Cyber security on a budget
Hello everybody, and welcome to today's webinar in partnership with the National Cyber Security Centre. My name is Lisa Schmet, I'm the Head of Partnerships at Charity Digital, and today I will be your host, with an amazing panel of speakers alongside me. Today we will share tips and insight on how your organization can best protect itself against cyber attacks and how to achieve strong cyber security. For those of you joining us for the first time, a very warm welcome to you, and we really hope that today's panel discussion will have some insights for you. For regular attendees, it's very good to have you back.

Today's format will be very interactive. The presentation is currently on the platform called Mentimeter, which means that we will run a few polls, about four polls, during the course of this presentation, which you can answer straight away. You can join thanks to the QR code that you can see on your screen now, and you can also join on menti.com and enter the code that starts with four, and then answer all the questions there. We will regularly post it in the chat in case some of you join us late. Obviously all responses are anonymous.

We will be joined by speakers from the National Cyber Security Centre, as well as experts and charity speakers from the Wildlife Trusts and Save the Children International. Basically, over the next 40 minutes I'd say, we will draw on experience from our speakers and guidance from the National Cyber Security Centre to explore some cyber security insights: budget-friendly technology that you can start implementing, considerations that you need when outsourcing IT and cyber security services, why we should prioritize cyber security even when resources are stretched and tips on how to implement it, and then plenty of other tools and guidance to protect your organization.

Before I start, and before I introduce our panellists, a few house rules. The session is recorded, so all the slides and all the resources will be made available in approximately a week's time to all of you. Closed captions are available on the bottom right of your screen, right next to the record button, if you need them. We will leave some time to answer all of your questions, about 10-15 minutes at the end, so please pop them in the Q&A section at any time via the Q&A button, and you can upvote your favorite questions. The chat function is for everything else: tell us more about where you're joining from, what experiences you've had with cyber security, and some tips. Once you leave the session you will be prompted for quick feedback, so please do leave your comments and help us produce content that is relevant to you all.

Now, without further ado, let me introduce our esteemed panellists. We've got Sophie, who is a Resilience Officer at the National Cyber Security Centre. Her role is charity focused, making sure that NCSC guidance considers the needs of the charity sector, and reaching out and amplifying the cyber security message to help the sector be safer online. Sophie will be joining us with camera off, but we will be able to hear all of her amazing insights. We're also joined by Richard Bartlett, who is the Strategic Lead Cyber and Data Security Analyst at the Royal Society of Wildlife Trusts. Rich's role is to protect and safeguard the organization in relation to cyber and data security, ensuring compliance with all legislation. He joined the Wildlife Trusts in January 2022 and has extensive senior experience in information security, mainly across higher education and charities. We are also joined by Gareth Packer, who is the Director of Information Security and Data Protection at Save the Children International, and he is responsible for the delivery of the organization's IT security and data protection.
He joined Save the Children in 2021, and he's held plenty of other senior IT and management positions in higher education and other charities. Both of them have a great wealth of experience. They're fully aware that many of our attendees today may not have the same budget and the same team size as Save the Children and the Wildlife Trusts, but there are loads of insights that they can share with all of us today that will help everyone be more cyber secure. So a very warm welcome to you all, and hello. Gareth and Richard, you can introduce yourselves.

Hello, hi everyone. Yes, nice to join you today, and I look forward to spending the next hour or so with you talking about cyber security and how to manage that on a budget.

Brilliant. Well, without further ado, let's dive in with this first question. As you can all see, the cyber threat report was released recently by the NCSC, and it identified some challenges that are quite unique to the charity sector. So Sophie, if you wouldn't mind giving us a bit more background to some of the findings?

Yeah, of course. So hello everyone, lovely to, well, kind of meet you, or meet your voices, or my voice. So the charity threat report is an updated version of a threat report that we had back in 2018, I think it was, so we're really pleased that we can produce this for the sector. This report was a consultation with experts from both the National Cyber Security Centre as well as other government departments, and also some open source research, and it was written with the support of the Charity Commission, so it's really good that we've got the buy-in from that angle. It brings together what the threat landscape is to the charity sector and also the key mitigations that we would recommend to help fight against those threats.

The key issues the charity sector faces when it comes to cyber threat are partly exacerbated by the financial crisis. Obviously charities are already usually under-resourced and underfunded, so the cost of living crisis is just making this worse, and there's also a huge increase in demand for services, as well as a reduction in government and local funding. Because of this we're seeing that charities are less likely to implement security controls than the private sector. They're also a lot less likely to have cyber insurance, which is obviously putting them at much greater risk if a cyber attack was to happen. Also, due to the nature of charities, there are more staff and volunteers that are likely to be using their own devices, so this makes it really difficult for charities to manage their security updates, and it therefore increases the likelihood of things like phishing attacks. Again, on a similar theme, there's a very high turnover of volunteers and staff because of the nature of the work, and so when we look at the culture of cyber security, it makes it quite difficult to build a secure culture and a positive culture around cyber security, and to train your staff and volunteers and make everyone aware of the processes.

In regards to the core principles it looks at, it starts at the basic things, so things that are included in our small charity guide, such as password policies, multi-factor authentication, backups and software updates, and then it also goes into things that you could use with your staff and volunteers across the board, so top tips for staff and free training resources, some of our tools as well, which I'm sure we'll talk about a bit more later on, and also how to get your board to buy into cyber. So yeah, hopefully that's an overview of the threat report for you.

Super, well thank you very much. I think that is already available in the chat section, so if you want to check it out, it makes for very powerful reading.
And obviously, I don't know whether we can already run the polls, because basically we've identified a few risks and it would be great to hear from our audience whether there's anything that particularly resonates. So our first poll is: have you experienced a cyber attack, data breach or near miss in the past 12 months? You can select more than one option, and it will be very interesting to see what's happened in the sector. I would also say that we've done a survey, I think it was last year, in partnership with the NCSC, where we also asked people what their level was in terms of cyber security, and we will also be able to share some of the findings with you later on. So okay, good, this is a good start. Two of our respondents have had no cyber attacks or near misses. Okay, that's already getting more answers.

Richard and Gareth, while we're waiting for people to finish their answers, have you had a chance to read the NCSC cyber threat report?

I have, actually, and I think it's a very useful report. I sent it to all of my team within my information security team at Save the Children, and I also sent the link, but I produced my own summary for our management team and the senior leaders team at Save the Children, because I think it's often a challenge for individuals like myself and Richard to make sure we don't go into too much technical language or jargon, and I think that report did a fantastic job of making very real cyber security threats very engageable for a wide audience. So yeah, I thought it was a really good report and a good way of summarizing the current threats, and also pointing people in the right direction of what they need to do to address that. So yeah, I certainly used it myself.

Brilliant. And what about you, Richard?

Yeah, we are actually sharing this with both IT contacts across the Wildlife Trusts and with trustees and senior management, because it's digestible by anyone. It's not really technical. As Gareth was saying, we shouldn't be talking technical language to people for whom it's not part of their world. The fact that it's got the head of the NCSC and the Charity Commission in at the beginning kind of sets the scene and gives it some gravitas. So yeah, I found it very useful, and it's a good communication tool.

Absolutely, yeah, I really agree. And I think we've got all our responses, so it's almost 50/50: 12 respondents have been lucky enough not to have any cyber attack, but actually nine have had a near miss. I don't know if, Richard, Gareth, this resonates with what maybe you've heard from peers in the sector as well?

Yeah, it's really interesting to see the results actually, and I appreciate everyone's honesty on this. I'd probably say that, having worked in information security and IT for 15-20 years now, I think it's very confident of people to say they haven't suffered once. I think there's sometimes actually a point about the unknowns within an organization. I think perhaps we could have worded it around "that you are aware of", because I think there are things happening across networks of all sizes that actually are really difficult to detect, and that's what we'll come on to later. But it's really interesting to see so many people recognizing they've got near misses actually. I think people reporting and being able to identify near misses is really important, because actually it's always far better to learn your lessons and make the appropriate changes from a near miss than it is when you've had a cyber attack or a data breach that's cost you money in terms of repairing systems or investigating, or, heaven forbid, regulator reactions.

So yeah, absolutely. And what's also interesting is that nobody says they're not sure, so it means that people are also aware of what's going on within their organization, which is great. Do we have access to the second poll? I think we are to run a second one. Oh yes, about one key element of the cyber threat report, which was around multi-factor authentication. So the question is: do you use multi-factor authentication on your work account? And I'm pretty sure, Gareth and Richard, this is an obvious yes for both of your organizations?

You'd think it's an obvious yes, but no. To technical people it's an obvious yes. So I work across multiple charities, in fact, because the Wildlife Trusts is a federation of 47 charities. I'm employed by the Royal Society and there are another 46 spread across the UK, and in some cases it hasn't been the top priority for some people in the past, and we've done quite a lot of work to explain to people the value of it. Effectively it is probably the top control I would recommend to anyone, but for some people, for trustees, who might be older, who may not be so digitally capable, it can be more of a struggle, and there has to be more work done to persuade them that this is necessary and to try and help them through the barriers.

Absolutely, Richard. Yeah, well, I mean, we've certainly implemented MFA and had that in place for a couple of years now, but again, the cynic in me... it's fantastic to see so many people have implemented MFA, but I think sometimes the challenge is, in an organization that increasingly uses cloud services, all of the applications and services that your employees or your volunteers are using, are they all using multi-factor authentication? Because actually, yes, it's fantastic, most people probably use Office 365 or perhaps G Suite for Enterprise in this sector, and fantastic, the multi-factor authentication is switched on for that. But if people are using Trello, and they might be sharing sensitive information on there, or people are using monday.com or other services like that, or perhaps you're using a web-based CRM with quite sensitive information on your donors or your supporters and volunteers, does that have multi-factor authentication enabled as well? Because not all organizations, particularly the smaller charities I've worked in, have what we call single sign-on, so that password and user account is used everywhere. So certainly something I'll come on to again later: whether you're a trustee or whether you work on an IT team and you're joining this call, perhaps go back and challenge your IT teams on actually how confident are we that all our cloud services that could have sensitive or critical information on them are protected by MFA.

Absolutely, that's a very good point, Gareth. Thank you, and thank you to everyone who took part in both our polls. That was really insightful, and we'll obviously run a couple more later on. But then, based on our poll results and what Sophie has shared from the cyber threat report, perhaps Richard, what are your main thoughts around what could be seen as a daunting task, especially with no dedicated cyber or IT staff? How could a charity start implementing new processes? Obviously we've seen that with MFA, but what about the others?

At the beginning, when you're looking at this, the first thing you have to address is not a very technical issue. It is: what do you have? You need to understand what you are protecting, which is, you know, personally identifiable information, PII, of donors and supporters. Where is it? Only when you know what you've got and where it is can you start to think about the protections you've got in place. Know what you've got, know where it is, know where the most important stuff is, and then say what do we already have that protects that, which is a question you can ask your IT team or your supplier, and it's not a technical answer, it's "we have controls to prevent unauthorized access", whatever it is. Once you've done that, you've effectively looked at the NCSC guidance, which gives you information about what you can do. I don't think anyone can go wrong, in my opinion, and I deal with charities that range in size from like 10 to 250 staff, implementing multi-factor authentication, which was the subject of the question earlier. So the people in there who are saying no, I would say without doubt make that your number one priority: address that lack of control, because it removes a significant amount, I'll say potentially 90% of the risk for some charities, because unfortunately passwords are easy to guess, they're relatively easy to steal, and having that verification, that thing that forces someone to move away from just being able to steal or guess a password to having to physically have something in their hands, means the attacks, which largely come from places outside the UK, can stall. If you can employ MFA on anything that's publicly accessible, and you can keep all your software and your hardware up to date, you've probably dealt with the vast bulk of your information security risk, and neither of those two things is a huge hurdle. They're also not hugely expensive. The barriers here aren't financial, they're really about knowing what you can do. There are amazing charity discounts from Microsoft and Google, so the issue here is knowing that you need to do those things and then getting them implemented.

Yeah, absolutely: establishing your baseline and probably practicing good cyber hygiene as well. But more importantly, like you were saying, Richard, there's no bad start. Even if it's just about listing on a Word document all the processes, what's going on when it comes to cyber security within the organization, that's already a great start. And obviously once the charity has assessed a current baseline, it will probably need to take action to make improvements. Maybe Gareth, you can give us some examples or some insights into how to actually implement this?

Yeah, of course. I agree with everything Richard said on that. I think it's really important to actually work out what you're looking to protect, and I think probably one thing that is quite easy for everyone to implement is that kind of threat analysis, or just threat management, of thinking what is actually important to our organization. Are our crown jewels our CRM? Is it actually a database with all our donor information on it? Things like that, and then plan accordingly. I suppose from my experience, certainly at Save the Children and in other charities, MFA implementation is really important, and as we saw from the poll, I'm not going to spend a lot of time on that because it sounds as though everyone has got that message, and it's great to see so many organizations are now implementing multi-factor authentication on their primary work accounts. Again, what is a priority to you will depend on the type of organization you are. So for myself, as the Chief Information Security Officer of Save the Children, we operate globally, in some very difficult circumstances, so one threat for us was around device security. We have people operating in situations where people are quite often robbed or may have to abandon computer hardware because of emergency situations. So how do we protect devices? One way: we've actually migrated everything to the cloud, so generally people don't store any information on a laptop, so even if that laptop is compromised, well, you're not too worried, because everything is in SharePoint, everything is on Teams, and things like that. But also what we've done is implemented device encryption through Microsoft, using BitLocker on all of our laptops, so that when a machine is lost or stolen, and hopefully you don't get as many lost or stolen laptops as I do in your organization, but because of the nature of what we do, we don't have to worry about reporting that to the Information Commissioner's Office. We just check very quickly whether that device was encrypted, and once we know that, yes, it's a financial loss, which is obviously a challenge for any organization regardless of your size, but it no longer becomes a cyber security worry or a data protection worry, because you've got that assessed.

I think one thing, certainly, coming from, as I said in my introduction, I work at a fairly large charity now, but I have previously worked at smaller charities in IT and information management roles, and the first thing I've always done when starting a cyber security program is look at awareness and training actually. Because yes, you can go out and spend a fortune, you can get some snazzy partners to come in and build a platform or run some great webinars, but you can do a lot yourself. I think the first round of cyber security training I ever did was visiting our projects all across London and the South East with a laptop, and I would do a half an hour, 45 minute session talking about the basics of cyber security and information security with a PowerPoint slide and try and get people engaged in that. Obviously that's progressed and we've now got nicer infographics and online training courses, but actually I think you can provide training and awareness regardless of the budget. And certainly one thing, and I've just had the results through for my latest one, that's been a real success for us is implementing phishing training for all our staff. So we have a mandatory information security training course that everyone does online annually, but last year we introduced a specific module, which only takes five, ten minutes for people to complete, on how to spot phishing emails, how to report them, what to do on that. Around the same time we started running a simulated phishing campaign, so actually us doing it, but sending people a link: click on this link to reset your password. I think most people are probably aware of what an ethical or a simulated phishing campaign is, and we monitor the results, so we look at how many people are clicking on those links, and we've seen a steady decrease over the last two, three years in the number of people that are being fooled by that. I think partly that's because of the environment we're in, and actually even outside of work people are more aware of scams and things like that; the NCSC and the government do quite a lot of radio and TV and internet around that. But also I do like to think the training we're doing and the awareness work that we're doing has made an impact on that.

I suppose the final thing that we've done on that, about trying to make everyone feel responsible for it, is we've appointed both data protection champions and information security champions in different business units across our organization, and really importantly they don't all work in IT or in technical jobs, and they're not cyber security experts, but they know where the guidance is, they know a little bit more about signposting people. Also, I often say to people, well, what can you do? Well, when you have your weekly team meeting, just talk to people about some recent threats. Just say, actually, we're seeing a lot of these types of email at the moment, be really careful, or don't visit these sorts of websites, and things like that. It's just sometimes around not just once a year running a single training course, but keeping it in people's minds, whether it's a bulletin in your weekly newsletter or your monthly newsletter, just reminding people about the risk of phishing, or you might just do a small article in your organization's newsletter on choosing a strong password. And you don't need to be a cyber security expert to design this training, because there's so much available online, actually some really good guidance, whether it's from the NCSC or even vendor websites sometimes, on how do you choose a great password. So there are certainly things you don't need to spend a fortune on to do that.

Yeah, absolutely, I agree, Gareth. It can be as simple as what we usually do at Charity Digital, because we have an amazing customer service team that deals with, unfortunately, loads of fraudulent emails and phishing emails, and they post in our team's chat: "oh, careful, we've received that, and that seems to have circulated across different members of the team, just be more aware", or "I've received that, it's genuine". So just having those conversations going with the rest of the organization can already keep people aware. And a question to you, Richard: obviously Gareth outlined some of the training. Is that something that you've also implemented, or other parts of improving cyber security at the Wildlife Trusts?

Yeah, so it's one of the foundational measures that we put in. We prioritized multi-factor authentication for any publicly accessible service, patching known vulnerabilities in particular, but just patch everything, run your software updates automatically, and then the number three thing was training and awareness. It was trying to make sure that the training we did was easily digestible, because everyone is working two or three jobs sometimes; people have multiple roles, and even the IT people in some of the Wildlife Trusts are the IT and operations manager, so they have a limited amount of time to spend on it, and we wanted to make sure that everyone got something that was really easily digestible and usable quickly, rather than a 45 minute in-depth training course you have to do once a year that talks about lots of different technical stuff that doesn't really help you as a user. So we wanted to make it really usable information. The awareness is the thing that saves us. There are technical defenses that we as technical people can put in place, firewalls, phishing protection, stuff like that, but ultimately something generally will get through, and if it gets through, when someone looks at it and goes, well, the CEO doesn't normally want to buy gifts for everyone and he doesn't normally ask me to call him on WhatsApp, then the person who spots that and flags it to IT, they are one of the defenses. So that awareness is really key, and I think people like it. If you say to someone, if you get it wrong, if you click on the link, don't worry about it, that's not your fault, there are criminals trying to con you and they're quite clever, always tell us if you have a problem or if you're worried about something, and if you think something's a bit off, don't think "oh, I can't waste their time"; if you have a supplier or an internal team, flag things to them. That's part of our awareness programs, to make sure people can do that.

Yeah, absolutely. It's about nurturing an environment where people feel confident and trusting to report anything that they see, and where they know they'll be listened to and an action will be taken. I think we have a following poll, and that's quite related to what we were saying, about how you engage your teams, and more especially your board. So that's the following slide, if you can. Brilliant. So we're engaging staff, but basically how about the rest of the team, and maybe more senior leaders? So another poll for our audience: thinking about those people more senior in your organization, how engaged are they with cyber security as a whole? And whilst people are answering, maybe Gareth, you want to share a couple of tips on how to engage them, your senior leadership team?

Yeah, of course, and I think we touched on it earlier on. I think certainly for professionals like myself and Richard, when we do engage with senior management teams, it's about making it personal to the organization. So don't go in just... I find sometimes cyber security professionals spout a lot of statistics about how many attacks in the last month or how many different types of ransomware strain there are, and I think it's more around actually thinking, like I said earlier, about your organization. So speaking to people: look, we've got a CRM that's got 2,000 supporters' personal information on it, we haven't enabled MFA for it, and we need the money to do that. Or we've recently taken on 60 volunteers, we've given them all laptops, but we don't currently have any endpoint protection software. Something like that. I think it is making it more specific, it's about using non-technical language, making sure that your asks with regard to cyber security are tailored to your organization rather than just "we need to spend money because everyone else seems to be spending money". And I think if you've done that kind of work Richard spoke about at the start, of what do we have in the organization, what do we have that we're really worried about, and what do we have that we're worried about and we don't feel we're doing enough on, and then using that as quite a solid business case, because actually the business case, providing you have the money, should sell itself in that case, because you've absolutely made it clear why we're doing this and also what benefit that's going to have. But I think certainly from my experience in charities, I've worked in the private sector as well, and you'd often talk about shareholder value or how this is going to improve customer relations, and I think it's really important when you speak to boards in charities, who should be, and I'm a trustee of other charities, it's about the work you do for your beneficiaries, for the people that your charity is helping, and the mission of your charity. If you position your business case as "we're protecting those people by doing this", I think you're then meeting both cyber security needs and the mission and aims of your organization. So I think that's always been really important to me, and it generally works. And I suppose, actually, don't throw the baby out with the bath water: sometimes statistics can be quite useful, particularly if they're relevant to your sector. So if you've got good statistics on the number of attacks against charities, that's why sending a report like the NCSC threat report and then two weeks later asking for some more money is a fantastic idea, because you're then showing people that there is a problem. It's not just affecting Sony or Facebook or anything like that; it affects organizations like us, of all different sizes. I think that's really important.

Yeah, absolutely, you're very right, Gareth. So Sophie, do you also have, maybe from the threat report or from speaking with other charities, other tips and insights that you'd like to add to Gareth's?

Yeah, so I think this is often a big question that we get asked by charities: how they can get that buy-in from the board. I think Gareth has pretty wholly hit the nail on the head in terms of how you engage them. It's starting that conversation in a language that they understand, so thinking about it in terms of risk, as you would with your fire safety risk assessment, and treating cyber security from that angle, and like I say, in a language that they can understand. So thinking about what's important to them and why. Make sure that you're reading the charity strategy so you understand the entire organization's strategy, because ultimately the trustees and the CEO have got oversight of the whole organization, so they can make the decisions about risk proportionately. Also, just to reiterate what Gareth was saying about the beneficiaries and the services on the ground: ultimately charities are very limited with budgets and resources, so the crown jewels are really important. Identify what those crown jewels are. Is it a service that you're providing to a young person? Is it a helpline that you're running that people are relying on day in, day out? What are those crown jewels that your charity is ultimately centered around, and how can you best protect those, and then what is the impact? So if you were hit by an attack and you couldn't pay your staff, how long realistically are your staff going to stay with you if they're not getting paid because your banking system isn't working? How long can you run without your Outlook calendars? How are you managing your staff resources? If you're scheduling one-to-one sessions, for example, how long can you do that on paper? Another thing to consider is who is aware of cyber on your board and among your senior members of staff. Get yourself an ally, talk about it together first, look through things like the toolkit for boards on the NCSC website and also the charity threat report, have a read through that together, and think up your methodology from that point, and then open up that conversation with the board from there.

Yeah, absolutely, you know, I
I completely agree and and actually um you know bouncing on on Sophie's response um uh Richard obviously many many of our um audience members here will have had a look at many tools out there to choose from um and it can be a bit confusing to to many many of us even even the most experienced um there are a few issues or technology that can pose some some headache for Charities I do a couple of myths you know that you would like to debunk or or reassure our audience about yeah then some and this is something I noticed when I first kind of moved into cyber security I previously worked in I.T uh you know General I.T provision and I.T service and there's a lot of
very much show and kind of militarized language around it it's all about the kill chain and threat actors and it sounds very intimidating and very daunting um but the bulk of the things that we're worried about um in the wildlife trust and probably most Charities unless you work in kind of conflict areas you know which Gareth does to some extent you're worried about not you know the Russian State or the Chinese government you're worried about um bog standard financially motivated cyber criminals it's just the kind of people who will walk down a street at 3am in the morning crying every door until they get into a house and make the keys or the person who you know smashes your car window to Nick their phone you left on your passenger seat they're not particularly Advanced people and sales people will try and scare you and kind of say oh yeah you need to deal with this Advanced persistence reactor well no you just need to stop the kind of the the dumb criminals who are who are putting out that most of them don't even know what they're using they're just just they're buying tools to do hacking and just using tools so they're not particularly well informed they're not all programmers um so I think if you can recognize that the threat to you isn't overwhelming it's actually quite mundane sometimes and you just need to put some fairly reasonable basic controls in place and you'll deal with a large amount of your risk um and I think that's that goes against kind of what vendors will try and do because they want you to spend as much money as possible you really don't need to um because a lot of these people are not particularly bright there was recently uh seven and a half thousand servers were compromised by a recent uh incident with VMware um and the people who wrote the ransomware so this is something that tries to get onto your system and encrypt everything they broke the encryption didn't work so seven and a half thousand systems you can buy if you get a free decrypter 
and it's just because they've got it wrong they didn't code it right so you know these people aren't masterminds and you don't have to be a mastermind to deal with that threat you just need to get the fundamentals right absolutely you know thank you Richard and and obviously we've talked about uh maybe complex tools but there there's probably three tools that can enable Charities to to strengthen the cyber security and to get started um maybe Gareth you have some some tips on that yeah of course so uh yeah I mean that there's hundreds of different open source and freely available tools for for different aspects of that I mean obviously always use caution if if you're gonna secure large parts of your infrastructure with within a free or an open source tool make sure you're aware of the limitations of that but uh the simple things if you've got people in it that are also dealing with information security incidents or they're being sent attachments from people that that say oh is is this fishing is is this got malware um you don't need to you can buy very expensive solutions for a malware analysis that cyber security professional reviews but something like virustotal website that's freely available for people to use and they can upload uh attachments onto there uh we use a tool called Joe sandbox for a similar type of purpose that um you can actually screen to see if the file is is malicious or is trying to leak data from that and that has a free version of I've been available I've long been a user have of the have I been pwned website for getting people to think about um what passwords have been compromised I know that sort of functionality is now built into quite a few different services that will automatically will automatically tell you there's some really good free password management tools so password Vault tools and that and uh I I personally use one password and uh and I I have a paid version for that but actually that's because I use some of the added 
functionality but the free version is very good and tools like key pass which are completely open source are really useful for implementing that kind of um password for type of functionality so there are some some really good tools out there I don't know Richard if um I think we were having a chat about this before what what free tools you've used that you think might be applicable to a wider audience yeah so I can uh and I'm not I'm not a vendor so this isn't a vendor plug but one of the things Charities should know is that you can get free stuff from vendors as well so you can get tools of the commercial tools that are widely used but you can get those either very heavily discounted or free so both Microsoft and Google will provide you certainly with the basic cloud services with multi-factor authentication enabled for free for a number of your staff I think Microsoft will provide What's called the E2 license for up to 300 staff all volunteers so they can all have word online Outlook online and all of those tools with multi-factor authentication for nothing um and then after that you can get more advanced tools also for free so um the kind of the top material Microsoft licensing which is either called an E5 if you're a big charity or Microsoft 365 business premium you can get 10 licenses of that for free and that has uh like not just multi-factor authentication but very good antivirus it also has the ability to manage your devices because a lot of people now aren't in offices so he has InTune built in um so always uh check with your vendor what are the charity discounts what's the free allocation available and push and put pressure on them because you know you work for societal good so you know and you have limited budget so you should always try and push that um and then there are things uh there is if you do have an IT team um and this won't work in a conversation with a vendor but if you've got your own team one of the things that I've developed um internally 
at uh Wildlife trust is we wanted to have some logging and Monitoring Solutions so it's looking all the logs because logs being generated all the time by all the systems but no one looks at them so we wanted a way of bringing it all together we did use in the Ender a Microsoft solution which was very low cost but you can find an open source Tool uh which is called the elastic stack or the elk stack because we like weird names in Tech but that's basically a set of free and open source tools that you can use to pull all your log data in and then you can kind of you can use out your it team can use that to kind of have a look at what's going on so something weird happens they go hang on a minute let me look at the elk stack and they go oh yeah looks like two and a half 1000 attempts to log on to accounts just happened in two minutes and that's not normal and then they can track it back from there and take steps as required so that's it's also worth looking at yeah and just just on that actually just made me think that uh probably not for some of the smaller Charities on the call but uh there's a security information event management solution called Splunk s-p-l-u-n-k that some people may have come across and they actually have Splunk for good and they will give they will give a free instance of that it's probably wouldn't if you're not doing anything around cyber security I probably wouldn't start by implementing a scene because it can get quite Technical and it can get quite all consuming but if you are at that next stage and you're looking at seam tools like Microsoft Sentinel or Q radar and things like that spunk for good is well worth a look and actually if you're not huge you may find that you never actually have to pay because you get a certain amount of data storage within that obviously there's a bit of configuration required and then just finally on this before we close on this on this question uh one thing I I found certainly in a charity I worked out before 
that was quite useful is if you approach some vendors for penetration tests or vulnerability assessments and say you're interested in is something you you've been told you need to do by your Auditors a lot of them will actually do an initial one because they want to win your work they'll do an initial might be 10 IP addresses or one web application absolutely free no questions asked you obviously then have to put up with numerous emails afterwards trying to sell you things but you you can get a professional top quality pen test for free off and on those so yeah well worth recommending on I actually met our compliance needs for over a year doing that for uh in a previous role getting free princess absolutely yeah so we we have a strategies to work with that with Splunk in the past so um that we've created some content uh together around that so uh so that's that's good to remind us of that um obviously you know in addition to to free tools and and to to easy tools um many many organizations would be Outsourcing uh some um of the cyber security activities um where where do you both see value in a managed service providers maybe Richard in in a few words um the wildlife trust as a movement relies a lot on third parties um I think almost every every trust uses and the Royal Society also uses third parties um I would say the one thing about a managed service provider is the quality of service you get is dependent upon the skills of the people in that company if they are employing good technical people and cyber security people you will get a good service and you can be assured that your security is taken care of but not all of them do cyber security skills are in short supply which means you know the demand exceeding the supply means that the salaries go up and some smaller msps struggle with that not all of them I've come across larger providers with bad security uh provision it and I've come up with smaller providers who are really good at it so but it is something to 
be aware of it's don't just assume that they're all created equally um try if you can and find a way of understanding their capability which might mean you need to kind of you need someone with a bit more expertise to maybe assess that supplier on your behalf or to ask a couple of questions um absolutely um and and Gareth you want to add to that yeah no I I'd agree with that I have used managed security service providers in the past both on a small scale for specific pieces of work and and larger scale and I think again it needs to be based on your threat assessment and that Gap analysis of what do you want to achieve can you achieve that using internal resource or actually because you sometimes do with an information security function and I've learned from better experience sometimes you do need to build a critical mass actually to achieve a lot because sometimes you bring in a single information security officer and they are swamped because they're trying to manage bits of data protection impact assessments they're managing um incidents as they come in and if you expect them to do development work around threat detection and implementing a c or endpoint detection response it can be really challenging for them so in certain situations on that you can probably get more bang for your buck so to speak by going to a managed security service provider I think sometimes it's you do need to use caution I I think most big names are quite ethical in terms of selling services that a charity genuinely needs but not always actually in my role so safety children International we have 30 fundraising members all across all across the globe from different countries and they they are of different sizes and quite recently one I was speaking to them about solution that someone was trying to sell for them that I probably wouldn't buy for an organization 10 times in terms of the functionality it's not fraudulent because it would work they just didn't need it they didn't need a lot of 
the functionality they were being told they did so I think if you can whether it's appear in another organization if it's this sort of group or or something like that if you're not sure just just reach out to any communities you're on uh just to say look we're thinking about getting a list of people use them or people think this is what we need um so yeah just absolutely it is an answer it's not the only answer but I certainly wouldn't say no because it is it is the right answer for some some organizations exactly exactly depending on what you need and obviously um and and as a Sophie can can probably um concur um Outsourcing Services doesn't mean Outsourcing responsibility yeah absolutely so you know look really carefully when you're Outsourcing what what exactly are you Outsourcing as the guys say what can you do internally um and who who you're Outsourcing it to look for those red flags and just consider things like your insurance have you got cyber Insurance have you got other insurance that would cover that and understand that if there was a data breach although your Outsourcing your services um ultimately if you got hit with a fine or if you got hit with any kind of penalty that's going to come back on the charity it won't come back to your cyber security provider so just bear that in mind whenever you're Outsourcing anything I guess so absolutely um yeah yeah yeah thank you very much for that um at charity digital we're we're also um launching a pilot program for for um as you know managed service provide providing um some some uh services for um um cyber security and Microsoft so we'll uh we'll put that in in a resources tab as well if people are interested it's a pilot program at the uh at the beginning but yeah we're very interested to see how you know what what charities are are actually needing and having that conversation with them rather than um you know having uh some offers that may not be that may not be suited uh for for what they need so um so 
yeah we'll we'll keep everyone updated about that um and actually Sophie um you know building building on on that Outsourcing Thing Once you know a charity has has done their Baseline they they know they're using free tools and and other tools to to be cyber secure is there anything additional that the ncsc would advise um people to to to add or to consider yeah so I think across the board when you're looking at your cyber security there's a few things to kind of have in the back of your head when you're going through this so firstly they make the most of what you've already got there's a lot of free tools out there there's a lot of cheap tools out there but just ensure that everything is configured in the most appropriate way for your organization um so consider how your organization is using these tools and don't assume that the relevant settings are automatically going to be switched on by default um so you might need to go in and just kind of reconsider how things are set up um and also create a response plan as well so when you've got everything in place or Azure as you're implementing all of these strategies look at creating a response plan where you'll have everything that you need to know should there be a crisis um there's some really useful information on this on our website so you're going to want to record things like your key contact your service providers your it support um so consider what information you're going to need to know so if for example you're hit by a ransomware attack um your seniors can look at this crisis plan and make quick decisions about for instance which services to switch off so that other parts of your network don't get infected um and you should also really be testing this plan so the same as you would with any risk assessment or you know as I referred to earlier like a fire evacuation plan you're going to be periodically testing your fire evacuation so do that with your cyber security as well we've got something called 
exercise in a box on the NCAA ncsc website which has loads of different exercises you can use to kind of help facilitate this depending on the size of your organization um and then I think finally just to reiterate that point around the culture of cyber security um and make sure it's a positive environment where people are feeling confident to report things um also if you can get people at the top you know if some of them have been victim or nearly Fallen victim to efficient attack get your CEO or your seniors to speak out about that and encourage other people to come forward if they've made a mistake um yeah yeah yeah yeah yeah absolutely it it happened to us uh uh a few a few years ago um we were victim of a Cyber attack and we did uh we actually did a a webinar about it and and shared our journey um but yeah well thank you very much to to all of you three um this this was a very interesting conversation um I know there's been loads of questions being being answered um already um but um yeah let's dive straight into into questions um we've got one uh from uh Simon and I think Richard would like to answer that one uh is Microsoft Defender a viable antivirus option for a medium-sized charity or is there an advantage of using a separate third-party product I'm happy I'm sure we both have a view oh yeah but uh yeah I mean if if you would have asked an information security professional 10 years ago around whether or not you should use Microsoft's endpoint protection they'd probably shake their head and go Oh No never they have invested a lot of time and money in improving and actually Defender for endpoint uh which comes as part of Microsoft E5 or E3 with security add-on is is is a good endpoint detection and response at all it is comparable which is why it has won a lot of market share from some of the more established uh endpoint protection and then point detection and response vendors so yeah I think it can be the right solution for organizations of all sides I 
don't know if Richard you're going to come in and completely disagree with me now but uh beard just to hear your view no I would um so over the last two or three years in particular so there's two Microsoft Defender products there's Microsoft Defender antivirus that comes with your windows Turner Windows 11 laptop or PC and that's the built-in one and that in itself is okay I wouldn't suggest that's the only protection you have Microsoft Defender for endpoint takes that initial product and just beefs it up a bit and it is an extremely good product um uh I was I've spoken to quite a few incident response people who work in cyber insurance so they're the people who get a phone call at three in the morning when it's all gone wrong and they basically said the difference between an organization having a you know having a breach but then closing it down quickly and evicting the attackers and a complete like trash fire has been good endpoint protection products and one of the products that they have mentioned to me is Defender for endpoint as and that's in the last two or three years so I would say if you can get that as part of either Microsoft 365 business premium for non-profit or E3 or E5 licensing yeah absolutely but saying that just just looking at your question actually ESET is a good is a good tweet as well he said it's good to be the one you're currently using but yeah if you if you're if you're moving to E5 licensing often it is it is a difficult decision not to use Defender for endpoint because you've got that included so exactly yeah thank you both um and and obviously going through um going through through a question we've already got uh you know quite a few but we've still got time to answer some more so so please um drop them in um I just wanted to to share um some of your answers to to some of the the previous questions uh some somebody was asking um obviously the ncsc whether there was some um of some words of encouragement and some some supports to to 
encourage big providers to provide SSO services for smaller subscriptions um actually maybe breacher.org Gareth could you just um quickly explain what SSO stands for because maybe it's something people are not familiar with yeah it stands for single sign-on so that's oh yeah so that's the ability to use one username and and password to log into multiple Services rather than having to keep entering your username and password for everything so absolutely so would OCTA be be uh yeah I'll OCTA or ping or examples of single sign-on Solutions and you can do it through Microsoft Azure as well absolutely no thank you thank you with that um and um Nicola was asking about um any um online training that is Affordable um obviously the ncsc has got very good uh resources uh and um Charities tool has has got quite a few uh different uh sort of pieces of content to to help um to help with that yeah and yeah and and I would say on that it depends on what you've got if you if your organization already has an LMS a learning management system that you can import something what's called a scorm file which is a way of uploading and a quite affordable way of doing online cyber security training is actually we I'm having to sort of discuss offline who who I actually use but there are some quite good small organizations that will produce bespoke content for you and that can add that can work out quite cheap compared to buying a whole platform with a lot of training you're never going to use there's some there's some big providers that will offer you 200 different cyber security modules on things which I can't imagine ever wanting someone to do 200 different as much as I love cyber security I wouldn't ask anyone to do 200 different training modules but um but there are some bits simple to do some bespoke content and then you can put that on as a score module onto your onto your uh onto your existing LMS
2023-02-17 11:24