Interviews

Digital revolution and evolution of cyber 

by Mark Rowe

In an interconnected and digital world, cybersecurity plays a pivotal role in protecting the safety of data and information. John Davies MBE, Co-Founder and Board Director of Cyber Wales, and Professor Pete Burnap, Professor of Data Science & Cybersecurity at Cardiff University, share their thoughts about the future of the cybersecurity industry.


Q: The word “cyber” is used in all sorts of scenarios and seems to mean different things to different people. Do you have a simple definition of what cyber is?

According to John Davies, the short answer is no but there is a good reason for that.  “Cyber” is not actually a word in its own right.  It’s an affix, like the word “pseudo-” or “quasi-”, an adjective that changes the context of the word it’s fixed to. Cyber-space, cyber-security, cyber-warfare, cyber-attack and even cybermen [Dr Who] are real terms but it’s the other word that makes sense of what aspect of cyber people are talking about. The trick is to listen out for that other word. If the person uses cyber as a noun, such as “What are you doing about cyber?”, feel free to ask them to clarify.


Q: According to you, what fundamentals can help mitigate the risks of a potential cyber-attack?

“Cyber-security is actually all about “risk” and we use a fiendishly simple equation to calculate it: Risk = Threat + Vulnerability,” says Davies. “If serious threats to a particular application are discovered but you don’t use that app, then you have no vulnerability to it, so the risk is low.  If you have a serious vulnerability in one of your servers but that server is sandboxed, then the risk is low. So the key to understanding your cyber risk is to monitor what threats are hitting you and do regular vulnerability scans – if you identify a threat that matches a vulnerability in your systems, then focus your time, effort and money on fixing that, because it’s a serious risk.”

Professor Burnap adds that a holistic top-down plan for cybersecurity is key to staying one step ahead of cyber attackers.

“By all means follow NCSC guidelines and seek compliance with cybersecurity standards to provide certain levels of assurance. However, cybersecurity is a daily process, and people are one of the major points of entry for a cyber attacker. That could be through email, or phone call. Cyber awareness and education is key to ensure your workforce is always risk-aware and thinking about a potential cyber attack as they go about their day-to-day jobs. Seek out quality cyber CPD for your teams – from the office admin to the CEO – particularly CPD where there is an experiential element, rather than tick-box training.”
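Davies' rule above, that risk is only serious where a live threat meets a matching vulnerability in a reachable system, can be turned into a simple triage step over scan results. The following is an added example, not code from the interview or from Cyber Wales; the threat feed, hosts, product names and version scheme are all constructed, and versions are assumed to be plain dotted integers.

```python
"""Match constructed threat intelligence against constructed vulnerability-scan
findings and flag only the overlap for immediate remediation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    product: str       # software the threat is seen targeting
    max_version: str   # versions up to and including this one are affected
    source: str        # origin of the intelligence (constructed label)


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    sandboxed: bool    # True if the host is isolated from where the threat arrives


def version_tuple(v: str) -> tuple:
    """Assumes dotted-integer versions such as '2.3.1'."""
    return tuple(int(p) for p in v.split("."))


def rate_risk(finding: Finding, threats: list) -> str:
    """'high' only when a live threat matches an affected, reachable host."""
    matching = [t for t in threats
                if t.product == finding.product
                and version_tuple(finding.version) <= version_tuple(t.max_version)]
    if not matching:
        return "low"   # no threat is hitting this product/version right now
    if finding.sandboxed:
        return "low"   # threat exists, but the host is isolated (the interview's case)
    return "high"


def prioritise(findings: list, threats: list) -> dict:
    """Split findings into hosts to fix now and hosts that can wait."""
    out = {"fix_now": [], "low": []}
    for f in findings:
        out["fix_now" if rate_risk(f, threats) == "high" else "low"].append(f.host)
    return out


def unmatched_threats(threats: list, findings: list) -> list:
    """Threats to products not present in the scan: no vulnerability, no risk."""
    present = {f.product for f in findings}
    return [t.product for t in threats if t.product not in present]


# Constructed sample data (not real products, hosts or feeds)
THREATS = [Threat("webapp-x", "2.3.1", "constructed feed"),
           Threat("legacy-cms", "4.0.0", "constructed feed")]
FINDINGS = [Finding("web01", "webapp-x", "2.2.0", sandboxed=False),
            Finding("lab01", "webapp-x", "2.1.5", sandboxed=True),
            Finding("web02", "webapp-x", "2.4.0", sandboxed=False),
            Finding("db01", "db-y", "15.1", sandboxed=False)]
```

Running `prioritise(FINDINGS, THREATS)` flags only `web01`; `lab01` is vulnerable but sandboxed, `web02` is past the affected range, and `legacy-cms` is a threat to software the estate does not run.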


Q: What are the priority tools a business can deploy to minimise ransomware threats?

“Backup & recovery!” says Davies. “Implement tools and processes that take regular backups of entire systems and store them individually and offline. If ransomware encrypts your systems and devices, the only sure-fire way to recover from it is to wipe everything and restore it from backups, but you can’t do that if you haven’t got clean, relatively current backups that you can restore. Despite backups being a true antidote to ransomware (and a lot of other attacks), too many people still make little or no effort to do them properly.”


Q: How can organisations implement cybersecurity measures in a cost-effective manner?

“The trick is to make informed decisions about what to spend your money on,” says Davies. “The market is full of the latest, new-fangled tools and services but how do you know if you really need them or not? Go back to basics – monitor for threats and scan for vulnerabilities – spend money on threat intelligence and spend money on vulnerability analysis then you can spend money on remediating real vulnerabilities that correspond to real threats as soon as they are identified. You cannot catch everything in time so keep some money for mitigating the effects of successful attacks (like backing up). Trying to buy products and services that cover every threat and every vulnerability is extremely expensive and still doesn’t catch everything.”


Q: If you had to prioritise three areas when it comes to cyber security in 2023 and beyond, what would these be? And why? 

“The importance of awareness, skills and compliance: lack of awareness of cyber threats among people in non-cyber-related roles is one of the biggest cyber threats that organisations face,” says Davies. “We have been trying for years to make people take cyber threats more seriously by running face-to-face sessions that try to scare them and it clearly hasn’t worked.

“Rather than run time-consuming sessions that cost a fortune, organisations are having better results with online gamified learning platforms that people can do in their own time. They make learning more enjoyable and gamification accelerates learning. More targeted skills training is needed for specific staff who will be required to use the tools that can monitor, scan and remediate cyber-threats. And becoming compliant with a recognised standard such as Cyber Essentials, IASME, ISO27001 etc. will help an organisation to improve its reputation and win more business.

“More importantly, it also serves as a ‘best practice framework’, so instead of having to work out what cyber-security measures to take, just implement the controls demanded by the standard. They are written by industry experts so adopting a standard is just like getting advice from a very experienced consultant.”


Professor Burnap’s three priorities begin with cyber security awareness and education for all members of the organisation, to ensure they are constantly aware of the latest cyber threats and of the ways in which attackers are working their way into digital systems through people.

“IT estate awareness and testing – the development of digital twins, virtual representations of IT networks, makes it easier than ever to penetration-test and vulnerability-test software, systems and devices in a safe and secure environment rather than in operational mode. Consider developing a digital twin of your IT network so you can study vulnerabilities and test different failure mode scenarios.

“Understand your interdependencies – in an era of digital transformation, there is more connectivity than ever before. There is also a lack of understanding of what is connected and how a failure of any of the various components and subsystems on the IT network would affect the business. Take some time to understand what you have on your network and how it is connected, and work with risk specialists who can help you understand how to model the impact of failure, so you can build a plan for resilience in the face of failure.”


© 2024 Professional Security Magazine. All rights reserved.
