When I wrote my last blog in January, I outlined the work that we were aiming to deliver through the London Digital Security Centre. I now want to update you on what we have done, and what we are doing – as there has been a lot going on!
The first couple of months of this year were spent developing our ‘in the community’ work, whereby we go to businesses, with officers from the Metropolitan Police and City of London Police, and meet with business owners in their place of work and help them to conduct a risk assessment of their digital security.
The idea behind this is fairly straightforward:
- it is a nod to the old-fashioned way of working whereby we try to engage with people on a personal level
- it is also due to recognising that solely trying to engage with businesses through speaking at conferences or sending information via social media is not working. We can claim success through outlining how many attendees came to the conference, or visited a webpage but we leave none the wiser about whether anyone makes any changes to their security based on what they have heard, and that has to be the aim of any engagement.
Being able to evidence the difference we have made to a business is a key priority for the Centre. Personal engagement allows us to conduct an assessment on a one-to-one basis. This assessment allows us to then target specific areas of a business's security that can be enhanced. Our continued engagement with the businesses then allows us to track their progress in enhancing their digital security.
The second focus of our work in this time has been to ‘walk the talk’ and to ensure that the Centre is truly a partnership involving academia, public sector and private sector. My experience of the support that is out there to help us achieve our objectives has been overwhelming. The number of people and organisations who have gone out of their way to support our efforts has been incredible and it truly is, in my opinion, the only way that the Centre will be able to achieve our objectives.
So what have we delivered?
Alongside delivery of our ‘in the community’ work, we have now reached the point whereby we are just about to launch the final two of the three work strands I previously outlined. On 5 June 2017, we will officially launch our membership scheme, and at the same time we will also launch our marketplace.
The membership scheme enables every business we engage with, and register, to have access to a wide range of services and products that are known to make a positive difference to how resilient a business is to cybercrime, how secure a business is when operating online and their capability to embrace digital innovations.
Through working with a number of private sector partners, and academia, we are now able to bring products that were previously the domain of big business due to their cost into the financial reach of small businesses by making them free of charge to access. This includes GCHQ-approved training, it includes the creation of a security scorecard highlighting individual vulnerabilities to known cyber-attacks, it includes being able to test businesses' security controls through conducting phishing attacks (all legal of course!) and helping them to practise for the worst-case scenario of suffering a data breach or cyber attack, the significance of which has been clearly highlighted through recent events.
A key part of our role in delivering the membership is to ensure that we tailor our support to members and ensure that they receive the support they need in line with how they operate and any identified vulnerabilities.
The marketplace is a partnership between ourselves and 20+ market-leading companies. The marketplace provides our members with access to appropriate products and services that will enrich their ability to work in a secure digital environment, without fear of being exploited and sold products that do not enhance their security or business needs. We work alongside our partners to ensure that new products and services are developed that enhance a business's ability to be more secure, and to embrace digital commerce.
The point of launching the marketplace is to make life easier for businesses looking to source products that make them more secure. Our role in the marketplace is to ensure that businesses are receiving the right level of support for their business needs.
What have we found?
Our work to date, particularly through our ‘in the community’ outputs, where we have supported officers from the Metropolitan and City of London Police, as well as the Metropolitan Police Cadets, has resulted in us personally, face to face, engaging with more than 200 businesses in a six-day period. Additionally, with the support of the Metropolitan and City of London Police we have engaged with a further 1000+ businesses that have suffered from online crime.
Each of the businesses we have engaged with face to face has conducted a risk assessment aimed at understanding their digital footprint and current security posture – our findings from these assessments are not particularly startling for anyone involved in security, or combating cybercrime.
This work has allowed us to evidence that the majority of businesses are using outdated software and operating systems; that controls such as encryption, digital signatures and DMARC are not implemented; that Cyber Essentials has not been adopted; and that staff aren’t having any form of training on how to protect the business (and themselves) against cybercrime.
No one currently working in cyber security or cybercrime will be surprised by the findings, and recent events that have placed the microscope on why cyber attacks are successful are always followed by discussion of what security controls would make a difference, which generally starts with making sure that systems are updated and patched. What our work and recent events highlight more than anything else is the reality that the majority of awareness campaigns, and the subsequent advice that is regularly pushed around social media platforms, do not land with business owners. Our interactions find that ‘public advisories’ are not written in a language that businesses recognise, and advice and guidance rarely articulate the business benefits of operating in a secure digital environment – most literature is using fear of crime/fines for noncompliance as the tactic to drive change, which is not bringing about changes in action or attitude of the majority of businesses operating online.
If we are to truly make a difference, this needs to change quickly. We are dealing with intelligent professionals, some of whom have been running businesses for their entire life. Let’s make life easier for everyone and recognise that when talking to businesses, we are talking to adults who have a lot invested in the success of their business, and are after a bit of help and support to do the right thing. They don’t need patronising, they don’t want to be bombarded by sales people, they don’t want to be bombarded with advice using language that they don’t use in their day to day lives, they just want a bit of help and support to secure their livelihood in the simplest way possible.
What is very clear from our work so far is that there are a lot of small and medium-sized businesses out there with the will to take their security more seriously, but they don’t have the financial ability to update legacy hardware and they are unaware of the free services that are out there to help them be better protected. Perhaps, in the same way we incentivised people to buy newer cars by offering a good price for scrapping older ones, we need a similar scheme for businesses to upgrade hardware and software, with the settings installed as secure by default? It would strengthen businesses' resilience and protection, and therefore also protect the wider public through them being less at risk of identity crime or fraud following a data compromise by a business. Just a thought.
So, what is next?
On a personal level, I am passionate about making the Centre a success and being able to evidence a positive shift in the security posture of small and medium-sized businesses. On a professional level, I am up for working with anyone who can help us achieve this. The only blocker to saying yes to a partnership with any organisation is whether it adds value to the ability of businesses to operate in a secure environment and whether this value is measurable.
At the Centre, we have made a good start to our work, but the hard graft is ahead of us and we have a long, long way to go before we can start to claim any tangible successes. We are continuing with our ‘in the community’ work, we are commencing free Digital Security clinics for businesses to attend, we have workshops focusing on demonstrating where businesses' security practices are susceptible to compromise and what can be done to protect themselves, we are committed to educating businesses on the great work that the National Cyber Security Centre produce, and are committed to evidencing whether our work is making a difference or not.
My next blog will focus entirely on that, fingers crossed!