Managing Cyber Risk With Dan Suttle
The Clientside Podcast
45 min Dan Suttle
Andrew speaks to Dan Suttle about cyber security. In this episode they talk about the role of the CISO (Chief Information Security Officer), why maintaining software and applying security patches is so important but also chat about the range of cyber threats and how companies should prioritise their defences to ensure their assets are well protected.
If an exploit or vulnerability is announced in a particular piece of software, you will see people trying to exploit that very, very quickly, especially in the area of websites. There are plenty of controls that you can put in place to help protect yourself. Don't leave it to chance is the key message.
Podcast Transcript
Andrew: Hey, everyone. My name is Andrew Armitage, and welcome to another episode of The ClientSide podcast. I'm your host, and I'm also the founder of a web development and digital marketing agency called adigital, based here in the UK. So this is our second podcast of 2022, and as we appeared to be emerging from the pandemic and things felt like they were returning to normal, we've seen the terrible news from Ukraine over recent days, which is confusing and heartbreaking at the same time. It just seems such an unnecessary destabilisation for people across Eastern Europe, and inevitably the impact is going to be felt much further afield. There's been breaking news around the conflict literally every hour, but the misinformation being posted across social media and even, in some cases, mainstream media is one of the biggest challenges facing humanity right now. Now that's an entirely separate conversation. But on today's episode, we're going to talk about cybersecurity, which was a risk before the conflict started, but arguably the risk of cyber attacks, given the situation in Ukraine, is expected to escalate, and there have been plenty of plausible reports suggesting how the conflict on the ground could extend online. Now this episode was recorded back in January, so before the Ukraine conflict started. And that aside, since the start of the year, we've seen reports in the media of the Log4j vulnerability, which, if left unfixed, meant attackers could break into systems, steal passwords and logins, extract data and infect networks with malicious software.
Andrew: We've also heard of a cyber attack which affected fuel supplies in Germany at the start of February, and then just this week, as the podcast has been published, Toyota has been forced to shut down their Japanese plants as a result of a supplier being hit by a cyberattack. So my guest on the show today is Dan Suttle, who is the founder of a company called Cyber Lens. Dan has a long history of working in the IT sector, covering everything from programming in COBOL to selling managed public cloud services for the biggest names in the industry. He's also an entrepreneur, having started his first business in his 20s, exiting in his 30s, and his latest venture offers UK SMEs everything they need to effectively manage their information and cybersecurity risk, including the protection of online assets such as websites. So in the episode, we talk about the role of the CISO, the chief information security officer, why maintaining software and applying patches is so important. But we also chat about the range of cyber threats and how companies should prioritise their defences to ensure their assets are well protected. So welcome to the show, Dan. It's great to have you on The ClientSide.
Dan: Thank you very much, Andrew. It's a pleasure to be here and thank you for having me.
Andrew: You're more than welcome. And this is quite special, actually, because this is our first episode that we've done actually in person. Now we're coming out of lockdown, it's great to be able to use this studio space that we have for recording podcasts and actually have people in in person rather than just on screen through Zoom. So it's great to be opposite the table with you.
Dan: It's a brilliant space. Yeah, yeah, absolutely fantastic.
Andrew: So Dan, introduce yourself to our listeners. Obviously, you've got quite a bit of experience in the cyber security space, so tell us a little bit more about what got you into the sector.
Dan: Of course. Thank you. So, yes, my name is Dan Suttle, founder director of Cyber Lens. As you say, the journey to this point has certainly been an interesting one. Lots of different disciplines, giving me quite a broad set of experiences to call upon. And I just hope that that means I can do this opportunity justice and that your podcast listeners find our chat useful. As far as Cyber Lens is concerned, we are looking to disrupt the managed security services market a little by making our services available and cost effective to small to medium businesses, acting as their outsourced information and cybersecurity partner.
Andrew: Great. Great. So lots of experience in the sector, and I have little doubt that people will find it really helpful because it's a vast area, isn't it? I mean, cybersecurity covers so much. You talk about information security as well as cyber security, and you argue, or it's widely known, that one is a subset of the other, but perhaps not so widely known for our listeners.
Dan: Yeah, that's exactly right. When we talk about information security or information governance versus cyber security, you know, the cyber security element is the technical part of that work. The information governance, or information security and governance, is around, you know, how do we solve the problem of ensuring that our information is safe and our information assets are safe, and it's everything that you do outside of the technical as well, and that can include everything from strategy, you know? A really important point there is aligning strategy for information and cyber security with the strategy of the business. So if, as a business, you're going to be creating a new product line which requires new IT services, then that means there's an information and cyber security professional who needs to get their arms around that. It's also important to understand the type of business that you are working in. So, for example, if you're working in a business where there are a lot of customers, or it is connected to critical national infrastructure, for example, that has, you know, very, very important requirements from an information cybersecurity perspective, as I'm sure you're aware. Separately, if the business is, you know, holding a lot of personally identifiable information, there are certain aspects around that that we need to be conscious of.
Dan: Potentially, neither of those are true. And therefore, you know, you've got a different set of requirements for each different business. So understanding the business you're working in is very, very important. And then we move on to things like framework selection. So those things allow us to turn around and say, well, perhaps we need to align ourselves with ISO 27001, or we need to align ourselves with a different framework, whether it's Cyber Essentials or SOC 2. You know, there's lots of different frameworks out there for different types of businesses and requirements. So that then moves us on to other elements of information governance, such as risk management, which is a really important part. Every cybersecurity professional should be working in a risk based approach, and we start to then work on standards and policies, you know, and the less technical controls that we put in place to manage that risk.
Andrew: Yeah, sure. And you talk about risk, you talk about size of companies. Is risk fundamentally the defining factor in terms of what governs an approach, rather than the size of a company? Because ultimately, I suppose, you know, that risk leads to an impact, and that impact obviously has different scales depending on how that company is operating. But fundamentally, it's risk that companies should be focusing on.
Dan: It is. Information security management is effectively a form of risk management, and risk can be described as an intersection of, if you like, likelihood of an event combined with the financial impact. And you know, impact may not immediately be financial, it might be in other areas. But ultimately it comes down to the financials, and so you can always measure the likelihood of, excuse me, of an event occurring, you know, and the cost that that's going to give you. And you can say, right, well, that is the risk that I face as a business.
Andrew: Yeah. Yeah, because obviously we've seen, you know, incredible examples of companies, global companies with huge resources, you would think, to sort of safeguard their risk. And yet they still get hit by these sorts of attacks. I think there was an oil pipeline in Germany just this week. We've heard of the gas pipeline, I think it was in the US, a couple of years ago. Perhaps more local examples to the UK: TalkTalk, an internet service provider; British Airways was another one that had a huge vulnerability. So, you know, clearly these attacks are happening on a large scale with these large companies who presumably have the right sort of culture. They've got the right people in the right places. They're following these kinds of frameworks. How does that start to scale down as you get to smaller companies, SMEs, which, bearing in mind, can still be quite big companies? You know, they could still have up to, I think the official definition is up to about 250 employees and probably about 25 million turnover, so that's still fairly sizeable. But those kinds of companies don't necessarily have the same level of resource. They maybe don't have the same level of knowledge. So how can, I suppose, those smaller companies compete or maintain the right sort of standards compared to the bigger companies like your British Airways, like your TalkTalk and so on? Do they pick a framework that's perhaps more relevant to them? Is Cyber Essentials something more suited to smaller companies compared to ISO 27001, which might be better for bigger companies? How do they determine what that approach should be? Is it fundamentally still down to risk?
Dan: It is down to risk. Cyber Essentials is a really good example, because the marketing behind Cyber Essentials, if you like, is that it stops, you know, the majority of threats to a business from becoming, you know, real, from being exploited. And, you know, it's a set of technical controls plus some administrative controls, if you like non-technical, that ensure that you as a business are able to mitigate the vast majority of threats that are out there. And what we need to do to understand how that is, is look at the threat actors. So if you take the spectrum of threat actors that are facing any organisation, you get everything from nation state all the way down to very innocuous threat vectors, if you like, things like...
Andrew: Almost opportunistic.
Dan: Opportunistic, when you're talking about, you know, young people that are starting out in information and cybersecurity, doing a lot of learning and are, you know, perhaps not operating within the same boundaries as they might 10 years later, right?
Andrew: Yes, yeah, sure.
Dan: Then, you know, that's one end of the spectrum. But also you can go further than that in a sort of downward trajectory, if you like, and you're looking at things like administrative errors in IT administration, or you're looking at insider threats, which can be malicious and non-malicious, you know, somebody might just make a mistake. And so you've got those kind of challenges to deal with as well. And information and cybersecurity is all about integrity, confidentiality and availability of information. It's not just the sort of preventing malicious actors from outside from getting it.
Andrew: Right, yeah. So there's a certain technical element that you can put in place, things like network protection, firewalls and so on. But of course, we're all human. We can make those mistakes. Sometimes these emails that we get, the phishing emails, you know, they sometimes have these more obvious mistakes that can highlight them as phishing emails, but sometimes, you know, they're pretty accurate.
Dan: Yeah, yep.
Andrew: And therefore, I suppose every individual is, you know, fallible to a certain extent, to potentially click on one of those. Perhaps we're just under pressure when we create an account, so we set a weaker password or we write it down somewhere. So it's as much about the sort of human interaction around cybersecurity. And I guess that's where the cultural role in terms of driving cybersecurity in an organisation starts to come in, and that has to sort of sit alongside the risk measurement.
Dan: Yeah, it does. All of these things that you can do to drive good culture are all part of information and cybersecurity management. So security awareness training is really important, and making sure that the staff in your business are well briefed on the types of threats that are out there. But ultimately, you know, it comes down to: if an organisation wants to get access to your information, then they will. You know, to give your listeners, if you like, a bit of a reality check, there are circumstances that are out there at play which mean, you know, you are somewhat at the mercy of the people that have availability of these tools.
Andrew: Is it almost a question of when, rather than if?
Dan: It's a question of when, if somebody wants to access your information, so you've got to look at that threat actor and what they're trying to get access to. I can point your listeners to a really good book, actually. I recently read it myself. My wife bought it for me for Christmas. The book won the FT (Financial Times) and McKinsey Business Book of the Year award last year, and it's by a lady called Nicole, excuse me, Perlroth, I think, is how her name is pronounced. She's a New York Times journalist who has spent a great deal of her career researching what we know now as the zero day exploit marketplace. So this is where I kind of come to my point. If, you know, if somebody wants to get access to your information, then they will. The book describes the development of what is a very real and current cyber weapons arms race, and this is the real sharp end of the industry that we work in. And it explains this in some great detail against the backdrop of the geopolitical landscape that we all live in day to day. And it shines a really bright light on how this arms race is affecting us all as businesses and individuals around the world. So a really great example, and somewhat pertinent given the current geopolitical situation, a really great example of this is the 2017 NotPetya cyber attack. So this was an attack that originally targeted organisations within Ukraine and was attributed to a cyber military unit of the GRU, for which I think the Wikipedia definition is the Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation.
Andrew: That rolls off the tongue. It does.
Dan: So you know that, you know, the Russian Federation, basically. So NotPetya was what we called a supply chain attack. It was malicious code downloaded on to victims' computers through a software update distributed somewhat unknowingly by a vendor of a piece of tax accounting software called MeDoc, the use of which was really ubiquitous in companies that do business in Ukraine. And the vendor of this software had been hacked, not too dissimilar from some of the recent hacks that we've seen on companies like SolarWinds and Kaseya, who are two vendors of software products commonly used within the IT industry. But the malicious code didn't just impact the computers that downloaded these updates. What the malware then did was to use either a well known exploit tool called Mimikatz, which has been around a long time, or, if that didn't work, another exploit called EternalBlue to replicate itself to as many computers as it possibly could and systematically render any data on those computers unusable through irrecoverable encryption. So it's basically what we call a wiper, and it deleted everything.
Andrew: Is that similar? Because the NHS had a bit of a challenge around that, I seem to remember, probably two or three years ago. Was that related?
Dan: A similar timeframe. I think the NHS was heavily impacted by WannaCry.
Andrew: That's right. Yeah.
Dan: So, but what was really interesting about NotPetya and this particular hack is that the NSA had already known about this exploit for several years. For most of that time, it kept it a secret, and the details of the exploit had only recently become public knowledge by way of a separate hack on the NSA itself by a group called the Shadow Brokers, who released details of EternalBlue and made it public. So what then happened is, you know, other malicious actors got hold of it and started using it.
Andrew: They all jump in and it's party time almost, isn't it?
Dan: Yeah, incredible situation. And the attack successfully impacted businesses worldwide, including huge companies that had connections in Ukraine, such as Maersk, Cadbury, Reckitt Benckiser and also, somewhat erroneously perhaps, some major institutions in Russia itself, which was, you know, a bit of...
Andrew: A bit of backfiring.
Dan: Yeah, a bit of backfire, yeah, including the state owned company, sorry, state owned oil company and a major steel maker. So, yeah, really interesting attack. And as an opening salvo, if you like, to your listeners, this is why our National Cyber Security Centre has recently taken steps to encourage all organisations to bolster their security defences.
Andrew: Yeah, so in effect, yeah, we're all vulnerable to it, but it's really how proactive we can be. But even, you know, with the most proactive leadership, the most proactive technical teams, we're still not completely watertight, right?
Dan: Yeah. And you know what? What this example, what the book doesn't then go into. So, you know, the book covers really high end stuff that I've just described, but what it doesn't go into is that beneath that, you have a whole load of other threat actors. So you've got your traditional cyber crime groups who are out there to make money. And there's a whole industry behind that, you know, organised cybercrime gangs that will use tactics such as information theft combined with the threat of its release, or similarly the denial of service attack, which, you know, renders your systems unavailable, again unless a ransom is paid, or, even more common, just the ransomware, you know, not too dissimilar to NotPetya, but they suggest that there's a key available that if you pay a lot of money, then, you know, you get your data back.
Andrew: Sure. But, you know, it probably rarely happens anyway.
Dan: Yeah, the advice there is don't pay the ransom, but at some point, sometimes companies get to the point where they literally feel they've got no choice.
Andrew: Yeah, they buckle. But even then, the data's probably still out there. They might get their data back, but it'll still be in the public domain because I suspect, you know, once it goes online, it stays online.
Dan: Yeah. Well, in those scenarios, it's more around the encryption of that data. So whether the data has been exfiltrated or not, yeah, yes, potentially it has. And then you've got a double risk, a double whammy, if you like, of the situation. But, you know, moving on from those, you've got cyber activists, so individuals or groups focused on bringing awareness to their cause and driven by some form of ideological activism. Moving on from there, cyber terrorists are very similar, but with perhaps a slightly different idealism and also with a slightly different agenda, sure, that they want to achieve. And then you move into the sort of, you know, people call them script kiddies. I like to not use that term, but...
Andrew: They're pretty sophisticated.
Dan: Yeah, they're pretty clever people. And interestingly, they've got access to the same tools as these nation states. You know, Mimikatz is something that somebody that's learning out in the industry can go and pick up themselves and use. So it's not like they're using a different set of tools to some of the really, really advanced hackers.
Andrew: And I imagine, like we often turn to YouTube and start typing in how to do something, the same kind of resources must exist out there, whether it's on the dark web or elsewhere. You know, everyone's got the same learning opportunity if that's really the direction they want to pursue.
Dan: Absolutely.
Andrew: Right. And, you know, so we talk about nation state actors, you know, arguably your China, North Korea, Russia, potentially ilad. But what about how they are targeting companies? Is it purely based on vulnerabilities that they find? Are they crawling the web and sort of finding these opportunities and finding that open door? It might just be ever so slightly ajar, but actually, if you push hard enough, you can break it down and you break in, where potentially then you've got a number of doors inside the house. Let's use that analogy, and you could go left, right, down, upstairs, and if they're all slightly ajar or potentially locked, but there's a key that's lying on the front door mat, once you've pushed through the front door, then they can go any which way they like.
Dan: Yeah, that's certainly one way. But also you do need to be very, very conscious of, you know, what you described there is a network based attack on a public facing asset. So, you know, knock down the front door, the protection of that public facing asset, and then see where you can get to from there. But you've got other ways in as well. So, you know, phishing emails is the most commonly used.
Andrew: Yeah, of course, we have probably all seen those.
Dan: Yeah, exactly. Phishing, phishing is the most commonly used threat vector for successful attacks last year. So, you know, that's a huge, huge thing that businesses need to mitigate the risk of, and there are ways in which you can do that. You know, security and awareness training is really, really important. Putting in a system whereby users can, if you like, send a potential phishing email to a central body, and the NCSC actually provide this service. So sending that phishing email for it to be examined, and you can be told whether or not it's benign or malicious.
Andrew: Okay, so the NCSC...
Dan: Yeah, sorry. National Cyber Security Centre, part of GCHQ. Yeah. And GCHQ being, you know, what was traditionally Bletchley Park, effectively. Yeah, I have a lot of interest in that area. So, yeah, those types of ways of managing the risks and the potential threats to your organisation, it's really important to understand what you can do and how to go about managing them.
Andrew: Mm-hmm. A lot of the attacks that we think of are targeting servers. Websites sit on servers, but they're not necessarily the only way in to sort of breach your company's defences, let's say. One of the phrases that I'll often use is saying that digital is never done. Clearly, you would argue, cyber security is never done, because you're always trying to stay one step ahead in this, arguably, game of cat and mouse with those who are trying to exploit these vulnerabilities. Do you think there is a certain element of complacency among companies because they think that it's not going to happen to them? You know, there are companies, obviously, with websites of all sorts of different sizes. Some may hold customer information. Some may not. Some might be transactional. Some may not. And again, clearly you can bring that risk element in there. If you've got an e-commerce site that is taken offline and, for whatever reason, it can't be restored straight away, you're going to take a number of hits there. You've got the loss of sales, you've potentially got the brand damage, and you've got the cost of recovery as well.
Andrew: And as I say, that may not happen overnight. It might be a sort of fairly protracted process. One of the things that I think companies sometimes struggle with is they hear of the cost of upgrades, and you need to apply this update and that update is due. But it can be seen as a cost because they don't necessarily get new features and functionality in those upgrades. Yes, granted, sometimes there will be, but because they don't see anything new, are they a little bit "Well, it's not going to happen to me. What are the chances?" You know, "We did an upgrade last month, so we'll pass this month. We'll go on to the next month." Or you then risk the next month becoming 6 months, becoming 12 months, 18 months and so on. And before you know it, you're several steps behind. And while it might not be an immediate vulnerability, you are starting to open up the risk of something potentially coming along your way.
Dan: Yeah. So it comes down to having a structured approach, and I think some of the decisions that you described there are being made without all of, perhaps, the evidence or the knowledge or the understanding as to what the risk is and the threats that the organisation is facing. So it's patching websites, patching plug-ins, patching the base software, the CMS, if you like. It's absolutely critical that businesses do this weekly. You know, if you look at plug-ins in WordPress, they're being updated at such a rate. And, you know, a large number of those updates can be security related. So it's really key to understand what those patches are providing you with and to make an educated decision on whether or not you need to take action in relation to your website. And that same approach applies to all types of information assets, you know, have a structured approach to the management of information and cybersecurity. Don't leave it to chance is the key message. I think, to answer your question, is there complacency? I think complacency is probably the wrong word, but ultimately that's what it boils down to.
Dan: And, you know, it's not like they're intentionally being complacent at all whatsoever, but it's a big problem around keeping these information assets up to date and the systems hosting this information up to date. And there's a whole load of other work that you need to do as well. You know, understand how you should protect those assets in other ways. There are plenty of controls that you can put in place to help protect websites against the spectrum of threat actors that we went through before. You know, if you talk about plug-in updates and things like that, you're really talking about the young actors who are out there and learning and trying to exploit things as quickly as possible. You know, if an exploit or a vulnerability is announced in a particular piece of software one day, you will see people trying to exploit that vulnerability very, very quickly, especially in the area of websites. So it's key to get those updates done pretty promptly.
Andrew: Yeah. And plug-ins, you know, are often a critical part of a website, but they're invariably not developed by the primary vendor. So you talk about WordPress. WordPress, we don't tend to work with, partly because of the security vulnerabilities that it faces. WordPress itself can be perfectly secure, but quite often when you start to look at plug-ins, you know they're not necessarily built for purpose. And by that, I mean, you know, clearly you've got some really popular plug-ins, Yoast SEO, for example, on WordPress. That's used, I don't know what the usage stats will be, but on pretty much every professionally built WordPress site, I imagine, that exists, and therefore that's probably a pretty safe one. But what I've seen from my experience is a lot of plug-ins are built to satisfy a particular need, and a developer might be going through the process of writing that plug-in and think, well, if I've got this need, someone else might have this need, and therefore they think, well, I'll release this plug-in, I'll make it public. And they put it on a public repository, something like GitHub, where it's there for the world to see if you know where to look. And for developers, that's a very common place to go and hold code. But once it's been used on that first project and it's rolled out to anybody who wants to make use of it, it's probably unsupported at that point, and who knows what sort of quality of code went into the original plug-in. If you haven't checked that, then with that code you could be basically introducing a vulnerability into WordPress itself, which might be perfectly secure. But all of a sudden you put that plug-in in because you wanted to serve this particular purpose, and you've left the door open, the front door's wide open, in effect.
Dan: Yeah, absolutely. The important thing, and there's an element of Cyber Essentials that is really good about this, is that the software that you use within your environment, whether that be a website or a back office information asset, needs to be supported by the vendor. So if you're using software that ultimately doesn't give you the ability to go back to the person that wrote the code and say, hey, I need an update for this element that isn't quite right, whether that's a security vulnerability or otherwise, that's a key thing for Cyber Essentials. You must have software that is supported, for which security updates are available. So, yeah, absolutely critical.
Andrew: And, you know, it's fair to say that security updates are often available for a plug-in, but I always think it's interesting when, you know, sometimes for government departments, you see a tender document to submit a bid for a website and they might specify WordPress, and that's fine. But actually, as you add plug-ins in, who's responsible for those? You know, ultimately it becomes the person who has installed those plug-ins, but fundamentally they didn't write it. And I think you have companies that, in their tender documents, say, no, we've got to have approved software, or WordPress is, but all of a sudden you introduce those plug-ins and who knows who's responsible for them and the sort of back story. And it's not just security, actually, either. With some of those plug-ins, it can be performance as well, and that can have a really detrimental impact on how a site will run on an ongoing basis.
Dan: Then you're talking about the availability element of information and cyber security, and performance is sort of part of that.
Andrew: Right.
Dan: Yes. It might be available, but it takes you six hours to get through the process that is available on that website. Is that really available?
Andrew: Not really, is it? No, not in today's day and age where we expect things emails back within five minutes and things like that.
Dan: Five seconds, yes.
Andrew: Well, that's right. So if I'm a website owner and perhaps I'm running WordPress, maybe I'm running some other sort of content management system. Maybe I'm aware that I've got some plug-ins that are installed on the site. Sometimes, depending on the quality of those plug-ins, there might be a notification that says there's an update available for those plug-ins. But is there anything, any sort of testing, that companies ought to be doing around their systems and services that might flag up the risk around not just plug-ins, but more general vulnerabilities in their systems?
Dan: Absolutely. It comes back to this risk based approach, so understanding the asset that you are trying to protect, and when it comes to websites, looking at static websites, very static websites that perhaps are not integrating with other systems and not delivering any kind of financial payment gateway.
Andrew: Fairly dormant or passive brochure type sites.
Dan: Yes, exactly. Then, you know, does it need anything more than what we've described? And there are a number of things that you can do to protect those types of websites: updating the software. You know, in the process of updating the software, you might want to consider doing that on a test or staging site first, then pulling that into your live site. You can leverage web application firewalls quite cost-effectively.
Andrew: So services like Cloudflare, which basically put an extra barrier in front of traffic hitting your website?
Dan: Exactly. And the malicious actors would be effectively trying to target Cloudflare, but they're trying to target you. Obviously, that's not strictly true. But ultimately, it prevents a certain number of attacks. You know, what we call application layer attacks, cross-site scripting, SQL injection. Those types of attacks will be prevented by web application firewalls.
Andrew: So that's an extra line of defence, basically.
Dan: Exactly. Then you talk about, you know, similarly, if you pay those vendors, such as Cloudflare, they will provide distributed denial of service protection. So if somebody is trying to send so much traffic to your website to knock it offline, they will effectively black-hole that traffic and just let the good stuff through.
Andrew: Right. OK, and we've heard of plenty of those actually in the news as well. Quite commonly, if there's a major website that's taken offline, chances are it's a DDoS attack that has probably triggered that, maybe it was part of a sequence of trying to do something else. But you know, very often when we hear of, sort of, the wash-up in the news of why a site went offline, it's quite often referred to as a DDoS attack.
Dan: They can also often be used, you know, at the sharp end of their industry, those types of attacks can be used, maybe not so much on websites, but on other services to, if you like, shift attention away from a separate attack that's going on somewhere else.
Andrew: Right Okay, interesting, yes.
Dan: It can be quite a big thing as well. You know, backups are... running back to the sort of static websites that we were talking about, backups are really key. So if something does go wrong on your website, make sure that you can restore that.
Andrew: Worst case scenario, you could just completely start again, with the way servers are set up now. You could just basically delete the server, set up a new server, restore the backup. Obviously, you've got to be mindful that the backup could have the vulnerability in it as well.
Dan: Yeah. So you've got to understand when a breach occurred, right, to ensure that you can go back far enough to make sure there are no breaches and, you know, you're not reintroducing the scenario in which that breach was allowed to occur. So, and the other thing that you've got to do with backups, or customers should do with backups, is ensure that they are (and I'm going to use a technical term) air-gapped.
Andrew: Okay
Dan: So malicious actors will employ a tactic of not just disrupting the website in this scenario, but actually preventing the owner of that website from restoring, because they've also infiltrated the systems that actually have the backup. And therefore, you know, you can't get that backup.
Andrew: Yeah. You can't get that either.
Dan: To restore the site. So you need to make sure that those backups are somewhere where malicious actors absolutely cannot get to from having breached your original site.
Andrew: Sure. So off-site, not on the same machine. As a first...
Dan: Yeah, put it in, you know, an AWS S3 bucket with write once, read many, you know.
Andrew: Well, I'm pleased to hear you say that because that's exactly what we do.
Dan: Right, OK, good. Good. However, when it comes to more transactional websites, you know, websites that provide a service and potentially store, you know, personally identifiable information, you might be registering on the site as a customer.
Andrew: Transactional element to the data.
Dan: It might integrate with other systems. Then actually you start to see that the risk element of what we're talking about goes up because, you know, the value of that website, or the impact from a value perspective of that website becoming unavailable, or the potential reputational damage, or the loss of PII and the fines from the ICO. All of these things start to then add to the potential cost of an incident in relation to that website. And so it becomes much more important to take further action. And penetration testing would be a really good way to go. Have somebody that, you know, thinks like a hacker, acts like a hacker. Effectively, to all intents and purposes, is a hacker. But what we call a white hat.
Andrew: Yeah, doing it legitimately.
Dan: Yeah, doing it legitimately, ethical hacking. Have those guys come in and try and breach the defences. Because that's going to tell you if there's anything you've missed, that's going to tell you if you've introduced vulnerabilities through specific code, you know, perhaps use of an outline plug-in if you really have to go down that road. You know, those are the things that it's going to uncover.
Andrew: Do you find that, you know, because as far as websites go, we ourselves use open source software. So we're hosting on Linux servers. Do you find that the open source area has any more vulnerabilities compared to, sort of, more proprietary platforms like Microsoft Azure and things like that?
Dan: That's actually quite a difficult question for me to answer. You know, you would need to be in quite a lot of detail there to be able to, sort of, give a credible answer to that question. Such a huge playing field, a massive playing field. And so, you know, having that is a bit of a specialist role.
Andrew: So whose role then is it? Talking about roles, who is the lead role in a typical organisation? Let's take, you know, a larger SME that, again, I think the definition takes companies up to sort of 20/25 million. Arguably, you might want a security role before you get to that point, you know, maybe even at the one million or the five million level. Possibly, again, that's going to come down to risk, as you were saying earlier. But what's the title? What's the role that sits within an organisation responsible for overseeing this, that may overflow into, sort of, technical roles, cultural leadership roles and so on? Is there a specific role that sits at the top?
Dan: The role that you describe there, Andrew, is the chief information security officer. It is, you know, winding back to our previous conversation around how do small businesses approach information and cyber security and tackle the problem of information and cyber security, the role of the chief information security officer is key. Yet it's difficult for businesses to, you know, perhaps put a dedicated person in place or even a part-time person in place.
Andrew: I imagine they don't come cheap.
Dan: They certainly don't. But that's really what's necessary. And as a business, CyberLens is trying to make that possible for small businesses out there to have that objective external viewpoint from an information and cyber security angle. The other thing that small businesses sometimes do is rely on their IT team. So their IT team might be internal, it might be external, but that's a difficult area as well, because as an IT business, yes, your IT supplier might be great in year one and year two, but in year three they go through some changes in their business, which mean actually, you know, their ability to execute on those security elements is impacted and you end up in a situation where perhaps they're not doing the job where they should be. And that's potentially harsh to those IT suppliers. But it does happen. I've seen it happen. I've run my own IT businesses in the past.
Andrew: Yes, exactly.
Dan: I've kind of got an inside track. And it's really key to have that objective external view of what's going on in your business from an information and cyber security perspective. And that, you know, whether it's a dedicated role, whether it's a part-time role, whether it's you as the leader of the business and the owner of a business that's taking that function on, somebody needs to do it, and they need to be properly trained and properly empowered to deliver that role as well. So if you're acting as the chief information security officer, you can call it what you like, it doesn't have to be that, you know.
Speaker3: But the role is fundamentally the same. The title...
Dan: It is totally irrelevant. So if you're acting in that role, you need to have the training and the ability to turn around and say, "No, we're going to do this this way, because." And as long as you give that "because" and you give good rationale for why a business should invest some money in taking certain precautions, implementing certain controls or putting forward certain procedures, you know, acceptable use, phishing management, all of these good things, then that person will succeed in helping you to protect your business. And it's really key that business leaders take that view and say, "You know what, I need, even at one person, I need somebody to take that role on, and I need somebody to take it on with my business in mind and protection of my business in mind."
Andrew: Yeah, it's interesting how you tie your cybersecurity strategy to your business strategy, because if your business strategy potentially is to create products with high intellectual property value, then that potentially has an impact on your approach to cybersecurity. Because if that IP gets out, then potentially it's worthless.
Dan: Yeah. So security incidents will impact a business in one of four ways. Generally speaking, it's slightly different for some other types of businesses, those connected with the critical national infrastructure, for example. But for a traditional business, if you like, you'll be impacted in one of four ways, and they are: impacted reputation; loss of IP or reduction in value of IP; direct financial costs, so that could be the cost of remediation, could be the cost of fines from the ICO if PII is involved; and then you have an operational cost as well. So when you're not able to do what it is you wanted to do because you don't have access to the information, or you don't have trust in the information, so the integrity of that information has been compromised, then that's impacting your business in financial terms. And as I said before, all of those things come back to money.
Andrew: We'll wrap up shortly. But another question which I was going to ask, which isn't web related, but what about services like Google Workspace and Office 365? A lot of small companies have obviously gone down the cloud route. In many cases that's allowed them to shift their data off-site; they're no longer responsible for buying servers or maintaining those servers. Are they protected in the same way? Or do they still have certain proactive things that they should be doing or need to do to make sure that data is protected?
Dan: They do. Great question. So when we talk about cloud services, Microsoft Azure, Office 365, the ones you mentioned, they will go a long way. Those vendors will go a long way to protecting...
Andrew: It is their business model fundamentally, isn't it? If they get that wrong, then confidence is shot straight away.
Dan: Absolutely. And the saying is that the vendor will protect the cloud environment; the customer has to protect the information that's within that cloud environment. So there is a line, and we call it the shared security model. There is a line where the vendor will go so far. The customer then has to take a view and say, right, OK, these are the risks that I face within that cloud environment, I need to do these other three things: put a web application firewall in place, you know, make sure my backups are running properly and, you know, doing what they should be doing day in, day out so that I can recover from any incidents. All of those types of elements, they need to take a view and say, "Right, this is my risk. These are the right actions to take as a result of that risk," and implement those.
Andrew: Goes to show that we all need to be on our guard, you know, just as individuals, as much as companies with that wider agenda.
Dan: Yes, we absolutely do. Be on guard. Make sure your anti-malware is up to date. Make sure you've got two-factor authentication across all your accounts. Make sure that you use strong passwords. The NCSC recommends three random words. There are other ways of doing it: use a password manager. Make sure that you use a really, really secure password for the, sort of, root account of that. Yeah, there are a number of things that we all need to be doing day to day to make sure that we don't come a cropper.
Andrew: Well, that's been a fascinating conversation. And as listeners will no doubt hear, it's a pretty broad area and there are lots of different avenues that we could take. But Dan, thank you so much for taking the time not only to join me but to come into the studio and go through this conversation as well. I've really enjoyed it. Where can people follow up with you? You talk about your business CyberLens providing this sort of affordable approach for smaller companies. Tell us a bit about CyberLens and where people can get in contact with you.
Dan: Yes. Thank you, Andrew. So absolutely, the ethos for the business is bringing good information and cyber security and making it available to the SME marketplace, and we want to help businesses manage their information and cyber security risk in the way that large corporates do. And we're bringing that experience from the corporate space. So to get hold of us, please visit the website, which is CyberLens.com. There are telephone numbers on there and contact forms which you're welcome to use. And we look forward to speaking to you.
Andrew: So thank you. It's been a fascinating conversation. We will make sure that we put those links up on our website with the show notes, which can be found at adigital.agency/podcast. Really appreciate you taking the time. Thanks for joining me today, Dan.
Dan: Thank you, Andrew. It's been a pleasure.
Andrew: So my thanks again to Dan for joining me today on the Clientside podcast, chatting about information and cyber security. It was a really fascinating conversation that I hope you'll have taken plenty away from, at whatever stage or size your business is at. The threat is real and ever present, so I encourage you to take action to check your website, your firewalls, your network security and, of course, your data management policies as well. As usual, we'll add the show notes and links to Dan's profile and website on the Show Notes page for the podcast, which you can find at adigital.agency/podcast. Thank you to you for tuning in today! Don't forget you can leave us a rating and review on your favourite podcast platform. We'd love to hear from you and get your views. We'd also be hugely grateful if you can share the podcast with your friends and colleagues. Give us a mention on social media or get in touch with us. Just drop me an email to hello@clientside.show. Finally, a quick plug for my book, which is available to buy on Amazon: Holistic Website Planning: Positioning Your Website at the Centre of Your Digital Transformation. If you're planning a new website project in 2022, then this is a great place to start. The book talks about a process that I came up with called Going the Distance, which is an eight-step approach to researching and planning your website to ensure it's fit for purpose and more sustainable to build and manage. If you want to check out a free chapter, then head across to gothedistance.website where you can learn more. So that's all for today. I'll be back with another episode in the next few weeks, so I hope you'll be able to join me then.