By Dr Guy Bunker.
Last week I spoke at the Cheltenham Science Festival, specifically at the Cyber Security Day. I’ve never spoken at a festival before – and the real difference between a conference and a festival is the eclectic audience that goes to a festival. It was a great day and started with the launch of the new schools Cyber Security Challenge. This is partly to raise awareness, but more importantly to start to address the skills gap, bringing new people into the cyber-security arena and helping them onto a career path with it. I also met with some of the young people who have been involved with raising cyber-security awareness – especially at their school, The Chase School, Malvern. They had produced a card for all the pupils in their school – wise words to everyone who uses the internet, not just those at school (www.cyberhygiene.co.uk). They will make great ambassadors for cyber-security and hopefully will also end up with cyber as a career.
My session was on explaining some of the buzzwords and terms which flow all too easily when you are in the security world; if you aren’t, then providing some clarity around what they mean is important. So I talked about phishing in all its guises, including spear phishing, whaling and minnowing, as well as covering pharming, watering holes and other popular terms. My session also talked about recognising a potential attack and the consequences should it be successful. I also touched on examples of how cyber-crime has evolved over time; the black-hats trying their best to outrun the white-hats. It finished off with some easy steps to follow to help the audience avoid becoming victims.
The sessions following mine were equally diverse, covering insuring against data loss, some of the popular attacks against BYOD, and research in academia into cyber. Finally there were talks by CESG/GCHQ and PA demonstrating some of the guidelines and new proposed standards. The day finished up with a lively panel discussion.
If there was one message which I think every speaker talked about, it was awareness, or rather the lack of awareness, particularly around the consequences of user actions. If we are to become a more security-conscious culture we need to improve awareness of threats and risks, and help people recognise attacks, whether they are phishing or through social media (Zeus is on the rise once more…) or any other route. The easiest way to do this is through examples. On the day that I spoke there were several cyber stories in the mainstream press: the fine from the ICO to Glasgow council, the breaking of the Citadel-based botnets and another story on the scam phone calls claiming to be from Microsoft with ‘you have a virus’. So we are not short of examples to share with our family, friends and colleagues – all useful to raise awareness. Of course awareness is not the only action required; technology solutions are needed as well, but if we can start to change the way that people think, then collectively we may just give cyber-criminals a run for their money.
In the meantime, for those who are even vaguely cyber inclined, do register for the Cyber Security Challenge; it looks like it will be great fun – and could lead to a whole new career. Just look at the first winner.