technology is the next big focus area for cyber security. Certainly, the incidence of attacks seems to be increasing, although reporting is still low. Moreover, World events such as the war in Ukraine and its associated energy conflict have concentrated minds on industrial security as the Global situation becomes less stable, and the boundary between state intervention and criminality becomes increasingly blurred.

The huge potential for ransom, extortion and economic disruption now seems clearer than ever. The Energy Sector in particular looks like a great target, but it is the indiscriminate nature of many forms of malware which is perhaps most worrying: there is no need to be targeted in order to become a victim and many successful attacks can be seen as a form of collateral damage which was never envisaged by the initiator. These forms of malware can be seen as hybrids of weapons and contagions – analogous to biological warfare in some ways. Add OT security’s implications for safety and the environment, and it is easy to see why it is attracting attention. But what are companies doing about this? What are we seeing as industry, and the Energy Sector in particular, tries to adapt to a changing threat landscape?

Firstly, we need to understand that we are dealing with commercial entities here. Companies exist to create value and sit within complex ecosystems, with multiple threats and a host of conflicting drivers. Government entities are subject to many of the same pressures. Quantifying the risk and consequences of attack, and the benefits of security investment in terms of value and ROI, is difficult. Perhaps the most obvious driver is the operational cost inherent in increased ‘downtime’ due to cyber attack, but many industries are still on the road to truly data-driven operations, may be subject to other factors such as weather in offshore operations, and significant downtime is often seen as a fact of life. Reputation, and the consequences for share price, would be another significant driver, but it is really where this starts to overlap with some form of licence to operate, backed by Government regulation and enforcement, that we are seeing most traction for what can otherwise seem like an intangible issue. Add in safety and the environment, for instance in the Health and Safety Executive’s enforcement of the Network and Information Systems Regulation in the Energy Sector, and we move to a much more tangible imperative.


So, given increasingly effective industry drivers, what are the issues? We tend to see cyber security as a technical activity, but the first issue we encounter in most situations is governance. Put simply, who is responsible for OT security? It may be that the IT Department has ended up with the lead – either explicitly or by association. Alternatively, the integrator or OEM might be assumed to have this role, or perhaps it is Operations or Engineering. Sometimes different elements have responsibility for different OT networks at a single site – a difficult situation for the Duty Holder to manage, especially where the supply chain introduces extra vulnerabilities. Either way, we would suggest that clarity of roles and responsibilities – and associated resourcing – is a necessary precursor to technical intervention.

On the technical level, from what we see, it is fair to say that there is a lot of work to do. The issues set out above, along with the prevalence of aging equipment connected in ways that weren’t originally intended, and not fully patched or patchable, have left us with a matrix of vulnerabilities: essentially a large and complex attack surface. Key issues would be asset and vulnerability discovery, network visibility and alerting, network segregation and event response – but there are several others, all underpinned by personnel awareness and training, and with an underlying issue to do with insecure network architectures. Having scoped the problem, we seem to have encountered a bow wave of work which runs the risk of pushing OT security from the ‘not understood’ pile to the ‘too difficult’ pile.

How to move forward against this difficult backdrop? Well, wicked problems must be addressed by teams, not individuals. In this case, the team must include operators, license holders, cyber security companies, integrators and the supply chain – to name but a few. Our military background tells us that the most important element in any team is trust, so that is where we must start. Building trust won’t be easy in an attractive industry with many new entrants at various levels of competence and where ‘vendor fatigue’ has taken hold, but it is essential if we are to make progress against increasing threats.

However, even given the right relationships, we simply don’t have enough qualified people and simply increasing the training pipeline won’t generate the right level of industry experience. This is where technology has to come in. Processes such as asset discovery, segregation, alert response, compliance tracking and training need to be increasingly automated: not taking the humans out of the loop, but putting them in control. Trust will be a factor again here – interventions in OT networks must be safe and there is too much loose talk of AI. Legacy systems will need particular attention, especially those that can no longer be patched effectively.

So we are somewhat behind the power curve, but with the right industry drivers, improved governance, trusted teams and the right technology we stand a good chance of turning this around – not without some investment, of course. OT security can be made feasible and cost effective, but it will require considerable collective will to regain the initiative. The good news is that some companies are grasping the nettle in exactly this way: they are the leaders who will show industry the way ahead. Regulatory compliance may be the key driver for OT security at the moment, but we look to the time when it will be overtaken by competitive advantage.

Martin Smith, MD of CyberPrism, looks at the issues facing industry in securing its OT.

Take control of your Operational Technology


CyberPrism provides Software as a Service, underpinned by industry-leading technical practitioners and professional services, to protect Operational Technology, chiefly within the Energy, Maritime and Government sectors. We are dedicated to producing cost-effective, client-specific solutions to safeguard your OT.


Our Platform reduces the resources required to re-establish safety and security in the face of current threats. Incorporating OT-compatible network visibility, alerting, incident response, and protection of devices and systems, it is low-risk, using tried and tested technology, and compatible with any OEM’s equipment. Human experience and judgement are key to the Platform, which is backed by our proven expertise, born of decades spent protecting Critical National Infrastructure. We reduce the scale of the task and allow people to do what they do best: take control.


Guard

Guard protects OT from malware ingress and provides ‘smart segregation’ within industrial networks. It facilitates secure two-way communication and allows critical industrial and safety processes to continue. Guard can also protect legacy, unsupported and un-patchable devices from attack.

CyberMonitor

CyberMonitor is a Security Orchestration Automated Response (SOAR) software solution. It monitors and manages IT and OT networks, generates alerts and tracks compliance. Built on innovative data comparison software, which allows it to ingest and compare data from any source, it works with any OEM’s equipment.

CyberSupport

CyberPrism provides a complete range of cyber security services and solutions. Our products and services provide key elements of the NIST cyber security protocol: Identify – Protect – Detect – Respond – Recover.

Phone: +44 020 7873 2414

Email: contact@cyberprism.net

cyberprism.net

CRIMINALS USING THE DARK WEB THINK YOU CAN’T SEE THEM.

WITH SEARCHLIGHT CYBER, YOU CAN.

GAIN THE ADVANTAGE OVER THREAT ACTORS AND CRIMINALS

Illuminate threats with dark web intelligence

Pre-empt ransomware and cyberattacks

Defend your organization

TRUSTED GLOBALLY BY ENTERPRISE, LAW ENFORCEMENT AGENCIES, AND GOVERNMENTS

TO LEARN MORE, VISIT:

SLCYBER.IO

Compliance in an Ever-Evolving Cyber Threat Landscape

Why compliance is crucial to businesses and stakeholders

The world of compliance has often lagged behind the release and adoption of new technologies. Organisations around the world will always seek new ways to stay ahead of the competition and continue to grow to survive. It is a classic case of the tail wagging the dog, or from the ground up.

There can be several drivers for an information security program, which can include regulation, incidents, and reputation. Thankfully, when you are in a heavily regulated industry, the hard work of justifying the program has already been done. This is the stick rather than the carrot, of course; however, for long-term success and buy-in, the carrot is more fruitful. An important point is that compliance does not necessarily equal security.

I’m sure many readers will understand the definition of compliance, however, to make sure we are on the same page here I think it’s important to cite the definition. This is an important point, because often in the information security world there can be a great deal of confusion and differences of opinion with certain terms e.g. the risk associated.

Complexity in the Compliance Ecosystem

Organisations can struggle with understanding and interpreting regulatory requirements. This ecosystem is complex: regulations often have an impact on each other and sometimes even overlap with requirements from other regulations. As one example, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both regulate the use and protection of personal data, including individuals’ rights to access and control their personal information. There are some commonalities, but there are also some key differences. Whether you are considered in scope or out of scope of various regulations very much depends on where you and your customers are located. There are, of course, various reporting requirements from various regulations too, which increases complexity in the system.

The Impact of not Complying

The impacts of non-compliance can ultimately affect the organisation’s bottom line. This is something that our business stakeholders will understand in financial terms. When speaking about impacts to business stakeholders we should seek to translate our language into meaningful terms that they understand, and what impact means from a financial perspective.

To communicate the impacts of incidents to business stakeholders, Factor Analysis of Information Risk (FAIR) provides a great model for understanding, analysing and quantifying information risk in financial terms. The impacts of incidents and breaches are far more than just being served fines by secondary stakeholders (regulatory bodies). There are other forms of loss that can be realised and should be communicated in your risk analysis:

• Productivity loss: losses that result from an organisation’s inability to deliver its products or services

• Response loss: losses that are associated with managing the event itself

• Replacement loss: the costs associated with the replacement of a capital asset or a person

• Fines and judgements: penalties levied against an organisation through civil, criminal, or contractual actions, usually the result of a confidentiality-related scenario

• Competitive advantage: losses associated with a diminished competitive advantage

• Reputational damage: losses associated with an external actor’s perception that the value proposition of your organisation has been diminished

Each regulation will have its own enforcement, fines, and penalties for non-compliance, as detailed in figure 1. The severity of the fines will depend on the nature and type of the finding, and how it was discovered. If the non-compliance was discovered as part of your audit program, we could say with a high degree of certainty that the fine would likely be lower than if it was discovered by an external threat actor in a breach scenario. It is important to note that these fines can vary depending on the specific case, the severity of the violation, and the discretion of the relevant authority, so it is cost effective to have an internal audit program. If you don’t have an audit program in place, this could serve as a business case for just that, supported by objective data.

Speaking of objectivity: if we look at data relating to data breaches as part of our situational awareness, the global average cost of a data breach is now $4.35M. That’s a fairly sizeable number and would certainly affect the organisational bottom line in terms of profit.

Definition of Compliance

the act of obeying an order, rule, or request

When I think about that definition there are some verbs and adjectives which stand out to me: obeying and rules. Organisations can often get caught up in tick box exercises, and that can happen when talking about compliance, or talking with senior stakeholders who are not traditionally from an information security background. I like the NIST Cybersecurity Framework (CSF), which has been widely adopted in our industry and for good reason; it is outcome driven rather than being a tick box approach and provides useful guidance in the form of information references. This helps to introduce simplicity into a complex environment of regulations and standards.

The cost per stolen record is $164, which has increased slightly from $161 the previous year. To get good data, of course, you need a large sample across horizontals so that we can increase our confidence in the data. The cost per stolen record can, of course, vary, so you might want to represent it as a distribution instead of a precise figure.

A measurement is a reduction in uncertainty, and it can be helpful to review industry reports from incidents globally to help inform decisions and incorporate these into risk analysis.

Achieving and maintaining compliance is crucial in today’s interconnected world, which is why it’s important to ensure you have a well-resourced GRC function. Introduce simplicity in the system to combat the complexity by ensuring you have the resources required; you can’t change the external regulatory landscape, but you can change how easy or difficult it is to adhere to.

Minimise OT risks, maximise cyber security, and optimise your resources

• Detect and analyse your specific threats

• Visualise your OT network

• Respond to threats with a prioritised, ROI-driven mitigation plan

Customers globally: >150

Deployed sites: 8,000+

www.radiflow.com

CYBER ASSURANCE

Do you need to demonstrate your information security commitment and compliance, and assure customers that their information is protected? Or do you need to ensure your supply chain are managing their cyber security risks?

The IASME Cyber Assurance standard is a comprehensive, flexible and affordable cyber security standard. It provides assurance that an organisation has put into place a range of important cyber security, privacy and data protection measures.

Risk based and includes key aspects of security such as:

• Incident Response

• Asset Management

• People Management

• Physical Controls

• GDPR compliance

The first step along the certification pathway for IASME Cyber Assurance.

Pricing dependent on the size of the organisation.

Involves an independent audit of your processes, procedures and controls conducted by an IASME Certification Body and Assessor.

A legitimate alternative to other alternative standards.

The next step after completing IASME Cyber Assurance Level 1 certification and our highest level of certification.

Pricing quoted independently by a Certification Body.

To find out more about IASME Cyber Assurance, and how it can help your organisation, contact our IASME Cyber Assurance Certification Manager via the contact details below.

samantha.alexander@iasme.co.uk

iasme.co.uk/iasme-cyber-assurance/

IASME

HOW TO HIRE A HACKER

SHOWCASING SKILLS

Well, if you ask Quorum Cyber, an Edinburgh-based MSSP, it’s through using a Capture the Flag event to assess the technical capabilities and impact skills of candidates.

For the second year running, Quorum have engaged with training provider Capture the Talent to create a fun and engaging 48-hour event that tests skills across a number of domains including OSINT, Cryptography, Forensics, Web App Hacking, Steganography and more.

CASE STUDY: QUORUM CYBER

Cybersecurity skills are in high demand. The industry is booming. Even amid layoffs at tech giants like Google, Amazon, and Microsoft, adverts are flooding social media looking for more tech bods in the security space.

At the same time, we’re seeing an influx of talent reskilling into cyber. Bootcamps are popping up left, right, and centre.

A quick Google search reveals over half a billion results when we type in ‘Learn Cybersecurity’. Content is out there and people are consuming it. Voraciously.

SELECTING THE RIGHT CANDIDATE

This is why matching up talent with the roles we’re hiring for can be extremely difficult. When every candidate we see has their Bachelor’s or Masters in Cybersecurity, certifications coming out of their ears, and a shit hot CV, how can we determine who is the right person to bring on board? How can we be sure they really do have the skills required for the job at hand? How do we know if they’d fit in our team?

Alongside testing technical abilities, the team at Capture the Talent also use an informal group chat setting to get to know the candidates in more depth and monitor how they interact with each other, work together, and communicate.

This allows Quorum to get a rounded view of applicants and identify strengths and weaknesses in a recruitment process that candidates actually enjoy.

COMFORT ZONE

When participating in a recruitment process, we know that candidates often feel stressed and anxious. Feedback so far has shown that a CTF-style recruitment event has lowered stress levels for candidates and has allowed them to have fun.

One candidate, Amy Harvey, explains her thoughts on Quorum’s recruitment process:

“I really enjoyed this CTF, it was brilliant having the opportunity to work on it individually and even better that you were unable to view the scoreboard.

This meant I wasn’t comparing myself against others and solely working at my own pace. It’s definitely been a real confidence booster and shown me what I can truly achieve when I put my mind to it.”

THE EVENT IN NUMBERS

40 PLAYERS

40 CHALLENGES

48 HOURS

WHAT THEY WANTED

Quorum wanted a recruitment event that was fun for candidates, cyber-specific, and effective at baselining technical abilities and soft skills of candidates looking to join their graduate scheme.

WHAT THEY GOT

The event went better than we could have hoped for. We turned candidates into a community and the picture we were able to build up on each participant’s strengths and weaknesses and how they engaged and interacted with others taking part was brilliant and exactly what we were after.

AND HOW IT WENT

From the very first meeting with CTT it was clear that they were experts in their field, really understood what we were after and shaped the event to bring out the best in those taking part, ensuring that they had a great time, whilst showing us what their capabilities were.

FIND OUT MORE
WWW.CAPTURETHETALENT.CO.UK
DISCORD.GG/INFOSEC

One of the most important concepts in cybersecurity leadership is resilience decision making. This involves the ability to make quick and effective decisions in the face of uncertainty and rapidly changing circumstances, remaining in the eye of the storm. Research suggests that effective leaders in cybersecurity exhibit a number of key traits, including a willingness to take calculated risks, a focus on strategic thinking and problem-solving, and the ability to stay calm under pressure. In order to do this, leaders must have a clear Super North Star, “an unambiguous statement of intent” about where their organisation is heading. Most importantly, does everyone in the organisation say the same thing?

Leaders must have a clear strategy and have thought through the contingencies they may have to enact, understanding how they and their team deal with difficult situations.

My thought process is always as follows:

• What are the facts of the situation?

• What is a creative way to look at the situation?

• What is positive about this situation?

• What are the dangers and risks?

• How do I now feel about this situation as I make the decision?

The best leaders know how to think under pressure because they have rehearsed it.

The field of cybersecurity is ever-evolving, with new threats and vulnerabilities emerging on a daily basis. As such, it is important for organizations to have effective leaders in place who can guide their teams through the constantly changing landscape.

Managing a diverse workforce

The cybersecurity industry is made up of a diverse workforce, and successful leaders in this field must know how to work with cognitive diversity. It is clear from studies that people now respond best to leaders who provide them with clear expectations and goals, offer regular feedback and recognition, and provide opportunities for professional growth and development. Leaders who can communicate effectively and provide the necessary support and resources are more likely to have a highly engaged and motivated workforce. This means being able to adapt your communication style and realising that you need to understand the position of your audience.

My personal view is that most people have always needed the above in place for a leader to be effective. Cognitive diversity is essential for organisations to fully reach their potential, and this requires leaders to be able to communicate with talented people who can be challenging.

Working from Home

In the wake of the COVID-19 pandemic, remote work has become the norm for many organizations. Leaders in cybersecurity must be able to manage teams in a remote environment, and this requires a different set of skills and strategies.

Effective remote leaders are able to set clear expectations and guidelines, communicate frequently and transparently, and provide their teams with the necessary tools and resources to work effectively from home. Leaders who can maintain a strong team culture in a remote environment are more likely to have a highly engaged and productive workforce. However, this does not mean that people should work entirely from home. It is important to acknowledge the importance of human connection and interaction. Humans are social creatures, and we thrive on social interaction and connection. When we are isolated from others, we can experience feelings of loneliness, depression, and anxiety.

To create a brilliant environment, it is essential to design spaces that align with how our bodies and minds naturally function. This means providing opportunities for people to move (standing desks, walking meetings), along with areas that have natural light, plants and fresh air, and areas for social interaction.

In my opinion there needs to be a balance to remote working and being in an office. A three-day (office) to two-day (home) ratio gives the correct balance.

Resilience Decision Making

In this article, I will explore the current concepts of great leadership in cybersecurity including resilience decision making, managing a diverse workforce, working from home, values, and building a great team.

Values

Values are a key component of effective leadership. Leaders who articulate a clear set of values and principles, and who model these values in their own behaviour, are more likely to inspire their teams and earn their respect and loyalty. According to studies, compelling leaders place a high value on integrity, honesty, transparency, and accountability. However, these values should not just be laminated and look good on a wall. Are the values in your organisation explicit and does everyone model the behaviour that is expected? If not, teams that do not exhibit strong values generally do not perform well under pressure.

When did you last check the values in your organisation? Please remember the values you walk past are the values you accept.

Building a Great Team

Finally, effective leaders in cybersecurity must be able to build and maintain a great team. This involves recruiting the right people, providing them with the necessary training and resources, and fostering a strong team culture; a high-support, high-challenge mentality is crucial. Such leaders prioritise team diversity and inclusion, encourage open communication and collaboration, and provide their teams with opportunities for professional growth and development.

Does this happen in your organisation? Are you growing the next generation of leaders, and what is your legacy going to be?

Finally, great leadership is critical to success in the constantly evolving field of cybersecurity. Leaders who exhibit resilience decision making, can work effectively with a diverse workforce, manage remote teams, prioritise values, and build a great team culture are more likely to succeed in this challenging and complex field.

As the industry continues to evolve, it is important for organisations to invest in developing their leaders and fostering a culture of strong leadership at all levels of the organization.

Floyd Woodrow is a leadership expert and entrepreneur who coaches and mentors senior leaders from around the world.

His success in business has come after a distinguished military career where he was awarded the Distinguished Conduct Medal for his services in Iraq and an MBE for his services.

Floyd is the chairman of the Quantum Group which is a leading fintech investment incubator. Floyd was recently selected as one of the top 50 fintech entrepreneurs in the UK by the Financial Technologist Magazine.

Floyd also heads a charitable foundation called Compass for Life which delivers educational programmes in schools and colleges across the UK, assisting disadvantaged children with their educational and aspirational needs.

His book “The Warrior, the Strategist and You” is available on Amazon.


Police Scotland Youth Volunteers Become Cyber Aware Warriors

Police Scotland Youth Volunteers (PSYV) join forces with Robert Gordon University and OSP Cyber Academy

Around 1000 PSYVs are being trained in aspects of cyber awareness via an online training portal delivered by OSP Cyber Academy, one of the UK’s leading online cyber training providers. The aim is to help the volunteers understand the threats and risks that they face on a daily basis online and share this knowledge when engaging with family and friends to help protect them.

So who are these Cyber Warriors? PSYV?

There are currently 43 PSYV groups across Scotland and they are represented in each of the 13 Local Policing Divisions, with over 900 young Volunteers and over 200 adult volunteers nationally.

The purpose of the PSYV is to promote a practical understanding of policing amongst young volunteers, encourage the spirit of adventure and good citizenship, support local policing priorities through volunteering in local events and initiatives to raise awareness, give young people a chance to be heard and to inspire young people to participate positively in their communities.

The PSYV provides young people aged 13 – 18, of all backgrounds, a positive means of engagement with the police through regular training, participation in community safety initiatives and through volunteering in their communities leading to this project being an ideal opportunity to engage about cyber awareness for protection online.

All age groups of PSYVs including adult volunteers will gain the cyber knowledge necessary to support this great initiative, through peer mentoring.

More importantly, they will be learning skills to help them educate the most vulnerable in society. With these newfound skills they will then go into the wider community, armed with this capability, to deliver education and awareness via a thought-provoking ‘Escape Rooms’ styled exercise developed exclusively for this project by the science and technology faculty at Robert Gordon University.

This is very much the start of the journey, with a hope that the success of this programme might gain more valuable support from the Scottish Government, who have been instrumental in making this project happen. To date this is the first programme of its kind in the entire UK, so Scotland intends to deliver on its challenge.

Christopher McDermott, Lecturer, Human-centred Security, Robert Gordon University

Irene Coyle, Chief Operating Officer, OSP Cyber Academy

Representatives and partners from Police Scotland Youth Volunteers, Scottish Government, Scottish Police Authority, Robert Gordon University, OSP Cyber Academy and ScotlandIS attending the official launch.

We are a membership organisation for Scotland’s digital technology industry. We underpin a thriving community which brings together the ambition, talent and expertise across our industry to grow Scotland’s digital economy.

Our membership includes technology businesses across a wide range of sectors, in addition to universities, the public sector, financial services, energy industries and specialist providers.

By becoming a member you will:

Raise your profile

Gain exposure to key audiences, highlight your capabilities to our expansive network of members and cluster tech companies in Scotland and beyond. From speaker and sponsorship opportunities, to access to our extensive community via our social platforms and bulletin, we will enable you to be heard in every corner of our industry.

Expand your network

Receive introductions within our network of over 1000 Scottish technology companies. Access valuable ecosystems through our Cyber and Data clusters. Attend our events for free or at a discounted rate, for the opportunity to network with our community.

Strengthen your business

Access new funding calls and procurement opportunities that we highlight to our membership. Receive business support such as HR and legal advice to help you on your journey as you grow.

Be part of the conversation

ScotlandIS will keep you apprised of the latest industry trends, insights and research. Join Specialist Groups such as our Software Engineering Leaders Forum and Marketing Meetups to explore challenges with peers and the potential to work together. Our steering groups such as Policy, Cross-Sector, and Diversity & Inclusion, will help you stay informed and shape the future of Scotland’s tech sector.

www.scotlandis.com

UNIVERSITY CYBERSECURITY CHALLENGE

The Challenge

Calling all cybersavvy undergraduates to create & cultivate a concept for an app which utilizes AI technology to promote cybersecurity awareness & education.

The Opportunity

The 3 finalist teams will be invited to present their concept at the International Cyber Summit on August 31st 2023 in Aberdeen, Scotland — travel & accommodation will be paid for.

Cyber News Global presents the inaugural Cybersecurity University Challenge:

An academic challenge which presents the opportunity to create and cultivate a concept for an app which utilizes AI technology to promote cybersecurity awareness and education to those most vulnerable to cyber risks: the younger generation, and the elderly. We are calling for submissions from undergraduate students currently enrolled in university. Those interested in the challenge will form teams of three and collaborate on the project together.

Initiative

In teams of three develop a concept for an app which utilizes AI technology that promotes cybersecurity awareness and education to those most vulnerable to cyber risks: the younger generation, and the elderly.

Be creative in your problem-solving — How has AI Technology been utilized in similar ventures? Is there an overlooked initiative that could help fill the gaps?

How can we make cybersecurity accessible and digestible to both a younger demographic and the elderly?

How will this app improve cybersecurity awareness, and moreover, how will it inspire education, and leave its users with a better understanding of how to spot and avoid cyber risks?

Deliverables

Due by 24:00 (GMT) May 31st 2023.

• A detailed and data-driven project brief of 3-5 pages

• A wireframe

• A case study

Opportunity

Following our review of the received submissions — conducted by [insert esteemed judges here] — three teams will be selected as finalists who will be invited to present their concept at the International Cyber Summit on August 31st 2023 in Aberdeen, Scotland — travel & accommodation will be paid for.

The finalists will have ten minutes to present their concept to the panel of judges, who will then make the final decision in the awarding of 1st, 2nd, and 3rd place.

Judging Criteria
Innovative Thinking 30%
UX/Interaction Design 20%
20%
Data Informed Decisions
10%
Case Study

Cyber Centre of Excellence is launched

iESE is proud to announce the launch of the Cyber Centre of Excellence (CCOE) which is being showcased for the first time at the District Councils Network (DCN) annual conference in February. We believe the creation of the CCOE, which will represent a collaboration by UK public bodies underpinned by an Advisory Forum made up of some of the UK’s best brains in cyber security, will help drive forward major advances in the level of cyber protection in our local authorities and the UK public sector.

With our vision of making the UK the safest place to live, work and play online, the creation of the CCOE brings together the most knowledgeable and well-respected people in the industry to understand the cyber threats we face and how to address them. Through this expertise and member collaboration we aim to stay abreast and ahead of the growing and ever-present threat, offering peace of mind to the UK public sector.

We aim to make military grade support, products, training and advice available to the public sector by understanding what best-of-breed protection is and making this knowledge and these innovations available to procure simply at high street prices through our collective purchasing power. Essentially, the CCOE will offer a one-stop-shop to assist members throughout their cyber security journey from implementation and beyond. It does not aim to replace other organisations, such as the National Cyber Security Centre (NCSC), but aims to give practical guidance on implementing cyber security advice and standards and will also be well placed to assist if things go wrong.

You can read more about the CCOE on pages 3, 4 and 5 of this issue. To find out more about the CCOE, please go to www.ccoe.org.uk or contact us directly at enquiries@iese.org.uk

Local authorities urged to get involved with the CCOE

LOCAL AUTHORITIES AND OTHER PUBLIC BODIES ARE BEING URGED TO GET INVOLVED WITH THE NEWLY-FORMED CYBER CENTRE OF EXCELLENCE (CCOE) WHICH WAS SHOWCASED FOR THE FIRST TIME AT THE DISTRICT COUNCILS NETWORK (DCN) ANNUAL CONFERENCE IN FEBRUARY.

The CCOE will offer access to training, advice, products and services backed up by a group of advisers who will keep the CCOE abreast of cyber threat and up to date with new innovations. Any products and services offered under the umbrella of the CCOE will be tried and tested for the public sector. The initiative aims to offer military-grade protection at high-street prices through utilising iESE’s connections and collective purchasing power.

Dr Andrew Larner, Chief Executive at iESE, said: “At the moment there is a perfect storm where the complexity and frequency of attacks on local government are increasing. The innovation in the attacker is huge but our response as a sector isn’t. We know that there are gaps in our defences, especially in terms of operational technology, and we are working on plugging those gaps before they become a major issue. We need to make this business as usual and not frightening. The CCOE will sit at the forefront of best practice and act as a one-stop-shop to ensure local authorities and other public bodies are as secure as possible in this ever-changing environment.”

Development of the CCOE has been led by an Advisory Forum of some of the most knowledgeable people in cyber security in the country, including prominent legal experts, ex-military and ex-police personnel who have worked and continue to work in protecting the security of the country.

“By synthesising and continually synthesising their knowledge and through member collaboration we will increase our ability to stay ahead of the game. If you want protection that is five years ahead in the opinion of those who protect the national security of the country, then get involved,” Dr Larner added.

Council leader shares cyber learning

IESE HOSTED A STAND AT THE RECENT ARAB INTERNATIONAL CYBERSECURITY EXHIBITION AND CONFERENCE IN BAHRAIN WHERE THE CENTRAL THEME WAS EMPOWERING GLOBAL COOPERATION IN CYBER SECURITY.

Councillor David Tutt, leader of Eastbourne Borough Council and Chairman of iESE, attended alongside Dr Andrew Larner, Chief Executive at iESE. Cllr Tutt said there were some key messages he had taken away from the conference regarding local government. First was the need to raise awareness of the level of risk being faced and for the sector to stay regularly updated about new and emerging threats. Secondly, he said the conference highlighted that collaboration would be key in future on both a global and national level.

“What we need globally is to collaborate on the things that have gone wrong. Organisations tend to close ranks when something happens – we don’t want to say we’ve been attacked or that we paid a ransom or what the consequences were. We need to share that information if we want to protect each other. A key takeaway for me from the conference is that there is an enormous need for universal standards across the industry and adoption of those on a global basis,” he explained.

Cllr Tutt said a demonstration by an ethical hacker on a Tesla car showed how people with a little bit of know-how can cause issues for malicious purposes, fun or financial gain. “The UK local government has 10,000 cyberattacks a day. We have seen the impact on some local authorities, and it is not just the financial impact, although that is immense and runs into millions, it is the loss of data and personal information of residents getting out into a wider domain and the impact of not being able to run your services for your residents or not being able to run payroll for your staff,” he explained.

Cllr Tutt said the conference had further opened his eyes to the level of risk faced by UK public authorities. However, he added that he remained hopeful for the future due to the creation of the Cyber Centre of Excellence (CCOE) and its commitment to helping protect local authorities and the public sector from cyber risks.

Cyber Centre of Excellence cybernewsglobal.com 46
Dr Andrew Larner, Chief Executive

Keeping your organisation secure

The Cyber Centre of Excellence (CCOE) is an initiative aimed at all local authorities and UK public bodies to help them stay abreast of cyber threats and give them access to easy-to-procure military-grade protection at high street prices through collective purchasing power. It will be able to assist with the full remit of what an organisation needs to do and know to stay as cyber secure as possible.

We know that navigating an ever-changing cyber security landscape is difficult for local authority leaders with many competing priorities and limited budgets. That is why the cyber security industry is coming together to create the CCOE – an initiative underpinned by an Advisory Forum of world class experts to help you navigate cyber security for your organisation.

The CCOE is a place for organisations to collaborate and share knowledge of threats. It will also act as a one-stop-shop to help those involved in cyber protection understand what their unique risks are and how to best tackle them.

Kurtis Toy CISSP, Managing Director of Onca Technologies, is a Virtual Chief Information Security Officer (vCISO) who has been appointed as the Convenor of the CCOE. He has been working alongside iESE to develop the Cyber Centre of Excellence (CCOE) and ensure the Advisory Forum represents the range of skills needed for a cyber and data secure organisation. Here, he outlines some of the current threats facing local authorities and terms commonly used in the cyber security landscape:

Phishing

‘Phishing’ describes an unwanted email that might contain dangerous content or have a hidden agenda. This could be in the form of a hyperlink or URL that redirects to a malicious site or downloads an attachment with hidden malicious content.

Multi Factor Authentication (MFA)

When logging in, we use at least one factor to identify ourselves, such as a password or PIN, through a smartphone or a secure USB key, or via a fingerprint or facial recognition. Multi-factor Authentication uses at least two of these methods to log in, helping prevent password compromise.

Zero Trust

‘Zero Trust’ is a term used for both security models and network architectures. In both cases, the main concept is “never trust, always verify”. This means all devices, access or identities should not be trusted by default, even if they were previously trusted or are connecting through a known network or location. Zero Trust is often implemented to promote strong verification processes that are continually re-examined and re-established and provide minimum access privileges.

Zero Day

Although this sounds the same as Zero Trust, it is not directly related to Zero Trust security or architecture models. A ‘Zero Day’ vulnerability is a security flaw that has been discovered but there is no security patch for it yet. Once discovered, Zero Day flaws are often exploited very quickly so it becomes a race against time for the software provider to develop and distribute a security patch.

Layered Approach

A ‘Layered Approach’ is a term often used within information security. Whilst it sounds like this means one tier of security being layered on top of another, it really means multiple solutions should be put into effect to defend against the same or similar issues. The idea is to build a suite of defences to act as contingency plans for one another and should include security tactics for people, processes, and technology. The best approach is to have a failover for every avenue possible and review your security controls on an ongoing and regular basis.

Ransomware

Ransomware is a type of malware, malicious software, that blocks access to the victim’s data and threatens to keep it unavailable or even delete it unless the victim pays a ransom to the attacker. This is a very common type of attack so it’s highly important to take every possible precaution against it. Defences against ransomware include: adequate training for all staff, including scenario training; technological defences such as antimalware, email protections and even AI; ensuring backups are maintained and immutable (see below); updating software regularly to ensure patches for Zero Day vulnerabilities are in place; and implementing robust access control policies.

Breach

A cyber security breach is an incident resulting in the unauthorised access of computer data, applications, networks, or devices which results in information being accessed without authorisation. A breach can cost a company a large amount of money, not just in shoring up defences to prevent further breaches but also for potentially stolen intellectual property or critical company data. If the breach also includes personal data, the ICO (Information Commissioner’s Office) must be informed within 72 hours of the organisation becoming aware of the breach. Fines may be issued under the GDPR if adequate protections for personal data were not in place.

Nation State Threats

Cyberattacks of this nature are initiated and sponsored by countries or geopolitical groups and are referred to as Nation State Threats, which aim to disrupt infrastructure, business, government and military. These types of attack can be particularly difficult to identify as the attackers often shift blame to cyber gangs, other foreign entities or hacktivist groups.

IoT and OT

IoT denotes the Internet of Things and includes technologies such as machine learning, machine-to-machine communications, big data, sensor data and other data collected on automated devices.

OT denotes Operational Technology and defines a specific category of hardware or software that functions to monitor and manage the performance and operation of physical devices. OT systems often support critical infrastructure and industrial operations.

Immutable Backups

An immutable backup is a copy of data that cannot be altered, deleted or changed in any way once the backup has completed, not even by system administrators. This type of backup can be critical when a company needs to recover or restore data after it has been lost or damaged, whether through a cyberattack or a natural disaster.


Meet the CCOE Advisory Forum

The CCOE’s goal is to create an entirely new level of protection in the UK and help the public sector become resilient against cyber threats. A shared service in the best traditions for local public services ensures that we all have the best people, the best technology, and the best protection. Our team have unparalleled experience, having run the UK’s military cyber offence and defence capability, having built the defences of the Bank of England, and also hold clearance to work on national cyber defence infrastructure.

Sitting behind the CCOE is an Advisory Forum of some of the UK’s leading experts in cyber security. This group will keep the CCOE up to date with threats and abreast of new innovations. Here they share their biographies and their thoughts on the CCOE:

Kurtis Toy

Kurtis Toy is a Virtual Chief Information Security Officer (vCISO) who has been appointed as the Convenor of the CCOE. After gaining an MSc in Biology he worked for an oil servicing company where he ended up working in IT. He became responsible for the IT information security in the company, leading to him becoming Global IT coordinator. He then gained an MSc in Information Technology, next becoming Global IT Team Leader before leaving to establish his own company in 2016. Further qualifications he has gained since include becoming a GDPR Foundation and practitioner (Data Protection Officer), ISO 9001 internal auditor training and ISO 27001 lead implementor. He is also a CISSP (Certified Information Systems Security Professional). He describes the CCOE as giving local authorities access to an umbrella of protection akin to a “validated Google of cyber security knowledge”.

Major General Martin Smith

Major General Martin Smith CB MBE is the Managing Director of CyberPrism, a cyber security company which protects Operational Technology (OT) and IT in the UK and internationally.

Before joining CyberPrism, Major General Smith had a 33-year career in the Royal Marines, becoming Commandant General of the Royal Marines. He commanded the UK’s Amphibious Force and led the UK’s maritime counter terrorism force. He also founded the unit known as 30 Commando Information Exploitation Group. Major General Smith is pleased to be part of the CCOE Advisory Forum. “CyberPrism fills a gap in that there is very little knowledge and experience in operational technology in the marketplace. Playing our part in the CCOE helps fulfil the full range of services needed by local authorities to address their cyber vulnerabilities. The CCOE is an initiative in which no single company is pretending to be able to do everything. It is a joint force of a range of experts in their own fields which will work for the good of the public sector.”

Dane Clackworthy

Dane Clackworthy is Head of Business Development and Sales at CyberPrism, a cyber security company which protects Operational Technology (OT) and IT in the UK and internationally.

Before joining CyberPrism, he had a 20-year career in the Royal Marines where he gained extensive experience in radio communications and information assurance. His positions included being Yeoman of Signals, the Chief Communication Manager for the UK’s Response Force Task Group. The RFTG was a Very High Readiness force of 1,500 personnel that could deploy worldwide in 5 days. More recently, he was the unit Data Protection Officer, IT Security Officer and was project lead for the aviation CIS infrastructure plan for the Queen Elizabeth-class aircraft carrier.

At CyberPrism, he continues to enjoy relaying technical information between stakeholders in plain language that everyone can understand. “My role in the CCOE will be to keep the forum up to date on best practice in securing OT in a clear concise way that brings real value. There is a general lack of awareness about OT risks. We look forward to helping local authorities and public service organisations take the necessary steps to understand and secure their vulnerabilities.”

Irene Coyle

Irene Coyle is Chief Operating Officer at OSP Cyber Academy, a managed service provider of cyber, information security, data protection training and education programmes. She joined OSP Cyber Academy after a 30-year career in the police force in a variety of roles, including that of Chief Inspector for recruitment within Police Scotland.

During her career in the police force, Coyle held various roles which centred on protecting people’s data, including as Detective Inspector of the Public Protection Unit at Grampian Police. In this position she was Project Manager of the Grampian Police Vulnerable Persons Database, a project which was then rolled out across Scotland. Coyle is also a Data Protection Officer, a NCSC Certified trainer and holds a teaching degree. OSP Cyber Academy has joined with the CCOE to provide member access to its suite of training tools. “To be involved with the CCOE is great. This new group wants to provide the best that it can for local authorities which is admirable. It is not about driving high profit for the experts involved, it’s about driving the cyber resilience capability across communities. I am excited to see where it goes and being part of building cyber resilience across the public sector.”

Thomas McCarthy

Thomas McCarthy is the founder and Managing Director of OSP Cyber Academy. He has previously held various roles in training, auditing and safety, including several positions in the energy sector. As someone with a wide range of industry contacts and knowledge, McCarthy has been instrumental in helping to establish the advisory forum for the CCOE. OSP Cyber Academy are a UK Government-certified managed service provider of cyber, information security, data protection training and education programmes. The company has joined with the CCOE to provide its members access to its suite of training tools.


“In the last five years I have been involved with just about every cyber organisation there is in the UK and overseas. The CCOE is one that has been designed and set up to make a difference and to deliver, as opposed to just talk about delivering. The problem with cyber is that it is an ever-evolving threat landscape and things change so rapidly that the only way you can stay resilient is by keeping up to speed with what is going on. I think the CCOE will do this and has the capability to deliver for all public sector bodies.”

Sandip Patel KC

Sandip Patel has been a Barrister for more than 30 years and was appointed Queen’s Counsel (QC), which is now known as King’s Counsel (KC), more than ten years ago. He became involved in cyber security law after being asked to prosecute several cases for the Crown Prosecution Service. His cases have included that of Glenn Mangham who stole Facebook’s source code from his bedroom in North England using an ordinary desktop computer and Seth Nolan-Mcdonagh, the boy who ‘almost broke the internet’. Patel is also Director of cyber security consultancy Quantum Resilience International and Chief Legal Advisor at OSP Cyber Academy. He is pleased to be involved with the CCOE to contribute knowledge of legal compliance and advise how this might evolve by looking to other countries. However, he warns that legal compliance is the minimum organisations should aim for. “Regulatory compliance is not cyber security in my view. We know the public sector is extremely vulnerable and I am pleased to play a part in helping protect these organisations.”

Niall Burns

Niall Burns is one of the founders and Chief Executive Officer at the specialist risk mitigation, business intelligence and loss prevention company Subrosa Group. He started his career in the Royal Marines and then subsequently within UK Special Forces Communications where it was instilled that sensitive information should be delivered in a direct and confidential manner. Subrosa has been helping keep people safe for more than 25 years, including advising clients on keeping data safe. Cyber Security services are now a large part of their remit. Its services include penetration testing of systems, networks, and web applications, identifying vulnerabilities in internal and cloud-based systems, and identifying configuration vulnerabilities. It can also help clients review and assess processes and policies. “Something like the CCOE where you have experts who are not confined by purchasing protocols will be invaluable to the public sector. It will be able to look at the pros and cons and it won’t be handcuffed to say you have to do this, this and this. Use us as the experts to check you are getting fit-for-purpose and quality products because a lot of people are mis-selling out there.”

Dr Rois Ni Thuama

Dr Rois Ni Thuama is Head of cyber governance for Red Sift, one of Europe’s fastest-growing cybersecurity companies. She works with key clients across a wide market spectrum including governments, legal, finance, and banking, to spread a contemporary understanding of cyber threats, risks, liabilities, and resilience across diverse audiences and stakeholders to drive effective change. In 2022, Dr Ni Thuama was part of the team of cybersecurity experts tasked with the revision of NATO’s cybersecurity curriculum as part of the Partnership for Peace Consortium’s (PfPC) Defence Education Enhancement Program. She also presented on the legal implications at The Impact of Artificial Intelligence on Future Conflicts Conference in Washington D.C. Ni Thuama is also contributing editor with PCPro, focused on significant cyber threats, the latest trends, risk management and building in defensibility for firms. She is also a regular keynote speaker at cyber conferences.

Colin Jupe

Colin Jupe is CEO of Assurity Systems, a company which provides advanced cyber security solutions to a variety of sectors including local government. He is also a qualified General Data Protection Regulation (GDPR) practitioner and the Managing Director of VXPartners, a company which helps organisations become and remain compliant with UK Data Protection law. Prior to launching Assurity Systems, Jupe held a management consulting role where he predominantly assisted technology companies with marketing and finance strategy and was also formerly Director of a marketing database and data processing company. “UK government and PLC are under attack more than ever and those in charge of local government have enormous pressures extending from budgetary and personnel issues through to IT. Rich private organisations are poaching all the good cyber-IT professionals which means the public sector must outsource to get access to skills. The cyber protection industry is a vendor-led industry. Who can you trust? How do you know which is the best solution for your organisation? This is a difficult problem and understanding what solutions are good for today and fit for tomorrow is almost impossible without the sort of collaboration offered by the CCOE.”

David Woodfine

David Woodfine is the managing director of Cyber Security Associates (CSA), a company he started with former colleague James Griffiths in 2013. CSA began as a consultancy practice and still offers this trusted advisor service helping clients with aspects of cyber security such as assessments, help gaining certifications, incident response and general cyber road maps and development. CSA also provides 24/7 managed Security Operations Centre (SOC) services to help monitor, prevent, detect, investigate, and respond to cyber threats. Before starting CSA, Woodfine had a career spanning 28 years in the Royal Air Force, where he undertook a range of roles related to cyber security, including holding the position of Commanding Officer of the Ministry of Defence Cyber Defence Unit. “The CCOE is both an information sharing platform and a one-stop-shop offering a framework of services so local authorities won’t have to go to twenty vendors, they can just come to a safe pair of hands and know that if they buy something approved by the CCOE then it is world class. We can also share intelligence on threats and lessons learned which will be invaluable to public bodies. Being part of the CCOE may stop any future attacks through monitoring and sharing information and, if the worst does still happen, the CCOE can help with key aspects of recovery and help improve the ongoing cyber security posture.”

Dougie Grant

Dougie Grant is Managing Director Europe & Global Head Incident Management at Nihon Cyber Defence. He started his career in the military and from there moved to the private sector working in IT where he became interested in cyber security. From here, he progressed into law enforcement, spending eight years as the Cyber Lead for the Police Service of Northern Ireland where he started building online investigative capability looking at the online components of crimes. He finished his public sector career in the City of London Police seconded to GCHQ and NCSC where he spent five years as a Senior Coordinator at the National Cyber Security Centre (NCSC). He remains associated to the NCSC as part of its Industry 100 (i100) initiative and holds an MSc in Forensic Computing and Cyber Crime Investigation as well as other certifications. “Opportunistic attacks are one of the biggest threats we face. Anyone from the comfort of their living room can scan internet connected systems and networks globally to see if they can get in, find vulnerabilities and exploit them to gain access and disrupt them, sometimes with catastrophic impacts. We have got to ensure that everything being acquired or used by the public sector is secure at its core and that is not there yet. If you are going to procure equipment or deploy technology or systems it is essential to understand the risk and threat and impacts of attacks and breaches which is something the CCOE can assist with.”


Councils urged to consider OT risks

Local authorities are being urged to consider operational technology (OT) as part of their cyber security risk landscape, attacks on which could potentially result in serious health and safety incidents.

Operational Technology (OT) refers to technology used to monitor and control processes. Recent years have seen an increase in attacks on OT. The reasons are twofold: firstly, hackers have realised that OT often presents a vulnerable target and, secondly, systems are more integrated than ever before, increasing the likelihood that malware can move between IT systems and connected OT.

In May 2021, the Colonial Pipeline Company in America had to shut off its oil pipeline due to concerns that a ransomware attack on its billing system could spread to its OT network – an example of how an IT attack could compromise OT. In July 2022, meanwhile, an Iranian steel manufacturer saw a hacktivist group target machinery, causing a fire at its plant in an intentional direct attack on OT.

Local authorities might believe that they don’t have OT of any significance, but Major General Martin Smith CB MBE, the Managing Director of CyberPrism, a managed services company which protects Operational Technology (OT) and IT in the UK and internationally, said this is a commonly held misconception. OT that might be at risk of direct or indirect attack could include CCTV systems, traffic light systems, lifts, security-controlled doors, fire control systems, heating, lighting, air conditioning and more. In public services such as the NHS it can include equipment such as hospital scanners.

“There is a whole range of OT that local authorities won’t have addressed. The fact is that most organisations know nothing about their OT, so some form of basic assessment is a good place to start,” explained Major General Smith. “Until about two years ago those out there who wanted to hack into networks knew nothing about operational technology. They are starting to get the idea now as you can see from various attacks, such as the American Colonial pipeline attack. They now understand that attacking OT is good for two reasons. Firstly, it is vulnerable because organisations have not secured it. Secondly, if you can hack into OT, it is not just a case of stealing data, you can cause disruption. From a ransomware point of view, it becomes even more powerful. What if I stop the lift? Tamper with security-controlled doors? There is a considerable health and safety element too.”

Dane Clackworthy, Head of Business Development and Sales at CyberPrism, encouraged local authorities to take stock of their OT and look at how to protect it. “Every organisation knows that they need to secure their IT but not everyone knows about OT. There is a real gap in understanding what OT is and how we can protect it. One of the first steps is knowing what OT the organisation has. If you don’t know what you have, you can’t protect it and that is an inherent vulnerability.”

There is little doubt that the number of OT attacks is increasing. According to a report, OT Security Incidents: 2021 Trends and Analyses, the number of attacks with physical consequences in process and discrete manufacturing industries more than doubled in 2021 compared with 2020. The authors of the report predicted that ransomware-induced OT outages would triple in 2022 over 2021, stating that due to production outages and other physical consequences, attackers are realising that there is a likelihood ransoms would be paid. State-on-state attacks are also increasing. In 2022, for example, a sophisticated malware attack attempted to destroy the Ukrainian national grid as part of the Russia and Ukraine conflict.

One of the key strategies organisations can take is to segregate OT and IT and introduce software which will shut parts of the network off when a threat is detected without stopping the processes from taking place. “Networks are becoming ever more connected together which means that if malware gets into one area it could pass into everything. What you need is a more closed system where you know exactly where the gateway is, and you can segregate the systems effectively,” explained Major General Smith.

Also important are systems for monitoring activity and alerting to threats, while OT cyber security training is essential for staff and board members. One thing is clear, doing nothing is not a safe strategy. “While we might not yet quite be at the point where local authorities are being targeted through OT, attackers don’t have to attack the OT specifically to cause an effect. It could be an IT attack which could filter through to OT and have serious consequences. We know these types of attack will become more prevalent,” Clackworthy warned.

Both Major General Smith and Dane Clackworthy from CyberPrism are part of the Cyber Centre of Excellence (CCOE) Advisory Forum. The company provides consultancy services, such as OT audits, and access to specialised software-as-a-service to protect OT.

Find out more about CyberPrism: cyberprism.net


Operational Technology (OT) refers to technology used to monitor and control processes. While its applications frequently exist in the manufacturing sector and processes for industries such as oil and gas, it increasingly applies to any physical technology linked to software. An attack on OT can have a direct physical impact on the victim organisation, its staff or its customers. This could result in service failure but could also have related health and safety implications. Here is a brief list of just some OT a local authority may have which should be protected from direct or indirect cyber-attack:

• CCTV

• traffic light systems

• recycling plant processes

• lifts in real estate

• security-controlled doors

• fire control systems

• heating and lighting systems

• air conditioning systems


South Staffs aims to be most protected cyber region

South Staffordshire District Council is moving further towards its goal of making its geographical area the most protected in the country from cyber-attack.

South Staffordshire implemented AppGuard in 2020 through iESE and its relationship with Assurity Systems, the European distributor of the product. Peter Shakespear, Corporate Director Finance & Resources at South Staffordshire Council, explained that the pilot would subsidise the implementation of AppGuard in one or two of its local parishes for a period. He said he was confident AppGuard would demonstrate its ability to prevent security breaches.

South Staffordshire Council is convinced by the technology having seen many other local authorities hit the headlines in recent years due to attacks which have caused high levels of damage to operations, resulting in high spend in recovery costs and untold reputational damage with customers. “Other local authorities have not had this protection and it has cost them millions of pounds,” said Shakespear. “For our parishes, this gives a solution that is integrated and matched with the district. After the trial we will hopefully have 27 parishes asking: Where do we sign?”

In addition to showing that AppGuard can prevent cyber-attacks, Shakespear said the trial should also demonstrate that the parishes taking part could potentially scale back some of their other protection, allowing some savings to be made.

As part of its objective to make South Staffordshire the geographical area most protected in the country from cyber-attack, the district council is also offering local businesses access to AppGuard at preferential rates through its business place partnership. “It is great to be able to go to a small parish council or a small business and tell them they can have a level of cyber security they never imagined and that we can make that accessible through iESE. Signing up is common sense. For me this isn’t a nice-to-have, this is the reality of the 21st Century. Cyber-attacks are increasing by the day, and we have to be one step ahead. Other solutions on the market are one step behind. It is an absolute essential,” he added.

Brad Collier, an iESE Associate who has been working with South Staffordshire on its implementation of AppGuard, praised the council for its foresight. “iESE set a mission five years ago to make the UK the safest place to live and work in Europe one local authority at a time. South Staffordshire are an innovative council making this a reality. The pilot is going to open the eyes of the parish councils as to how simple it is to protect themselves and their organisation. It is not complicated or expensive. New customers need to spend a short amount of time doing a survey and then installing the licence is a 20-minute process. In less than an hour it is possible to take away the pain that might occur from a targeted cyber-attack that could disrupt your whole business.”

What is AppGuard?

AppGuard is an endpoint cyber security solution which will protect your systems from all threats – even the never-seen-before attack known as ‘zero-day’. Developed in the US defence environment, it has recently become commercially available in the UK and is being offered to local authorities by iESE through a partnership with its European distributors, Assurity Systems Ltd.

AppGuard offers the required step-change in endpoint and server defence because it operates in an entirely different way to traditional solutions. The patented technology monitors everything and trusts nothing, meaning it offers full protection without the need to detect previously known exploits.

iESE has teamed up with Assurity Systems Ltd to bring this exciting, transformational technology to the UK’s local government environment. We have secured highly preferential rates (discounts exceeding 50 per cent) meaning you can benefit from this technology for around £45 per annum per endpoint for a fully-managed solution, including licence fees. A server version is also available and if you need extra monitoring and support, we have also secured preferential rates on Security Operation Centre (SOC) services.

Bringing AppGuard to schools

Another organisation set to trial AppGuard is Gloverspice School, an independent special school situated on a care farm in the Midlands. Headteacher, Lynne Duffy, has become concerned about the risk of cybercrime and the potential impact on students following an attack on a nearby local authority maintained secondary school.

Although her school isn’t large, the headteacher realises cyber-attacks are indiscriminate, highlighting that the school would not be able to afford to pay a ransom. Although the organisation has existing protection, she believes schools are vulnerable due to lack of expertise, time and budgets. “Taking part in a trial is a really good opportunity. I think cybercrime is quite frightening and that local authorities need to do more training with headteachers on cyber security. A lot of the information available is not specific for schools,” she said.

She would like local authorities which subscribe to AppGuard to offer their preferential rates to schools too, including special schools such as her own. “Hopefully local authorities signing up to AppGuard will allow schools in their area to buy into it as well, including those they use for specialist placements. My students’ fees are paid by the local authority so they should be supporting schools like ours as well as those which are local authority maintained,” she added.

Find out more: www.iese.org.uk/appguard

CCOE provides access to NCSC-accredited training

The Cyber Centre of Excellence (CCOE) has teamed up with UK Government-certified cyber security and awareness training provider OSP Cyber Academy to provide access to a wide range of cyber security and data protection training programmes.

Through the CCOE, local authorities and other public sector bodies can access OSP Cyber Academy’s Cyber/Information Security and Data Protection training, which is National Cyber Security Centre (NCSC) certified. Training days, such as the Cyber Risk & Resilience Board & Executive Awareness Course, will be offered in person for executives, while an online system will also be available to allow an organisation’s wider employee population to access various online courses. These will include OSP’s GDPR Staff Awareness Course, Cyber Security Staff Awareness Course, Phishing and Social Engineering Course, Mobile Device Security Course and the newly developed Supply Chain Cyber Awareness Course.

These courses will help reduce risk, improve cyber resilience and demonstrate compliance with legal requirements. Thomas McCarthy, Managing Director at OSP Cyber Academy, said training and awareness must start at the top of the organisation but that it was also vital this filtered down to the wider employee population for maximum benefit.

One reason is that cyber risk is greatly increased by employee error, such as unwittingly clicking on an unsecure link. Irene Coyle, Chief Operating Officer at OSP Cyber Academy who is one of the company’s training leaders, said education and awareness were important and that this must be continuous due to the rapid and ever-changing nature of cyber threat. “Public authorities are a real target. Cyber attackers are looking to be disruptive and to cause chaos. Having strong policies and training in place can greatly reduce risk exposure.”

However, she said it was vital cyber security and data protection were not viewed as ‘box-ticking’ exercises. Even where senior management can demonstrate compliance, such as by having a data protection policy in place, Coyle highlights that this is not enough – staff have to be aware of such policies and why they are important too. “When you can show the relevant policies are in place, that is great and it has ticked the box, but is that policy known by the users of company devices, do they follow it and how do you know that they follow it?” she asks. “The key thing is education and awareness and that must be continuous. You can have any certification you want but that doesn’t mean you are reducing the vulnerabilities your people may create.”

McCarthy said OSP Cyber Academy was providing training at the highest standard: “We are an NCSC-certified training provider, which is not something any organisation can say. We are the leaders in what we do in cyber protection training and data protection training. We also know the other organisations involved in the CCOE are all equally credible which is what makes it so exciting to be a part of.”

To find out more about OSP Cyber Academy visit: www.ospcyberacademy.com

To book cyber training at discounted rates for local public services, please go to: www.ccoe.org.uk

Local authorities are being urged to consider operational technology (OT) as part of their cyber security risk landscape, attacks on which could potentially result in serious health and safety incidents.

Increase diversity to fight cyber crime

Local authorities are being encouraged to look at the diversity of their workforce to help tackle cyber-crime against their organisations.

While there is a moral case for diversity and equality in the workplace, a more diverse and inclusive workforce can also help strengthen your cyber security defences, experts believe.

Sandip Patel KC is a Barrister who is part of the CCOE Advisory Forum. He hopes the CCOE can help local authorities diversify their teams with cyber responsibilities to help give broader insight into cyber-crime in their organisations: “When you go along to cyber conferences the attendees and speakers are 98 per cent male and white and the industry is heavily dominated by ex-military and ex-MI5 personnel and law enforcement. There are 7000,000 vacancies in the United States alone in cybersecurity – they can’t all be filled with men with a certain background,” he said.

Patel is optimistic things are starting to change, noting greater evidence of women in key roles. He also believes neurodiversity within cyber teams is important when thinking about the adversary you are facing. “In my experience of prosecuting, those conducting cyber-crime tended to be young men, but they don’t fall into the classical category of a criminal. These are often sophisticated individuals who are often brighter than you – often on a genius level,” he noted.

Irene Coyle, Chief Operating Officer at OSP Cyber Academy, is also on the CCOE Advisory Forum. When working in police recruitment she launched the Positive Action for Women programme which aimed to uncover barriers for women. The programme was successful in increasing numbers of female employees, later becoming a programme for all minority groups. Coyle now advocates for diversity in cyber through giving talks and actively challenging companies to tackle the issue.

Coyle believes increasing the talent pool of young people through apprenticeship schemes and work placements is something local authorities should consider. “This might sound ageist, but young people can be more attuned to the cyber landscape. Having a much more diverse workforce in cyber security will allow you to learn from them and try to build your defences better. You don’t know who is behind the mask because cyber-crime is a faceless crime but having a more diverse workforce will help meet the challenges you face.”

A recent report by the National Cyber Security Centre (NCSC) and KPMG, Decrypting Diversity: Diversity and Inclusion in Cyber Security, painted a mixed picture of the cyber security industry. An area where the report calls for further diversity is age, with only one in twenty respondents categorising themselves as between 18 and 24 years old. Jonathan Gill, a Partner at KPMG, said the UK needs a thriving cyber security sector to remain safe and prosperous. “Diversity and inclusion are fundamental to this because we need to attract and retain the best talent and foster diversity of thought,” he said.


Security Service Edge (SSE)

Endpoint Detection and Response (EDR)

Zero Trust Network Access (ZTNA)

Malware and Ransomware Protection

Secure Web Gateway (SWG)

Cloud Backup (AWS, Azure, M365)

Cloud Security Posture Management (CSPM)

WORK FROM ANYWHERE. SECURELY. www.everycloud.co.uk

Email Security

HUMAN-CENTRED SECURITY

Welcome to the first article in a series on human-centred security; an approach to cybersecurity that focuses on understanding and addressing the human factors that contribute to security risks. Historically, organisations have relied solely on the effectiveness of technical security controls, instead of trying to also understand why people are susceptible to mistakes and manipulation.

As technology continues to advance, and the number of cyber threats continues to grow, a new approach is clearly required; one that helps organisations to understand and manage psychological vulnerabilities and adopts technology and controls that are designed with human behaviour in mind. In this series, we will explore such a concept and discuss in detail the benefits of adopting this approach.

The conventional method of security focuses on technology and infrastructure, and has been successful in combating certain threats, like viruses and malware. However, its limitations are becoming more evident. Increasingly, security measures are being bypassed by sophisticated cybercriminals that seek to not only exploit vulnerabilities in systems, but also vulnerabilities in human psychology. Human-centred security tackles these limitations by emphasising human factors that cause security risks. By understanding user behaviour and decisions regarding security risks organisations can create solutions that align with user needs and behaviours, reducing potential risks.

Human-centred security also emphasises designing security into solutions, making them ‘secure by design’. This concept emphasises the integration of security measures into the development and design of products, systems, and services, from the earliest stages of planning through to deployment and ongoing maintenance. The goal of security by design is to prevent security risks and vulnerabilities from being introduced in the first place, rather than trying to fix them after the fact. This approach is important because it can help ensure that security is built into the product from the ground up, reducing the likelihood of security breaches and increasing the overall security of the system. Additionally, security by design can help organisations comply with regulations and standards and reduce the cost and effort of fixing security issues down the line.

A human-centred security approach also requires solutions to be both intuitive and user-friendly to ensure correct and secure usage. User feedback should be considered in the design process, tailoring solutions to meet user needs and preferences. In addition, organisations should equip users with the knowledge and training necessary to make informed security decisions. This involves educating users on potential risks and best practices to embed a “security culture” in the organisation. In this context, a security culture refers to the attitudes, beliefs, and user behaviours that impact an organisation’s security approach. A strong security culture promotes a secure environment and reduces the risk of breaches but requires a commitment from all levels of an organisation, from top management to front-line employees. Additionally, organisations should establish clear policies and procedures for handling security incidents and hold employees accountable for their actions. Furthermore, it’s important to communicate and make security a part of the daily work routine. Regular security training, testing, and drills can help to identify and address potential vulnerabilities, and it can help employees to become more familiar with security best practices. Finally, organisations should establish a reporting mechanism to allow employees to report security incidents and address any concerns they may have.

Human-centred security offers many benefits, including improved security outcomes and user satisfaction. When security solutions align with user behaviour and needs, users are more likely to use them correctly. Additionally, user-friendly, and understandable security solutions will increase user satisfaction.

In future articles in this series, we will delve deeper into human-centred security, examining some of the concepts discussed above. We will also explore the challenges that organisations may face when adopting a human-centred approach to security, and the strategies they can use to overcome them. Ultimately, the goal of this series is to provide organisations with the knowledge and tools they need to adopt a human-centred approach to security and better protect individuals and businesses in today’s digital landscape.

Chris McDermott, Lecturer, Human-Centred Security Research, Robert Gordon University

Dr McDermott is an author, educator and researcher in the field of human-centred security. His research focuses on the role of human behaviour in cybersecurity, with a particular emphasis on understanding psychological vulnerabilities leveraged by attackers to influence and exploit humans, and how psychological-related errors can lead to security incidents.

He has published widely on the subject, and is a regular speaker at conferences and other industry events. His teaching focuses on social and human factors in security, security by design, and network security. In addition to his research and teaching, Dr McDermott is a passionate advocate for digital well-being and privacy, regularly writing and giving talks about strategies for leading healthy, safe, and authentic digital lives.

Image by rawpixel.com
Human-Centred Security 55

OPERATIONAL TECHNOLOGY (OT)

CYBER SECURITY STAFF AWARENESS COURSE

Digitisation relies on secure communications to ensure a protected exchange of data between Operational Technology (OT) and Information Technology (IT).

The aim of this course is to provide you with an introduction to Operational Technology (OT) Security and to reduce the likelihood of a cyber attack through reprogramming or training the wetware (us).

The average user struggles to understand the difference between OT and IT and their importance. OSP Cyber Academy has worked hard to seek the advice of the very best proven practitioners and partners at Cyberprism to provide some first-hand experience of baseline cyber awareness.

I recommend this course to all who want to protect themselves and others, in a practical and realistic way.

CONTACT US - EMAIL: TRAINING@OSPCYBERACADEMY.COM

ATTENDING ADIPEC 2023?

JOIN OGV ENERGY’S EVENTS TO KICKSTART YOUR NETWORKING AND MEET TOP ENERGY INDUSTRY PROFESSIONALS

FIND OUT MORE AT WWW.OGV.ENERGY/EVENTS

SCOTSOFT2023

28.09.2023 Edinburgh create. innovate. collaborate.

For more than 30 years, leadership and technology have combined at ScotSoft.

Over 1000 guests join us from around the world, not just to learn during the day, but celebrate the incredible young talent emerging from Scotland’s universities.

The day is jam packed with more than 40 speakers across our Developer Conference and Leadership Forum, and topped off with our Young Software Engineer of the Year Awards dinner in the evening.

join us

We’re packed full of visionaries, technologists, business leaders and managers working in digital companies and end user businesses.

Join us and get inspired by our great line up of speakers at the longest running tech focussed conference in Scotland.

scotsoft.scot

CYBER SECURITY CONSULTANCY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS

UNDERSTANDING AND MITIGATING YOUR OPERATIONAL TECHNOLOGY SECURITY RISKS

ASSESSMENT | COMPLIANCE | SUSTAINMENT

IACS Consulting LTD, Balmoral Business Park Building 1, Aberdeen AB12 3JG

info@iacsconsulting.com | 01224 460212 | www.iacsconsulting.com

Are your cyber defences FIT FOR PURPOSE? Sooner or later, you will let malware in. They only need to get it right ONCE.

Cyber Centre of Excellence for Local Public Services

From education & training, to detection, protection & response, we are the one-stop-shop for your cyber essentials.

www.iese.org.uk/cyber-centre-of-excellence | enquiries@iese.org.uk

An entirely new layer of cyber protection. Created by the sector, for the sector. Military grade defence, at high street prices. A unique combination of skills and solutions. Expert services that you can trust. Protecting your local community.

elearning.ccoe.org.uk/elearning - enquiries@ccoe.org.uk
