AI for Business with BCN

Cyber Security Series, Episode 1

CMI


In the first episode of our Cyber Security series, our host, Peter Filitz is joined by BCN's Michael O'Neill, Managed Security Services Director and Simon Edwards, Head of Compliance at BCN.

This episode takes a look at the Cyber Security threat landscape and introduces our Cyber Security Pledge as well as introducing the BCN Cyber Security Journey. 

Thanks for listening!

Connect with us on LinkedIn or visit our website.

SPEAKER_01:

Hello and welcome to the BCN Podcast. I'm Peter Filitz and I work with businesses in helping them understand how IT and technology can better assist them with delivering on their business goals, stay ahead of the competition, and equip their staff with the necessary tools to be successful. This podcast series is all about keeping you up to date with the trends we're seeing in the IT and business technology space. We are here to educate you on everything that you need to know from a business technology perspective and provide a better understanding on how IT and technology can have a positive impact on your business. In this episode, we're taking a closer look at the cybersecurity journey businesses should be taking and if not, how to get on board. In today's interconnected world, cybersecurity is a concern we all share. And as the global threat increases, BCN is committed to doing our part to make the digital world a safer place for everyone. An attack against your business is not just an attack on you, it's an attack on your users, your stakeholders and your customers. While a data breach may leave your business open to regulatory fines, financial loss, and damage to your reputation with customers and suppliers, the impact on the data subject can be catastrophic. This is why we have created our cybersecurity pledge. With me today discussing this in more detail, I have Michael O'Neill, Managed Security Services Director here at BCN, and Simon Edwards, Head of Compliance. Gentlemen, thank you for joining me on today's chat. Let's start with you, Michael. Why don't you tell us a little more about yourself?

SPEAKER_02:

Hello, uh, yeah, Michael O'Neill. Uh as you said there, I'm the managed security services director, sometimes a bit of a mouthful. Yeah, I look after a group of people who are focused primarily on managed services around security, uh, which we're going to talk about today. I have too many years to think, but over 24 years in IT. And then the latter part of my career focused more and more on security, as it's a big problem in our area that we need to help people with.

SPEAKER_01:

Thanks, Michael, for that overview. That's great. And thanks again for sharing your time with us today. Simon, over to you. Why don't you tell us a little more about yourself?

SPEAKER_00:

Hi, Pete. Yeah, so Simon Edwards, I look after one of the security teams that comes under Mike, sort of specializing in Cyber Essentials and some other bits and bobs, which we'll obviously delve into.

SPEAKER_01:

Thanks, Simon. The cybersecurity journey, I referenced it in the opening conversation piece and understanding more around you know some key stats and how the landscape's changing and why essentially BCN has created this journey and the pledge to go with it. Michael, Simon, I'm gonna hand it over to you guys. Maybe, Michael, do you want to start and just sort of set the scene there?

SPEAKER_02:

Yeah, I mean, security is a big, big concern for everyone. So much so that BCN decided to carve it out and have its own area that specializes in many things we're hopefully gonna cover today, as opposed to our normal MSP sort of duties, which over the years would have incorporated elements of security for sure, but the attacks our clients are having require dedication, meaning require a team to focus on common areas to help our clients. There are many stats out there from the various vendors and other dedicated sites that collect these things. Infrastructure is the most common attacks still. Of course, cloud and SaaS is fast becoming the new target and identity management problems as well. One of the biggest growing areas of issue that leads to incidents and attacks is misconfiguration of cloud environments. We're all moving toward various cloud environments and SaaS solutions that are better, faster, quicker, but not always secure. And we also have other elements like shadow IT, where intentionally or not, um other businesses are adding services to cloud services, and in doing so, alleviating the problem in one area but introducing new security attack vectors for the bad actors, the hackers and such, which can go unnoticed for a long period of time. This is also why we encourage regular audits, and part of our journey, which we'll come on to later, you know, we encourage regular audits rather than just single audits. But the bad actors are coming up with incredibly devious, complex methods to gain footholds in your business and in your supply chain for that matter, and to laterally move with various techniques that we'll briefly mention, but they're quite technical, but DNS poisoning. And a fairly new one, which is an attack vector called quishing, I think I've pronounced it right, but it's QR code scanning.
Whereby QR codes, which you know we're all used to today, rather than having URLs for websites, point our camera at them, they go to what may look like a normal site or the site you're expecting, but you've entered details or or information that allows the attackers to use that information or that session information to attack you in some capacity, but also at the same time push you on to wherever you were wanting to go to, so you're none the wiser. So just be aware of any any QR scanning these days, guys. It's it's a growing vector. There are many other threats that we can get into, but man in the middle, obviously insider threats I mentioned recently, and zero-day threats, which are becoming more and more common whereby a product or service has a problem that's been identified and released to the public, so we can take action or mitigate action. But sometimes the curve to get that action completed or or fixed can be weeks, months, or otherwise, and the same information is exposed to the bad actors. So, yeah, there's quite a few other types of you know attacks, whether they be supply chain attacks, stealing your credentials, session hijacking, where your session is hijacked. So your session to 365, where your session to many other products are hijacked and they act as you, which obviously is very hard to track and diagnose.

SPEAKER_01:

So obviously, sophistication increasing of these um malicious uh gangs that are out there, and it's not only the sophistication, but from what we can see the volume. I mean, some of the key stats we've got listed there on our side. I can see in 2023 SMEs with under 200 employees are becoming increasingly targeted by ransomware gangs. So it's you know, it's not just the bigger businesses that we know for some time has been targeted, but it's everyone really.

SPEAKER_02:

There's many stats, but ultimately we see the problems and deal with the problems on our desk, large, medium, and small problems, and common ones that still prevail are technically called whaling, whereby you know, targeted, targeted phishing attacks attempt to identify CEOs or other execs and mimic those people so that you're confident that you're dealing with the CEO or other person and you transfer money. You'd think this doesn't happen, but it does, and we see it quite regularly. And simple things like reviewing your policies and your processes can alleviate that or at least add further delay, whereby you just phone and check, for example. You know, 13% of people pay ransomware, and again, there's no guarantees you get your keys or your data unlocked.

SPEAKER_00:

I sort of feel for the current day business owner. I was kind of at an MSP partner event last week, and it came up in conversation about going back over the years, you're sort of talking about your budgets and you're setting a budget aside for IT, and okay, the bigger kind of companies will be setting aside a specific budget around security. But of course, that's now becoming the norm for all businesses, irrelevant of your kind of size, because it's just it's a constant battle, the things are evolving, the landscape's changing all the time. And how does a small, medium-sized business keep up with that? It's just an incredible challenge. I mean, it's difficult enough for us as an MSP or the MSSPs to keep up with the trends and how the landscape changes. And so, you know, a small, medium-sized business, how are they supposed to be able to cope with that? How do they make sure that they have all the right systems and applications in place protecting themselves? And yes, okay, that is obviously where we come in, but it's still a challenge, I think, for businesses to understand and to know, okay, well, we know we need to think about security, we know we need to assign a budget towards security, but where do we start?

SPEAKER_01:

No, I think Simon, you hit the nail on the head there. You know, my job is very much engaging with a lot of new businesses and understanding their pain points and challenges where they are on their IT roadmap. And, you know, the one thing that is a continuous challenge is the changing landscape, specifically on the security front, because you know, you might have reviewed it today, and in three months, what you thought you had in place was adequate is now outdated. And it is an ongoing process that you need to undertake for ensuring your business, your staff, your clients, your data is adequately protected. And, you know, we've seen also tough regulation come in from the UK insurers and underwriters because you know they've been uh hit hard, where businesses have obviously not met the criteria for adequately protecting their data and the insurers have have had to pay out. Mike, following on then from what Simon saw last week at the event he went to, why don't you give us uh an overview on the sort of proactive and reactive steps and and measures we're looking at for helping businesses on this cybersecurity journey?

SPEAKER_02:

Yeah, Simon makes a good point. You know, it's it's tough, it's tough for everyone to keep up, you know, us included, but you know, that's what we aim to do. And to that aim, we're we're developing a sort of roadmap for clients, you know. It's not exactly linear, but a general roadmap for clients that that we can engage with and work with clients on. You know, we've broken it down. You may have heard of the various frameworks like NIST and CIS and probably others, but they're complicated beasts, and we're trying to simplify those down. Um we've broken it into four areas. You know, I'll do a quicker review of the four. Largely what we talk about later will be the first two, but we break it down into reactive, proactive, managed, and embedded. From a reactive stage, the business has limited security posture, relies primarily on reactive measures, basic AV, basic firewalls, items we would have had quite a few years ago. We haven't really adapted or updated. Security is typically addressed ad hocly and is seen as an overhead or a problem area. Um proactive, you know, we're we're moving on a bit. We're taking a bit more of a proactive approach to security, implementing basic security measures like more advanced AV and MDR solutions and more advanced firewall solutions. We're possibly taking assessments every so often, maybe once a year. You know, we're encouraging employee security training as well. That's a bit more proactive. Managed is work we're taking it very seriously. We have many security measures. You know, we might even be adhering to ISOs, specifically 27001 and/or other. We have monitoring tools, we have incident response plans, and security is is positive in the business, and again we have regular assessments. Embedded is the top. This is where you know security is very mature in the business, it's integrated to all aspects of the business by a security by design type model where anything in the business is is referenced to security first. 
Security is viewed as a business enabler with a positive outlook, and many processes and controls, and the security is aligned to the business goals and objectives and growth. So they're there are the four main areas, and you know, we aim to assess essentially first where clients are on this and provide a roadmap of marks to hit before you can move up the chain, if you like, to the embedded section. Um, we also have a baseline of our own whereby again it's a bit more toward the proactive and managed side. You know, we know every business can't afford or doesn't have the time or effort just now, but we can take you on that journey toward it if that's your goal. And one of the first steps is an area that Simon looks after.

SPEAKER_00:

Cyber Essentials is a good kind of place to start. For us, it's not really necessarily about the client having the certificate. Okay, the client may require the certificate for you know tenders and client relationships and things like that, but for us, it's more of a measure as to ensure that that client has the relative controls in place. So whether that's the basic kind of things like MFA and security awareness training and things like that.

SPEAKER_02:

Just a bit more about Cyber Essentials in case it wasn't familiar to people, you know, it's a UK government-backed scheme to overall improve you know your cyber posture. It's distributed or managed by an organization called IASME. And again, there's over 132,000 UK businesses have achieved CE by the last stats there were May 23. So it's growing year on year if you look at the stats. So it is, as we say, our basic principle and where we're trying to drive and encourage clients to be because it's a great help to them. Again, as Simon says, it's a good first step and look favourably upon you know uh cyber insurance when you go to renew. And it's a point to mention, actually, you know, to make sure consider cyber insurance. It's a wee bit more difficult to get these days and a bit harder to maintain in certain industries. We of course can help with that, but make sure you've got your own specific cyber insurance rather than cyber insurance wrapped up in other policies because sometimes there's caveats in those policies.

SPEAKER_00:

Again, you know, we talk about stats, and I think it's something like 80% of attacks are eradicated by having cyber essentials in place. So just having the controls, those five controls that Cyber Essentials requires will eliminate a huge chunk of any chance of being attacked maliciously. And so actually, it's it's just a good baseline, it's a good measure. So that's kind of what we're really trying to promote, you know, with our client base is to get that in place, and then you can sort of start tweaking and add adding other relevant services for your business.

SPEAKER_01:

That's great. Thanks, I mean. That you know, that echoes what we're seeing uh across the industry, you know, more and more insurers, regulators, even clients for that matter, want to see businesses taking a proactive approach in essentially safeguarding their data and the business by implementing, you know, some sort of standards and best practices.

SPEAKER_00:

That goes back to what we were saying earlier in the conversation, doesn't it, about that kind of ever-changing landscape. Again, you go back a few years, cyber insurance wasn't really a thing. It was just kind of covered under your general, you know, business cover. Whereas now, you know, it's out there, but now what we're seeing is from the cyber insurance perspective, the requirements are constantly kind of increasing all the time. Cyber essentials in itself is changing frequently as well, and the requirements needed to be in place for cyber essentials is getting more and more difficult the time, but they both kind of align, but they're not increasing the difficulty or the requirements just because they feel like it, they're doing it because it's a necessity and how things are going that way. And and just having insurance or cyber essentials kind of isn't enough these days because a lot of insurers are now requiring annual pen tests, they're requiring, you know, vulnerability scanning and a and a kind of managed remediation service around that as well. So it's it's only going one way ultimately, isn't it?

SPEAKER_01:

So true. And Simon, am I right in saying there there are basically two options for attaining your cyber essentials certification? There's the Cyber Essentials and then there's Cyber Essentials Plus. Could you talk us through briefly what the difference is between the two?

SPEAKER_00:

So, how we do it is we would review a client's environment to first get an idea of, you know, if they were to go through the cyber essentials kind of process, how far off the mark they would be. So then that enables us to be able to, I say, do the review. We can address those kind of remedials because we obviously know the cyber essentials and the kind of requirements so well now. And then we can obviously kick off a the CE process. Now, with the CE process, there's as sort of mentioned earlier, there's there's kind of five controls. The idea is that those five controls are kind of covering the entire environment. So whether that's from a technical perspective or a policy kind of process perspective, you know, it's not just about do you have a firewall in place, do you have MFA in place, but it's also about okay, well, do you have IT usage kind of policies and bring your own device policies in place and things like that? As we know, obviously security isn't just about the technology, but it's about the people who use in the system and the data as well. The main kind of difference really between the basic kind of CE and the CE plus is just that it's the CE is the self-assessment, whereas the plus is assessed by an accredited assessor.

SPEAKER_01:

So the difference is that you know the CE, as you say, it's an independent self-assessment, and the CE plus is getting a third party or an external ratified person to double check and make sure that what you say you have in place is in fact in place. Otherwise, it defeats the purpose of the certification.

SPEAKER_00:

We're sort of currently going through the the Cyber Essentials advisor scheme as well. To be sort of on the IASME website listed as a Cyber Essentials qualified assessor, there's actually an exam and everything that you have to go through. So we're sort of going through that process at the moment so that we're in the best possible place to be able to advise clients on their security posture. That program is fairly new.

SPEAKER_02:

You know, it's a next step for us to evolve into. It's rigorous, you know, the exam is up to three and a half hours long. It's a great badge of honour to have, personally, you know, but also for the business, because you know, it shows that aptitude and that approval from IASME, the body, to go ahead and educate and talk to clients about the overall Cyber Essentials process and the evolution of it.

SPEAKER_00:

Yeah, I think putting ourselves in a position where we're sort of qualified advisors, we're qualified assessors, we're putting ourselves in the best possible position to be able to advise and help clients where we can.

SPEAKER_01:

And and that's key, you know, being a partner to the businesses we work with, it's important that we have an intimate understanding and knowledge of their business and and thus be in a better position to advise on what they need from an IT and technology perspective to achieve what they set out to do. But correct me if I'm wrong, Michael and Simon. I mean, we as a business have to some degree been fulfilling that role over many years. I guess it's now getting to a point where you can get a formal badge and a certification that is essentially rubber stamped by a recognized security body. Because I know that is a role we've been playing for many businesses over the years is being that sort of trusted advisor around the technology and business IT solutions space.

SPEAKER_00:

So I think it's one thing, you know, being able to achieve Cyber Essentials. But if you take security seriously, then it's not just about the certificate, is it? You want to ensure that you've got those controls in place and you are sort of taking the necessary steps. But actually, that sort of continual kind of process. So you want to be compliant all year round, not just a once a year kind of thing. So we've kind of been putting together a managed service for that because you can bet your bottom dollar that that one account, that user account that had an issue and it went to I don't know, IT and MFA got disabled or whatever it was, you can be sure that that's the one account that's going to get compromised. So unless you kind of got something in place that keeps an eye on that all the time, all year round, it's just a ticking time bomb. So we're working to deliver a managed service that will monitor and report and alert, and we can remediate that as soon as we find anything that falls out of compliance with the likes of CE.

SPEAKER_01:

Yeah, and and and I think that goes back to what you said earlier, right? It's no longer a tick box exercise. It's, you know, yes, it's it's nice to have the CE accreditation, and yes, your suppliers and your insurers want it, but at the end of the day, the reason they want it is because those controls mitigate the security threats. And it is so important that you stay on top of those controls all the time to make sure they are enforced from top to bottom. Because a lot of the security starts with the user, with the business, their processes and procedures. Whilst, yes, from an IT perspective, we can put a lot of measures in place to mitigate external breaches, etc., it is so important that it is sort of encompassed in the business values and culture, so to speak.

SPEAKER_00:

And that's why, you know, we're adding other services as well. You know, we've got like the vulnerability scanning and remediation. It's all of those kind of things that we can do all year round. We can monitor. It's being able to pick those issues up before they're an issue, if that makes sense.

SPEAKER_01:

And identifying any potential threat early on. As Mike alluded to earlier, a lot of the cybersecurity breaches only come to light, you know, weeks or months even down the line that the business network has been infiltrated. So making sure you have those proactive measures in place is so important. You know, gone are the days, as Mike said, where you could just rely on simple antivirus and firewalls, you need a proactive approach to really stay on top of it. That's really been great, gentlemen. Thank you so much for giving us a detailed overview. Is there any last thoughts you you guys want to share with with the audience? Obviously, this is the first episode in a few that we've got coming up around the security services. Mike, any parting words?

SPEAKER_02:

I was thinking, you know, when we're thinking about the topic of the podcast, um, you know, if we could leave the listeners with five basic things that maybe they should consider. And it's very difficult because, you know, five, there's ten, there's fifteen, you know, distilling it down to five was quite difficult for me. And apart from assessing your environment on a regular basis, which I'm considering that a norm and not part of the five, my top five would be you know, to educate your staff and check on policies. We see it unbelievably still happening, whereby someone has paid money to an external person that has been, you know, it's been a scam. With a simple phone call and check of money going out, you can eliminate that. We still see it not happening. And to say they can be very devious and can send emails back and forward and may have been infiltrating your network already for a long period of time, building this scam up. So make that phone call, make that check. Um, that's a big one. Of course, achieve CE and/or CE Plus because it's sort of a cheat and encompasses quite a lot of other areas that Simon mentioned. Pay attention to software and hardware updating. You know, again, it's a major tactic that if something's not updated, and this could be a printer, we've seen incidents where printer software has been out of date and it's been used to do bounce things, store things that can be undetectable in the network are very hard to detect. So get those pieces of hardware and software updated and schedule. And as Simon mentioned, continuously doing updating, encrypt data where possible, including backups. You know, one of the biggest areas for fines and problem areas with whatever body you may report to is being fined for uh personal identifiable information out there on the internet, credit cards, names, addresses, things like that. Encrypt it where possible. Test your backup and DR plans regularly.
We have seen many situations where it's just not been right and hasn't been tested properly. We've got green text to say the backup's working, but there's something wrong. It needs properly tested. And that's why that's tough for five, because obviously MFA needs to be in there. Um, but I'm using a bit of a cheat code. If you get CE or CE Plus, it sort of encompasses that. But it's important to point out. So they're my top loosely top five things you should do. And if you're struggling in any of those areas, come and speak to us.

SPEAKER_01:

Excellent. Thanks, Mike, for those words of wisdom. Very pertinent and relevant to what we're seeing out there. Simon, any thoughts, any advice?

SPEAKER_00:

Yeah, I think just to kind of echo what we were saying, really, I think we've sort of mentioned that cyber essentials might not be for every business, but I think it's important to take away and review the controls that are part of cyber essentials. And again, you don't need to go for cyber essentials, but we talked about the users and things like that. They're always the weakest link. So having security awareness in place, taking it seriously.

SPEAKER_01:

Yeah, thanks, Simon. I think that's so true. Working towards some sort of industry recognized benchmark is definitely something that most businesses should strive towards, even if they're not going for the actual certification. I guess the only other thing I'd like to add, I think um something that we've also seen more and more businesses needing and wanting is a cyber incident response plan. If you don't have one as a business, you need to look at getting one. You know, I think as for the discussion we've had today and and some of the stats we've shared, it's not really a question of if anymore, but rather when, and making sure you're adequately prepared for such an event to help navigate your business, your staff, and your customers through that is really important. So, again, if that's something you need help with or you'd like more information on, Michael and Simon's team can certainly help on that front. Thanks for joining us today on today's podcast. If you want to find out more about the products and services that we provide, please feel free to visit our website www.bcn.co.uk. There you'll find a wealth of information and knowledge around products and services that can help your business move forward. We've really just touched on the tip of the iceberg here today in terms of the products and services around cybersecurity that we offer. Um, so please feel free to go and have a look and familiarize yourself with that. We look forward to hearing from you. If you have any further questions or you'd like to know more, please don't hesitate to get in touch. Thank you for tuning in and please don't forget to subscribe.