In May, the UK Cyber Security community gathered at the National Cyber Security Centre’s (NCSC) CyberUK event. In the second plenary session, attendees heard a range of views from people and organisations who rely on digital connectivity for their life and work. They discussed the things that worry them the most and explored the most effective ways to tackle them.
Nelson Ody, Product Manager for Cyber Security at RM, was on the panel too. Other panellists included representatives from the National Crime Agency, Scottish Business Resilience Centre and Impact Innovation. After the event, I caught up with him to talk about some of the highlights.
The session’s theme was a “whole society approach” to cyber security. Did the panel discussion reveal any areas where the threats faced by schools are similar to those faced by other organisations and where they’re different?
Definitely! It’s obvious that schools and small businesses face very similar challenges, namely lack of IT staff, lack of budget, lack of awareness and time limitations for their primary function.
In my view, the most significant difference between schools and businesses is the consequence of losing time. So if you lose a lesson with students, it’s nearly impossible to get it back. In a business you can retrieve lost time by working overtime if you need to, or even by moving other projects around. We can’t do that in education.
This is where guidance from an organisation that really understands education is so valuable. In schools, IT has traditionally been a tool to enable the main job of educating students. This means it is often set up with convenience for users in mind, rather than security. However, that can build in vulnerabilities.
Another way education establishments differ from businesses is that most IT users are the students and pupils, rather than staff. This brings specific challenges regarding cyber security in schools that a company specialising in education knows how to manage.
What more do you think could be done to help protect schools and other organisations from cyber threats?
Besides the specific actions individual organisations can take, there are some actions which apply across the board.
- Educating children about cyber threats and encouraging them to think about what they do online in school and at home. This also means that parents, teachers and others have to upskill, so it’s a win/win situation.
- Practise by simulation or games, as I said in the plenary session. We have fire drills to practise staying safe in a fire; we should do the same for security. There are techniques for individuals and organisations to practise spotting threats and responding to them. One of RM’s partners, Trend Micro, has a great tool called Phish Insight. We can help schools deploy it for their specific circumstances and empower their people to recognise threats.
- Sharing knowledge between organisations. One of the first talks I ever heard about cyber security explained that the threat actors are very good at sharing intelligence and knowledge. By contrast, the good guys don’t do the same. We must encourage the sharing of information.
Did the panel distinguish between risks faced at home and in a work environment?
My fellow panellists are, because of their roles, very business security focussed. They were somewhat surprised when I explained how I increased engagement and interest in my audiences by removing that distinction between work and home.
However, they absolutely saw the value in it. We need to encourage good practices and behaviours across the board. Techniques we use to protect our personal data in a home environment can apply just as well to our professional lives, and vice versa.
Our aim is to keep people safe, exactly as we do with fire safety, driving, or other aspects of our work lives. Those skills are equally important on a Saturday out with our family or friends as they are on a Wednesday in the office. And that applies whether your office is your kitchen table or a more traditional working arrangement.
One of the hidden benefits of the pandemic and lockdowns is that people are paying more attention to work-life balance and this type of “skill sharing” is an excellent way to demonstrate it.
All types of skills go both ways. Many employers don’t know about their employees’ hobbies or out-of-work activities and miss out on skills, experience and contacts that could be invaluable.
Is there a tendency to hide or avoid talking about falling victim to cyber attacks? If so, what impact does this have?
I’d say there are two parts to this. Firstly, there’s an ignorance/lack of understanding element where people either don’t know they’ve been attacked or don’t know they are supposed to report it.
People may not know they’ve been attacked as the attack has been mitigated. For example, their various protective measures may have seen the threat and dealt with it. On the surface, that looks like a good outcome. However, if it’s triggered repeatedly by the behaviour of the same user, then the opportunity to help that person is missed. When people don’t know they should report it, it can cause problems later with disclosure and the Information Commissioner’s Office and any subsequent investigations.
Secondly, it’s understandable that organisations do not want to publicise it if they’ve been victims of a cyber attack. However, as I said before, that plays into the hands of the threat actors because it misses the opportunity to share useful information that could help others.
You can watch the discussion in full on the NCSC CyberUK Online YouTube channel.