Transform Issue 41 July 2024 Edition - CCoE

Page 1


Get your local authority’s vulnerability report

Care industry cyber package launched

How a CCoE pilot has mapped care sector cyber need

Also inside:

• Immersive cyber training now available

• Why cyber protection should include physical security

• The CCoE gains global knowledge at conference

• Why councillors need cyber protection

Page 2

Introduction from Kurtis Toy, Chief Executive of the CCoE and news from CCoE Advisory Board members.

Page 3

News: Download free cyber report.

Page 4

Feature: Care Pilot programme wraps up.

Page 5

Feature: Immersive cyber training launched.

Page 6

Blog: Why cyber should cover physical security.

EDITORIAL CONTACTS

TRANSFORM IS PRODUCED BY: iESE www.iese.org.uk

The CCoE is making strides

The Cyber Centre of Excellence (CCoE) is now more than a year old and is making strides towards its vision of the UK being the safest place to live, work and play online.

In this issue we will talk you through the CCoE’s upcoming plans and progress made in our inaugural year. This is the second year the CCoE has funded a research exercise using the attack surface management tool FractalScan Surface. This means local authority leaders and their IT specialists can now download their second free confidential annual report which reveals whether their cyber security vulnerability level has improved since last year (see page 3 for more information).

www.linkedin.com/in/kurtistoy/

We also bring you up to date with the pilot programmes we’ve been conducting to help us draw together the right packages of cyber support for various sectors. The most recent to conclude has been the Care Sector Pilot (see page 4 for more details).

CCoE training partner OSP Cyber Academy also has an exciting development to reveal, with the launch of its immersive ‘escape room style’ cyber awareness training (see page 5). Lastly, a blog from CCoE Advisory Board member Niall Burns, Chief Executive Officer at Subrosa Group, outlines the importance of all security when it comes to cyber protection, including physical, technical, and manned security (see page 6).

Email: enquiries@iese.org.uk @iESELtd

CREDITS: Designed by SMK Design (Aldershot)

Editorial by Vicki Arnstein

Views expressed within are those of the iESE editorial team. iESE Transform is distributed to companies and individuals with an interest in reviewing, remodelling and reinventing public services.

© Copyright iESE 2024

We hope you enjoy this issue and that it gives you some new ideas and thinking points as we pass the midway point in the ‘Year of Democracy’. With 2024 being the year with the most elections being held globally in history, we recognise that the need for cyber security in local government is more crucial than ever.

• Contact us to find out how the CCoE can help strengthen your defences: www.ccoe.org.uk or enquiries@ccoe.org.uk

CCoE attends international conference

REPRESENTATIVES FROM THE CCOE ADVISORY BOARD RECENTLY ATTENDED THE ARAB INTERNATIONAL CYBERSECURITY SUMMIT (AICS) WHERE THEY HEARD ABOUT COMMON GLOBAL CYBER SECURITY CHALLENGES.

Thomas McCarthy, the Founder and Managing Director of cyber security and awareness training provider OSP Cyber Academy, who is also a member of the CCoE Advisory Board and a CCoE Director, said multiple speakers from different geographic locations shared similar concerns during the two-day conference. “Delegates and speakers from all over Europe, America, and the Gulf region highlighted that cyber challenges are not unique to one geographical area, and we all need to collaborate in the fight against them. We are all linked through supply chains, we are all vulnerable,” McCarthy said.

McCarthy, who attended AICS with eight other CCoE Advisory Board members, said among the biggest global worries were advanced phishing campaigns and Artificial Intelligence (AI). “AI is becoming the tool of choice for cyber criminals because it gives them more capability to develop more sophisticated attacks at greater speed. Data protection is also a huge concern, while deepfake phishing, which describes the manipulation or creation of audio or audio-visual content designed to extract information or obtain funds, is a relatively new concern but one that is growing,” he explained.

McCarthy stressed that while there was no single solution to cyber threat, the CCoE was well positioned to help pull together a package of suitable protection, whatever the size or type of organisation. “The CCoE has built a very powerful platform which is well situated to help organisations in the UK and beyond. We’ve done this by pulling together hundreds of years of collective experience in our Advisory Board which brings together experts in every aspect of cyber security.”

•To read a longer version of the news piece above please visit https://ccoe.org.uk/blog/cyber-security-on-the-world-stage

Cyber is councillor’s personal responsibility

COUNCILLOR DAVID TUTT, CHAIR OF IESE AND A NON-EXECUTIVE DIRECTOR OF THE CCOE, HAS ENCOURAGED COUNCILLORS TO TAKE PERSONAL RESPONSIBILITY FOR PREVENTING CYBER-ATTACKS ON PERSONAL EQUIPMENT USED TO CARRY OUT PARTY BUSINESS.

He said that with this year being dubbed the Year of Democracy, councillors were at greater risk than ever. “Councillors are intrinsically linked to the wider council infrastructure but are likely to be working away from main council buildings where they can make use of cyber protections. They are also more likely to be working from personal devices, particularly during election periods when using council-supported provisions, such as a council email address is not allowed. Yet we are firmly embedded within the linked chain of constituents, local businesses, and local and central government, making us an attractive target for cyber criminals,” he said.

Cllr Tutt said awareness of cyber security varied among councillors. Whilst some are taking measures to protect themselves, for others it has not yet registered as a potential risk. Some also realise it is something of a risk but hope that it is not going to be them who is attacked.

He believes that the risk, however, is the responsibility of individual councillors and candidates, especially whilst using their own devices and home networks. “Whilst the council can do things to support, at the end of the day the responsibility must rest with the individual councillor. It is no good if you are attacked to blame the council. If an attack occurs on your own personal device, then that is your responsibility,” he added.

One option councillors have is to use Councillor Protect, one of the off-the-shelf products trialled and tested by the CCoE, which gives access to software, training and support to individuals working solo without any central IT infrastructure.

Cllr Tutt added that it would be 'very wise' for councillors to take every possible precaution to protect their IT environment and ensure it is as safe as possible from attack: “Not to do so leaves you vulnerable and, unfortunately, it is not a case of if you will be attacked, it is a question of when.”

• To read a longer blog version of the news piece above please visit: https://ccoe.org.uk/blog/cyber-is-councillors-personal-responsibility

• Find out more about Councillor Protect on page 4.

Kurtis Toy, Chief Executive of the CCoE

Download second free cyber report

Local authority leaders and their IT specialists can now download their second free annual report from the Cyber Centre of Excellence (CCoE) which reveals whether their cyber security vulnerability level has improved since last year.

This is the second year that the CCoE – an organisation which aims to make the UK the safest place to work, play and do business online – has funded a research exercise using the attack surface management tool FractalScan Surface. The technology scans the Internet using a domain name or IP address to look for misconfigurations, security vulnerabilities and exposed data.

The CCoE is an initiative designed to protect all organisations from cyber attack by keeping them abreast of developments and giving them access to military-grade cyber protection at high street prices. The organisation is backed by an Advisory Forum of some of the UK’s leading cyber security experts who can jointly assist with the full remit of everything an organisation of any size needs to do to stay as cyber secure as possible.

With the cyber threat level in the UK high and 2024 dubbed the ‘Year of Democracy’, with the most elections being held globally in history, the need for cyber security in local government is more crucial than ever. The vulnerabilities identified by the tool could be seen by anyone online, including hackers, revealing potential routes – or open back doors – into organisational systems. The aim of the CCoE Passive Scan exercise and personalised report is to allow the CCoE and the individual local authorities to identify areas of focus.

“Following the success of last year and how well received the individual council reports were, we have now carried out this exercise for the second time so we can do a year-on-year comparison and start to build up a picture of trends for each individual local authority,” explained Kurtis Toy, Chief Executive of the CCoE and vCISO/CEO of Onca Technologies. He added that the CCoE had committed to conducting the exercise annually for the foreseeable future. “We are aiming to provide an objective annual spot check to help ensure that the systems and processes local authorities already have in place are working to their expectations. The feedback we got from local authorities last year was either that they were grateful or that they were reassured. This is entirely sponsored by the CCoE as a research exercise and as a helping hand. We have again included the recommendations in the report of where vulnerabilities are and how to fix them.”

Within each council report, scores are generated in four areas, with each area receiving a score between 1 and 5. On this scale, 5 is classed as excellent and a 1 would place an organisation as being very vulnerable to attack. As well as providing an individual comparison to allow each local authority to identify whether their vulnerability has increased or decreased since the scan was carried out in 2023, the report also provides an overview of the council compared with their region, and they get a total number of vulnerabilities and a comparison to where that sits for the UK. The report also highlights the top twenty vulnerabilities for the local authority and top twenty actions to address them.

Toy stressed that the data in the report is only one small metric in the context of an overall cyber security strategy. “A lower score doesn’t mean that a local authority has terrible security, it just means that aspect of their security needs improving. There are other strands that need to be in place in addition for a strong cyber security stance, including staff training and endpoint security, for example. And, likewise, a perfect score does not mean they are invulnerable. All we are giving is effectively a map of where a hacker is most likely to look if they were targeting their domain, which is very different to if they receive a phishing email and someone clicks on it.”

Vulnerabilities frequently found included badly configured services, out of date software, forgotten servers and neglected websites affected by mergers or organisational changes. Often configuration changes are made which accidentally make information available online without an organisation’s knowledge.
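An IT team receiving a passive-scan report will usually want to sort its findings into exactly these four classes before assigning work. The script below is an added illustration written for this article and is not code from the CCoE or from FractalScan Surface. It reads a constructed CSV export (the column layout is an assumption for the example), compares it against a constructed asset register, and flags forgotten hosts, exposed admin services or cleartext-only sites, software below an assumed minimum version, and sites with expired certificates or content untouched for over a year. The host names, IP addresses, thresholds and minimum versions are all invented for the example.

```python
"""Triage a passive external attack-surface export into the article's four classes.

Added example, not CCoE or FractalScan Surface code. The CSV layout, the asset
register, the admin-port list and the minimum-version policy are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one row per exposed service (column layout assumed).
SCAN_CSV = """host,ip,port,service,product,version,cert_not_after,last_content_update
www.example-council.gov.uk,203.0.113.10,443,https,nginx,1.24.0,2025-03-01,2024-06-30
planning.example-council.gov.uk,203.0.113.11,443,https,Apache httpd,2.4.49,2024-05-01,2022-11-12
old-intranet.example-council.gov.uk,203.0.113.40,80,http,Microsoft IIS,7.5,,2019-02-03
db.example-council.gov.uk,203.0.113.12,3389,rdp,,,,
"""

# Constructed asset register: the hosts the IT team knows it owns.
ASSET_REGISTER = {
    "www.example-council.gov.uk",
    "planning.example-council.gov.uk",
    "db.example-council.gov.uk",
}

# Assumed policy: management services that must never face the internet.
EXPOSED_ADMIN_PORTS = {22, 445, 3389, 5900}

# Assumed patch policy: illustrative minimum versions, not a vulnerability database.
MIN_VERSIONS = {
    "nginx": (1, 24, 0),
    "Apache httpd": (2, 4, 58),
    "Microsoft IIS": (10, 0),
}

STALE_AFTER = timedelta(days=365)      # content older than this marks a neglected site
REFERENCE_DATE = date(2024, 7, 1)      # fixed "today" so the example is deterministic


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_date(text):
    return date.fromisoformat(text) if text else None


def triage(scan_csv, asset_register, today):
    """Return a list of (host, category, detail) findings."""
    rows = list(csv.DictReader(io.StringIO(scan_csv)))
    https_hosts = {r["host"] for r in rows if r["service"] == "https"}
    findings, forgotten_seen = [], set()

    for r in rows:
        host, port = r["host"], int(r["port"])

        # Forgotten server: reachable from outside but absent from the register.
        if host not in asset_register and host not in forgotten_seen:
            forgotten_seen.add(host)
            findings.append((host, "forgotten", "host not in asset register"))

        # Badly configured service: admin port exposed, or cleartext with no TLS listener.
        if port in EXPOSED_ADMIN_PORTS:
            findings.append((host, "misconfigured",
                             f"admin service {r['service']} on port {port} reachable from the internet"))
        elif r["service"] == "http" and host not in https_hosts:
            findings.append((host, "misconfigured", "cleartext http only, no https listener"))

        # Out-of-date software: product version below the assumed policy minimum.
        minimum = MIN_VERSIONS.get(r["product"])
        if minimum and r["version"] and parse_version(r["version"]) < minimum:
            findings.append((host, "outdated",
                             f"{r['product']} {r['version']} below minimum "
                             f"{'.'.join(map(str, minimum))}"))

        # Neglected website: expired certificate or content not touched for a year.
        cert_expiry = parse_date(r["cert_not_after"])
        if cert_expiry and cert_expiry < today:
            findings.append((host, "neglected", f"TLS certificate expired {cert_expiry.isoformat()}"))
        updated = parse_date(r["last_content_update"])
        if updated and today - updated > STALE_AFTER:
            findings.append((host, "neglected", f"content last changed {updated.isoformat()}"))

    return findings


def summarise(findings):
    """Count findings per category, e.g. {'outdated': 2, 'neglected': 3, ...}."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


def example_findings():
    return triage(SCAN_CSV, ASSET_REGISTER, REFERENCE_DATE)


if __name__ == "__main__":
    found = example_findings()
    for host, category, detail in found:
        print(f"{category:<13} {host:<38} {detail}")
    print(summarise(found))
```

Run against the constructed data, the healthy www host produces no findings, the planning site is flagged as outdated and neglected, the unregistered old-intranet host is flagged as forgotten, cleartext-only, outdated and neglected, and the database host is flagged for an internet-reachable RDP listener. The checks are deliberately simple version and date comparisons so they can be pointed at whatever export format a real scan provides; the asset register is the piece most teams will need to build first.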

As with last year’s reports, information on individual councils will not be made publicly available. Copies of the individual 2024 reports will only be available to download by a CEO, vCISO or IT manager within each local authority or by their authorised IT representatives.

• Contact the CCoE to request a copy of your organisation’s report or email enquiries@ccoe.org.uk

Pilot maps out cyber protection package for care industry

Care providers can now access a complete off-the-shelf cyber protection package from the Cyber Centre of Excellence (CCoE) and Care England following a successful pilot programme.

The pilot took place from April 2023 until May 2024 and trialled a package of cyber security protection and support for five care providers plus Care England, the representative body for the adult social care sector.

The six organisations taking part in the pilot – two large national providers, one learning disability provider, two small providers and Care England – were given access to a range of practical support and solutions and then asked to feedback their experiences.

Kurtis Toy, Chief Executive of the CCoE, explained that the pilot aimed to understand the risks and issues specific to the care sector: “We understand that this is an industry that is time poor and resource heavy. They don’t want to learn about problems, they want to be given solutions. The point of the pilot was to find the right solutions for the sector so we can put a package of cyber support together which raises the bar of security and gives them peace of mind.”

The five parts of the pilot were:

• Access to a half-day National Cyber Security Centre (NCSC) assured online Cyber Risk & Resilience Board & Executive course from CCoE partner OSP Cyber Academy for one senior management member.

• A passive scan was carried out on each company and a report was then generated on any vulnerabilities found and advice given on how to resolve them.

• Five spaces were provided for each company for six online bite-sized NCSC-assured courses from CCoE partner OSP Cyber Academy (Ransomware and Malware, Password and Access Management, Phishing and Social Engineering, Cyber Security at Home, Mobile Device Security and Data Breach).

• Support was given by a virtual Chief Information Security Officer (vCISO), including an individual vCISO session where the trial participants were given tailored advice on improving their cyber security.

• Five licenses for zero-trust cyber security solution AppGuard for each company were installed on individual endpoints and the participants were recommended to install a free application providing phone security.

“It has been good to see the willingness to engage with the trial and see that people recognise the risk and are keen to find solutions,” said Toy, “What we understand is that we need to remove as many barriers as possible because this is an industry that is already under-resourced and time poor. We are confident from running the trial that our Care Protect Package offers the right level of ready-to-go support and solutions for the care industry.”

In the closing meeting for the pilot project, one of the care providers involved in the trial said the most valuable part of the pilot was the reassurance the CCoE expertise gave them around who to trust. “We get offered a lot of cyber security solutions, but it is hard to know how much of what is recommended is good and whether it will enhance the security of the organisation, or whether it is being offered to meet sales targets,” said Manlio Mannisi, Head of IT at SeeAbility. His colleague, Mandy Kendrick, Fundraising Coordinator at SeeAbility, added: “I undertook the online training courses as part of the pilot. The short modules were designed in a way that made them easy to complete. They were simple to follow and, even if you already know a lot about cyber security, they are still excellent reminders and refreshers.”

Louis Holmes, Digital and System Transformation Projects Manager at Care England, said the care industry is becoming increasingly aware of cyber security issues but that solutions such as Care Protect were needed to minimise the time and money needing to be invested. “Providers are under so much pressure with regulation, funding, and workforce issues. Unfortunately, cyber can be pushed down the list of priorities because you can’t see it, it’s behind a computer or mobile screen. But care providers need to invest in cyber security because otherwise their organisation could come under attack and possibly never recover. We can’t lose any more care providers because the sector is significantly underserved as it is,” he explained.

He said that the vulnerability scan and vCISO session were particularly useful elements of the trial for Care England. “The vulnerability scan indicated that there was a potential vulnerability in one of our membership items. While it does not have any personal data on it, if it went down it would take time and money to fix. Having the potential issue alerted has helped us secure that. The vCISO session was also useful as it identified some things to address and how we can work with our Managed Service Provider better. The pilot gave us a lot of takeaways to take forward and is a great starting block to build up on.”

While there have not been any major devastating attacks on care providers yet, Holmes warns that it is a case of when, not if. He also noted that the sector could be seen as a weak link and a way to gain access to interlinked organisations such as local authorities and the NHS through tactics such as phishing. “That is why the training and educational piece is so important because it helps people just get a bit smarter when reflecting on what they should and should not be doing in terms of things like opening suspicious emails. The digital transformation journey the sector is on at the moment also increases the need to protect data and systems.

“I would encourage any care provider to realise that cyber-attacks are an absolute threat and need to be properly recognised. If you do get attacked you might not be able to view someone’s care records, their dietary or medicine information might not be available, for example, which could cause serious, potentially life-threatening issues. What Care Protect can do is help support your organisation and mitigate the impacts of a cyber attack.”

The CCoE is also carrying out pilots to optimise Care Protect Packages for other sectors and industries. It has recently concluded a parish pilot, is in progress with a school pilot and is now also starting a small business pilot.

• Find out more about the Care Protect Package by contacting Care England at info@careengland.org.uk or the CCoE at enquiries@ccoe.org.uk

Immersive cyber training offered by CCoE

Organisations of any size can now access immersive ‘escape room style’ cyber awareness training through the Cyber Centre of Excellence (CCoE).

Vanessa Porter, the OSP Cyber Academy Associate who leads the immersive training, came up with the idea of running immersive sessions when she was tasked in a previous role with delivering General Data Protection Regulation (GDPR) training to groups of people in the travel industry. “Some people would see me coming and try to hide away in the stationery cupboard until I’d gone,” she jokes. “I created immersive training to engage the hard-to-reach people and make learning fun and retaining the training objectives easier.”

CCoE partner organisation, OSP Cyber Academy, is now offering the bespoke immersive cyber awareness training designed to complement any organisation’s online and classroom cyber awareness training. The immersive training makes use of escape room style tasks with a variety of games, challenges, and puzzles to bring learning outcomes to life, such as understanding phishing, malware, and password hygiene.

Having a mix of both online or in-person training alongside some immersive training and other awareness campaigns can be beneficial. “When you are developing a cyber security awareness training programme it is important to include all different types of training,” Porter stresses. “Sometimes regulation drives organisations to carry out tick-box training rather than training that works. Online training is brilliant and absolutely has its place for some people, but others need something different. As soon as you start playing games with people and adding an element of competition then it changes the whole thing. When you are having fun, you are releasing dopamine, and when you are releasing dopamine, you are making memories.”

A CFO from one organisation who provided a review of the immersive training carried out by Porter at his company agrees: “Our team still talk about the immersive training a year after it happened. That really is training that sticks.”

The events run by OSP Cyber Academy have a competitive element too, which Porter says is great because when people are under pressure, they start to make mistakes as they would in the real world. “When you are immersed, you don’t necessarily check yourself to ensure you are doing the right thing, which is what happens in a busy workplace when people are distracted,” she adds.

Irene Coyle, Chief Operating Officer at OSP Cyber Academy, says training is important across the whole organisation because people are the biggest risk but also the biggest asset in data defence. “In any large organisation you have groups of people who will think they are too busy or who think they don’t need to know or already know everything about cyber security. It is an experience for them to come along and genuinely forget that they are in a training session.”

While immersive training might be offered to the whole organisation, perhaps at a teambuilding day, it is also possible just to target specific departments or people who have proven difficult to engage in traditional classroom-style or online self-study training.

“If you are responsible for cyber security training in your organisation, I would suggest that you need to think about who your higher risk people are,” Porter explains, “There are going to be teams and departments who have access to higher risk personal data, such as your HR teams and your finance teams. They are people who need to be trained because they will be targeted repeatedly and the more you can reinforce that learning the better. The other important groups are your high-profile people such as your councillors. They are very busy and are going to be targeted by cyber attackers routinely.”

Both Porter and Coyle agree that sometimes, despite common belief, it might be the younger people in an organisation who are more likely to click on a phishing link or accidentally download a virus, partly because they may think they know it all already, but also because cyber-attacks are getting increasingly sophisticated and difficult to spot.

Offering regular training in different formats is key to ensuring learning is consistently reinforced.

“There might be online training once a year with a cyber security fun day once a year and a cyber security awareness week. Immersive training needs to be part of a whole programme. It is like going to the gym, you can’t expect to be fit if you go to the gym once a year or just buy a gym membership – that doesn’t work. You have to keep exercising the muscle. Immersive training is a tool you can use to keep that muscle flexed,” Porter adds.

The CCoE can offer a range of options to suit any organisation’s size and level of cyber security maturity, including training in-house trainers to facilitate them running immersive training exercises themselves. “We can supply the kit for them to do that. There are a variety of different offers from the CCoE to fit requirements,” explains Coyle.

The CCoE will be offering some of its contacts the chance to experience an immersive training session soon to find out more about how it works and what it involves. If you would like to find out more about the immersive training in the meantime, please contact Vanessa Porter using the details below.

• Find out more about Immersive Training by requesting a meeting with Vanessa Porter here: https://calendly.com/vanessa-mua/immersivetraining-demo?month=2024-05

Get physical to get cyber protected

The physical element of protecting data has been recognised by UK Government recently with the launch of a consultation on proposed regulations relating to the security of data centres. While local authorities and public bodies might not be classed as data centres themselves, they may use one, and this proposed regulation highlights the increasingly recognised need to protect against disruption to data from cyber attacks but also from physical threats.

Physical security (i.e. fences, gates, barriers, doors, locks and windows), technical security (i.e. CCTV and access control) and manned security (i.e. security personnel) are not routinely thought of as relating to cyber security, but they should all be integrated under one umbrella alongside data and cyber security and overseen by someone such as the Chief Executive.

At the Subrosa Group, one of the services we offer is to advise and assess integrated security solutions, which means looking at data and cyber security in conjunction with technical, physical, and manned security. Protecting data starts right at the roadside with perimeters and access control. You must have all the elements to have a holistic approach which we call defence in depth. The more barriers you have in place before you get to a critical asset, such as a server, the better.

If you have strong cyber security, but your technical, physical, and manned security is weak then someone could come in and put a USB stick into a computer and get the same rewards as if they hack you. A devastating attack on energy company Aramco, which is believed to have partially wiped out or destroyed 35,000 computers, has been reported as being caused by an infected USB stick. While USB sticks are less widely used now, it is still important to consider who has access to what. These days bring your own device is more of a concern, making it important to know who is accessing your networks and to ensure you provide separate guest logins and a segregated network for employees’ personal devices.

Also important is for all staff to be trained in cyber security, including security personnel. The person on the gate might be emailed a list of who is attending the site that day. If someone understands that this happens every day and wants to send some targeted malware out, they could send an email which looks like the daily list of people to the gate controller. An untrained staff member is more likely to open a suspicious email than one who is aware of the risks and can spot the signs.

Let me finish with this thought: when did your organisation last have an independent audit carried out on its integrated security solutions, if ever? The Cyber Centre of Excellence can put you in touch with us at the Subrosa Group. We start with a risk assessment, carry out a full security audit, write a report and provide a to-do list to help bring you up to the right standard. Ultimately, integrating physical, technical, and manned security with data and cyber security is the most cost-effective solution and provides the best protection.

Niall Burns is the Chief Executive Officer at Subrosa Group, a specialist risk mitigation, business intelligence and loss prevention company. He also sits on the Advisory Board of the Cyber Centre of Excellence (CCoE), an organisation set up to act as a one-stopshop to assist local government members through their cyber security journey.
