‘The first 24 hours are crucial’ in responding to a data breach, warn Cyber Security experts
The Chair of the Yorkshire Cyber Security Cluster advised businesses to be “suspicious by default” when considering potential cyber threats and that the first 24 hours after a data breach are crucial.
Melanie Oldham, who also founded Bob’s Business, has been working in this field for around 12 years and said the biggest problem in cyber security was human-related error – which she said accounted for around 90% of information security breaches.
She works with organisations to minimise risk and enable employees to be the “frontline defenders” against cyber attacks.
At TheBusinessDesk.com’s Cyber Security seminar, sponsored by CMS and Cloud Kickers, Oldham told delegates: “It’s about helping organisations deliver information security to their workforce in a way that’s simple, easy to understand and actually doesn’t make it too technical. It’s about technology, processes and people combined; but ultimately people are responsible for those problems.
“The biggest thing in responding to a breach is people; and those first 24 hours are crucial. It’s really important that your team, your staff, your employees have the strength and belief to report the breach. The reality is that because of a lack of understanding and lack of communication – the barriers that exist typically between IT, compliance and end users – that doesn’t typically happen as quickly as it should.”
More than 80 delegates attended the morning session, held at the Crowne Plaza in Leeds. Oldham advised businesses of all sizes to break down communication barriers and get people “to be suspicious by default.”
“People want to trust by default and it’s making people go against their human nature to be a little bit more suspicious. Communication is absolutely the key,” she explained.
Michael Lea-Smith, a fraud expert at CYBG, said there was a danger that people weren’t interested in fraud until they became a victim, and therefore they needed practical, straightforward ways to defend a business.
He said: “It’s all about putting barriers in place to make you the least attractive target. Unfortunately, people will be targeted by criminals and will be defrauded, but if you can put enough obstacles in the way, they will ‘go next door.’ While that’s a really harsh way to put it, I’d rather you defend yourselves than not.”
He said communication was essential too. After training individuals from a wide range of business sectors, he had been disheartened to learn that some had returned to their businesses and not passed on what they had learnt about cyber security to their colleagues. “Fraudsters are out there and will use different tactics – mainly cyber enabled ones,” Lea-Smith warned.
“If you don’t train your staff to look out for these things, then you are potentially at risk. You are more at risk than the guy next door.”
Ian Mann, whose listed firm ECSC is a cyber security specialist that handles a large number of incident responses, said: “In doing this for more than 20 years, I have never come across or heard of a breach that wasn’t preventable. One of the myths is that ‘they will always get in somehow’ and that is just nonsense.”
Amy De-Balsi, Head of Partnerships and Innovation at Bruntwood, who also runs her own small business, urged people to think about cyber security whatever the size of the business they worked in.
She said: “Don’t think you are too small. It can happen to you. I have had DDOS attacks on my business and I have had to make sure that my website is up-to-date, it’s got all the latest code, and that when something does happen I am getting the right advice.”
Oldham added that businesses should also apply due diligence to suppliers and contractors, to make sure that they have the right standards in place and that security isn’t compromised by a third party.
Amit Tyagi, Senior Associate at CMS, said: “It is great to be as prepared as you can be but from a legal standpoint, there is explicit recognition in the GDPR that the necessary security controls and measures that you have in place need to be appropriate.
“The ICO [Information Commissioner’s Office] is not expecting all small businesses to have the world’s greatest technology in place because it’s just not commercially viable for every business to spend all of their money to prevent an attack that might happen.
“When something goes wrong, they will recognise whether you have taken appropriate levels of steps for a business of your size. There has to be a balance here. There is a commercial reality of how much you can possibly spend on this and how much time you can, and what the ICO expect you to do. They will recognise that when they are evaluating when something goes wrong and when they are deciding whether to impose a fine on you or not.
“It’s about taking a holistic appraisal of your business and how secure you can be.”
Mann concluded that cyber security – away from incident management, which involved “putting out fires” – was actually “dull and boring” because it required the basics being done “really well and consistently”. Those basics, he added, include firewalls being configured correctly, systems being patched, and logs being checked continually to detect breaches.
‘Top tips’ on being cyber secure
Amit Tyagi, Senior Associate at CMS, said: “Something as simple as multi-factor authentication for logins can probably reduce about 80% of the type of cyber attacks that we see.
“Business email compromise is probably the number one attack facing businesses. That comes in very different forms and the best way to mitigate that – because I don’t think you can necessarily prevent it – is to have some kind of multi-factor authentication set up.”
Mann said his top tip was for people to stop changing their passwords so regularly because “it is a complete waste of your time and has no tangible effect on your security.”
Mann added that a lot of what people currently do for cyber security was “pretty useless” – focusing on the aspects “that are not really very important.” He added: “A lot of my job is to get people to focus on the important things that really affect their security.”
Oldham said standards could help businesses to prepare, including getting ISO27001 accreditation. She said her business undertook this when it started out because she wanted to ensure the business was seen as a secure provider to “bring credibility to the business.”
She said this had “massively helped,” as the business has grown from five to 30 employees. She said: “The ISO27001 gives values like making sure that you are validating supply chains, doing employee checks, making sure that you are restricting access. While it seems overkill to do this to start off with, it helps with controls.”
Oldham also recommended the G-Suite suite of controls because, as she put it, “information security was put in my hands”: she could switch off access for people as well as have full transparency of what was happening across the firm.
She added that it was also essential to make sure the firm wasn’t reliant upon one individual, to ensure business continuity.
Simon Kenworthy, founder and CTO of Cloud Kickers, said: “The hacker is being scientific. It’s very important that organisations are also being scientific. The hacker is also being robotic and automated. It’s important how we consider being scientific, automated and robotic in our defence. Identifying risks, exposure and the occurrence of such attacks.”
He said internal experts needed to be supported with the right budgets and tools to be both proactive and reactive.
Access to skills in a fast-moving sector
The panel agreed that, because of continual change in cyber security and technology generally, there was a need to invest in and have the right skills to keep ahead of those changes, whether internally or externally. They debated whether the future of businesses upholding security could be threatened by the skills shortage.
De-Balsi said: “Across Leeds and the whole of the UK, we don’t have enough tech skills at all. In Bruntwood, there are coding bootcamps. We have seen people starting to diversify into cyber security bootcamps now because they know there aren’t enough people out there to fulfil the needs of big businesses, particularly. From talking to the likes of BAE Systems, they say that 80 cyber security people were employed there last year alone – so it’s a big growth area for employment and a very lucrative part of the economy.”
Oldham added: “We are surrounded by some really great universities with switched-on youngsters who know innovation and technology inside and out. What we have done is promote relationships with the universities. We take on two cyber security graduates each year.”
She advised businesses to look to university graduates, who can implement and check processes well, to address cyber security elements.
Mann warned that sometimes it wasn’t about the number of cyber security personnel in a business. He added: “We often see when there has been a breach that there wasn’t a shortage of cyber security expertise but it was that the experts had their head in the clouds looking at the esoteric, unusual and irrelevant – rather than the basics.
“People don’t tend to get hacked because they haven’t done something really clever. They get hacked because they have made mistakes.”
A second Cyber Security seminar will take place this week, on Thursday in Manchester. Places at the event are free, and further details are available online.