Will A Cyber Attack Happen? Why, yes!

I give talks in many countries and cities, but it is in Edinburgh and Glasgow that I often get the most engaging and open audiences. In these cities, you see registrations move quickly to “sold-out”, and those attending are open to debate and discussion.

And so, today, against blue skies and a calming warm wind, I was off to Dynamic Earth (which is a stone’s throw from the Scottish Parliament building) for CyberScot19:

But it was an easier role than normal, as I could have a bit of fun being on the other side of a panel, and just chairing it:

I had no slides to prepare. I had no challenging statements to make. No live demos. Just a chance to grill a couple of experts.

And so I opened up by asking our expert audience whether they thought that a major cyber attack would hit the UK in the next few years, and it was not good news:

And how robust is Scotland against it … possibly not enough at the current time …

Ouch! Not good news for all those who depend on Internet-based services … such as health, social care, tax gathering (well, maybe not that one!), and education. And what’s the greatest threat to the public sector? Well, data leakage and ransomware will keep many of our government leaders awake at night:

And so we polled the expert audience as to the questions that they wanted to ask our experts … “Has enough money been invested into the critical national infrastructure of Scotland?” … answer from experts … “Mmmm … we need to balance things” … difficult to get a definitive answer from the expert panel.

And then our expert audience wanted to ask our expert panel … “Does the public sector know where its key risks are?”

It was close, but our expert audience wanted to know … “Does the public sector in Scotland really understand how to encrypt citizen data?” and “Does the public sector have good plans for sharing across sectors but keep secure?” … Answer: “Well, bits and pieces …”

Encryption, to me, should be the starting point in protecting citizen data, and the public sector should be leading the way in this … and not saying “Each agency can set their own standard, and decide for themselves”. If we want citizen trust in government services, we need all government agencies to respect data in the same way that they respect the citizen’s rights to be treated in a fair and honest way … “I am my data!”.

And then we opened it up to the audience. First up was a nice and loaded question from the expert audience for an expert panel … “Why is the Scottish Government security incident response framework quite so complicated?” … I wouldn’t like to get that one if I was the one responsible for it …

And the answer … “Well, wait for the new alpha release … it will be much better”.

And so … “Is holding ISO27001 accreditation and/or Cyber Essentials enough to protect against attacks?” … quick answer … “No! … watch those pesky insiders, too.”

An interesting question was: “Should organisations move away from the standard periodic pen test and move towards red teaming to fully assess the security of the organisation?” … and the quick answer is … “Yes!”

And the last question to the panel, “What’s your favourite city in the World?” … and both responded with “Edinburgh, of course”. And the sun smiled a big smile over Arthur’s Seat …

Conclusions

Thank you to Holyrood Events for the invite to sit on the other side of a panel, and ask a few probing questions. We need to rebuild our digital world, and put the citizen and their rights at the core. We live in a 20th Century digital world, and now need to build one fit for our next generation. Our current digital world is riddled with flaws, and we cannot just patch these anymore. We can trust little in our digital world, and this needs to change.

— Old World Breaker, New World Creator