Most of us have probably never thought about how cyber security can affect supply chains – Stuart has a great story to share on just how critical this can be…
We have a 3-step plan to assess your risk appetite around cyber security, understanding your value – and how criminals see that value too, along with the biggest threat that individuals and businesses face and how it can be rectified.
The buck doesn’t stop here, as we offer some legislative guidance on how you, as an individual or business, are responsible in the eyes of the law for any hacking activity which comes from your accounts and causes damage to others – the only criminal offence where you as the victim become liable for the consequences!
And a few more nuggets – so why not dive in!
We are here again at the Fairfield Enterprise Centre in Louth, and I would like to welcome Stuart Green from the Armour Group to the insight4business podcast show. Thank you for joining us, Stuart.
Thank you for having me.
Brilliant stuff, we’ll get straight in. So I’m not fishing for any personal information on this one, Stuart, and I hope you don’t mind sharing, but what was the first job you were ever paid for?
Well, the first job I was paid for, I was a paper lad, so I did walk the streets before school with my bag of papers in the North East. But the first sort of proper job I had, I worked in a mountain equipment store in South Shields called McRed’s Rambling.
McRed’s Rambling?
Yeah, and it was this tiny, tiny, tiny, tiny shop. It was like a Tardis when you went inside it: there’s room for two people in the shop, but it was just packed with kit and, you know, it was brilliant, loved it.
I know South Shields quite well, spent a lot of time up there visiting family. I was at Marsden Cliffs with my two boys in the summer.
Yeah, a fantastic place.
At insight for business we help businesses increase revenue by removing wasteful practices and leveraging value creation. To do this I have a tried and tested process and systematic approach. What is the approach you take when analyzing cyber security threats?
Well, you made your approach sound really difficult, and cyber security’s far, far, far, far easier than that. It’s dead easy: 1. Understand the threat, 2. Assess the risk, 3. Do the right thing. It doesn’t need to be any harder than that. If you understand the threat, you can accurately assess the risk; if you accurately assess the risk, doing the right thing is far, far easier. Simple as that.
That does sound quite straightforward. I expect there’s a little more to it when you dig into each of those.
You know, from a sort of high overview, you don’t have to think about what sort of firewall do I need or what sort of antivirus do I need. You’ve got to understand the threat. As soon as you understand that threat, you can put the measures in place. You might not need an all-singing, all-dancing firewall with blue LEDs that flash; you know, you could probably get away with an entry-level one. It depends on what your risk is, what your risk appetite is and what the threat is to your particular business.
Is that something that the Armour Group help companies?
Absolutely, absolutely, yes.
As I see it, it’s very new to me, it’s very new to the businesses. It’s a new technology almost, and the technology plays a part in the cyber threats, and because technology moves so quickly it can be difficult for business owners to have the right person there who can help.
It does, but I mean, you know, we’re the right people. The simplest, but you know, look at everything that we’ve done. I mean, you were in the training session that we were on this morning, where we went through the whole cyber threat environment without even talking about technology. You know, the Armour Group is a particular theme: we don’t put any flashy computers or anything like that on what we push out there. We’ve got, like, knights and dragons and castles, because all the principles are exactly the same. They’re around in medieval times. We understand about locking doors, shutting windows, building high walls, you know, having turrets with people who shoot arrows out of it. I mean, you can’t really do that these days, but you know, in the olden days that’s what they did, that was their defence. You know, we understand defence, you know, getting right back to castles. So, you know, we can look at things in a very, very simple way and make the cyber security thing far, far easier. It doesn’t have to be in the realm of the geek.
And that did really shine through. It did feel very natural on that workshop, taking us through, leading us through with the practical examples of how to start making actionable differences which I can take away from my business.
Yeah, I mean, that’s it. You know, from today you’ll go away and you might do one or two things, but instantly you’re going to become stronger as a result. And you know, you don’t have to do everything all in a while, but as long as it’s a positive part of your culture to get better and stronger and more resilient as you go, you’re going to get everything nailed.
I can start it now. It can become part of the governance structure and policies I have in place; it’s one of the missing links. So yeah, that’s been very useful to go on the workshop and start that from today. Thank you.
That’s right, you’re welcome. It’s good to have you aboard.
Which is the biggest threat that individuals and businesses face?
Phishing email.
And how can that be rectified?
Accept that it’s a problem. You know, just because people get phishing emails doesn’t mean you have to settle for getting phishing emails. You know, you can put defences in place that stop it. You can put defences in place that protect your stuff, so even if one does make it through the filters that you’ve put in place and the defence-in-depth strategy that you’ve put in place, if one makes it through you’ve got a protective layer in place for your staff. So if they click on that link, it goes to a portal and says, “Did you really want to click on this? Because this looks a little bit dodgy.” “Oh, actually, no I didn’t.” Well, that’s all right then. So, you know, having that measure in place that looks after the staff, protects the staff, you know, allows them to do things safely. Allowing people to do things safely is key, because as soon as you start blocking things and stopping people from doing it, the human mind wants to find a way around that. So let them do things safely. That’s by far the best strategy, rather than just blocking everything, because then you get people who want to work around. You’ve just got to keep helping them to do their job safely, securely, easily.
It sounds like education is clearly part of –
Massive factor, yeah. I mean, every business should get people on workshops. You know, just run some sort of training; you know, show them what bad guys can get up to. You know, predominantly it is criminals, but you do get different categories of threat, you know, like we went through this morning. So there’s lots of different ways that, you know, businesses can be attacked. But understand the threat: the more people that understand the threat means that you can assess the risks and do the right thing. It’s just that simple. The more you understand the threat, the better you are.
I learned that a company or person is liable for hacking activity which then leads to criminal activity causing monetary loss or damage.
Yeah, so cyber-crime, it’s the only crime in the UK where the victim’s liable for the consequences. Because if your email account, for argument’s sake, gets taken over, and then your email account is used to send out something malicious to thousands of people, which, you know, and then an email was generated from your account, the recipients would probably go, “I have an email from Matthew, I’ll open that.” So they’ll open it, and then that’s when they get infected. But because it’s come from your account, and if they suffer harm, damage, monetary loss as a result of it, it’s come from your accounts, you’re liable in the eyes of the law. You didn’t protect it.
And this was astounding, that the liability lies with me. And if there’s one single reason to look to try and secure my digital security, that’s a massive –
It’s huge. You know, this is why, you know, cyber-crime works so well, because very few people cottoning on to the fact that they’ve got to protect their stuff. You know, there are some business owners who frankly shouldn’t be in business, because they see the fact that being hacked is just some sort of rite of passage and that’s just what happens these days. No, it’s crime. Don’t accept it. You can’t accept it, you can’t let the criminals get away with it. You’ve got to get onto it and get it nailed. It’s, it was, you know, think of when we were growing up, I’m sort of putting you in the same age as me, you know, one of the big things was car stereos getting nicked.
Yeah, I remember that, yeah.
So, you know, how did we get around the fact that car stereos got nicked? Well, manufacturers cottoned on to it and sort of built them into the dash so that you couldn’t really take them from one car to another. So, you know, we’ve got to get on top of this whole crime thing to get rid of it, you know, push the crime somewhere else, away from our businesses.
What is the easiest way to compromise my business?
Yeah, so, you know, there’s a number of different ways we can do it. Now, we’ve got some of them on the desk here in front of us. So the easiest way, I think, is probably this one, because this is the one that we looked at this morning. So, you know, we’ve got here what looks like a standard charging lead. Yeah, you can charge your phone with that quite happily, but if you plug it into a computer, that becomes a keyboard which can type some keystrokes as though I was sitting at your computer. So if I wanted to get in touch with you, I could drop this down, maybe just leave it on your doorstep, so as you come out in the morning you think, “Dropped that last night.” You’ll pick it up, you’ll put it in your rucksack, you might go to the office, you might plug it in your computer. I’m a criminal, I’ve got all the time in the world to wait for you to do that. But once you do it, it just pops up, download something, because I’ve told it to. You just see something strange flicker on the screen, you think it’s just been an update, but that’s you being infected. So that then is the first stage of me getting into you, and that’s just because you’ve plugged in what looks like, it’s one thing that looks like another thing. Yeah, so, you know, that’s one way of doing it. Another way of taking your business out: this one stays in a silver box for a reason, because it looks like, well, you tell me. Don’t go, so, you have a look, you feel that, yes. Whatever you do, don’t plug it in your computer. Don’t, no, no, don’t!!
It’s a USB dongle?
It looks like that, yeah. But I mean, drop one of these out, and it’s one of these really bizarre things that you plug that into a computer and what you hear is CLICK, CLICK, CLICK, and then that’ll be it, the computer will be dead!
Lots of computers don’t have any sort of in-built power surge protection in the USB port, so you can plug this in and it just puts minus 50 volts straight under the motherboard and fries the motherboard, so that computer becomes useless. So that’s why it stays in this metal box, because it’s pretty destructive. It breaks computers, it’ll break anything with a USB port.
So it’s not a single use either?
No, no, this will just happily go around. You know, we’ve taken out air conditioning units with this. There’s videos of people on YouTube actually plugging it into a USB port in a car while they’re driving it, which is insane, because that, but they’re Americans, but there you go. So that, you know, is a particularly lethal, but that’s a piece of paper that’s lethal, that could have lethal consequences.
Yeah, as a weapon, a lethal consequence.
It’s a USB stick that’s been weaponized, and you can get them quite easily out on the internet. I’m not going to say what it is, but I’ll get them on the internet, yeah, that easy. Cost you about £12.50, it’s that easy.
You can make them yourself, there’s instructions out to make them as well. So another way: I noticed this morning there are a number of people who are quite keen to join the Wi-Fi, and I love this, because, you know, communications and radar and things like that were my bread and butter for a number of years. This one here, this is a cracking little thing which, you know, looks like an access point, and it is, it’s a wireless access point. This is a particular sort of access point which is called a rogue access point. So this will just sort of sit there and it will impersonate any Wi-Fi network that you’ve connected to. So you could quite happily come into Fairfield and you could be sitting in reception, and we could have one of these running, and it would just eventually attract your phone and any other Wi-Fi devices onto it. And then as soon as you’re on that, we can control pretty much where you go. So we can give you a page that looks like Google, isn’t Google, but says it’s Google. We can give you a strange login page, we can intercept some of your traffic, we can do lots of strange and weird and wonderful things, just because we control your experience right from the very start. So there’s three different ways here that we can disrupt you and your business without really trying very hard. So yeah, so we’ll attack you, that’s what we’re doing, that’s the way to do it, that’s the approach that the criminals take. You look for the soft, pink, sticky thing that, you know, is mostly water and has a little bit of a brain, and there we go, that’s what we’re going to compromise.
Me?
Yeah, yeah, yeah. It’s a cheery subject!
I have the pleasure, the learning experience, of these items before, and yeah, they’re scary to be honest.
But this is how easy it is.
I mean, if you look at the way the world is at the minute, where we’re in this post-COVID world, you know, new normal way of working, where all of a sudden it’s really sort of quite trendy to work from home, we’ve got a big, big, big problem, because people aren’t switching from home mode into the work mode. You know, we haven’t got this drive to work, we haven’t got this commute to the office, so we’re not switching fully back into work mode. You know, people think it’s great for the work-life balance, but actually from a business point of view it’s fraught with risk. You know, we’ve got people who normally, you know, might have done an hour and a half commute, so they were really getting psyched up and stressed and going into work, but when they were in work they were performing, or performing well, and they were in work mode. Now they’re just going from the kitchen to the study and they’re not actually making that transition. So on a lot of the phishing campaigns that we’ve run, you know, over the past 18 months, the amount of people who are clicking on things that come into their work email, which normally wouldn’t, never would, but because they’re at home they haven’t made that separation, they’re not actually thinking, “Why have I had an email from Holland and Barrett in my work email?” You know, they’re not asking that question. “Oh, I didn’t order that,” click, and that’s how easy it is to sort of compromise, because people aren’t thinking, they haven’t got that separation in place.
Now I’ve had chance to go on the workshop and understand more, start looking at these risks. As soon as you mention that switch from the office, the work office, to the home office, the home office environment, it makes perfect sense that there’s a lack of security, there’s a lack of planning that’s gone, that’s happened, there’s the eyes off the ball.
Cast your mind back to March last year when, you know, Boris got on telly and said you must work from home. You know, there’s a massive knee-jerk reaction across the UK, right? Every business opened up branch offices, and there was no planning that gone into the branch offices. Very few had a business continuity plan, very few had a disaster recovery plan. You know, just buy a laptop, go and work from home; you know, let’s move everything into the cloud, all of these things. There was digital transformation that happened on a grand scale, but there was no planning, there was no sort of risk assessment done around it, there was no sort of security concerns, nothing was done.
Slightly worrying, having been on the workshop for just this morning. Again, as soon as you say that, it makes it, well, why was the risk assessment not, though? Why didn’t it take place?
Well, we didn’t have time. You know, the lockdown was coming, no it’s not coming, yes it’s coming, no it’s not coming, no it’s not going, no it’s not locked down. You know, we were in that ridiculous year where nothing made sense and there was no sort of coherent plan.
The government didn’t see that the risk assessment needed to happen?
Well, did they or didn’t they, or was it just incompetent? I mean, you know, this will come out in an enquiry somewhere down the line when Boris isn’t prime minister anymore. But, you know, it’s this sort of problem that we’ve all been faced with. We’ve all adapted, we’ve improvised, we’ve overcome, but we’ve got to go back and retrospectively do that risk assessment and think, actually, is our workforce right working from home? Really we should get them back in the office, because if they caused the problem, how are they going to feel at the end of it? You know, if they cause the breach, yeah, we’re going to be liable, but they’re going to be liable because it’s their home network. You know, it puts lots of people in very strange positions that haven’t even been considered.
Yeah, and again, taking my learning, it starts with some training, some cyber awareness. It’s not rocket science.
No. Understand the threat, assess the risk, do the right thing. As simple as that, all the way through.
It is simple for us, yes, it’s straightforward, yeah.
Just one last question regarding the tech – the Wi-Fi signal again. I have some prior experience with this. I understand that the device, the cheat device or the spy device, can make itself more favourable to be connected to than where you’re expecting it to be.
Absolutely.
Is there a way that I can actively go away and control how my phone does or doesn’t access these points?
Yeah, switch Wi-Fi off as soon as you leave the house. That easy.
That usually switch, whatever they are, yeah, soon as I leave the house.
Yeah, I mean, you know, that’s the simplest way. You know, if you’re going to risk assess it, how can you remove that risk? Well, as soon as I, you know, as soon as I leave the house, if I get in the habit of switching Wi-Fi off as soon as I leave the house, bargain, I’m sorted. You know, there are still other threats they can get, you know, it’s not the end, but against this particular threat, you know, if you don’t connect to other people’s Wi-Fi because you’re using your data plan most of the time. Use your data plan most of the time, you don’t even need to worry about Wi-Fi.
But it’s convenient, you know, to have Wi-Fi on.
It’s convenient, but a lot of the time our device just wants to get connectivity and provide us with the notifications that it wants to deliver, did I want to download our email when we need it, you know, all of those sorts of things that it wants to do, it needs the connectivity for. So if the opportunity is there to join a Wi-Fi, “Oh, I can join this Wi-Fi,” it’s on it. It’s doing what it’s serving you with and that’s its job. So switch Wi-Fi, obviously, leave the house, easiest way to do it.
We do have some control still?
Yeah, yeah, of course you have. For every cyber-attack there is always some defence that you can put in place, but the best bet is put a number of defences in place. So, you know, if you’re working from a mobile device all the time, use a VPN, connect back to a VPN. That VPN might be your home security appliance. If you’re connecting back to your home security appliance and you’ve got a VPN connection whenever you’re away from the house, that’s bargain, because it means that even if you do join one of these rogue access points, your communication is going to be encrypted between your device and your home security appliance. So yeah, using a VPN can be helpful in that defence. But don’t use a freebie VPN to come from China, because that then is fraught with lots of other risks. So, you know, you’ve got to do that risk assessment, you know what it is you’re connecting to, all that sort of stuff. So yeah.
Oh, thanks for those pointers, thank you Stuart.
Welcome!
I’ve heard you talk about influence previously and how this can disrupt businesses’ security. Can you elaborate for our viewers and listeners on this topic, please?
Yeah, I mean, we’ve all been subject to influence, haven’t we? You know, cast your mind back over the last 18 months. You know, we complied religiously with the most ridiculous of requests from the government. You know, when you’re in a restaurant you must wear a mask when you stood, open up when you sit down. Okay, that makes sense. You know, our belief system and our value system have been completely altered over the past 18 months because of COVID. So look at how we’ve been influenced around fuel: as soon as a politician gets on television and says there is definitely no fuel problem, everyone straight to the garage, filling the car up and the cans that they’ve got and any sort of Tupperware that they’ve got, just in case they might run out of fuel for the lawnmower or the car. So, you know, we’re now in this position where we’ve been influenced on a very, very grand scale, and we’ve just got to look at how susceptible we were to what happened in the past 18 months, and then we’ve really got to get back to grips of being normal and having normal reasoning processes and think, actually, is what I’m hearing just legitimate?
It sounds like just taking that, there’s a book by, is it Daniel Kahneman, Thinking Fast and Slow?
Yeah.
It’s taking, stop thinking so fast, take a moment to think.
Absolutely, yeah, engage your brain, yeah, just take five minutes.
You know, it’s like, I suppose it’s not helpful in the modern society, the society which we find ourselves living in now, where everything is –
This is true, but this is what criminals capitalize on as well. So if you look at the CEO fraud: CEO fraud, where somebody in accounts gets an email that purports to be from the CEO, apparently is in a meeting, “I’m in this meeting just now, quickly, can you just transfer ten thousand pound of this account, really important deal I’m doing, can you just do that now?” Most people, what, if they get some sort of request like that, they will comply straight away, “Yes, I’ll do that.” But just sit on your hands five minutes. Just think about that: has it come from the right email address? Is that how my boss would speak to me? Is he actually in a meeting? You know, just asking three questions like that. And no boss is gonna complain if somebody rings up and says, “Do you really want me to transfer 10 grand to this account?” And if he goes, “Yeah, I do,” yeah, all right then. But if he says, “What on earth do you want about?” it’s probably a good thing that you did just take five minutes and just check.
I recall several such episodes in my corporate career, large manufacturing companies, where those exact things have been attempted and we’ve had the, you know, the global email sent out just to review. And once again, that seems to be not quite after the horse has bolted, but it’s, yeah, it’s not quite proactive, is it? Still not quite proactive that we’re doing it. It’s, “Oh, we’ve got a problem, right, okay.”
Yeah, it’s always reactive. You know, most organizations will do something after an event because they don’t want it to happen again. But criminals are getting good, criminals are getting very, very good at what they do. There’s a reason it’s called organized crime, because it’s very organized and they’re always one step ahead.
Look, we know they’re always one step ahead here, they’re always one step ahead, and businesses always be reactive, we want to be reactive. So what would you do to change that, to be proactive? What would be –
Understand, assess the risk, do the right thing. As simple as that.
Straightforward.
Yeah, just think about what’s the worst that could happen. Have that Dr Pepper moment, you know, what’s the worst that can happen? Well, someone in accounts could transfer 10 grand. Okay, well, let’s get two signatures on the account, so make sure that we’ve got to get two signatures before that can actually happen. You know, make sure that there’s some sort of process, procedure in place.
We have the hierarchies in my background in manufacturing, where we’re controlling control of hazard, the substances, are controlling health and safety risks, risk of accidents happening. It’s there. As you said, we know how to defend ourselves, it’s just a new environment and a new set to consider it in.
It is. I mean, we hear a lot of excuses when we go into organizations. I mean, some of the best ones are always given by the people who are the biggest risks, and quite often they’ll be somebody in an organization and they’ll be that person that says, “I don’t understand any of this computer crap.” So immediately, as soon as they say that, you know that they don’t value that computer, so they don’t value anything that’s been told around that computer. Yet that computer is going to be the thing that’s going to trip the business up, because it’s that idiot that hasn’t got some sort of open mind to think, “Well, actually, I don’t understand any of it, so can I learn a little bit more? Because if I can learn a little bit more then I might understand it, I might understand how it can be a tool in my toolbox, I might understand where the threat is, because if I understand the threat I can assess the risk and I can do the right thing by the company.” So it’s that mindset. You know, we’ve got to get that sort of Eeyore out of the business.
Yeah, a great point. The fixed mindset closes everything off, it closes all the opportunity for development, and we need the open up mindset.
Absolutely.
Thank you, Stuart.
That’s right, very well.
Fantastic, well, that wraps up my questions for today.
Good stuff.
Unless there’s anything pressing to add?
Oh, there’s loads of stuff, but we want to go a certain amount of time. Get in touch.
Yeah, one of the workshops, it was fantastic.
Great learning for me and some great actions to take away, thank you very much!
No problem 😊