Michael Alexander speaks to two young ethical hackers based in Dundee who recently worked with the CyberScotland Partnership to create videos aimed at opening up conversations on cyber security.
It is the digital revolution that now touches almost every area of our lives.
According to Datareportal”s Digital 2021: Global Overview Report, as of January 2021, there were an estimated 4.66 billion active internet users worldwide – 59.5% of the global population – 5.22 billion unique mobile phone users and 4.20 billion active social media users.
An estimated 300.4 billion emails were sent and received every day in 2020 and 2.27 trillion SMS messages were sent through the year.
Our society is now almost entirely dependent on the continued availability, accuracy and confidentiality of its information and communications technology, whether that be for economic health, the domestic machinery of government, for national defence or for day-to-day social and cultural existence.
Opportunities bring risks
But while digital connectivity brings great benefits, the opportunities also bring risks.
From stealing bank details or valuable intellectual property from companies, to the distribution of terrorist propaganda, cyber security has been ranked by the UK government as a threat to national security alongside the likes of war, terrorism and natural disasters.
Foreign states, criminals, “hacktivist” groups and terrorists can all engage in cyber espionage and computer network attacks.
According to a recent UK government survey, 39% of UK business came under cyber attack in the first quarter of 2021, with many incidents causing significant damage.
The specific costs depend on the sophistication of the attack and how well executed it was.
Attacks could range from systems being offline for a few hours, creating a frustrated workforce and unhappy customers, to an attack that infects an organisation’s systems with ransomware that cripples them for days and weeks.
As well as the loss of data, the cost of recovery alone could cost millions of pounds, plus the risk of reputational damage.
The seriousness of the threat to national security was underlined recently when the UK government confirmed that its cyber-attack agency, known as the National Cyber Force, will be based in Lancashire.
The organisation aims to counter threats from criminals, terrorists and hostile states and brings together officials from MI6, cyber-spy agency GCHQ and the military under a unified command for the first time.
However, at an organisational and individual level, there are certain things that can be done to reduce cyber security risks.
Role of ethical hackers
One way that the resilience of computer systems are being tested is through ethical hacking – also known as penetration testing – whereby hackers are employed to legally break into computers and devices to test an organisation’s defences.
The Courier spoke to two young ethical hackers, based in Dundee, who have been employed to identify vulnerabilities in companies’ systems.
Twenty-year-old Allena Matheson-Dear, who has just gone into her third year of an ethical hacking degree course at Abertay University, and 23-year-old Abertay University ethical hacking graduate Declan Doyle, both work with the SBRC (Scottish Business Resilience Centre).
Allena, a former Linlithgow Academy pupil who “always knew” she wanted to study ethical hacking at Abertay, has been working part-time with SBRC since January.
Meanwhile, Declan, a former pupil of St Mungo’s High School in Falkirk, joined SBRC part time in January 2018 and is now SBRC’s head of ethical hacking and client services.
Declan explains: “Ethical hacking is basically hacking with permission in order to identify in an organisation where you could be hacked. Literally the best way to do this is just to get hacked.
“So rather than waiting for a hacker to hack you and steal your money or your data or anything like that, they’ll ask people like myself or Allena to hack into them and then produce a report based on the ways that we did it.
“Then we’ll say ‘right here’s how we hacked in and here’s how you stop it’. You are basically plugging the holes before there’s a leak by using the same techniques that a criminal hacker would use.”
Basic threats to business
Allena says the first thing many organisations think about when it comes to hacking is money being stolen.
However, it’s vital to think about data as well – particularly with tighter rules on data storage and management now in place under GDPR, where fines of millions of pounds are possible. Another area for organisations to consider is potential reputational damage.
“Even if it’s a hacker taking down a web application or a web site for a day, people are going to remember that,” she says.
“If a website is your business, when people are choosing what website to use they are going to remember a time when the website was down and potentially choose someone else.”
Allena says one of the things that attracted her to ethical hacking is that there’s always something different to learn.
The reality is, she says, that organisations are “never going to be completely secure”. The key is to be “one step ahead of the hacker and making it as difficult as possible”.
At the same time, however, Declan says there can be a misconception when it comes to cyber security.
While it’s true there are always going to be risks, the truth is that for the vast majority of small and medium businesses, it’s not the super sophisticated hacks that catch them out.
It’s basic oversights such as not keeping computer systems up to date or not having a strong password.
Phishing is another problem with something like 80% of cyber attacks due to “human error”. For example, employees opening an infected spam email.
Businesses might think won’t be able to keep up with ways to stop hackers when the reality is that perhaps they’ve not been taking simple measures in the first place such as having extra password security protocols or training staff how to spot a phishing email.
“When businesses think ‘oh I’ll never be able to keep up’, the truth often is they weren’t doing it in the first place. They were never even at that level,” he says.
Declan explains that SBRC is a non-profit organisation with the purpose of improving the resilience of organisations across Scotland.
“As you can imagine a lot of that involves cyber security these days,” he adds.
“There’s a mad statistic that over 50% of crime committed in Scotland is cyber crime which is mental to think about. A large part of what we do is making businesses and organisations more resilient to cyber crime.
“Things like making people more aware of phishing, raising awareness of cyber security and the fact that it’s not the job of the IT person – although cyber security is often tied in with IT and it is very much a computer based topic.
“It’s computer based in the way that everyone is using computers now – for example, using Teams. So equally it’s everyone’s responsibility to manage cyber security.”
‘Hands on’ at Abertay
Abertay created the world’s first ethical hacking course in 2006 under Colin McLean. Declan says there are more universities offering somewhat similar degrees nowadays, but where Abertay shines, he says, is that it’s a very “hands on” course.
As part of their assessment, for example, students will hack a uniquely generated website or network and write a report as if submitting to a client.
Because students are being taught the same techniques criminals would use, students are asked to sign contracts at the beginning of their course declaring that they should not be used for illegal purposes – or face being kicked off the course.
Simple mistakes are made…
Declan is still amazed, however, how many companies can make simple mistakes.
For example, he says, one of the most obvious areas companies overlook is when they outsource the management of a printer or buy in a cheap IOT kettle or camera. The reason they are cheap, he says, is because they can be “easily hacked”.
Declan doesn’t think the increase in home working during Covid-19 increases the risk of cyber breaches per se.
Problems might arise if employees are working remotely and are a bit more disconnected.
Perhaps then they are more likely to fall for a phishing email. So long as organisations have a core message about cyber security, however, he does not think they are more at risk.
…but don’t panic!
For him, the message he likes to get across is that organisations don’t need to panic. But they can help themselves by following some simple advice such as that included in the series of new bite sized SBRC videos.
“I always say to people, especially if they are reading something like this – people think ‘oh my god cyber security is something we need to panic about’,” he says.
“I say don’t. There are so many resources out there. SBRC has huge free resources available. There are organisations up and down the country that are similar.
“The UK and Scottish Government offer resources too. It’s not something you have to worry about by not knowing where to go.
“Things like using two factor authentication and not looking at confidential documents on a bright screen via public wi-fi in a coffee shop can make all the difference!”
To see more SBRC cyber awareness videos go to www.cyberscotland.com/sbrc/cyber-awareness-videos/