By Miss Kiran Bhagotra, CEO & Founder, ProtectBox – www.protectbox.com
I was fortunate enough to be asked to moderate a panel discussion on the above topic at this year’s World Cyber Security Congress in London – a gathering of the brightest minds and cutting edge discussions centered around the governance, security and safety of today’s digital world.
We all concluded (as resonated throughout the Congress), that we haven’t learned real lessons from past experiences in tackling cyber security for small businesses and the population at large. Yet cyber security is a key focus of most countries’ National Security Strategies.
Small and medium businesses (over 99% of the UK business community and contributing to 50% of the UK economy) have the potential to drive economic growth through e-commerce but cybercrime is eating away at this potential.
IS THIS NEW?
During the cold war in 1982, the CIA found a way to disrupt the operation of a Siberian gas pipeline of Russia without using traditional explosive devices such as missiles or bombs. Instead, they caused the Siberian gas pipeline to explode using a portion of a code in the computer system that controlled its operation in what they tagged as ‘logic bomb’. The chaos that ensued was so monumental that the resulting fire was seen from space.
In 1988, the Morris worm – one of the first recognised worms to affect the world’s nascent cyber infrastructure – spread around computers largely in the US. The worm used weaknesses in the UNIX system Noun 1 and replicated itself regularly. It slowed down computers to the point of being unusable.
And in May 1998, the Federation of Small Businesses (FSB) first briefed the UK Government on the upcoming perils of cyber-attacks on small businesses summarizing: “For some years, the average UK small business has been an unlikely target for a sophisticated digital attack. Fewer financial resources and a relatively unknown brand have worked in favour to ward off hackers in the past. Not anymore for small businesses.”
What we learn from history is that although continual security has been practised since the 1990s, the choice taken in those early days was usage over security. Users focused on learning how the Internet worked, rather than whether it should be protected. And little effort was put into defence collaboration, training and lessons learned.
Now in 2017 we may be in crisis. In 2016, the FSB cyber report suggested smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion. The UK government Department for Culture, Media and Sport’s Cyber Breaches Report said that smaller firms could do more to train their staff.
We need to accept that we haven’t learned from our mistakes. We need to move from a culture which promotes large corporate technology approaches to capturing the experience of and tailoring the solution for the whole community.
To quote Sir Winston Churchill: “Sure I am this day we are masters of our fate, that the task which has been set before us is not above our strength, that its pangs and toils are not beyond our endurance. As long as we have faith in our own cause and an unconquerable will to win, victory will not be denied us.”
WHAT IS CONTINUAL SECURITY?
The ‘dark web’ and the ‘deep web’ have long been a petri dish for cyber criminals. Steeped in mystery, the dark web is the part of the internet that cannot be indexed by search engines such as Google. The ‘deep web’ is a subset of the dark web and is the pages that can only be accessed by the Tor browser (or the ‘onion router’). As such, it is hard to know how many networks may be down there on the deep and dark webs. But what we do know is that the searchable internet (all 4.5 billion pages of it) may only be the tip of a much larger, more ominous iceberg.
The dark and deep webs pose threats to our society which we should have predicted. Many experts now feel that since we can never ‘get ahead of the threat’ we need to react faster to what’s happening, which requires shortening the window of exposure with extensive security monitoring. Hats off to PCI Council for requiring monitoring as a key aspect of their mandates. The US government pushed it a step further by including ‘continuous’ in its definition. The UK Government has added ‘Feedback’ to the Lexicon and in Scotland, the term ‘Survivability’ is being used to home in on what the civil population should do to protect themselves.
Many solutions claim to offer ‘continuous monitoring’, but all too many simply scan or otherwise assess devices every couple of days – if that often. This would seem to be acceptable, given some of the official definitions… Or would it? Implicit within the term is the fact that the monitoring should be uninterrupted; or always active. The constructionist definition of continuous security monitoring (CSM) should be that all devices in question are monitored at all times – there is no window during which attackers (or internal operations personnel) can make changes adversely impacting security posture without it being immediately detected.
However, reality doesn’t allow us to be either constructionist or religious – a realistic and pragmatic approach means accepting that not every organisation can or should monitor all devices at all times.
HOW TO BUILD A PRAGMATIC CAPABILITY FOR SMALL AND MEDIUM BUSINESSES
To quote an international government expert from the Congress, cyber security is about risk management which is emotive and personalised. The new National Cyber Security Centre (NCSC) considers practised, all-embracing risk management should be a starting point for all stakeholders. The NCSC strategy also promotes using technology to automate defences against unsophisticated but high-volume cyber-attacks. The NCSC describes this as ‘active cyber-defence’, distinguishing it from the US use of the term, which relates to pursuing hackers into their networks.
The NCSC will also take over incident response ranging from covert detection to a stronger, more visible role in providing public advice and reassurance in a crisis. And a cross cutting element is to focus on information sharing, assurance and verified feedback. To this end, I think the NCSC’s infographic in which they summarise the UK cyber strategy (see Figure 1 below) is a fantastic way of showing that despite the problem’s complexity it can be broken down into manageable chunks.
So how do small businesses benefit from this? I think lessons learnt from a SIMLAB simulation1 (that I participated in Israel) help frame the answer to this question well. One of the lessons was a (Star Wars) ‘jedi knights’ analogy.
The ‘jedis’ would be multi-skilled first responders to provide the basic level of cyber defence capability, then releasing specialists to deal with post-catastrophe situations and long-term solutions.
The ‘jedis’ would seek full visibility and collaboration between the technical and non-technical parts of the business and look for the weak links. To repeat the analogy below used at the Congress, as shown in Figure 2 each person is partially right, based on their view of the ‘problem’ but ultimately they are all are wrong.
The ‘jedis’ would have access to transnational cyber threat and intelligence databases including (for example):
- Federation of Small Businesses (FSB) providing business advice, finance & support: www.fsb.org.uk/standing-up-for-you/policy-issues/business-crime/ cyber-security
- National Cyber Security Centre (part of the UK government’s Government Communications Headquarters (GCHQ)) providing advice and consultancy to government and business: www.ncsc.gov.uk, www.cyberaware.gov.uk & www.cyberaware.gov.uk/cyberessentials/
- Action Fraud for reporting cybercrime: http://www.actionfraud.police.uk/
- Cyber Security Information Sharing Partnership (CiSP) for sharing info on attacks: https://www.ncsc.gov.uk/cisp
- Europol for sharing info & reporting attacks: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
- ProtectBox comparison website for cyber & data protection www.protectbox.com
But their main task would be to take a ‘holistic’ (or layered defence) approach to their business’ cyber security. ProtectBox automates such an approach by enabling small- and medium businesses to profile their hardware, software, people and processes. It takes them through a quick and easy questionnaire that then selects the right cyber solutions at the right price for them. Recommending not only how to fill the gaps but also how to satisfy standards. Businesses can then filter recommendations for their preferred suppliers or solution types. Businesses are finally transferred to the suppliers to buy solutions from them. So referring back to Figure 1 of the NCSC’s overview of the UK cyber strategy, ProtectBox is supporting the work being done in the ‘We Reduce’ strand in the top right corner, part of the ‘clunk click’ solution.
Unfamiliarity, weak links and regulation are some of the most common and significant causes of cyber-attack. All of these are perpetuated by the cyber skills’ gap. It is not just about training people but also empowering them.
CYBER SKILLS GAP
A report from Cisco put the global cybersecurity job openings figure at one million last year. Demand is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million. From my previous roles internationally for the Cabinet Office, FCO and National Archives in cybercrime, resilience, CNI, digital and data, there are a number of best practices that can be drawn upon to reduce this gap. These include the many free or partially-funded courses (including Massive Open Online Courses/ MOOCs) to help up-skill or re-skill. These can help candidates who may not have a college or university education still get employed in cyber security. In addition to pay, cyber offers many other factors that can be considered key parts of overall ‘happiness’ and job satisfaction. Better promotion of these, as well as through the media (such as TV shows like Asia’s CSI Cyber) would entice more into the area.
WOMEN & OTHER UNDER-REPRESENTED GROUPS IN CYBER
Many women (young and old) are still put off by the traditional stereotype of cyber. This is despite there being many role models for women and lots of policy, customer service and networking skills’ based roles. The NCSC’s Cyber First competition is a great way to reach out early. The US promotes cyber early through the broader prism of science, technology, engineering and mathematics (STEM), sometimes adding arts and physics into that mix. A wonderful example of this is The Limitless Academy in South Los Angeles whose Showcase I was kindly invited to.
Although women are making great strides in the workforce, women are still majorly under-represented in leadership positions. At the Women in STEM conference (WiSTEM) last year, encouraging senior men (as well as senior women) to champion (or ‘pay forward’ or mentor) young women for leadership roles resonated with many of the women in the room.
More than ever before, women are embracing the path of the entrepreneur in their hunt for flexible working to better juggle their lives. In 2016, there were approximately 11.3 million women-owned businesses in the US – a number that has increased a whopping 45-percent in just 10 years. At WiSTEM, I was inspired to see so many from across the Middle East, Asia and the US whose first job had been setting up their own high-tech start-up whilst juggling family and studies.
But it’s a path strewn with obstacles, notably when it comes to funding. Banks and venture capitalists have been shown to shortchange female-led startups. As evidenced again most recently in the report ‘Untapped Unicorns’ produced by the Female Founders Forum (FFF) and (sad to say) reinforced by my own experiences. The fundraising ‘circus’ of incubators, accelerators, angel investors and venture capitalists (VCs) is technology, gender and age biased. I say this having worked in investments previously. To quote the FFF report, young male technical founders are seen as more bankable (despite evidence being to the contrary) which has fueled a bloated cyber security solutions market.
I agree with the recommendations from the FFF report (audiences they’re suggested to are shown in brackets) to overcome the above biases (to accelerators), hire successful female founders (to VCs), cover more women-led businesses especially in male-dominated industries (to media) and track/promote data of higher returns from women-led start-ups (to government).
I would also suggest increasing investment focus towards services that facilitate co-operation, a trend I hear repeatedly as the way forward for the cyber industry to reduce/manage risk. As well as giving emotional intelligence, sales skills and the confidence borne of ‘failing’ the prominence it’s due in the current funding ‘sausage factory’. I’m intrigued as to whether a Steve Jobs, Richard Branson, Anita Roddick and Karen Brady would be selected for these today.
Best practices in police/military/security re-training, late returners, diversity including neuro-diversity (challenging pervasive social norms and stigmas, frame autism, ADHD/ADD, dyslexia, bipolarity and other neurotypes as a natural human variation rather than a pathology or disorder), graduates, technology as a customer service skill for non-techies and empowering entrepreneurship are also being considered by ProtectBox as part of its recruitment.
REGULATION – GDPR
The impact of the new General Data Protection Regulations (GDPR) is the most immediate and significant for small medium businesses. In much the same way, the new ‘Health & Safety’ regulatory introductions impacted small medium businesses, so will GDPR. GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Like its forerunner, the Data Protection Act (DPA), the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed, e.g. information such as an online identifier – e.g. an IP address – can be personal data. The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible. This is wider than the DPA’s definition and could include chronologically ordered manual records containing personal data. Other differences include:
- Shorter time-frames for subject access requests (SARs) and breach reporting biggest changes
- Controllers must comply with a SAR within one month of receipt
- A fee is no longer chargeable by SMB to answer SAR request
- Response needs to be in same format as request (reply electronically if requested electronically)
- Data Protection Officer (DPO) appointment
- Data processors include Archivers
HELP US HELP YOU
So we need to accept we haven’t learned from past mistakes. We need to harness the knowledge and experience of small- and medium businesses. We need to accept that cyber protection can only be effective if it is personalised for the recipient. ProtectBox want to be the ‘go-to’ platform for small- and medium businesses to source their cyber protection packages and for suppliers to market their products. Collaboration is the way forward, sign up and help us do that! ■
- Organised by McCain Institute and SIMLAB (Simulations Laboratory & Strategic War-Games), The Yuval Ne’eman Workshop for Science, Technology and Security, Tel Aviv University in association with the Technion – Israel Institute of Technology).
Introductions & Opening Scenario: *
Main Assembly/Discussion (minutes 9-15 & 22):
- https://m.youtube.com/watch?list=PLNiWLB_wsOg7mXb-7qS3bdEcJxAtWKYdz¶ms=OAFIAVgC &v=xlDrXV_lGLE&mode=NORMAL
Summary & Conclusions (minutes 5–9 & 36 – 38):
- https://m.youtube.com/watch?list=PLNiWLB_wsOg7mXb-7qS3bdEcJxAtWKYdz¶ms=OAFIAVgD &v=EHbJ5oCYTSw&mode=NORMAL
ABOUT THE AUTHOR
Kiran Bhagotra is a former freelance consultant within the UK government, investment, industry and not-for-profit/social enterprise sector in security, resilience, data and digital amongst others.