I’d like to introduce you to Raj Kundalia from Cybione. He will talk about what you can do about cyber security threats for small businesses.
Just a reminder, cybercrime affects more and more organisations every year with criminals looking to steal your most valuable business assets from sensitive data to finances.
We monitor websites and the number of people attacking websites. You think, why would they take my little Sports Therapy Clinic website? Well, they do. They can use you to hack other computers. And it doesn’t really matter where that is.
So today, I’m delighted to be joined by my guest speaker, Raj Kundalia, who’s the founder of the cybersecurity training platform Cybione. He’s going to take us through what you need to know to keep your business safe. So over to you, Raj.
Hi all, I’m just going to share my screen. So thank you, Peter, for the kind introduction as well.
So before we start, how did I come up with the name Cybione? Like Obi-Wan Kenobi, I’m the only hope. A huge Star Wars fan. But when it comes to cybersecurity, I found that when you work with a partner it’s trust which is really important for me, working with an ethical organisation; I’m very ethical with my approach. And I do loads of presentations for schools, I do a lot of help on cyber helplines and various other means to help the public as well, to give back.
So just a bit about myself and how I got into cyber security. To be honest, it was one of those scenarios where I was involved with a project. And this project involved controlling a vehicle. And I had to get something called a penetration test, a pen test, which is known as an ethical hack, where someone comes in and hacks your applications, your website or anything that’s connected to a network or the internet that somebody can access.
So within 30 minutes, they were able to hack this app that I created and drove this car off the road. And that was the first real shock to me thinking, well, I could have designed something and didn’t test it. And it could have gone out to the market. This could have, you know, this could have been, you know, caused harm to a family member, it could cause a lot of disasters on the road or even globally.
So when I started to research a bit more into this, I asked why more of my projects, because previously I was a digital project manager, why aren’t more of these projects having some kind of security testing awareness done?
And the more I dug deeper, I realised, actually, even some of the big companies weren’t doing these tests. And this was back in 2015. It’s matured a lot since then. But there are still a lot of companies that don’t do this security testing.
So I’ve got just over 10 years of experience now. So I’ve worked on various projects. I’ve worked in the cybersecurity space for over 10 years. And I work with various companies, from actually understanding what the business is, depending on what they provide from different services. It determines what kind of cyber risk they’re involved in, or, you know, what they’re impacted by. So it’s very important to understand which industry you operate in, because based on the industry you operate in, there are cybersecurity standards that you need to follow.
So just to go through, over this presentation today I’m just gonna go over: what is cybersecurity? Because when you think about cybersecurity, it’s a bit of a negative word. We try to flip that as well, to show some of you that it’s actually an enabler for your business, because a lot of big corporate organisations are now looking at: have you got your cybersecurity in place? Have you got your house in order? How do you do that? So it also becomes attractive to investors, and also to other large companies to work with you as well, especially if you’re trying to work with the likes of the public sector, the NHS, the government, and trying to maybe work with those big corporate organisations, because this is what they’re looking at.
Why would a cybercriminal target you? And Peter mentioned, you know, the Health Clinic website. I’ll tell you the reason why. Why would someone target you? Understanding your digital footprint, what’s out there, we’re all on social media and various applications now, and how do you reduce this risk? And how do you keep yourself safe?
So I’m a firm believer in not only keeping yourself safe but also your employees, your staff, your family, your children, your grandparents, anyone that you connect to, because they have a direct link into you. If any of those links are compromised, that’s the link into you or your business, which can obviously have an impact as well.
So right now, I just want you to picture your house. So you lock that door at night, you probably close that window as well. You may even have a CCTV camera that you add in. This is probably a reactive buy when you buy a CCTV camera, usually fear-related, or maybe you’ve been burgled previously or in the area you’ve been asked to get some kind of CCTV. So you feel safe, you may leave your house and flick it on. So overall you’re responsible for that.
So most of us have the internet at home. So we have a router; that router then connects to the internet service provider, which is the ISP, could be BT, Sky, whoever, and connects to the internet. That’s the way into your network. And this could also be related to your business. It’s also like your front door – if someone can get into that, they can get into your network.
But also, we have all these beautiful devices, these IoT devices, like laptops, and, like your window, that’s a window into your house and your business. So now picture your business online as a house. All these are entry points a cybercriminal can enter from.
Yes, washing machines and fridges are smart now; they’re known as the Internet of Things, IoT devices. If they’re not regularly updated, or secure, that’s a way in. So there have been loads of incidents previously that I’ve been involved with, where a company has installed a new CCTV camera, but they haven’t tested whether it had any security holes in it, or they’ve got an old CCTV camera and they haven’t updated the software. That’s also a way cybercriminals can come in and compromise your network.
I’ll give you examples of different attacks they can use. But when you picture that, the one thing I want you to take away from this is to make sure you update your devices – devices actually release software security updates, which is very important, and that will close that door and that window from letting somebody in. So you may have that front door locked, but the back window might be open, or you might not have updated your laptop for many years. Or you may be running an old operating system like Windows 7, which is no longer supported by Microsoft; that is also a way in.
So the reality is, I see this a lot when I go into a lot of businesses: it’s like you don’t have a front door, you don’t have a roof. There are loads of entry points where you can be compromised. And the shock usually seen on the faces is quite traumatising, because I can run a scan in half an hour and I can see all your holes within your network. It’s pretty crazy.
And the same tools that I have cybercriminals use as well. So it’s very important that you understand the concept of locking your doors. And I’ll go into that a bit more detail on how you can keep yourself better secured.
So what is cybersecurity? I break cybersecurity into three areas: there are people you need to educate, your business, you need to educate yourself, and you then need to build the right processes for you and your company. And you need to test your technology. If you cover those three areas, you are not only educating yourself, you’re educating the business, you’re becoming more cyber resilient, but you’re also understanding the technology that exposes risk to your organisation. I’ll explain how to go about these technologies.
So right now, if you’re in an office space or at home, look around. Look at the lighting system, the AC system, and the cameras. You might have shutters for your windows, there might be automated blinds or your Smart TV. Again, they’re all entry points which need to be updated, secured and vetted by a cybersecurity professional, I would say, just to ensure that they’re secure.
You may have an IT provider; I can also provide that as well. But I always say your IT provider is a bit like your builder. Your cybersecurity specialist is more like your electrician, so they come in and make sure that they’re qualified; they have to get several badges before they can even perform an ethical hack, just to ensure that you are secure.
So, just to throw some interesting facts out there. IBM mentioned this as well last month: 95% of cyber breaches are caused by human error. This could be as simple as, you know, sending an email to one person to download your link, and not updating your devices could also be another entry point for cybercriminals.
So I just want that to sink in. If you’ve got a large workforce, you’re obviously going to be more exposed to risk because of the chances for human error. This is a global stat. So imagine every minute is costing the global economy 11 million; every second, that’s 190,000.
In the UK, though, about every 20 seconds a company’s been hacked successfully. So we’ve been talking for just over 10 minutes. So that’s like 30 companies right now in the UK, small to medium size companies. So micro-companies, SMEs, and small-medium enterprises have been compromised.
So if you think about it, that’s 30 companies that have already been compromised right now. So it is a growing threat as well; due to COVID, cyber crime has increased by 300%.
Why would a criminal target me? Why would they target you? Well, as I said, if you leave your front door open, or leave your windows open, and tell everyone that you’re going on holiday, on Facebook or Instagram, taking pictures of it, and they know you’re not in and your front door’s open, then maybe somebody’s going to come in and maybe steal. Or if you left your keys in your car and left it on, do you think your car’s gonna be there in a week’s time?
So as I mentioned, the educational part: a lot of cybercriminals can just scan a network on an IP address, the IP addresses that the domain sits behind, as well. So, like, Google has IP addresses underneath it. But cybercriminals will scan a network or an area, and they’ll get a ping. And that ping is, oh, that window’s open, that back door’s open, I can compromise that. Or I’m going to put an ad out there. And hopefully someone answers it, fills in my question on Facebook, about what a Spartan warrior I am, which a lot of us do on Facebook. There are cyber criminals working behind that.
So people will be surprised what information they’ll give away. They might be asking you for information about your boss, where you work, and trying to say what kind of person you are. And that’s the information they’re trying to gain, to try and gain some kind of personal identifying information about your organisation.
So why you’ll be targeted – well, the fact is, if you make it easy for them to walk in and out of your business or your house, and make it easy for them to compromise you, you fill out that questionnaire, or download that link, which can be malicious software. And I’ll go through those examples later. But you can simply download a document where your network is compromised. And cybercriminals are backdoored into your network and your organisation, where they could compromise you even further. So if you make it easy for them, why wouldn’t they?
And you’re probably thinking, oh, they’re probably going to target these big companies out there. But the reason why these big companies aren’t easy is that they’re big companies. But no one’s going to talk about my company being compromised on the news, because it’s a small company. A large company that holds a lot of data makes a better news story.
So how do attacks happen? Phishing. I’m sure we all receive those HMRC emails, TV licence emails that we get. But also this is probably the preferred method for cybercriminals: probably 90% of all intrusions happen with a phishing email.
So it’s very important to know what to look out for. Previously, there used to be a lot of bad grammar mistakes in there; again, they’re a lot more clever in the emails now. It might look like it’s coming from your CEO. I’ve seen a lot of phishing emails, and usually there’s some kind of urgency there. Or they’re asking you to log into something to provide your username and password.
So what I’d say about how to handle phishing emails is just be mindful. Take a breather and read that email. If it’s from your director asking for something urgently, is there another way of contacting them? Can you ring them directly? Or, if you’re in the office, can you go over and speak to them? Because this is how cybercriminals will get you. Malware – this is where you get a malicious piece of software that might be attached to an email, which you download, which infects your machine, which is the way in.
They could cause a ransomware attack, and I know back in 2017 we had one, where the NHS network got encrypted. So what ransomware is, is that it’s literally holding that organisation to ransom and asking you to pay in some kind of cryptocurrency to unlock your files.
It’s a method that cyber criminals use. There’s also something cyber criminals have, called ransomware as a service. This is a service that they can buy. So there’s a whole organisational body behind them to actually deploy these tools. Because they see it as a job, like a nine to five, like we do.
So man in the middle attack, this regularly happens. This is when somebody is in. So I’ll give you an example of this: it basically means where somebody is already in your network, they can maybe see communication. So for example, if someone were to compromise my emails, and me and Peter exchange emails, they can see what those emails are. And what they might be able to do with those emails is maybe change some links and information or some attachments.
So if I’m providing the Zoom link to Peter, there might be a change to those links, or those documents, which can then lead to malware, which is another way in to compromise someone’s network.
So what’s the motivation behind it? We mentioned ransom. It could be somebody being paid inside to maybe, you know, plug in a USB stick or download something. You know, not mentioning any presidents, but there are obviously political gains from it as well. We see that a lot more now in the space, because it does happen.
Competition – it happens with different countries competing against each other. Just look on the other side of the world, around Asia, how they duplicate a lot of stuff, like plans and blueprints; cyberwar as well. So a lot of us are seeing a lot of this. I’m gonna be honest with you, this has always been happening; this has become a bit more of a highlight because of what has currently happened. But this has always been going on.
There are maps out there. All I would say is, if you get a chance, type in “DDoS attacks online happening”; you get live cyber attacks on a lot of these websites to actually show you what’s currently happening right now.
Not to scare you, but it’s continuously happening. So where do you start? We mentioned training. So coming on to live streams and training, you know, or doing some kind of online training, awareness training. It’s very important that you educate your organisation, not only on what threats to look out for, but also on understanding what processes and best practices you can apply within your organisation.
So also understand your digital footprint. Understand what social media accounts you use, and what business social media accounts you use as well. If you’re a salesperson, you’re probably looking at what somebody is posting online, what event they’re going to, maybe doing a bit of recon, learning about their history. A cyber criminal has access to the same information. So I can find out where you went, where you live, I can find out maybe information about your family. It’s also about your business.
This is why I always say about your company: if you invest in a new CRM system, some people post about that; they may be posting about a new partnership. But there are also opportunities for cybercriminals to get that information, and maybe create some fake profiles, accounts or emails to compromise that deal, because they’ve got that information they can go by.
So the other area to start with is, look at your business right now and look at all the applications you use, from CRM, Microsoft, your phone, what you use day to day in your business to carry out your operations, and put a level of risk towards it. What’s the likelihood of that being compromised? And if it did get compromised, what’s the impact to you? So if your phone got stolen, can you reset it? Can you lock it? Can you track it? Can you wipe it? With your laptop, if your laptop got lost, how quickly can you replace it? How quickly can you lock it?
There are lots of different mechanisms out there at the moment where you can lock your laptop so some criminal won’t be able to enter it. But it’s just to understand these things. When you’ve got a CRM system, I always say go for something that’s cloud related, not built in house. If you do build it in house, I’m not saying don’t do it, but you’re very responsible for that data and the security testing of it. So it can be a lot more costly for you to maintain that.
As well, if you do use a cloud service, ask yourself: have I done any security testing on it? Do they have any security badges? I’ll go through an example of what security badges to look out for. And where is that data kept?
So UK data still needs to be kept in Europe, because we’re still governed by GDPR. Even though we’re no longer part of the EU, we are still following the guidelines for GDPR. If your data is stored in the US, that means your client data is in the US and they’re not complying with GDPR. So just be mindful of that as well.
So three types of risks: human risk, where we talked about 95% of all cyber breaches being down to human error. Natural disasters, that’s a risk as well. But that could also affect your business in other ways. You’ve got technical risks as well, like when you don’t update. Or you may have an iPhone, but if there’s a new vulnerability that has been released, then Apple have to patch it, and that downtime exposes technical risk.
Also, what happens is, when there is a technical risk in a piece of software, it gets published online, which cyber criminals have access to. So maybe there’s a vulnerability on Windows 11 right now. And they’re saying they’re patching it, and the patch is an update, a security update. Once they do that security update, not everyone will update their laptop. So what a cybercriminal will do is look for that vulnerability in your laptop on that Windows 11 operating system, which they can exploit.
So as soon as a software update does get released, I recommend trying to update the device straight away, when you’re able to. I appreciate you’re busy, you think you’ll do it later; that’s fine, but find time to update it. Most insurance policies recommend that you do it within 14 days; I reckon you should do it within seven.
So the benefits of having good risk management, like I mentioned, come from trying to build that habit. So when you look at investing in new technology, or anything that’s connected to your network, it interfaces with a business decision.
It helps your decision making. You can also delegate throughout the organisation. Maybe you feel like you’re so busy with the running of the business, or you maybe want to champion people within the organisation to help you with that decision making process.
Also, you basically build a culture and a foundation so that when something does happen, a threat, you know how to better respond to it, because you’ve had that training.
Remember, I mentioned the processes earlier. So when you do get compromised, you get breached, there needs to be a process internally: how do you handle that? Because under GDPR, if you do suffer a breach, you need to report it within 72 hours to the ICO.
I also recommend – I don’t have a link here – but I also recommend you go to the ICO website. It has guidelines on there as well. And the ICO is there to help; don’t feel like they’re there just to hand out fines.
So I just want to emphasise this: a cyber risk assessment is not separate from what your company wants to achieve, but should support your company’s objectives. So build that in with all your decision making when you make a business decision.
Asset management. So I always say make a list – I spoke about risk earlier, and I said it’s very important that you make a list of what you have in your organisation. So, you know, I made a quick list here. Also, it’s very important to understand when that device is no longer going to be updated or supported.
So a perfect example is iPads; they have an expiry date. So there’s gonna be a point where you can no longer update that software. What happens if you can’t update the software? You won’t be able to get the latest security updates, which a cyber criminal can compromise. And what I mean by cyber criminal gangs compromising it is they can actually get in there and steal data off you. Maybe try to get some more financial information from you which they can use to maybe, you know, steal some money off you or get some kind of financial gain, or there’s information that they can sell on the dark web.
So, the importance of asset management is to list everything that you have, from cloud applications as well. It helps you identify what technology and information is within your organisation as well. So what data do you hold, and do you need to hold that data? Do you really need to know where someone lives, their address, their date of birth? So just be a bit mindful: the more data you hold, if that data gets leaked, I think it’s a fine per database that you get from the ICO.
You’re also able to identify where your vulnerabilities lie, because, you know, laptops and software devices need to be regularly updated, so you need to have some kind of monitoring system in place. Because as soon as a device isn’t updated with the latest security updates, that basically opens up a backdoor for your organisation being exploited by a cybercriminal getting in.
Then with that, you’ll be able to obviously apply appropriate cybersecurity controls. And then plan for future technology cycles. So remember, I mentioned expiry dates of devices: firewalls, routers, and laptops all have an expiry date. So having that in your business plan, because you already pre-planned it, also has huge cost savings. Because you know that cost is coming up, you can basically factor in revenue, you know, cash reserves that you need to bank to pay for that as well.
So the way into your kingdom is obviously your password as well. So I always recommend creating strong passwords. I found this image which illustrates how quickly a password can be compromised.
The rule of thumb now is to create three different subjects that are not related to anything; you know, the password is not made up of any information they can find about you online, so maybe your child’s name, your grandchild’s name, your pet’s name, where you live, where you were born, your favourite football club. Try and make it three random words; maybe just look at your desk and just come up with something that no one could guess.
I create a passphrase. So it’s more than, it’s probably about 18 characters, but I only need to remember that password once, because I use something called a password manager, which creates the secure passwords for me.
So I mentioned this, how I got into cybersecurity, which was that penetration test, which is ethical hacking. So I want to explain to you what that is. So, right now, what cyber criminals do is they externally look for ways into the organisation. How can I exploit that router, that firewall? Or even that cloud service? You know, how can I get into your organisation?
And that’s why we perform external ethical hacks, to actually test the external side of your business. Is it secure? Is that door locked? If I open up that door, what can I do once I’m inside? That’s when we also perform an internal pen test. So for a cyber criminal, that is from that malware, or that man in the middle attack. If someone got into your network, what can they do once they’re in? If I am sitting in your business right now connected to your network, what can I do?
So we talk about ring fencing in cybersecurity, where we lock down users so they only have access to what they need. So if a cyber criminal does get in, you know what they can do. So this is also very important: not only to test externally, but also internally. Because, like I say, a simple download or simply not doing an update can be a way in where a cyber criminal can do that internal attack.
That’s why I recommend that – I know a lot of us work from home at the moment, and hybrid, but we still have an office location which we may VPN into, which is a virtual private network, a secure way to connect to a network or a database. So that network, like I said, that house is your business network, which a cyber criminal can get into and do an internal attack as well.
So, importance: I would say it’s very important to back up your data. Microsoft also recommends in their T&Cs that you use a third party to back up your data, because depending on what level of licence you’ve got – I think the lower licence is probably the basic one, the other licences keep it for 90 days. I recommend someone that actually has cloud storage somewhere that you can back up to. And obviously, for your more sensitive information, try to find, maybe have that as another backup as well, just in case. Just ask yourself, what data is very important to you, and what data is very important that you do back up.
A backup is not the same as a disaster recovery plan. A disaster recovery plan is if, for example, a large organisation was compromised and they couldn’t get access to the network, they could flip on to another server or another network, and they could still continue operating. So this is such a big thing. Back in the day, I remember working with one of my newspaper clients; they had a whole new building, ready to go. So if that building was burned down, broken down, they could still continue working. But also, if they were hit by a cyber attack, they could flip to another server and work from there.
And it’s all backed up. It’s ready to go because it mirrors the existing live one. So even though they have got backups, it sometimes takes longer to restore from your backups to get back to business as usual. That’s why a lot of organisations, especially large ones, that can’t afford to lose out on a time period, maybe for more than an hour, have a disaster recovery plan.
Supply chain assurance. So we talked about keeping you secure, but earlier I also spoke about these big corporate guys and the NHS and local government wanting to make sure you’ve got the cyber security badges in place. So businesses that you connect with also expose you to risks.
So if I’m supplying services to a digital agency, and I’m compromised, I could be sending a link or PDF or information. But when they download it, it’s malware, because I’ve been compromised. Or is it me they’re talking to? Or has a cyber criminal got hold of my emails, or my accounts? Or have they set up another profile online to fake that it’s me? So just be mindful of your supplier and what controls you can have in place.
So a big thing at the moment – I should have mentioned that with the man in the middle attack, when the email is compromised – is a lot of payments go missing, like it’s being paid to another account. So every time you’re paying a new supplier, ring them to confirm the bank details. And if you’re still not sure about a supplier, transfer one pound to them.
You may use different business apps like the Starling Bank app, which I saw from one of my clients; they ask you a series of questions saying, do you trust this person? Do you know this person? Have you paid this person previously? Because they know from previous experience a lot of funds have been paid into the wrong bank accounts.
So also, when you contact that person, make sure you contact them by another means, not from the details in the email, because on that email a cyber criminal might put different numbers on there.
So these big corporate organisations have a vetting process for you to become a supplier. And this is the reason why the supply chain causes risk there as well.
So something that I highly recommend you go on: the National Cyber Security Centre – our government has created 10 Steps to Cyber Security. So everything I’ve covered, this is free information; there are free guides out there on the internet right now, which you can go on, and it covers 10 areas.
I’m not gonna go through each of these 10 areas, but there’s a lot of information on there. So I recommend that if you want to know where to start, I would say it is a good place to start, because it works on the foundations, but it is also aligned to all these big international and national standards that the government is trying to push out there as well.
So a good badge to go for, especially if you’re starting out and you’re worried about cybersecurity: Cyber Essentials. It was launched in 2014 because the government saw cyber threats increasing and businesses weren’t doing the bare basics. So everything I mentioned about updates, educating, it covers all of that within that badge.
And the first badge has about 8 questions, so it covers certain areas about you and your business, which is then verified by a cybersecurity professional, and then you get a badge, and that lasts for about twelve months. You also get free cyber cover with it, as long as you’re compliant. There are different levels, but with the free version they’ll pay up to 25,000 if you suffer a breach, but you have to stay compliant with that badge, which people don’t realise; they go for that badge and don’t stay compliant. So it’s very important that you adhere to those controls, and your IT provider, or, you know, a cybersecurity expert, can help you with that as well.
Cyber Essentials Plus is once you achieve stage one, which is also known as Cyber Essentials basic. You can only go for the Plus once you have achieved that. And that’s actually a cyber security professional that will validate, see if those answers are true. So they will scan you. So not an ethical hacker, but what they do is they’ll do a scan of your network. And they’ll do an internal network scan, just to see if your doors and windows aren’t shut, and whether there’s anything that’s outdated, where a cybercriminal can compromise you.
They also look at your workstation builds as well. So your laptops, making sure that they’re built to a certain standard. And they check for some policies and do some mail filtering. So they check your patch management policy, which is the updates that I mentioned; they also test your password policy, I mentioned, you know, creating those three separate words. So it’s very important that you have that in place.
That’s why I just say that for Cyber Essentials basic, a lot of people just fill out the information, but make sure that you do have those policies and procedures in place that you mention on there. Because if you do get breached, the insurance provider would ask.
So, the five steps to Cyber Essentials, which is controlling your data. The use of a firewall: you have a firewall in place, how do you go about it? So there are best practices involved in that. Do you use any kind of antivirus or security software?
Antivirus picks up probably only 33% of threats. But that doesn't mean that if you don't update your device the antivirus will pick it up either. So make sure that you still do update your device and keep the antivirus regularly updated as well.
There's also something called advanced AV, the likes of SentinelOne or Bitdefender, and there are other ones out there. They're a bit more advanced, but you get cybersecurity professionals updating those regularly. And they come with a guarantee as well, especially some of them: if your device is compromised and you have that installed, they have a warranty that will pay out probably about $1,000 per device that's been compromised.
I mean, some of them can basically say that if you apply the software correctly, the chances of you getting compromised or breached are very, very highly unlikely. But I would never say there's no such thing as never getting compromised or breached. No cybersecurity professional would say that to you. I'd say it's just a matter of when, and when it does happen, do you have the appropriate controls in place?
Keeping devices up to date: I can't stress this enough. Please keep your devices up to date. Personally, my wife doesn't, so I have to go around and always update her phone. I update all the devices. And I'm glad she's not in the house today. But that's something that I always have to go and check: make sure that I've got the latest software updates, make sure she's updated, because she could be a way into my home network, for example, if she got compromised.
Protection from malware, so antivirus, with advanced antivirus, making sure you've got something that can pick it up. Detecting it is very important. It might not be able to pick up all of them, but it's better to have something than nothing.
So, some of the badges I mentioned: Cyber Essentials. Cyber Essentials is known as a national standard. (unclear) is also known as a national standard, but it works more towards an Information Security Management System, building a process in place for your organisation. It's also a stepping stone to ISO 27001, which is the information security management certification, a fully built information security management system which is internationally recognised, and those information security standards make up GDPR.
So that ISO standard is very powerful, and people work towards it. Organisations know, especially big corporate organisations, who ask you to achieve ISO 27001 or work towards it. This can be a costly but excellent exercise, because they know what processes you have in place, because it touches all the things I mentioned: supply assurance, and if a breach does happen you have, you know, validated risk.
You also have appropriate controls in place, and you have documents in place that would adhere to a lot of insurance policies as well, so overall reducing your insurance premium. So I would always say, you know, most companies in the UK probably aren't complying with GDPR, but I would say work towards the ISO 27001 standard.
But before you start that, I'd say Cyber Essentials is crucial. Working towards (unclear) governance, because it's a lot cheaper to achieve (unclear) governance than ISO 27001, but it's a stepping stone, because when you do want to go to ISO 27001, it's not as big a step (unclear). And right now it's a huge step, because at the moment it has 142 controls, and that's going to change to 97, I believe, because the standard has just recently been updated this year.
But there's more going to be about that, and because ISO 27001 is changing, GDPR is going to change slightly, because they make up the information security controls. So yeah, that's me ending now. So that's just an overview of cybersecurity now: why would a cybercriminal target you? Why would you make it easy for them? Why wouldn't they? They'll walk in through that front door if you've left the door wide open.
Understand your digital footprint, what's out there, what services you have, from cloud services to what you use, not even just in your business but also in your daily life. Understanding best practices: I mentioned some standards out there, the National Cyber Security Centre's 10 steps, the five everyday steps that make up Cyber Essentials; I don't know if I mentioned that earlier. And how to keep your bubble safe as well. So yeah, does anyone have any questions?
I do, Raj, if that's okay. Yeah. You mentioned earlier on about the VPN. But how safe is your VPN? Because I'm at home today, I was in the office yesterday, I log on via VPN, and you concerned me a little bit.
So the VPN masks your network, so it's encrypted. So they are pretty safe. But there are VPNs out there that are a lot cheaper; I always recommend going with one that's well known in the market. But you only need a VPN if you're connecting to a corporate network, which you are. Personally, if you're not connecting to any networks and you're maybe using Office 365 in your standalone company, then as long as, when you visit your website, it has the HTTPS, that padlock in the corner at the top, because that also encrypts anything that you type into that website as well. Does that answer your question?
It does. Thank you.
Yeah, thank you very much for today. I think that was really useful; you covered a lot of areas, very comprehensive. But just so that, I'm always very keen that people take actions away, you know, because there are lots of actions in there, and the presentation will be available in the next day or so in our watch the previous workshops page on the website vision success.co. And we'll also be putting this recording up as well. But if there's one thing you could take away from today, you know, that people could take away from today and say, right, okay, this afternoon or tomorrow, what sort of thing would you suggest they do?
So I'm going to post the link into the chat, which hopefully people can share; I might share my screen as well. If you can share that link as well, because it's a free service. So if you've got your work email address and personal email address, what I recommend, if I share my screen quickly, is that you can type in your email address in there. If I just type in one which I know everyone has access to, because it's on my LinkedIn, so if anyone (unclear). So what this website tells me is if I've been part of any data breaches previously, where you may be secure, but the applications that you use may have had breaches, like Google or (unclear), which was breached in May 2019.
And my email address and my password were exposed then. So if I haven't changed my password since then, and I've got the same password across all my other accounts, that cybercriminal could probably get access to my Google, my Facebook, and so on. So it's very important that you don't use the same password. But also, it's very important that you try to monitor yourself somehow, and here's where you can monitor yourself; it's a free service, you can use Notify me at the top here.
That’s one, the other one I recommend is going on to this website. It’s National Cybersecurity centre, the NCSC website and look at the 10 steps to cyber security, there’s a lot of training on there.
Which will help a lot of businesses it’s a stepping stone, so at least you know what to look out from. For clown from, you know, antivirus how to, what technology to look for is quite a lot of useful information there, as welll. So highly recommend visiting this website. And if, if you do receive a phishing scam, it’s got information on there, how to report it. So, so one thing I’m a big fan of is the number 776 texts in that.
Because what that you know, when you receive a four phone call from HMRC is automating that message, or that call that you think and actually someone’s trying to get information from it, there’s usually don’t call that phishing called ambition, where someone’s trying to get information off you or trying to get you to do something, you can report them by texting that number 776. But also with the text messages, as well.
But you know, the one thing we’re getting those of fake information about delivery, you know, parcels and getting links on there. And also your bank payment, saying it’s from HSBC bank or Barclays, you forward those text messages to 776 your mobile for quite a war, or investigate, and they’ll block that number. But also people thinking, Oh, I just ignore it. But by you blocking them, it just saves someone else may falling victim to him. So I’m very firm, very, you know, very, you know, I like sharing that information, lot of people. Because I think last in April, they blocked 50,000 numbers just here in the UK. So that’s 50,000 people likely not to fall victim to normal.