Cyber News Global: Issue 6

Contents

4 David Colombo: Ethical Hacking
8 Generative AI: What is it, how does it work and what's the risk?
10 Pioneering Paths: Senior Female Visionaries (Sophie De Ferranti)
14 AI won't take your job, it is somebody using AI that will take your job (Dr. Jassim Haji, President, International Group of Artificial Intelligence)
16 Jennifer Cox, Director for Ireland at Women in CyberSecurity
17 Who is ScotlandIS?
28 Protecting Operational Technology
32 Top 10 Tips: CISO
40 How To Code Securely
42 Five Steps to Improving your Cyber Security Awareness Program

Dear Reader,

Welcome to Cyber News Global. This informative publication has been brought to you exclusively by Cyber News Global Limited. The focus of the editorial team is to bring together the leading industry subject matter experts to provide insights into the ever-changing world of cyber tech, human capability, issues of focus and the cyber leaders of today and the future. CNG has focused on building collaborative relationships to be present at many of the world's leading cyber events, and in so doing bridging the gap for our readers and partners to share their news and views with a global audience. One such collaboration is the exclusive partnership at this year's Arab International Cyber Conference & Exhibition (AICS) in the Kingdom of Bahrain. We are honoured to have been appointed as the official publication for the two-day conference, providing every delegate in attendance with a complimentary hard copy of this edition. This edition has been extensively supported by many of the UK Pavilion partner companies, with additional support from Scotland's leading cyber cluster body, ScotlandIS, who we are delighted to be working with on this project and many more for 2024. So please read, review and share our content with your partners and colleagues; the CNG Media team will be on the ground providing exclusive insights and interviews that will be shared on CNG TV. Our warmest hello and welcome on board has to go out to Lucy Harvey PR & Communications, who have now been appointed as our official PR partners. Lucy Harvey will be working closely with CNG and our partners, providing that critical PR capability to ensure the news we provide is of the highest quality and most relevant to our readers.

Have an inspiring day and read on!



Criminals using the dark web think you can't see them. With Searchlight Cyber, you can.

Our dark web investigation and monitoring tools can help you to identify criminal activity on dark web forums, marketplaces, and hidden sites. This provides invaluable early warning to cyber threats, critical time to adjust your defenses, and the opportunity to prevent cyberattacks.

Visit slcyber.io to find out more.


Editorial / Design: editor@cybernewsglobal.com, office@ogvenergy.co.uk
Advertising / Events & Partnerships: marketing@cybernewsglobal.com, ceo@cybernewsglobal.com

Disclaimer: The views and opinions published within editorials and advertisements in Cyber News Global are not those of our editor or company. Whilst we have made every effort to ensure the legitimacy of the content, Cyber News Global cannot accept any responsibility for errors and mistakes.

Advertise with us: view our media pack at www.cybernewsglobal.com or scan the QR code.



GENERATIVE AI: WHAT IS IT, HOW DOES IT WORK AND WHAT'S THE RISK?

Since the launch of Chat-GPT, it seems that everyone is waking up to the possibilities and risks associated with a truly data-driven world. There are so many buzzwords associated with the revolution in analytical technologies that having a solid understanding of the concepts is important to make sure that your business can maximise the benefits and understand the risks. So let's start with some simple definitions of the terms that are currently being bandied about:

Artificial Intelligence
Artificial intelligence (AI) is a branch of computer science which deals with the simulation of human intelligence in machines by drawing on aspects of statistics, mathematics, information engineering, neuroscience, cybernetics, psychology, linguistics, philosophy, economics, and much more. The discipline has been around for a long time, but the term "AI" has come to mean a more specific thing, referring to the application of complex techniques typically involving "Deep Learning", such as Computer Vision and Natural Language Processing.

Machine Learning
Machine learning (ML) is a branch of artificial intelligence that uses algorithms and statistical techniques to learn from data by analysing it, identifying patterns, and making predictions or decisions based on the datasets it is exposed to.

Machine Learning typically uses structured data which is organised into tables. Deep Learning, a subset of Machine Learning, uses unstructured data such as text and images.

Generative AI
Generative AI is a type of Deep Learning that is designed to generate or create new content, such as images, text, music, and even videos. These models learn patterns and structures from a given dataset and then generate new examples that resemble the original data. These have been around for a while, but the hype really kicked off in 2022 when Chat-GPT was released. Large Language Models (LLMs) are one type of generative AI; Chat GPT and Bard are both examples of LLMs.

So how do Large Language Models work?
LLMs are fundamentally models that take a series of inputs and then, given a question to answer, predict the sequence of words that will answer that question. You could argue that LLMs are really just a sexy sentence completion tool. I asked Chat-GPT to write me a song about AI in the style of 90s pop sensation Boyzone. And this is what it came up with:

(Verse 1)
In a world of wires and dreams, where circuits softly gleam,
A tale unfolds, a story to be told.
Of silicon hearts that sing, in the language of machines,
A dance of bytes, where secrets are unrolled.

(Chorus)
Artificial hearts, beating in the night,
In the glow of LCD lights,
We'll find a love that's so divine,
In this realm of ones and zeros, we'll intertwine.

Not bad, eh? You can probably fit these lyrics into any Boyzone tune, more or less. What's happening here is that the Large Language Model is taking the dual inputs of Boyzone lyrics and articles about Artificial Intelligence and tokenising them. Tokenisation is where words, or parts of words, within a sentence are broken down into "tokens". These tokens are then put through a supervised learning model, where the model is trained on the data set to link each word to the words around it and to estimate the probability of a word occurring in a particular sequence. Then, using the LLM, we can generate completely new lyrics in the style of Boyzone. We do that by starting at any word and then following a sequence based on the probability of the next word. You should now begin to see how LLMs like Chat-GPT can start to "hallucinate". Hallucinations could also be defined as "lying with confidence". The data sets on which LLMs are trained are based on the incomplete and inaccurate data on the internet. As the old saying goes, "garbage in, garbage out". So if all an LLM is really doing is predicting the next word in any given sentence, the inputs upon which the model is trained need to be accurate.
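To make the next-word mechanism concrete, here is a small added example (an illustration written for this page, not code from the article or from any LLM vendor). It tokenises a constructed four-line corpus, counts which word follows which, and completes a prompt by repeatedly picking the most probable next word. Starting from "silicon" it confidently produces a line that appears nowhere in the training data, which is the recombination behaviour the article calls hallucination. Real LLMs use sub-word tokens and neural networks rather than bigram counts; the corpus lines and all function names here are constructed for the example.

```python
import random
import re
from collections import Counter, defaultdict

# Constructed toy "training data" (made-up lines, not the article's
# Boyzone lyrics or any real dataset).
CORPUS = [
    "artificial hearts beating in the night",
    "artificial hearts singing in the glow of lights",
    "silicon hearts sing in the language of machines",
    "we will find a love in the night",
]

START, END = "<s>", "</s>"
TOKEN_RE = re.compile(r"[a-z']+")


def tokenize(text):
    """Break a line into lower-case word tokens. Production LLMs use
    sub-word tokens; whole words are enough to show the mechanism."""
    return TOKEN_RE.findall(text.lower())


def train_bigrams(lines):
    """Count how often each token follows each other token. The START and
    END markers let the model learn where lines begin and stop."""
    counts = defaultdict(Counter)
    for line in lines:
        tokens = [START] + tokenize(line) + [END]
        for prev, nxt in zip(tokens, tokens[1:]):
            counts[prev][nxt] += 1
    return counts


def next_word_probabilities(counts, prev):
    """P(next | prev) estimated from the counts; empty if prev was never seen."""
    followers = counts.get(prev)
    if not followers:
        return {}
    total = sum(followers.values())
    return {word: n / total for word, n in followers.items()}


def greedy_complete(counts, start_word, max_tokens=20):
    """Always take the most probable next word. Deterministic, so the
    'confident' completion for a prompt is reproducible."""
    out = [start_word]
    prev = start_word
    for _ in range(max_tokens):
        probs = next_word_probabilities(counts, prev)
        if not probs:
            break
        nxt = max(probs, key=probs.get)  # first maximum wins on ties
        if nxt == END:
            break
        out.append(nxt)
        prev = nxt
    return " ".join(out)


def sample_complete(counts, start_word, max_tokens=20, seed=0):
    """Sample each next word in proportion to its probability, which is
    closer to how chat models produce varied output."""
    rng = random.Random(seed)
    out = [start_word]
    prev = start_word
    for _ in range(max_tokens):
        probs = next_word_probabilities(counts, prev)
        if not probs:
            break
        words = list(probs)
        nxt = rng.choices(words, weights=[probs[w] for w in words], k=1)[0]
        if nxt == END:
            break
        out.append(nxt)
        prev = nxt
    return " ".join(out)


def seen_in_training(sentence, lines):
    """True only if the exact sentence appears in the training lines."""
    return tokenize(sentence) in [tokenize(line) for line in lines]


if __name__ == "__main__":
    model = train_bigrams(CORPUS)
    print(next_word_probabilities(model, "the"))
    completion = greedy_complete(model, "silicon")
    print(completion, "| in training data:", seen_in_training(completion, CORPUS))
```

Appending a wrong sentence to CORPUS and retraining reproduces it just as confidently as anything true, which is the garbage-in, garbage-out point: the model has no notion of truth, only of what followed what in its inputs.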


What is the security risk of LLMs?
One of the immediate risks of LLMs is their ability to generate convincing and coherent text. This capability significantly improves the quality of phishing emails, fake news or other forms of disinformation. One of the lessons we taught users was to watch out for emails containing spelling mistakes. That is a lesson that we will all have to unlearn. LLMs can now automate social engineering attacks. The ethical LLM engines such as Chat GPT will decline to offer information on specific individuals, but the number of options for creating LLMs through non-ethical sources is continually growing. If sensitive data is available in any training data set then it can appear in any output. Your policies and training should be updated to make sure that sensitive or proprietary data is never uploaded into any Generative AI engine. The Generative AI rabbit is now out of the hat and the threats continue to emerge. Like any new technology, it'll take time for the ethics and legalities to catch up. While it does, cyber security leaders should make sure their users are aware of what the technology does, how it works and what the risks are.

About Vanessa Porter
Vanessa has been helping enterprises to use data and analytics effectively and responsibly for more than 25 years. She develops and delivers memorable data and security engagement programs that increase technology adoption, safely and securely. She lives with too many dogs in rural Oxfordshire.



PIONEERING PATHS: Senior Female Visionaries Revolutionizing the Cyber, Tech, and AI

As we move rapidly into a technology and AI-driven future, there are an increasing number of senior female leaders at the forefront of ground-breaking developments in the cyber, tech, and AI realms. These extraordinary women are shaping the industry’s trajectory, ensuring inclusivity, and advancing innovations that echo across industry sectors. In this exclusive October issue with Sophie De Ferranti, Global Head of Cybersecurity at Teneo People Advisory, we shine a spotlight on these female vanguards of progress who are poised to lead the industry into uncharted territories.

Nicole Eagan – Chief Strategy & AI Officer at Darktrace. Nicole has established herself as one of the most remarkable voices in the cybersecurity industry — traveling the world to raise awareness about topics ranging from adaptive AI cyber defenses in building tomorrow’s cities of the future and AI-powered threats to regulatory compliance and cyber risk. In addition to her commitment to leading the change in how organizations approach cyberattacks, she also leads internal and external efforts to solve the issue of gender disparity faced by women in the cybersecurity industry.

Rana el Kaliouby Ph.D - AI Girl Boss! Founder of Affectiva & Deputy CEO at Smart Eye. An Egyptian American scientist, entrepreneur, and AI leader, Rana is on a mission to bring emotional intelligence to the world of AI. Since growing up in the Middle East and moving to the United States to become an entrepreneur, she's spearheaded the application of artificial emotional intelligence in a slew of industries and established herself as a global leader in AI. After making her exit as CEO of Affectiva — an MIT spin-off company she co-founded to humanize how people interact with technology — she stepped into her current role as CEO of Smart Eye, which acquired Affectiva in 2021. Her work is helping to scale the company to a global AI powerhouse, with a key focus on ethics, diversity, equity, and inclusion.

Reshma Saujani, Founder of Girls Who Code. Reshma Saujani's non-profit organization, Girls Who Code, has been a catalyst in bridging the gender gap in the technology sector. Her fervent passion for driving change and advocacy for women in tech has ignited a movement, empowering thousands of girls to explore and excel in tech domains. Saujani's visionary approach to inclusion is nurturing a generation of female tech enthusiasts poised to redefine the industry.

Anne Neuberger, Deputy Assistant to President Biden and Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House. Leading from the frontlines of national security, Anne Neuberger plays a crucial role in shaping cybersecurity policies. Her astute strategies in managing cyber threats and vulnerabilities have fortified national cyber infrastructures, reinforcing global cybersecurity frameworks. Neuberger's initiatives in bolstering cyber defenses and her relentless pursuit of excellence are setting new standards in national security protocols.

Jane Frankland, Cybersecurity Consultant and Award-Winning Tech & Cybersecurity Leader. As a renowned cybersecurity consultant, Jane Frankland is known for her strategic insights into cybersecurity frameworks and risk management. Her relentless efforts in building resilient cyber ecosystems have empowered organizations to safeguard their digital footprints effectively. Frankland’s advocacy for women’s representation in cybersecurity has redefined gender dynamics in the sector.


Carmen Marsh, President & CEO at United Cybersecurity Alliance.
Carmen is a proud and vocal advocate for women in cybersecurity and has dedicated herself to creating opportunities for female experts to thrive in the cybersecurity industry. As the founder of the 100 Women in 100 Days Cybersecurity Career Accelerator program, Carmen is committed to developing the next generation of security experts for companies across the world. Her program provides women with free education, hands-on experience, and the accreditation needed to obtain the top industry certifications, ensuring they have the skills and knowledge to succeed in a typically gender-imbalanced landscape.

Joyce Brocaglia, Founder of Alta Associates.
Specializing in cybersecurity, risk management, and IT transformation, Joyce Brocaglia is the founder of Alta Associates. Brocaglia is a long-standing advocate for women in cybersecurity, fostering an environment where women can lead and innovate. Her commitment to diversity has been instrumental in shaping a more inclusive industry, establishing her as a beacon of leadership in the ever-evolving cyber domain.

Kirsten Davies, CISO at Unilever.
Having lived and worked on four continents, Kirsten Davies' global approach to information security, data privacy and enterprise risk has led to her recognition as a true thought leader in cybersecurity transformation. Her skillful approach to cybersecurity has led to accomplishments like building Africa's first end-to-end security function and negotiating the first-ever Cyber Security Master Agreement with the German Workers Council for Hewlett Packard Enterprise.

Balancing Ethics and Innovation.
The commitment to ethical considerations in technology developments is pivotal in navigating the intertwined paths of progress and responsibility. The relentless pursuit of ethical frameworks and responsible innovations is forging a path that balances technological advancements with moral and societal implications.

Driving industry evolution and taking progressive strides.
The achievements of these pioneering women have set in motion a transformative wave, breaking the barriers and reshaping the contours of the tech industry. Their collective efforts have positioned diversity as a cornerstone of innovation, establishing a culture of inclusivity and progressive evolution. The convergence of cyber, tech, and AI has opened avenues for interdisciplinary innovations and these trailblazing women are harnessing this convergence to solve complex problems, push boundaries, and create a balanced, equitable industry landscape.

Sowing Seeds of Change.
These senior female leaders are not just shaping the present but are also sowing seeds for a future rich in diversity. The impacts of their leadership, advocacy, and innovations resonate far beyond their immediate realms, catalyzing a global movement towards an equitable and progressive tech industry.

As a senior female thought leader at Teneo I have dedicated my professional career to getting to know exactly who are the game-changers in the cybersecurity and tech landscape. The contributions being made by senior female leaders in cyber, tech, and AI are leading the charge towards a future where inclusivity, innovation, and ethical considerations coexist, thus ultimately helping to propel the industry forward. As we usher in this new era of technological evolution, the legacies of these extraordinary women stand as beacons of inspiration, illuminating the path for future generations of diverse leaders and innovators. As a staunch ambassador myself for promoting women in cybersecurity, there still remains much work to be done to raise awareness in the C-Suite. It is also important that we drive change top-down to bridge this gap, and this can be facilitated by creating mentoring and development programs for senior female leaders that help pave the way for the journey into the Boardroom. Grassroots initiatives must also come hand in hand if we are to successfully address an increasingly widening diverse talent gap, and some of those initiatives should include:

Education and Awareness.
Promote STEM Education: Encourage young women to pursue education in Science, Technology, Engineering, and Mathematics (STEM) fields, and provide the necessary support and resources.
Create Awareness: Raise awareness about the opportunities and potential for women in cyber and tech through workshops, seminars, and career talks.
Female Mentorship Programs: Establish mentorship programs where experienced female professionals can guide and support aspiring women in tech.

Professional Development and Advancement.
Leadership Training: Offer leadership development programs and training to equip women with the necessary skills to take on senior roles.
Networking Opportunities: Provide platforms for women to connect with industry-leading peers, mentors, and diverse role models.
Celebrate Female Achievements: Regularly recognize and celebrate the accomplishments of women and establish awards that honour outstanding female leaders in the tech, AI, and cyber sectors.

Creating an Inclusive Environment.
Develop policies that support women and create a workplace culture that values diversity and inclusivity.
Helping set precedents for bias-free recruitment: Implement unbiased recruitment processes to ensure fairness in hiring.
Inclusive Job Descriptions: Write inclusive job descriptions to attract a diverse applicant pool.
Promote Internal Mobility: Encourage and support the promotion of women from within the organization.

Advocacy for DE&I (Diversity, Equity and Inclusion) really does begin at both ends of the talent spectrum: in the Classroom and the Boardroom. And last but not least, and perhaps the main thrust of this article, is that we must have female role models. Let us celebrate successful women in cybersecurity and continue to inspire others across all levels of society.

Sophie De Ferranti, Senior Managing Director, Teneo People Advisory, 27 September 2023


CyberPrism OT SECaaS

Take control of your operational technology. CyberPrism provides Operational Technology Security as a Service using proprietary technology, underpinned by industry-leading expertise, to protect OT within industry and government.

➢ A world class team of senior military personnel and leading cyber experts
➢ Proven technology compatible with the OT environment
➢ Automated processes under human control
➢ Cyber Risk Assessment and Technical Authority
➢ Asset and Vulnerability Discovery
➢ Compliance/Maturity Tracking
➢ Network Design and Modelling
➢ Network Segregation and Segmentation
➢ Asset Life Extension
➢ Process Optimisation and Data Integrity
➢ Incident Support
➢ Supply Chain Assurance
➢ Training and People Risk Assessment

CyberPrism.net | 210-214 Union Street, Aberdeen, AB10 1TL | Tel +44 1224 45 1999 | contact@cyberprism.net



AI WON'T TAKE YOUR JOB, IT IS SOMEBODY USING AI THAT WILL TAKE YOUR JOB

"By prioritizing transparency, accountability, human control and oversight, we can ensure that AI serves as a tool for human progress rather than a threat to our autonomy and well-being." - Dr Jassim Haji, President, International Group of Artificial Intelligence

What will the future be for the human within cyber? How much will AI take control of the various cyber-related activities, and where do you see the human still being front and centre?

AI won't take your job; it is somebody using AI that will take your job. AI would augment human capabilities, expanding their computational capacity and extending their influence in various domains. This would involve a dynamic interplay between AI and the future humans.

While AI will likely assume an increasingly prominent role in various cyber-related activities, humans will remain central in specific areas that rely on uniquely human qualities. Humans are uniquely equipped to provide strategic direction, oversee ethical implications, and adapt to unforeseen circumstances. Our ability to synthesize information from diverse sources, empathize with stakeholders, and exercise moral judgment is essential for making informed and responsible decisions.

AI, on the other hand, can enhance human capabilities by providing data-driven insights, identifying potential risks, and automating repetitive tasks, freeing up human time and effort for more strategic and creative endeavors.

Humans can leverage AI's analytical prowess to gain deeper insights, evaluate options more effectively, and optimize resource allocation.

AI, in turn, can benefit from human guidance and oversight, ensuring that its recommendations align with ethical principles and organizational goals. For example, the future of autonomous vehicles depends on how we integrate AI into our transportation systems while maintaining human control and oversight, ensuring that the technology complements and enhances human capabilities without compromising safety and ethical standards.

One significant concern is the potential displacement of human jobs as AI technology becomes more advanced. While this automation can boost efficiency and productivity, it also raises the possibility of widespread job loss and social disruption if we don't manage this transition wisely. Balancing the advantages of AI with the potential downsides is a complex task.

Monitoring and governing the development of AI will be crucial and many experts advocate for ethical AI principles and human-centric policies.

By providing accessible and effective training programs, individuals can acquire the necessary skills to transition into new roles that align with their talents and the evolving demands of the labor market. This mindset shift, coupled with targeted upskilling programs, will equip the workforce with the flexibility required to thrive in an AI-driven economy, ensuring that the benefits of AI extend beyond economic growth to encompass individual prosperity and societal stability. Humans will need to adapt and learn skills that are complementary to AI. Working symbiotically with AI systems will become increasingly important across many industries. Rather than competing with AI, humans should work alongside these systems, leveraging their strengths while applying their unique skills and expertise.


This partnership is not about humans versus AI but rather about humans working with AI to achieve better results, drive innovation, and solve complex challenges. This cooperative relationship between humans and AI is particularly crucial, as it combines AI's computational power with human intuition and ethical judgment. For instance, in healthcare, AI can analyze vast amounts of medical data to identify patterns and potential diagnoses, while human doctors can provide their expertise in interpreting these findings, making informed decisions about patient care. Working together, humans can guide AI, ensuring it aligns with ethical and societal values, and harness its potential to drive progress and efficiency. Another major risk associated with AI is the potential for misuse, whether intentional or unintentional. AI systems can be designed to perform harmful actions, such as spreading misinformation, conducting cyberattacks, or even inciting violence. The Bletchley AI Safety Summit is an important step in addressing these risks of AI and developing solutions to mitigate them. By bringing together experts from governments, industry, and academia, the summit is helping to foster international cooperation and collaboration on AI safety.

A key outcome of the summit was the signing of the Bletchley Declaration, a non-binding agreement that outlines principles for the safe and responsible development and use of AI. As the UK prime minister rightly commented on the potential role that AI could play in the upcoming general elections in various international countries, it has become critical that governments, industry, and academia work together to implement the principles outlined in the declaration for ensuring that this most disruptive and powerful technology is used for the benefit of humanity.

As AI technology continues to advance at an unprecedented pace, the need for a thoughtful and balanced approach to its integration into our lives and systems is becoming increasingly undeniable. AI offers great potential to complement human abilities and help us achieve more, but it's vital to approach its development and deployment with careful consideration. Finding the right balance between leveraging the power of AI and maintaining human control will be an ongoing challenge as AI capabilities continue to advance rapidly. It will require ongoing dialogue, collaboration, resources and innovation among experts in various fields, including technology, ethics, law, and governance. We must collectively create an AI ecosystem that adopts responsible development and use, ensuring that AI serves as a tool for human empowerment rather than a threat to humanity.

The future of AI will depend significantly on how we choose to integrate it into our lives and systems. If we embrace AI with responsibility, foresight, and a commitment to human values, we can use it to tackle global challenges, enhance human capacities, and create a more prosperous and equitable future. However, if we fail to adequately address the potential risks and challenges associated with AI, we could unintentionally create a future where AI exerts undue influence on our lives, weakening human intervention and worsening existing societal inequities. We can either embrace AI with open arms and allow it to shape our future in ways that we may not fully understand, or we can take a more cautious and thoughtful approach, ensuring that AI is developed and deployed in a manner that aligns with our values and ambitions.



JENNIFER COX, DIRECTOR FOR IRELAND at Women in CyberSecurity (WiCyS) UK & Ireland Multi-award-winning advocate for Diversity in Tech | Mentor

In my 18 years of experience working in the technology sector, I have learned that women in tech don't do their job. You may want to read that again because yes, I did say that they don't do their job. They do much more than that. All of the women that I have had the pleasure of working with, for, and led have intentionally or unintentionally found themselves being a spokesperson for the Women in Tech movement. When there are so few of us, everyone matters. As a result of being pushed into the spotlight, whether it be within the company they work for or in a more public setting, these women have had to take the opportunity to push for changes and advances in more areas than gender equality. I have seen these women push for changes in workplace support for all diversity, disability, family, mental health, and more. Appreciating that everyone's opinion is important and has value is heartfelt by women in any career that is majority male-led. Because of that, there is a deep appreciation for any quiet voice to be heard. Having women share the lead and decision-making in technology ensures that the future of technology will serve all humans. When we consider AI for example, and the potential impact this will have on the future of technology from retail and manufacturing to healthcare and travel, having women such as Patricia Scanlon — Ireland's first Ambassador for AI, driving policy and standards for AI is critical. When at the forefront, a woman can be instrumental in important decisions for the future of technology, providing perspective and insights her male colleagues simply don't have. This is a game changer and demonstrates the importance and value of women in tech and cyber. Many of the women that I have had the joy of being connected with have created their own companies, initiatives, charities, and further diverse groups supporting communities beyond those that the big multinationals are involved in.

Through this kind of voluntary work influencing technology, cyber security, AI, and the future of the same they have ensured that it is made accessible to women and diverse groups all over the world. More support for these kinds of initiatives would allow for faster growth and equity to happen sooner because, at its current pace, we are unlikely to reach true equality — in my lifetime at least. One of the women that I've seen breaking ground for a new life for families and people in tech, especially other women, is the CEO of Flexa, Molly Johnson-Jones. Flexa takes all of the forward-thinking family-friendly companies and roles that they have available and puts them in one place, making it easy for a job-seeking individual to find positions and companies that support their work-life balance and future plans. Of course, this positively impacts homemakers, those raising families or caring for people most. Those roles are shared in many families and this forward-thinking ethos will serve all those working and caring for children or elderly parents and therefore our communities in general. Beyond the current and the future workplace, today's women in tech and cyber are making a difference to our future workforce of women and other diverse groups — such as groups like Girls Who Code, Black Girls Code, Girls in Tech, Cyber for Schoolgirls, and many more. All of these organisations were created for and by women, having identified a need, a shortfall in support, and groups encouraging young women and girls to get involved in tech.

If you're an individual trying to understand what you can do to make a difference, then volunteer. It doesn't matter if you are a man or a woman or what your background is. Your time is the most valuable thing that you can offer, so offer it and get involved with the groups that can make a difference. Then there are women in global organisations such as WiCyS — a global organisation with over 60 affiliates worldwide, of volunteer groups both professionals and students working with women entering the industry, returning to the industry, or already working in the industry. Making education available to these women through sponsorships and scholarships with an aim to increase representation moves us towards equality in the workforce and better representation overall. Every single one of these affiliates is run by women who have volunteered their own time to ensure future equality in tech. Rather than call out any single individual, I mention WiCyS as one of the many organisations that are motivated toward the same goal.

So what can you do to support women currently in the industry and future women of the industry if you are a CEO running a company today? First off, a company's visibility as having a supportive and inclusive culture is important: ensure that your future employees know that your culture supports equality in tech and cyber and the evolving needs of families and women in tech. Statistically, companies with a more diverse workforce perform better than companies without. It's a no-brainer.

To make better products and more money you need a diverse workforce. To have a diverse workforce and diverse thinking you need to promote a diverse culture. For companies that don’t already do this, begin by supporting the not-for-profit groups that are doing the work at ground level. Get behind the women who are making the changes to ensure that your company benefits and profits from the resources that they are enabling as part of your future workforce. Promote their events, promote their individuals, promote their visibility, and promote their actions. A company that stands behind its employees will no doubt appeal to future employees.


Who is SCOTLANDIS?

WHO IS SCOTLANDIS

ScotlandIS is the trade body and Cluster Management Organisation (CMO) for the digital technology sector in Scotland and is proud to host the Scottish Cyber Cluster, ScotlandIS Cyber – where Cyber Security meets industry, innovation and talent.

WHAT DO WE DO

Our mission is to build a connected cyber community across Scotland. We aim to drive cyber security growth and innovation, to support the growing skills pipeline and to collaborate to address cyber security skills challenges.

We also seek to build strong UK and international relationships to support and promote the Scottish cyber security community at home and abroad. Our ecosystem of cyber security experts, businesses and academia has created new and innovative products and systems that are enabling and driving industry to reach new frontiers. We choreograph the relationship and community, bringing together pioneering cyber companies with investors, industry and government, creating wealth in Scotland.

OUR SERVICES

1. Eco System Development
2. Business Innovations
3. Cyber Skills Growth

WHY SCOTLANDIS

ScotlandIS is at the heart of Scotland’s digital economy, shaping, changing and driving it forward.

MEET OUR CYBER CLUSTER

We are pleased to introduce ScotlandIS’ Head of Cyber Cluster: Beverly Bowles! Bev joined ScotlandIS last summer as the Project Lead on their IT Managed Services work, running a series of ITMS events, building a community of IT Managed Service providers in Scotland, and working with providers to create an ITMS Charter (an established




Power of Cyber Security

The Power of Cyber Security Solutions: A Global Imperative, and why Scotland’s cyber ecosystem could be the key to solving global cyber challenges, with Edinburgh University recognised as an Academic Centre of Excellence in Cyber Security Research (ACEs-CSR).

Safeguarding National Interests: The digital landscape knows no boundaries, and neither do the threats that traverse it. For nations, investing in cutting-edge cybersecurity solutions is not just a matter of protecting sensitive data; it is safeguarding their very sovereignty. As cyber threats evolve in sophistication and scale, governments worldwide must proactively seek innovative cyber security measures to secure their critical infrastructures and maintain the trust of their citizens. And Scotland’s growing cyber security ecosystem has the talent, innovative solutions and services to help do just that.

A for Global Cooperation:

Cyber threats respect no borders, and neither should the response. A united front against cyber threats requires international cooperation. Through shared intelligence, coordinated responses, and joint initiatives, nations can create a formidable defence network. Establishing global norms for responsible behaviour in cyberspace can set the stage for a secure and collaborative digital future. In Scotland we are very lucky to have an engaged and supportive community, and this has been helped by the close working relationship across enterprise, government, academia and the entrepreneurial and start-up community. These four parts of the ecosystem jigsaw work in close collaboration to drive growth and innovation in

The Human Element:

Behind every successful cyber security solution are skilled professionals. In the pursuit of bolstering digital defences, nations benefit not only from advanced technologies but also from fostering a workforce proficient in cyber security. Collaboration between countries in sharing expertise, cultivating talent, and establishing international standards is pivotal in creating a collective defence against cyber threats. This is something that Scotland as a nation takes very seriously.

There are just over 400 cyber security companies operating out of Scotland, ranging from start-ups, scale-ups and SMEs to large global enterprises who see Scotland as a key market to target and a local presence as a critical part of that strategy. The estimated total GVA of the Scottish cyber sector is £426m, with £811m generated in 2021 from cyber-specific companies across Scotland. With our thriving cyber ecosystem, it is clear to see that Scotland should be a key collaboration focus area for any country looking to strengthen itself in the area of cyber security.

More than 70% of Scotland’s universities offer cyber security courses, and many courses are now looking at embedding cyber security practices in areas that are not even considered technology focussed. Abertay University has the first Ethical Hacking degree course in the world, and the only fully certified NCSC (National Cyber Security Centre) degree is run by Edinburgh Napier University – BEng Cyber Security and Forensics. Additionally, there are two NCSC fully certified Masters courses available: MSc Ethical Hacking and Cyber Security at Abertay University, and Advanced Security and Digital Forensics at Edinburgh Napier University.

This era of cybersecurity is a global one. As nations confront the challenges of an interconnected world, prioritising cyber security is not just a matter of national interest; it is a shared responsibility. By investing in and collaborating with the innovative and pioneering cyber security companies in Scotland, nations can forge a path toward a digitally secure future, ensuring the protection of their citizens, economies, and the integrity of the global digital landscape.

Cyber News Global


Providing Cyber Security Solutions designed to Protect your People

www.csa.limited | info@csa.limited | +44 (0)300 3034691

ISO 27001 Certificate Number: 21227-ISMS-001

ISO 9001 Certificate Number: 21227-QMS-001



WEALTH UNDER SIEGE: Family Offices and the Rising Threat of Cyber Breaches

In the world of high finance, where family offices safeguard the fortunes of the affluent, the allure of vast wealth also attracts the attention of cybercriminals. Family offices, responsible for managing the intricate financial affairs of high-net-worth individuals and families, have become prime targets for sophisticated cyberattacks. In this exploration of family offices and cyber breach stories, we uncover real-world incidents that underscore the urgent need for heightened cybersecurity measures within these bastions of wealth.

1. The Elusive Enemy: Social Engineering Unleashed

In a case that sent shockwaves through the financial community, a family office fell victim to a cunning social engineering attack. Cybercriminals, adept at exploiting human psychology, posed as trusted vendors and manipulated unsuspecting employees into divulging sensitive information. The attackers crafted convincing emails, mimicking established communication patterns and creating an illusion of legitimacy. The result was a breach that exposed confidential financial data.

This incident serves as a stark reminder of the human element in cybersecurity. No matter how advanced the technological defenses, the weakest link often remains the individual behind the screen. Consequently, family offices are now placing a premium on continuous employee training programs that simulate real-world scenarios, teaching staff to identify and thwart social engineering attempts.

2. Ransomware’s Gripping Hold on Family Fortunes

In a chilling episode, a European family office found itself in the clutches of a ransomware attack that paralyzed its operations. The attackers encrypted critical financial data, rendering it inaccessible, and demanded a hefty ransom for its release. This incident highlighted the vital importance of robust backup systems and a well-thought-out incident response plan.

Family offices, recognizing the potential devastation of ransomware, are now doubling down on cybersecurity measures. Regularly backing up essential data, coupled with routine testing of restoration procedures, ensures that family offices can recover swiftly without succumbing to extortion attempts. This strategy not only protects financial assets but also safeguards the reputation and trust placed in these institutions.

3. Third-Party Perils: When Trust Becomes a Vulnerability

In a testament to the interconnected nature of the financial world, a family office faced a cybersecurity breach through a seemingly trusted third-party vendor. The vendor, entrusted with specific responsibilities, had lax security measures that became an unwitting gateway for cybercriminals. This incident emphasized the critical need for robust vendor risk management. Family offices are now placing greater emphasis on thorough due diligence when engaging with external partners. Rigorous assessments of the cybersecurity protocols of third-party vendors ensure alignment with internal security standards. As these breaches often exploit weak links in the supply chain, family offices are working towards creating a comprehensive ecosystem of security, extending beyond their immediate walls.

4. Insider Threats: Breaches from Within

In a betrayal of trust, a family office faced a significant breach when a disgruntled employee, armed with privileged access, intentionally leaked confidential financial information. This case highlighted the ever-present threat of insider attacks, where individuals with intimate knowledge of the organization’s operations become adversaries.

To counter insider threats, family offices are now implementing stringent access controls and following the principle of least privilege. Regular reviews of access permissions, coupled with advanced monitoring systems, help identify and mitigate potential risks posed by disgruntled employees or those susceptible to external manipulation.

5. Phishing in Trusted Waters: A Family Office’s Unwanted Catch

A well-established family office found itself ensnared in a phishing attack that exploited the inherent trust relationships within the organization. Crafted with precision, seemingly legitimate emails requested sensitive information, leading to a data breach that exposed confidential client details. This incident highlighted the pervasive threat posed by phishing attacks, where cybercriminals exploit trust to gain unauthorized access.

To counter such threats, family offices are investing heavily in continuous cybersecurity education and awareness campaigns. Simulated phishing exercises serve as a proactive measure to inoculate staff against deceptive tactics, ensuring that employees remain vigilant against the evolving landscape of cyber threats.

6. The Cost of Delayed Detection: A Family Office’s Wake-Up Call

In a narrative that unfolded over months rather than days, a family office faced the harsh reality of a cyber intrusion that went undetected for an extended period. The delayed discovery allowed cybercriminals to navigate through the system, causing significant financial losses and irreparable damage to the institution’s reputation. This incident underscored the critical need for continuous monitoring and prompt incident response. Family offices are now investing in advanced threat detection systems, conducting regular security audits, and implementing real-time monitoring to identify and address vulnerabilities swiftly. The focus is not just on prevention but on creating a resilient cybersecurity framework that can adapt to evolving threats.

Conclusion: Learning from the Frontlines

These real-world stories of family offices grappling with cyber breaches serve as both cautionary tales and invaluable sources of learning. As family offices navigate the complex intersection of wealth management and digital security, the lessons gleaned from these incidents become guideposts for a more secure future. The battle against cybercrime is ongoing, and family offices must remain vigilant, continually adapting their cybersecurity strategies to match the evolving tactics of cybercriminals. By investing in employee education, securing third-party relationships, implementing robust access controls, and fortifying defenses against emerging threats, family offices can not only protect the wealth entrusted to them but also uphold the trust and confidence of their high-net-worth clients in an increasingly digital age.

Andy Miles, CISO, Quantum Resilience International (QRI)


Protecting Operational Technology

PROTECTING OPERATIONAL TECHNOLOGY – AN INDUSTRY VIEW

Martin Smith, MD of CyberPrism, looks at the issues facing industry in securing its OT.

There is a growing perception that Operational Technology is the next big focus area for cyber security. Certainly, the incidence of attacks seems to be increasing, although reporting is still low. Moreover, world events such as the war in Ukraine and its associated energy conflict have concentrated minds on industrial security as the global situation becomes less stable and the boundary between state intervention and criminality becomes increasingly blurred. The huge potential for ransom, extortion and economic disruption now seems clearer than ever. The Energy Sector in particular looks like a great target, but it is the indiscriminate nature of many forms of malware which is perhaps most worrying: there is no need to be targeted in order to become a victim, and many successful attacks can be seen as a form of collateral damage which was never envisaged by the initiator. These forms of malware can be seen as hybrids of weapons and contagions – analogous to biological warfare in some ways. Add OT security’s implications for safety and the environment, and it is easy to see why it is attracting attention. But what are companies doing about this? What are we seeing as industry, and the Energy Sector in particular, tries to adapt to a changing threat landscape?

Firstly, we need to understand that we are dealing with commercial entities here. Companies exist to create value and sit within complex ecosystems, with multiple threats and a host of conflicting drivers. Government entities are subject to many of the same pressures. Quantifying the risk and consequences of attack, and the benefits of security investment in terms of value and ROI, is difficult. Perhaps the most obvious driver is the operational cost inherent in increased ‘downtime’ due to cyber attack; but many industries are still on the road to truly data-driven operations, may be subject to other factors such as weather in offshore operations, and significant downtime is often seen as a fact of life. Reputation, and the consequences for share price, would be another significant driver, but it is really where this starts to overlap with some form of licence to operate, backed by Government regulation and enforcement, that we are seeing most traction for what can otherwise seem like an intangible issue.

Add in safety and the environment, for instance in the Health and Safety Executive’s enforcement of the Network and Information Systems Regulation in the UK Energy Sector, and we move to a much more tangible imperative. So, given increasingly effective industry drivers, what are the issues? We tend to see cybersecurity as a technical activity, but the first issue we encounter in most situations is governance. Put simply, who is responsible for OT security? It may be that the IT Department has ended up with the lead – either explicitly or by association. Alternatively, the integrator or OEM might be assumed to have this role, or perhaps it is Operations or Engineering. Sometimes different elements have responsibility for different OT networks at a single site – a difficult situation for the Duty Holder to manage, especially where the supply chain introduces extra vulnerabilities. Either way, we would suggest that clarity of roles and responsibilities – and associated resourcing – is a necessary precursor to technical intervention. On the technical level, from what we see, it is fair to say that there is a lot of work to do.


The issues set out above, along with the prevalence of aging equipment connected in ways that weren’t originally intended, and not fully patched or patchable, have left us with a matrix of vulnerabilities: essentially a large and complex attack surface. Key issues would be asset and vulnerability discovery, network visibility and alerting, network segregation and event response – but there are several others, all underpinned by personnel awareness and training, and with an underlying issue to do with insecure network architectures. Having scoped the problem, we seem to have encountered a bow wave of work which runs the risk of pushing OT security from the ‘not understood’ pile to the ‘too difficult’ pile.

How to move forward against this difficult backdrop? Well, wicked problems must be addressed by teams, not individuals. In this case, the team must include operators, license holders, cyber security companies, integrators and the supply chain – to name but a few. Our military background tells us that the most important element in any team is trust, so that is where we must start. Building trust won’t be easy in an attractive industry with many new entrants at various levels of competence, but it is essential if we are to make progress against increasing threats. However, even given the right relationships, industry doesn’t have enough qualified people, and simply increasing the training pipeline won’t generate the right level of experience. This is where technology has to come in. Processes such as asset discovery, segregation, alert response, compliance tracking and training need to be increasingly automated: not taking the humans out of the loop, but putting them in control. Trust will be a factor again here – interventions in OT networks must be safe, and there is too much loose talk of AI. Legacy systems will need particular attention, especially those that can no longer be patched effectively.

This is where we come in as a Security as a Service (SECaaS) provider for OT, fusing deep

integrating technology and services into existing infrastructure more cost-effectively than most clients could achieve on their own, to increase asset availability and regulatory compliance, and to leverage trusted data to support the fine-tuning of operations and improved decision-making. Industry may be somewhat behind the power curve, but with the right industry drivers, improved governance, trusted teams and the right technology we stand a good chance of turning this around, not without some investment, of course. OT security can be made feasible and cost effective, but it will require considerable collective will to regain the initiative. The good news is that some companies are grasping the nettle in exactly this way: they are the leaders who will show industry the way ahead. Regulatory compliance may be the key driver for OT security at the moment, but we look to the time when it will be overtaken by a desire for real security and the competitive advantage which process optimisation and protection can bring.





Top 10 Tips : CISO

INSIGHTS FROM A VIRTUAL CHIEF INFORMATION SECURITY OFFICER (VCISO): Top 10 Tips for Securing Today’s Digital Landscape

Kurtis Toy, CEO and Lead vCISO for ONCA Technologies Ltd

In the dynamic and fast-paced realm of cybersecurity, Chief Information Security Officers (CISOs) serve as the vanguard against an ever-growing array of digital threats. Drawing upon a wealth of firsthand experience and hard-won knowledge, a seasoned CISO imparts invaluable insights to help organisations stay abreast in the modern digital era. The following top tips serve as a starting point for organisations striving to safeguard digital assets in an era of constant evolution and persistent threats.

1. Prioritize Risk Assessment and Management: The foundational role of comprehensive risk assessment and management in any effective cybersecurity program cannot be overstated. By identifying and prioritizing potential threats, organisations can assess and allocate resources accordingly to proactively mitigate vulnerabilities. However, it’s important to stress that a risk assessment is not a one-time task; it should become a living document and process that is frequently reviewed and updated. This will help to address any gaps in the cyber defences, and ensure actions are implemented to manage the risks accordingly.

2. Establish a Culture of Security: It’s often recognised that the human element is typically the weakest link in cybersecurity; however, this component can also become the greatest strength if a culture of positive engagement and learning can be adopted by the organisation. Regular training sessions and awareness programs become instrumental in ensuring that every member of the organisation understands their role in maintaining a secure digital environment. This cultural shift towards prioritizing security awareness creates a collective resilience against social engineering attacks and other threats. Encourage employees to raise the alarm if they spot a problem or suspect an issue; it may just save the company.

3. Implement Multi-Layered Defence: A single security measure is rarely sufficient in any scenario, and in cyber security it’s vital to deploy multi-layered defences and mechanisms. This involves integrating various technical security measures such as firewalls, intrusion detection systems, antivirus solutions, and encryption protocols. These technical controls should be utilised along with robust processes and clear user awareness to avoid any single points of failure. By creating a sophisticated web of defences, organisations can better withstand the relentless and evolving nature of cyber threats.

4. Embrace Advanced Authentication Methods: In response to the ever-growing sophistication of cyberattacks, we need to move beyond traditional password-based authentication. Instead, organisations should adopt advanced authentication methods such as biometrics, multi-factor authentication, passkeys, and other leading technologies. These measures not only bolster access controls but also provide an additional layer of defence against unauthorized access. Checking for unrecognised sign-ins should also form part of your cyber resilience

5. Keep Software and Systems Updated: Any IT professional will highlight the critical importance of regularly updating software and systems to patch vulnerabilities and protect against known exploits. Outdated software and unpatched systems are common entry points for cybercriminals. The recommendation extends to the implementation of automated patch management systems, streamlining the process and ensuring timely updates across the infrastructure.

6. Foster Collaboration Between IT and Security Teams: Silos between IT and security teams can create vulnerabilities that cybercriminals may exploit. By fostering a collaborative approach, organisations can ensure that IT decisions align with overarching security objectives, creating a unified front against cybercriminals.

7. Monitor and Analyse Network Traffic: A proactive stance against cybersecurity threats involves the continuous monitoring of network traffic. Implement advanced network monitoring tools and intrusion detection systems to promptly identify and respond to potential security incidents. This real-time analysis is crucial for detecting anomalous activities and potential breaches before they escalate.

8. Develop and Test an Incident Response Plan: Despite proactive measures, security incidents may still occur, so it’s important to have a well-defined incident response plan in place. Regular testing and updating of the plan ensure that the organisation can effectively mitigate and recover from security breaches. This strategic preparedness minimizes the impact of incidents and facilitates a swift return to normal operations.

9. Leverage Threat Intelligence: To stay one step ahead of cyber adversaries, organisations can make proactive use of threat intelligence services. These services provide

By staying informed, organisations can adapt their cybersecurity measures to evolving threat landscapes and pre-emptively address potential risks.

10. Conduct Regular Security Audits: Regular security audits serve as a cornerstone for evaluating the effectiveness of the cybersecurity program. To assess how well the company has implemented security controls, organisations should conduct thorough audits, both internally and through third-party assessments. These audits identify gaps and weaknesses that may have been overlooked, offering a comprehensive view of the organisation’s security posture.

11. Emphasize Data Privacy and Compliance: In an era marked by stringent data privacy regulations, the importance of prioritizing data privacy and compliance is apparent. Adhering to relevant regulations not only protects sensitive information but also mitigates legal and reputational risks. A comprehensive approach to data privacy involves implementing robust data encryption, access controls, and regular compliance assessments.

12. Stay Informed about Emerging Technologies: Within the world of cyber, there is an enormous need to stay informed about emerging technologies and their potential impact on cybersecurity. Understanding the implications of technologies such as artificial intelligence, blockchain, and the Internet of Things enables organisations to proactively address new security challenges. By staying ahead of technological advancements, organisations can integrate innovative solutions that enhance their overall security posture.

In conclusion, the insights from an experienced Chief Information Security Officer, or an outsourced equivalent, will provide a roadmap for organisations seeking to fortify their defences in today’s digital landscape. By prioritizing risk assessment, cultivating a culture of security, and embracing advanced technologies, organisations can navigate the intricate cybersecurity landscape with resilience and effectiveness. If in doubt, ask your CISO!


QUANTUM – THE POWER BEHIND WORLD-CLASS FINTECH AND CYBER SECURITY. Quantum Group is a leading fintech and cyber security investment incubator, delivering world-class, practical solutions through a range of core products and services. Our companies deliver real world support for our clients, combining integrated hardware and software solutions with first-class customer service

and product delivery. From state-of-the-art technology to unrivalled expertise, Quantum provides our teams with strong governance, leadership and investment to optimise performance at every level to guarantee the quality and consistency of service from all our member companies.

WWW.QUANTUMGROUP.UK | INFO@QUANTUMGROUP.UK +44 (0) 207 409 1888 | 15 BELGRAVE SQUARE, LONDON SW1X 8PS, UK


ONCA

TECHNOLOGIES Virtual CISO & Cyber Security Experts IT Support & Monitoring ISO 9001 & 27001 Compliance Risk Management Training Campaigns GDPR Compliance Business Optimisation & Data Analysis Digital Solutions Support & Guidance Security Gap Analysis System Organisation

www.oncatech.com


Security, Cyber and Investigation Services

VALKYRIE SERVICE LINES CYBER SECURITY TECHNICAL SURVEILLANCE AND COUNTER MEASURES (BUG SWEEPING)

CYBER PENETRATION TESTING CYBER AWARENESS TRAINING PHISHING SIMULATIONS CYBER SECURITY REVIEW CRISIS RESPONSE SECURITY TRAINING PHYSICAL AND PERSONAL SECURITY

INCLUDING ASSESSMENTS | ACCESS CONTROL | TECH SECURITY

INVESTIGATIONS PHYSICAL PENETRATION TESTING

15 Belgrave Square, London SW1X 8PS, UK

+44 (0) 2074 999 323

security@valkyrie.co.uk

www.valkyrie.co.uk



WE ENABLE PEOPLE TO WORK FROM ANYWHERE. SECURELY

WE OFFER CYBERSECURITY SOLUTIONS FOR BUSINESS, ALLOWING YOU, YOUR COLLEAGUES AND PARTNERS TO ACCESS DATA AND WORK FROM ANYWHERE. SECURELY TRANSFORM

PROTECT

RECOVER

SASE

Email Security

Cloud Backup

Secure Web Gateway

EDR

Disaster Recovery

Identity

ASM

Microsoft 365

Data Loss Prevention

Anti-Malware

Google Workspace

ZTNA

Anti-Ransomware

Infrastructure Backup

SD-WAN

Vulnerability Scanning

Data Protection

discover@everycloud.co.uk | www.everycloud.co.uk | +44 800 470 1820




How To Code Securely

BALANCING EFFICIENCY AND SECURITY IN SOFTWARE DEVELOPMENT

In summary, internal developer platforms can play a crucial role in improving the efficiency and overall security of software development. They enable standardised, automated, security-focussed and collaborative ways of working inside the protection of organisational guardrails. They provide the foundation to operate a safe and productive development process and an efficient developer workflow. - Fraser Davidson CTO, Frontier Digital https://gofrontier.com

low-code development technologies aren’t a silver bullet for software development talent shortages. A lack of flexibility and customisation options, dependency on a third party for support and updates, and inability to meet organisational compliance standards can disqualify their usage for applications requiring more advanced functionality. As a result, software development teams find themselves under immense pressure to deliver more with less.

Open-source software All companies are now software companies. Reliance on code – and demand for those who can write it – has never been higher. The relentless pace of technology innovation and the opportunity to gain competitive advantage by harnessing it creates talent vacuums. A Gartner survey from 2021 revealed that talent shortages were the biggest barrier to emerging technology adoption, ahead of implementation costs or security risks. Organisations are being forced to look for ways to accelerate technology delivery through efficiency, rather than expanding head count, to meet business needs. No-code & low-code Many are looking to no-code and low-code development technologies to do so. Low-codeapplication platforms democratise software development, enabling business technologists – a.k.a. citizen technologists or citizen developers – to build cloud services, mobile apps and web apps without having to write much (or sometimes, any) code. Users of these platforms can drag and drop ready-to-use building-blocks together from catalogues maintained by the vendor to implement the desired business logic or user experience, and the platform takes care of the rest. The market for these technologies is predicted to grow by 20% in 2023 alone. The reality for most, however, is that no-code and Cyber News Global

Access to ready-to-use building-blocks isn’t reserved to users of low-code application platforms – developers can consume open-source software (OSS) packages. OSS packages are collections of reusable files, functions, scripts, routines, and other resources that implement re-useable functionality or business logic. Hardware manufacturers, software vendors and cloud service providers all produce software development kits (SDKs), distributed as OSS packages, to enable developers to interact with their products and services without having to write that code themselves. Enthusiasts also produce OSS packages to contribute complex re-usable logic such as encryption, application logging or browser cookie handling to the OSS community. OSS packages are distributed under a license that allows developers to use, study and change them freely. Open-source software turbo-charges software development by enabling developers collectively to stay “DRY” (don’t repeat yourself) - a huge win for efficiency. However, caution is required. Code quality is often lower than with proprietary – paid-for – software; developers need to ensure the use of an OSS package doesn’t introduce . bugs or performance issues into their application. Support and maintenance can’t be relied upon; developers should be aware that an OSS package might be abandoned at any time by the original author, forcing eventual removal. Most critically, the author of the code – and their motivations – are often unknown; developers must ensure an OSS package does what it claims to, now and in the future.


The security of the software supply chain – which includes the people, processes and technology involved in the creation, distribution and maintenance of open-source software – is a critical concern for OSS-consuming software development teams when protecting their applications from digital attacks, data breaches and other cyber threats. Sonatype – who operate an OSS distribution service called Maven Central – reveal in their 9th State of Software Supply Chain Security report that 1 in 8 OSS package downloads from Maven Central include a known risk, that 18.6% of open-source projects across Java and JavaScript that were maintained in 2022 are no longer maintained today, and that the number of malicious OSS packages discovered this year was more than double that of all previous years.

Generative artificial intelligence

In the absence of a suitable (or safe) open-source software package to pull into an application, generative artificial intelligence (AI) is rapidly becoming the next avenue of efficiency in software development. A range of tools – both free and paid – are available to generate code on demand. AI-powered code generators take a prompt in human language – “write a function that checks if a user is logged in” – and produce working code in a relevant programming language. Generative AI has the potential to revolutionise software development, in part by making developers more efficient, but the use of such easily obtained code is also not without risk. Generative AI models require data on which to train the model – to identify the patterns and structures within existing data to enable generation of the next most relevant letter, word or symbol. AI-powered code generators use models trained – largely – on open-source software code. That dataset undoubtedly contains high-quality, safe code, but it will also contain code now considered defunct or, worse, code now vulnerable to recently discovered cyber threats. Developers need to be aware that AI-powered code generators might not produce the safe, high-quality code that AI hype might lead them to expect and instead might simply be repeating other developers’ mistakes.

Internal developer platforms

Software development teams have a balancing act to perform between efficiency and security. Low-code application platforms enable business technologists to build cloud services, mobile apps and web apps using catalogues of ready-to-use building blocks, but lack of customisation options and worries over vendor dependency can be a barrier. Open-source software enables developers to benefit from the collective code-writing capacity of an entire community but opens the door for low-quality and malicious code to find its way into applications unchecked. And AI-powered code generators provide code on tap but have the potential to introduce bugs and vulnerabilities that an experienced developer may have avoided.

DevOps – and an internal developer platform – can help. DevOps is a combination of methodologies, practices and processes used to build a culture of collaboration and shared responsibility across software development and operations teams. The aim is to increase the efficiency, speed and security of software development. A DevOps culture can be enabled by an internal developer platform – a set of tools, services and automations that support and accelerate software development teams by integrating security, standardisation and workflow seamlessly into the software development process. Internal developer platforms can be built or bought, the former usually by in-house Platform Engineering teams. Users of an internal developer platform can expect their applications to be analysed automatically – and regularly – by software composition analysis (SCA) tools. SCA tools identify all packages used in an application and all the known vulnerabilities of those packages, and use data created and shared by cyber security professionals globally to ensure vulnerabilities in OSS packages can be detected and identified as soon as they’re discovered. Static application security testing (SAST) – running automatically on the internal developer platform – detects security risks introduced by AI-powered code generators, or by developers themselves. SAST tools analyse code line by line to identify common mistakes and misconfigurations that can introduce security vulnerabilities. Results of both SCA and SAST analyses are made available to developers, cyber security teams and product owners every time code is committed. Shifting left – the practice of moving performance, quality and security testing closer to the developer – enables early detection of security and other issues, empowering developers to take corrective action long before their code goes into service, reducing the impact of rework and ultimately increasing development velocity.

Internal developer platforms also typically provide service catalogues – curated collections of standardised, ready-to-use building blocks created and maintained to meet organisational security and quality requirements – that can be used to accelerate development and drive consistency across the organisation. With the right support from developer enablement teams, service catalogues can enable business technologists and developers alike to build cloud services, mobile apps and web apps in a manner not too dissimilar to the experience low-code application platforms offer.
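The line-by-line analysis that SAST tools perform can be illustrated with a small scanner applied to the kind of code an AI-powered code generator might return for the prompt quoted earlier (“write a function that checks if a user is logged in”). The Python script below is an added example written for this article, not code from the magazine or from any SAST product. SAMPLE_GENERATED is a constructed snippet rather than real tool output, the credential in it is a placeholder, and the five rules are a deliberately small subset of what a production scanner checks; they are written against Python's own ast module, so no third-party tooling is assumed.

```python
"""Tiny static application security testing (SAST) pass over Python source.

Added example for illustration; not code from the article or from any SAST
product.  SAMPLE_GENERATED is a constructed snippet of the kind an AI code
generator might return for "write a function that checks if a user is logged
in"; it is not real generator output and the token in it is a placeholder.
"""
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_GENERATED = '''\
import hashlib, subprocess, pickle

API_TOKEN = "hunter2-example"  # constructed placeholder, not a real credential

def is_logged_in(session, users):
    digest = hashlib.md5(session["password"].encode()).hexdigest()
    return users.get(session["user"]) == digest

def run_report(name):
    return subprocess.run("report --name " + name, shell=True)

def load_session(blob):
    return pickle.loads(blob)
'''

# Identifiers that suggest a credential is being assigned a literal value.
_SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key)", re.IGNORECASE)


@dataclass
class Issue:
    line: int
    rule: str
    message: str


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Scanner(ast.NodeVisitor):
    """Walks the syntax tree and records one Issue per matched rule."""

    def __init__(self) -> None:
        self.issues: List[Issue] = []

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.issues.append(Issue(node.lineno, rule, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in ("eval", "exec"):
            self._report(node, "code-exec", f"{name}() runs data as code")
        elif name in ("hashlib.md5", "hashlib.sha1"):
            self._report(node, "weak-hash",
                         f"{name} is unsuitable for passwords; use a slow salted KDF")
        elif name in ("pickle.load", "pickle.loads"):
            self._report(node, "unsafe-deserialisation",
                         f"{name} executes code embedded in untrusted input; prefer a data-only format")
        elif name and name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self._report(node, "shell-injection",
                         f"{name}(shell=True) lets a crafted argument reach the shell; pass an argv list")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and _SECRET_NAME.search(target.id):
                    self._report(node, "hardcoded-secret",
                                 f"{target.id} holds a literal credential; load it from configuration")
        self.generic_visit(node)


def scan(source: str) -> List[Issue]:
    """Parse `source` and return the issues found, ordered by line number."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.issues, key=lambda i: i.line)


if __name__ == "__main__":
    for issue in scan(SAMPLE_GENERATED):
        print(f"line {issue.line:>3}  {issue.rule:<22} {issue.message}")
```

On the constructed snippet the scanner flags the literal token, the MD5 password hash, the shell=True subprocess call and the pickle deserialisation, each with the line number a developer would need to act on before commit. Because it works on the syntax tree rather than on text, renaming a variable or splitting a call across lines does not hide a finding; the trade-off is that aliased imports (import hashlib as h) would need a small extension to resolve.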



Five steps to improving your Cyber Security Awareness Program

Education and behaviour change is critical to keeping your organisation safe. If you want to make your training effective, you need to carefully consider what your program looks like so it can address:

1. Understand Your Audience

Not every user is made equal. The program should be tailored to the specific roles and responsibilities of different employee groups. Your Finance, HR and Procurement teams, for example, should have enhanced levels of training because of the level of sensitive and financial data that they have access to. Your industry will also face specific threats, influencing what is contained in your Cyber Security training program. For example, Financial Services organisations may wish to focus on phishing attacks and insider threats, whilst Educational establishments might consider ransomware attacks, identity theft or academic fraud to be of highest priority. Equally, the specific legislation for different regions and industries will need to be covered within the Cyber Security training program.

2. Engage your users

Too many Cyber Security Awareness programs are, well, just a bit dull. What should be an exciting, dynamic subject is seen as somewhat dry and irrelevant. Users are engaged when they understand the objectives of training, that the training is relevant to them and that it is interactive. Fun is not something that is often associated with Cyber Security, but having fun or experiencing positive emotions is positively correlated with how memorable the training is, a concept known as “emotional memory”. This concept states that when you have fun or experience positive emotions during a task, your brain releases neurotransmitters like dopamine, which can enhance memory consolidation. Interactivity encourages active participation, which can also enhance the recollection of key learning points. This could include quizzes, discussions and simulations.

3. Embrace Different Learning Styles

Everyone learns in a different way. Learning styles outline the way that different people process information, and embracing different learning styles in a training program makes learning more inclusive, engaging and effective, ultimately leading to a more successful training initiative. There are different models that describe learning styles. One of the more popular and easy-to-grasp models categorises learning styles into three main types: visual, auditory and kinesthetic. Visual learners understand information best through visual aids such as diagrams, charts and written materials. They benefit from seeing information in a clear, organised format. Auditory learners, on the other hand, prefer learning through listening. They grasp information effectively through lectures, discussions and verbal explanations. These learners often benefit from participating in group activities and engaging in conversations to reinforce their understanding. Kinesthetic learners learn best by doing and experiencing. They thrive in hands-on activities, experiments and real-world applications, as physical engagement aids their comprehension and retention of information. What this means in reality is that your Cyber Security Awareness program should be multi-media and multi-channel to cater for as many learning styles as possible. This could include hands-on learning, newsletters, infographics, simulations and escape-room-style “immersive” training.



4. Make it a Priority

As the saying goes, what gets measured gets done. There are clear compliance reasons for measuring your program, but it will also help you assess the effectiveness of the training initiative and make informed decisions about its continuation, improvement or modification. Measuring the impact of a training program provides tangible evidence of its value to your business and to its leaders. Leadership support is critical to the success of the program, not only for budgetary reasons but also for reinforcing the importance of your efforts. If your leaders participate in and enforce your program, it will contribute to its success.

GVA of the Scottish cyber sector is £426m, with £811m generated in 2021 from cyber-specific companies across Scotland. With our thriving cyber ecosystem it is clear to see that Scotland should be a key collaboration focus area for any country looking to strengthen themselves in the area of cyber security.

5. Create a Habit

Being safe with data is a habit. Developing any kind of habit involves creating a consistent routine and making gradual, sustainable changes. For Cyber Security Awareness, you should consider regular training, rather than an annual “one and done”. Encourage users to create habits around being safe online, taking time to make decisions about sharing data or disclosing information. Visual cues such as posters or notes will help to reinforce the habit, as will regular practice. Phishing simulations have a useful place, as does regular microlearning. Celebrating achievements can also be a useful tool in creating new patterns of behaviour. Consider an annual “Data Safe” Award ceremony or Cyber Security team-building event. By considering these factors, you can design a cybersecurity awareness program that is tailored to your organisation’s unique context, encourages a security-conscious culture, and effectively mitigates the risks associated with cyber threats.

About Vanessa Porter

Vanessa has been helping enterprises to use data and analytics effectively and responsibly for more than 25 years. She develops and delivers memorable data and security engagement programs that increase technology adoption, safely and securely. She lives with too many dogs in rural Oxfordshire.

