Meeting Notes 19/02/20

Yorkshire Cyber Security Cluster Meeting Notes
Location: Sheffield Hallam University
Date: 19th February 2020
 

Introduction

  • The Yorkshire Cyber Security Cluster is a collaborative group of experts within the cyber security industry that are committed to reducing cyber crime in the Yorkshire region
  • The cluster brings together SMEs, Governing bodies, Universities, Yorkshire Police and regional CISOs and those with a vested interest in cyber
  • Collaboration, sharing of best practices and offer expert advice and guidance to one another and the local community

Visions of the Cluster:

  • Make the best use of Yorkshire talent & skills
  • Provide members with reputational and financial benefits
  • Make Yorkshire more cyber resilient and reduce the impact of cybercrime within the region
  • Share knowledge, best practices and learn from one another

The aims of the Cluster are two-fold:

  • To support the members of the cluster by communicating National and International initiatives and trade opportunities, providing a networking platform to share ideas and best practice, encouraging collaboration and identifying partnership opportunities so that small cyber security specialist businesses in Yorkshire can find new ways to grow.
  • To support the British Government’s commitment to Cyber Security (and UK Government’s Cyber Security Strategy) by building cyber security knowledge, skills and capabilities in the Region, to make businesses more resilient to cyber attacks and make the Yorkshire region one of the most secure places in the world to do business.

 

Questionnaire – Tom Hubbard 

The Effects of Phishing and Cyber Security Training on Business Enterprises. 
Tom, from Sheffield Hallam University and a former placement student at Bob’s Business, is currently in his 3rd year preparing for his dissertation.
His questionnaire is completely anonymous but will gather a small amount of data about you and your business, to gauge where you and your organisation stand from a cyber security point of view, and your opinion on certain training methods.
Please spare 5 minutes to fill out his questionnaire!
 

News Segment

Microsoft killed Windows 7 Support

  • Microsoft no longer supports the 11-year-old operating system. For users, that means Microsoft will stop providing updates and security patches for Windows 7.
  • The changes will affect hundreds of millions of people because more than one-third of PCs use Windows 7.
  • The company is encouraging people to upgrade to Windows 10 or buy a new device running Windows 10 if their computer is more than three years old. 

 
Facebook’s Social Media Hacked

  • Facebook’s social media accounts were temporarily taken over by a group of hackers on 8th Feb 2020.
  • The hacking group OurMine posted on the Twitter and Instagram accounts for Facebook and Messenger, writing “Even Facebook is hackable”.
  • Twitter confirmed that the hacking occurred via a third-party and that accounts were locked once it was alerted to the issue.
  • Facebook’s own website was not hacked.

 
Critical WordPress Plugin Bug Afflicts 700K Sites

  • WordPress has issued fixes for a critical flaw.
  • The plugin, GDPR Cookie Consent, helps businesses display cookie banners to show that they are compliant with EU’s privacy regulation. It has 700,000 active installations – making it a ripe target for attackers. 
  • If exploited, the vulnerability could enable attackers to modify the content or inject malicious JavaScript code into victim websites.
  • After the developer was notified of the critical flaw, the plugin was removed “pending a full review” according to the plugin’s directory page. The new version, 1.8.3, was released on Feb. 10.

Joseph Sukhbir – Cyber Reference Architecture

  • “Security is often seen as the biggest obstacle in business and is often the last thing to be considered”
  • Security teams should think beyond being technology focused. The problem is they tend to focus on technical and operational aspects of the business, relying on standards and cyber approaches. 
  • Most organization are struggling to keep up with:

 

  • Security budgets are increasing, but the security posture gap is getting wider
  • Lack of integration, no understanding of the cyber security risk posture throughout the business making it difficult to reduce the business risk
  • Lack of prioritization, Security investment is allocated to implement the latest security trend/tech, without addressing first the security foundations
  • Bottom-up technical siloes results in a lack of alignment between security solutions deployed and business objectives
  • Lack of optimization – Overlap of security controls, not taking advantage of virtualization or new functionality in existing security tools 
  • Reinventing the wheel – increases time, cost and risk

 

  • Know your Business Risks. A risk means an increase likelihood of a threat (agent) exploiting a vulnerability and cause an impact (loss/brand). Treat your business risks and monitor & communicate on your Risk Posture.
  • Business Growth has a dark side. New products/services, new markets, new partners, mergers acquisitions, digitalisation etc. can lead to business risks, such as IT security risks, third party risks, operational risks and regulatory risks.
  • There is a need for a holistic tactical and strategic approach, which can be shown below using a Cyber Security Reference Architecture (CRA)

 

Neil Frost – ‘Changing Security Practices at Scale in HMG’

 

  • Measure where you are and where you want to go to create a plan.
  • Identify topics with greatest impact and focuses on key topics.
  • Go beyond single use or annual training by including continual reinforcement.
  • Content is engaging and positive that encourages a behaviour change at work and at home.
  • As a result staff understand and follow organisational policies, and actively recognise, prevent and report incidents.

 

  • Leadership/Management Support
  • Regularly update leaders on progress, including metrics collected and highlight success stories.
  • Leverage senior leaders or a rep, on a stakeholders working group. Don’t expect them to be active but their presence provides support.
  • If you have an incident, public mishap, known near-miss that was human-related, use it to help drive the justification. These events draw leadership’s attention.
  • Secure leaders to communicate the value of your program, the impact of this is massive.

 

  • Promoting Awareness & Behaviour Change
  • Identify stakeholders, build a plan using risk surveys, awareness assessments, incident or industry reports and cost benefit analysis.
  • Create baselines to track progress and measure impact.
  • Project plan, set expectations, identify staff resource, costs, programme scope, goals, milestones and assumptions.
  • Establish business stakeholders/advisors across departments and involve them with planning & execution.
  • Work with the business to ensure delivery has maximum impact with minimal effect on operations.

 

  • Creating an engaging and memorable program
  • Material must be non-technical; use terms the audience know.
  • Security is too often about “NO”. Keep the message positive and focus on security enabling staff (address blockers to the campaigns).
  • Primary training, such as new content or annual training must be supplemented by reinforcement training.
  • Reinforcement training, such as newsletters, posters, blogs, is key to changing behaviours and addresses different learning styles.
  • Build a relationship with Comms partners to help your messaging land

 

  • How you present information matters
  • Tangible
  • Personalised content
  • Interaction

 

  • Myths:
  • Education & awareness is enough to change behaviours – Information is not enough
  • You need to change attitudes to change behaviour – Attitudes follow behaviour – Set behavioral expectations, connect to people’s values, what do people really care about? Frugality (costs and resources) *just don’t waste, time, money, resources, energy
  • People know what motivates them to take action

 

Next YCSC Dates

  • 18th March,  2pm – 4pm Huddersfield Rugby Union Club. Sign-up here
  • 15th April, 2pm – 4pm TBC