Posted on 3/10/2017 by Gary Fay
Established in 2015 as a joint venture between the Mayor of London, the Metropolitan Police, and the City of London Police, the London Digital Security Centre is at the coalface of protecting SMEs from the real and growing threat of cyber crime. At a time when computer misuse offences are estimated to be around two million a year, the Centre’s mission is to educate business owners and employees about the real implications of cyber crime and give them practical tips on how best to protect their organisation.
Offering free membership and impartial advice, they are the first port of call for the capital’s one million SMEs, many of which are targeted by cyber criminals.
An expert in financial and cyber crime, John Unsworth, Chief Executive of London Digital Security Centre, has led national intelligence activities and previously worked with the Global Cyber Alliance. We caught up with John to get the lowdown on his organisation, what businesses can do to help themselves and why it’s not all doom and gloom...
Identifi Global: Could you give us the official line about the Centre? Who are you, why do you exist and how do you help?
John Unsworth: We were set up by the Mayor of London in 2015, as a joint venture with the Met police and the City of London police. The whole point of it was to give small and medium-sized businesses in London somewhere to go to for advice and guidance on how to be better protected against cyber crime. We also offer support in finding the right products that can help them be more secure. Really, we were set up because SMEs were struggling with cyber crime threats and they needed someone they could trust to give them some advice.
IG: Why is it specifically SME-focused?
JU: Because there are a million of them in London, so they’re the backbone of the economy. Big organisations have the financial resources, personnel resources etc, to be able to dedicate energy into cyber security, but some of the smaller ones don’t.
We are an organisation that you can come to and say, ‘This is how we work, this is what we do, what do I need to have in place?’
IG: So aside from the cost of cyber security people, what are some of the biggest challenges that SMEs have when it comes to cyber security?
JU: Every organisation, every business, has been forced online. Many people want to be there, but there are also many organisations that don’t want to be there. Lots of businesses have grown from being purely in the physical space to now being virtual as well, which is fantastic, it brings lots of business benefits. But we live in a world where we’re unaware of how dangerous it is to operate online and we’re unaware of how criminals actually target us, and we’re not conscious of the different methods in which they do it.
A good way to illustrate it is to compare the physical space with the digital one. If you run a shop on a high street and you’re locking up at the end of the day, you’ll pull the shutters down, you’ll put the alarm on, you’ll have a master lock and so on and so forth. But online, what people have tended to do in the last few years is buy in someone to do the website, so they’re taking custom via the website but they don’t know what level of security is on there, they don’t know the vulnerabilities.
A lot of the crimes that we see come from very simple things, like phishing emails or emails that come in pretending to be from a supplier saying ‘we’ve changed our bank details, so can you just pay your invoice now and send it to our new details’. These types of things, while they might not be massive in terms of financial losses, for a small or medium-sized business, it could be enough to go under. The impact can be really incredible. We’re not talking about just losing a bit of money and getting insurance payouts, we’re talking about businesses not being able to operate, we’re talking about employees not being able to be paid. The challenges that people have are firstly understanding why and how they are at risk, and secondly, understanding what they can do about it and what the business benefits of it are.
It was recently announced that Yellow Pages is shutting down and that’s because no one ever flicks through those books anymore. But in the past if you were looking for a plumber or an electrician, you’d go to the Yellow Pages, you’d flick through, find someone local, get them out for a quote and then you’d get the job done, wouldn’t you?
When it comes to cyber security what do you look for? What do you type into Google? How do you know which organisations are trusted ones? How do you know it’s the right solution for you? How do you know that the cost is fair? That’s part of what we’re trying to do — cut through the noise and the nonsense. We look at how organisations work and operate and determine which measures they should have in place.
IG: You talked about how there are a million SMEs in London. How hands-on is the London Digital Security Centre? Are you available to all these one million SMEs for them to get in touch? What’s the process if they have questions, do they go on the website or is it a personal kind of consultation?
JU: We engage with them in two ways. On scale, we engage through the website, so we encourage businesses to come to our website to join up as a member. As part of the membership we get them to complete a digital security assessment. We ask them questions about how they operate online: Do they have a website? Do they have social media? If they do, do they manage it themselves? How many devices do they have that connect to the internet? Do they use their own devices or are they company issued devices? Questions like that.
From those assessments we’re able to send each organisation an action plan, highlighting where we believe there are areas that they could improve on their security and pointing them in the direction of some of the services that are free of charge for them - that’s on scale.
The way we do face-to-face is through a programme called ‘In the Community’. We work with the Met police and the City of London police and go to every borough across London with a uniformed officer, visiting SMEs and taking them through the risk assessment that I’ve just described. On a one-to-one we spend 15 minutes with them and go through a basic assessment of their current security and then give them some protection advice, but obviously it’s just not possible to deal with a million businesses in that way.
The majority of businesses that need the most help are the ones who wouldn’t find us on a website because they wouldn’t be looking for us. The difference, again, with some of the smaller businesses compared to bigger businesses is they’re busy people and they’re busy doing the job that they’ve set up in the organisation that they’ve set up. Often security is put on the back burner and we’re trying to teach people to get ahead of it and see it as a real business enabler, because once it goes wrong, it’s a nightmare to fix.
IG: There have been some quite high profile cyber-security attacks recently - are more people becoming aware of the issue and the need to get on top of cyber-security, in your opinion?
JU: In general I would say yes. It’s all over the media, like you say, and we’re seeing more of it. But to give the example of WannaCry: a week after that happened we were in a room with a number of SMEs and they hadn’t heard of it. They hadn’t heard of the NHS attack.
It’s perhaps because they don’t go home and watch BBC News or Sky News or they’re not looking on the mobile apps to see what the latest cyber security stories are - they just bypass them. We in the industry think incidents like that might be a tipping point, but they’re not. There have been many, many incidents and many large-scale cyberattacks, but it only really becomes personal to the majority of people when it hits them personally.
IG: Would you say a lot of SMEs are online because they need to be rather than they want to be?
JU: Yes, and it is amazing that you can buy something from a shop up in the North of Scotland and have it delivered to you a couple of days later. The fact that it’s opened up the market is incredible but it does come with risks and what we’re trying to do is get businesses to understand those risks and deal with them.
IG: Do you think cyber security is a tech challenge or a human challenge? Is it about engendering a culture of cyber security in a business or is it a case of just getting the right security in place?
JU: It’s both. Technology can eradicate a lot of the threat. You can block phishing emails and emails when you don’t know the sender. But you also need people to understand that they shouldn’t be clicking on links and you need them to understand that when they’ve finished using a laptop, they should turn the whole machine off so it can do its updates. The reason WannaCry was so rampant was because it affected unpatched machines.
If we can get people to be more secure at home then we’ll get them to be more secure at work - because the likelihood is there are lots of people using the same passwords for their home online accounts as they are for their work one. If someone buys something from an online retailer and that retailer gets breached and they’ve used the same credentials, then that puts the business at risk.
I think we need to shift the narrative. I was at an event last week and it got a bit frustrating, to be honest, because we talked about all these kind of issues and they said, ‘Come in and talk to my IT team.’ I thought ‘I don’t want to come and talk to your IT team. Your IT team know what they’re doing. I want to come in and talk to the senior executive, of which you’re one, who doesn’t get what we’re trying to talk about here and you’re just lumping the responsibility onto technical folk.’ That’s not the right way of doing it — security is everybody’s responsibility but it’s got to be led by senior officials or senior persons in each business.
IG: The new GDPR rulings are coming in next year and part of that is how you handle and protect your data. Is it just another layer that people are going to ignore or is it going to be the catalyst to make people sit up and think about cyber security?
JU: I think GDPR is a very good thing. I think what the Information Commissioner’s Office are doing about marketing it and getting it out there at the minute is really good as well, but I don’t think it’s hitting home with the businesses we’re talking about. I think the bigger organisations are preparing themselves for it. There are a lot of people setting themselves up as a GDPR specialist and, actually, creating a bit of a web of distrust and scaremongering about it.
All GDPR is saying to a business is, ‘Do you know what data you’ve got? Do you know why you’ve got it? And do you know where it is stored?’ If you can say yes to those then you’re not too bad. It talks about doing all you can to protect it and if you can demonstrate that you are taking your security seriously then that’s good. GDPR is actually an enabler, I think, to good security. The stick, obviously, is that for some organisations who are in breach and haven’t taken notice of it, there can be massive fines.
I think it’s a welcome shift because I’m of the belief that the thing that’ll make a difference is consumers having more knowledge about, and interest in, what organisations do with their data. One of the analogies I use a lot in presentations is that I have a young daughter and I’m looking around for nurseries to put her into. The first thing I look at is how safe the place is, and what ratings they have, as opposed to how much it costs. That’s because I value the safety of my daughter.
We now need to get to the point where consumers are thinking ‘I’m giving away all my identity details to you just for the sake of buying something, are you going to look after that? Or are you going to put me at risk? If you put me at risk are you going to tell me if something goes wrong? Because you haven’t in the past.’ This is why there are so many email addresses and passwords that are out there that have been compromised and folk don’t know about it.
IG: Talking more broadly — not just about SMEs — you’ve worked in cyber security for a fair while with the police and beyond. Do you think, as a country, we’re well prepared?
JU: Yes, I think we’re doing a lot. The creation of the National Cyber Security Centre is a big step forward. That sets the standards and gives all the relevant information that people need, so I think that’s great. The problem is getting people to know about it!
From a crime perspective, the City of London police does a great job in terms of running Action Fraud, which is the national fraud and cyber reporting centre, and the police do what they can in terms of investigations. But there are just so many - more than half of all crime now is cyber related. When you look across the country it’s something like 0.01% of all police resources are dedicated to investigating crimes that are actually constituting more than half of policing demand, so there does need to be a shift in that sense, but it is happening.
Back in the day, people used to leave their doors open, didn’t they? Because it was a safe thing to do. That changed because crime increased. I think this will happen in the cyber world — the public and businesses need to take far more ownership of their own security in order to help prevent it. We can’t be expecting others to come along afterwards and sort the issue out for us.
Where there’s been a serious cyber attack committed by sophisticated, organised crime groups, then the police, the National Crime Agency, the NCSC, they’re there for that but they can’t respond to every single loss of data — it would just be a ridiculous use of resources. We’ve got to take more ownership of what we’re doing and, again, bringing it back to why the London Digital Security Centre exists, that’s really where we try and come into it. We’re here to tell people that a lot of this isn’t hard, it’s just about actually taking ownership yourself.
And so often it’s little things that can make a big difference. Turning on two-factor authentication on your devices, for instance. One of the things we say to people is create an admin account, never ever use that to open email addresses and never go on the internet with that, just have that simply as the admin account. Add yourself as a user and then you can browse and do anything you want to do. If you download something bad, it’s not as impactful as if you were the admin on the computer because not being the admin means that you can’t make changes to the infrastructure.
So it’s little things like that, that can make a difference for businesses, just separating things. The recent Ransomware problem is a good example. Ransomware is a computer virus that threatens to delete your files unless you pay a monetary ransom.
A few weeks back there was a major attack throughout Europe, affecting all sorts of industries, including banks and airlines, and we got asked the question a lot, “Oh, should I pay?” And the advice is, well, you shouldn’t really pay because it’s blackmail. If you’ve backed up all your data and you’ve got all that saved on a memory stick or external hard drive, just switch the machine off, wipe it and start again. But if you haven’t backed all your data up and you are at risk of losing something, then we would still advocate you don’t pay but you’ve got a difficult decision to make, haven’t you? You might have your whole work catalogue on there, you might have all your personal contacts on there, your recordings etc — things which are of value to you.
IG: What’s next for the London Digital Security Centre?
JU: The main plans are to continue as we’ve been doing: to get out across every borough in London to make sure that we are engaging with businesses in their place of work. We want to use relationships with people like Identifi Global, Federation of Small Businesses, some of the banks and the police, to reach more businesses online and to get them to join up to the membership scheme.
We do lots of events, workshops and master classes where we take people through the specifics and help them implement some of the controls — and they’re all advertised through our website. Giving information out is good but action is far better. The way we do that is by giving people actions and suggestions after the initial assessment about things that they can do. Then we bring them along to workshops and after that we reassess them. What we should start to see is that actually they are more safe and secure online.
IG: Are there any plans for this to be rolled out nationally?
JU: There’s suggestions it could be. I think it would be a good thing to roll it out nationally using the same model through the policing network and so on. But at the minute, all our focus is on ensuring we are making the Centre work for the SMEs operating in London.
IG: Is there anything else we haven’t covered that you think is essential?
JU: The only thing I would say is there’s a lot of scaremongering about cyber security, and fear doesn’t change the world. We try to take responsibility by showing businesses the benefits of being a more secure organisation, rather than just scaring them with the prospect of losing money or getting fined. Security’s a great business enabler but we’ve got to stop scaring people into change and just help them make the change because it’s a good thing to do and it will make a big difference to their future.
A huge thanks to John for taking his time to speak to us. If you’re interested in finding out more about the London Digital Security Centre, head here.