Ep13: Protecting your business online

D. I. Ross Brown, South West Cyber Resilience Centre

These days, we increasingly rely on internet-connected devices at work, in our businesses and our personal lives. And with that comes the issue of cybercrime, our vulnerability to it and the importance of protecting your business online.

Attackers continue to take advantage of both individuals and businesses. In 2020/21, more than 85% of UK businesses were subject to a successful attack, costing an average of just over £8,000.

But what can we do to protect ourselves?

Our host discusses protecting your business online with Detective Inspector Ross Brown, head of cyber and innovation at the South West Cyber Resilience Centre. 

Set up in October 2020 and led by serving police officers, SWCRC’s mission is to help small businesses and charities protect themselves from cybercrime.  

Packed with practical tips and advice for staying safe online, along with details of joining SWCRC for free, this is a must-listen for any small business. 

You can find out more about the work that SWCRC does and sign up for free membership at https://www.swcrc.co.uk

We hope you enjoy this episode. Get in touch for more information on how we can support your business start-up journey. 

Announcer (00:01):

Welcome to the Outset Podcast, the business startup podcast from Outset Cornwall for support and inspiration to start, run and grow your business. Here’s your host Rich Gunton.

Rich Gunton (00:15):

Hello, and yes, welcome to our latest edition to the series today. On the Outset Podcast we’re talking all things cyber security with Detective Inspector Ross Brown, head of cyber and innovation at the Cyber Resilience Center for the Southwest. And if you’re listening to this and you want to have a look at the website while you’re listening, you can; it’s at www.swcrc.co.uk

Ross. Good morning. Welcome.

D.I. Brown (00:44):

Good morning, Rich. Thanks very much for inviting me. I’m really pleased to be here.

Rich Gunton (00:48):

Is, is calling you Ross a bit informal or is that okay?

D.I. Brown (00:51):

No, Ross is good because we are a, a, a limited, not-for-profit business, although I’m still a serving police officer. We are now working in a business environment and I, I have to say actually the, the police ranks almost become slightly immaterial. So no, Ross is absolutely fine.

Rich Gunton (01:07):

As recent as March 2021 (this is taken from the gov.uk website), four in 10 businesses, so 39%, and a quarter of charities, apparently 26%, report having cyber security breaches or attacks in the last 12 months. And then looking over to the US, which I guess we follow to some extent, in the year of 2020, 1,001 cases against the United States, but in the same year, over 155 million individuals were affected by data exposures. And, and that type of thing. So it’s, it’s big business, isn’t it, Ross?

D.I. Brown (01:47):

Yes. Huge. And, and I certainly wouldn’t disagree with any of those figures. The only thing I would say, Rich, is cybercrime is massively under-reported, so it may even be higher than that. And it is it’s, it’s huge business and, and clearly there are a number of nations who would appear to allow cyber criminals to operate with impunity from within those nation states, apparently with a caveat that if you, if you don’t touch the, the home country, you can do pretty much whatever else you want across the rest of the world.

Rich Gunton (02:17):

Well, whenever I suppose now, when we visit any websites, we have to accept the cookies or, or not. That seems to be kind of a, a new part of our life. But I suppose, you know, when we think about cyber security and your work at the cyber security center, there’s a lot more to it. So where do we start? How, how would you explain what the cyber security center is and, and, and how you can help?

D.I. Brown (02:40):

Well, what we are, as I say, we’re, we’re a, a, a limited not-for-profit company, which is unusual for police officers to form. And we are part of a national program that’s been rolled out over the last sort of 18 months or so, and we are here to augment current crime assets. And I think what it’s probably seen is if we can stop businesses, and we do operate purely for businesses, so, so we’re not for the private individual, but if we can stop businesses becoming victims of cyber crime, it’s a huge win situation for everybody because in terms of the, the losses both nationally and internationally, you know, the, the, the sums of money are eye-watering. And not only that, there are certain companies, particularly smaller and medium-sized enterprises, that potentially wouldn’t survive a cyber attack. So if we can give people advice, which we can hand out free, they can become a free core member, and we provide them with all the products provided by the National Cyber Security Centre to help them stay safe online. If they apply those products they can, they can make themselves much safer and therefore make the likelihood of them being attacked much, much less likely. But as I say, it’s a huge thing. We are really encouraging businesses to join us, use the products, therefore safeguard their businesses.

Rich Gunton (03:56):

I think it’s, it’s really interesting. I’ve, I’ve been involved in the Outset program for, well, well, over a decade, pushing 12 years now. And to the best of my knowledge in the initial stages of, you know, discovering what it is that our clients want to do as a, as a business and become self-employed, whether they’re, you know, going to be a dog walker or a digital marketing agency, or a, or a cleaner, or they’ve got some holiday lets; every single one of those businesses will come through our, our program, which is fully funded. And we talk about putting together, you know, a feasibility study or certainly as we move towards a business plan. And I think that now within that business plan and within the content of, of material of organizations like us, absolutely front and center needs to be the conversation about cybersecurity, doesn’t it? Because none, none of us are doing a business that doesn’t involve some level of being online.

D.I. Brown (04:54):

No, and, and that’s absolutely right, as you say, it’s got to be absolutely front and center. Everything has to be considered in, in every business decision that people are taking. That’s why we have the free core membership. And we also have a series of webinars, which we held a couple of months ago. But they explain each and every one of the products that we offer. And we posted them onto our website details, which you obviously, you’ve already given, let’s certain on startup and certainly on the size and sector of the business, it makes absolutely no difference. There are always details that other people will be prepared to pay for or, or to get by for some criminal purpose. If, if it’s not just for the criminal purpose, it’s also to sometimes to destabilize the business, certainly during COVID, we’ve seen a rise in ransomware as a service where you can go online onto dark web and effectively get a tutorial on how to commit a cyber-attack on a business.

Rich Gunton (05:55):

I suppose that’s something for us to be aware of. What does one of those sort of ransom things look like? Does your computer all of a sudden, just completely crash and then up comes a message saying, you know, you’re being taken over type scenario, is it, is it as dramatic as that?

D.I. Brown (06:10):

It does tend to be quite dramatic and, and there are a number of sort of different scenarios that are played out during the ransomware attack. Most common is just a bombardment of sort of junk emails, which effectively clogs the system and, and makes it pretty much unusable. There are a number of different things. You know, there’s a total loss of service, the clogging up of the service. But it’s very noticeable.

Rich Gunton (06:37):

So we’re talking to Detective Inspector, Ross Brown, head of cyber and innovation. You can find out more www.swcrc.co.uk.

So we touched on it before there, you’re a not-for-profit organization. I mean, how are you different from other cyber security organizations? ’Cause when I was doing a bit of a, a Google and other search engines are available, up come quite a lot of what seemed to be adverts and therefore I would think private profit-making cyber security agency software, et cetera. What makes you different from them? And what should we be aware of?

D.I. Brown (07:12):

Well I think sometimes the marketplace can be quite a confusing area to find yourself in, particularly if you’re not sort of overly cyber savvy or computer savvy. I think where we differ is we are a police-led organization. We are funded by the Home Office. We are not here to make money out of anybody. What we’re here to do is to try and keep businesses here in the Southwest much safer online and to maintain their integrity; that’s how we differ. We operate with a series of what we call trusted partners. And they are a series of currently eight cybersecurity businesses that operate here in the Southwest. And they are approved by a group called IA who are the information assurance, small and medium enterprise scheme, government backed, approve these trusted partners to provide Cyber Essentials and Cyber Essentials Plus, which is sort of base level cyber security qualifications, if you like, which prove to both customers and suppliers of organizations that choose to undertake Cyber Essentials and Cyber Essentials Plus that actually they’re taking cybersecurity seriously. They’re quite real demonstrating to others that actually, you know, they’re taking care of their data and they’re taking care of other people’s data. I suppose, in essence, then to, to summarize, we are police led, we talk plain English and we give you good sound advice, which emanates from the government.

Rich Gunton (08:35):

In terms of those that you are hoping to help then, you mentioned that it’s not in the, it is obviously businesses, whether we’re a sole trader business or a limited company, or even indeed, looking at those statistics, charities and not-for-profit organizations are still under attack, if you like, within the UK: 26% in the year ending March this year. So everybody needs to be vigilant and aware. And as a small startup business that our Outset clients usually are, it’s not only obviously keeping ourselves and our business safe, but that of the data that we’re collecting in any way, shape or form, be it a phone number or an email address or any information that’s filled out on a web form, et cetera, that’s stored of our client base as well.

D.I. Brown (09:17):

Absolutely. And I think you hit the nail on the head there, Rich, you know, it is holding other people’s data safe. You know, you’ve got people’s credit card details, you know, even if you don’t have that many customers, actually, if you start releasing that, that has the potential to destabilize your business because you’re not looking after other people’s data. And, like I’ve already said, you may be part of a supply chain. So you may be supplying, you know, a much larger firm. And actually their cyber defenses are really good because they have the IT department, they have the, the financial backing to make sure that their cybersecurity is good. But actually because you are supplying the larger company and your cybersecurity isn’t as effective, isn’t as robust, actually you are quite a good way in to get to the supplier. So as I say, by demonstrating that you have good cybersecurity it must improve your business and must safeguard your business as well.

Rich Gunton (10:14):

So I’m having a look at your website swcrc.uk. And there’s obviously about you and, and the services and, and a tab on cyber essentials. You spoke about a free membership. What, what does that involve then? How can we, how can someone get in, in touch and, and benefit from the services that you, that you offer?

D.I. Brown (10:33):

If you go to the membership page on our website there are in fact four memberships that we offer. The first one is the free membership, which I’ve been talking about today. There are also three other memberships which offer paid services. So when a, a new member joins we either speak to them or we send them an email, whichever method of contact they prefer, to find out actually why they’ve joined us. And if there’s some cyber issue then we can signpost them to some of the, the paid memberships, although that’s not the, the, the, the sole reason for us being there, but it may well be that they, they do actually need some help with their cybersecurity. We also offer what we term student services, whereby we’ve recruited students from the University of the West of England and Plymouth who are strictly mentored, really well trained, about going into firms and businesses to give cybersecurity advice on a, on its sort of a one-off basis.

D.I. Brown (11:32):

It’s considerably cheaper than the market equivalent, but it’s probably only available on a sort of a one-off situation. But anyway, going back to free core membership, we provide a series of, as I say, National Cyber Security Centre free tools; we provide the 10 Steps cyber guidance. We also provide the cyber recovery plan, which talks about what you should do in terms of if you are attacked and, more importantly, in the aftermath of the attack, how you actually manage that. It provides you with a board toolkit, which discusses how to bring cyber front and center into any discussions.

Rich Gunton (12:10):

So on, on your website, I’ll say it again, swcrc.co.uk, and we click on the membership tab. And as you rightly say there, Ross, there’s obviously the free membership, and then there’s three different pay-for memberships. One of which is, I think that’s what, 500 pounds a year at the moment with use of the, of the logo on your website, right? Which I suppose that will give a level of reassurance to the consumer from the business in terms of the fact that those steps are in place, ready to protect their information and details. You mentioned about the 10 steps to cyber security which is included in the free membership. I don’t want to test you, but what are some of those steps that we perhaps should be aware of?

D.I. Brown (12:55):

The steps are not overly difficult. And, and I say that as someone who’s come late to cyber, and they really genuinely aren’t, but there are things like staff training, making sure that your staff can tell when they’re being subject of a phishing attack, to make sure that actually, should they become subject of a phishing attack, what to do: say, tell someone, alert someone to the, the fact that this is happening. And it’s also about making sure that you update your system. It also says about, you know, making sure that you patch individual vulnerabilities within your systems and where to find those patches and how to do it. It also speaks about having strong passwords, not sharing passwords. And I know some of the large cyber attacks that have been in the news recently. And I do believe from memory, the Colonial Pipeline attack has been traced to a poor password. So make sure that you have good password management.

Rich Gunton (13:55):

I was just going to say, Ross, you know, on the password. I think that’s a, I remember, I think it was, must have been Chris Evans perhaps on the, on the radio a week or two ago. And there was a whole conversation on passwords and how so many passwords are still password 1, 2, 3, or, or whatever, ridiculous. But, you know, we can be forgiven to some extent using those because every single thing we sign up for, be it, you know, if we’re, as we’re starting up a business and we we’ve got our email account and we are buying a domain name, perhaps, and then we’re opening up a, I don’t know, maybe a Google account or, or whatever. There are so many passwords required for almost every single walk of life. And whether it be on our smartphone or work on our computer, trying to keep track and remembering all of those passwords is, is like a full-time job in its own right. Ross, I mean, is there anything that we should be aware of? Obviously we don’t use password 1, 2, 3.

D.I. Brown (14:50):

I can never forgive people who use password 1, 2, 3, but anyway, we’ll move on from there. Yeah, there are, you know, don’t use anything that’s obvious: don’t use football teams, don’t use your pet’s names, your kids’ names. And actually there are a number of things on the market that you can use. Password managers, for instance, they are really useful because they can generate passwords and install them for you as well. You can use the web browsers when you’re given the opportunity to save the passwords in the web browser, that’s another good way of doing it. Actually, good old sort of steam-driven way of doing things, you can even write them down in a book, as long as you keep that secure. And that, I suppose that’s the kind of watchword with passwords. As long as it’s secure, you can use three random words, use all sorts of bits and pieces, but whatever way you use your passwords, please don’t ever use the same password for everything, because obviously if you get it compromised in one place, and whether it be on the, you know, the, the new doorbell that you’ve got, that you can talk to people over, or the fact you could control your washing machine from your mobile phone, that internet of things tends to be the weaker end of the market. And I don’t say that as a broad brush stroke, but it does tend to be that way. And therefore, if you compromise your password on something like that, and you’ve used the same password across all your other systems, you can just be sort of rolled up like a carpet effectively. So, do use different passwords and do keep them secure. And as I say, there are a number of ways that you can keep them secure, even if it’s only writing them down in a notebook and keeping that under lock and key.

Rich Gunton (16:23):

As you say, using the same password across different accounts and different mediums, whereby some of those may well not be as secure as the banks, for instance, or the other areas that save our memorable information, as it, as it were. And then as we’re thinking about this on the Outset Podcast, as a business ourselves and collecting information, and maybe we’ve got client login details that are part of what we do as a business, maybe say we’re, for instance, a web designer and, and, and we’ve got an account set up on a platform that we’re sharing with the clients to get their website up and running, et cetera. There needs to be a little bit of responsibility that we take as a business owner to make sure that our client isn’t sharing the password that they use on all the other devices within their home and life with us. Because then, if we’re hacked as a business, that has a knock-on effect to, to the customer and all of their other avenues of life, doesn’t it, which I suppose comes right back to the, to the start, as we said about not using an easy password and not using the same password for multiple logins.

D.I. Brown (17:31):

I think anything that you can do that will make it secure, you will, you know, make up some sort of personal code that you will always remember, that that’s fine, as long as it’s not obvious. And as long as you keep your password secure, I mean, effectively, what you are doing is, is you are doing the same as a password manager only, you know, without doing it electronically.

Rich Gunton (17:53):

We’re talking to Detective Inspector Ross Brown, head of cyber and innovation at the Cyber Resilience Center for the Southwest; www.swcrc.co.uk is the website. We’ve talked about who the cyber security center are, and what you do and, and how you work and who you’re hoping to help, and the free membership and services that are provided. And we obviously visit your website to be able to join up on the membership tab, at www.swcrc.co.uk. You mentioned earlier there’s some resources that we can look into in terms of webinars and, and those sorts of things.

D.I. Brown (18:31):

It’s all available on the website, Rich. If you go to the news page and have a scroll through there, we’ve got back copies of our newsletter. We’ve got webinars that we’ve already had. So we’ve got four webinars on there plus updates and sort of interesting stories and case studies.

Rich Gunton (18:48):

We’ve spoken to Detective Inspector Ross Brown on the Outset Podcast about all things cyber security. So Ross, before we say goodbye and farewell, or as the French say, au revoir, any final sort of closing thoughts or, or reminders that we can, that we can be left with today for our Outset clients, as they walk through the early stages of starting up in business?

D.I. Brown (19:11):

I suppose it’s an impassioned plea, I guess: please, please join us as a free core member. It will cost you nothing. We’re not here to sell anything. We’re here to make sure that your business is safeguarded online. We’ll provide you with all the tools to make sure that you’re safer and you can operate your business effectively. And we will keep in touch with you. And if you ever have any issues then we are a trusted organization, we’re police led, that you can come to and you’ll get plain English advice and we’ll point you in the right direction.

Rich Gunton (19:47):

Absolutely great. So swcrc.co.uk, Detective Inspector Ross Brown of the Cyber Resilience Center for the Southwest. Thank you very much, indeed.

D.I. Brown (19:59):

Not at all, Rich. It was my pleasure.

Announcer (20:02):

Thanks for listening to the Outset Podcast, brought to you by the Outset Cornwall program, which is funded by the European Regional Development Fund, HM Government and the Outset Foundation, supporting people to become self-employed and start their own business. For more information, visit outset.org/cornwall.