IFSEC Global chats with Anthony Young, Founding Director of Bridewell Consulting, to discuss the growing cyber threats facing organisations and how they can protect against them. He explains the policies businesses should have in place, looks at the most common cyber security shortcomings and describes his concerns over how the threats are mutating.
Can you tell us a little bit about Bridewell Consulting and the work you and the team do?The business was founded about six and a half years ago, focusing on cyber security, information security and government risk and compliance. Then we added other areas, such as penetration testing, security operations, and managed security services.
When we first started it was just a couple of us. We now have 39 permanent employees and are planning to grow further. We have offices in London, Reading and Newport in South Wales and are looking to open one in Manchester.
We are very much focused on providing security advice in the UK and are certified by the National Cyber Security Centre (NCSC), so we do a lot of government work. We’re also a member of CREST for our penetration testing and ethical hacking services. In terms of different sectors, we work with a variety, including critical national infrastructure, financial services, emergency services, manufacturing and utilities.
When Bridewell first started, the key focus was around financial services. Because it was a heavily regulated industry, everyone had to have security in place, or they couldn’t operate in that area.
However, since the introduction of regulation like GDPR and the NIS directive, as well as increased awareness of cyber security at board level, it has become a critical issue for all different industries. Everyone is now worried about cyber security. We don’t have a day without something coming up in the press about the latest breach.
We tend to do a lot of advisory work with companies. So we work with organisations that are maybe not so mature in their cyber security approaches and help them put in place frameworks or get to a point where they meet compliance or regulation.
We also work with organisations that are more mature and want to have those systems tested. Here we go in and do a penetration test or red team assessment where we’re testing the physical as well as cyber defences. Whereas a penetration test will test a particular application or piece of infrastructure, such as a server or something like that, a red team assessment is more of a real-world attack scenario. This could encompass physical security as well as the actual technical security, or trying to use social engineering to get into the business.
One of the biggest things we’re still seeing is that organisations across all sectors are still getting the basics wrong. This includes the internal training of staff; making sure they are fully trained and appraised in terms of what to look out for, in terms of different attacks over the phone, via SMS, or via email. Also, how to approach people trying to gain physical access to premises too.
Other areas include companies using outdated systems that are no longer supported, or they have not run updates, leaving a number of well-known vulnerabilities open. This, combined with too many administrator’s accounts being used for everyday activities, makes it too easy for an attacker to take control of a company’s systems.
A lot of companies now have joint working groups between physical and cyber security. It’s getting a lot more joined up across different sectors. In the past the two departments had been relatively siloed, and in some companies, it still is, particularly if a lot of physical security has been outsourced within organisations.
There’s a huge increase at the moment in everyone wanting to connect their devices to the internet and have everything interconnected, so they can get a better view of how systems are working. So, the CIO or CTO can work from home and see everything that is going on in the manufacturing floor, within the power plant, or wherever it is.
But having all these systems connected to the internet also increases the number of risks. So organisations need to make sure they are regularly testing those systems and ensuring those security controls are up to date. New vulnerabilities are being found every day on different systems, so all systems must be updated regularly with the latest patches to be secure.
It’s really about getting those basics in place. In the critical national infrastructure sector in particular, a lot of systems that run manufacturing or industrial control systems are out of date and don’t have any security support for them anymore. Also, a lot of those systems weren’t designed to be put on the internet or connected up in the first place, so need to be segregated from the wider IT environment.
It’s about making sure those computers built 15 or 20 years ago that now don’t have the latest security patches on them, do have some sort of security controls to protect them when connecting wider devices and the internet.
A lot of companies now have joint working groups between physical and cyber security. It’s getting a lot more joined up across different sectors. In the past the two departments had been relatively siloed, and in some companies, it still is, particularly if a lot of physical security has been outsourced within organisations.
What we typically find is that a Chief Security Officer and Chief Information Security Officer will be working more closely these days. That’s where something like a red team assessment, which really combines that physical security testing with the cyber security testing, can provide a report which really shows how physical security and cyber security need to be more joined up.
Absolutely. A lot of the time as part of our red team assessments, we can go into organisations under the guise that we’re within their internal IT department. Obviously, in a larger organisation not everyone knows who everyone is that works within the company.
With smaller companies we must take a different approach. It could be something as simple as setting up a meeting with that organisation. You’re invited into a meeting room, they leave you for a while and you may get access to one of their network ports or something like that within there. It’s about finding different ways in.
We’ve even worked on cases where we’ve applied for jobs internally just to gain access. It’s always a case of trying to think outside the box about the different methods we can use to meet our goals.
Red team assessments are usually done over a three- or six-month period. We can bide our time and try to create that real-world scenario. If someone wants to attack an organisation because they’ve got something worth a lot of money, or can cause a lot of damage, we must ask to what degree will someone go to access that, and what are the weakest points?
It’s probably not as bad right now as it was two or three years ago, when everybody was trying to create as many devices as possible to connect to the internet. Everyone wanted to be able to control everything from anywhere. It was a case of how quickly people could manufacture these devices and sell them, and it was only afterwards that anyone started to think about the security implications.
A lot of these manufacturing companies or other organisations haven’t had to think of things from a cyber security perceptive before, because they’ve always been isolated.
There is now a lot more thought process around it. And people are putting in place risk assessments and carrying out cyber security assessments before buying devices. Manufacturers are now making sure everything has got security built in.
The main problem we see lies within manufacturing organisations. A lot of them have grown through acquisition – they started off with five or 10 factories, then bought more and keep connecting each one up to the networks. The problem is they then have about 15 different networks, all connected to one which creates a lot of security vulnerabilities.
The speed in which companies can respond and recover from attacks is a major concern. We’re at a point now where every organisation of any significant size should know they’re going to be attacked at some point and need to be able to respond in the right manner. Businesses must have the right policy, processes and tested mechanisms in place to be able to respond to those attacks at the right time.
We’ve seen organisations that have lost a significant amount of their stock market value from a poorly managed response to a cyber-attack. We’ve also seen CEOs, CIOs and press officers not knowing how to talk about the cyber-attack to the wider world or not disclosing the right information to their customers in a timely manner.
The other big worry we have as an industry is that over the next three to five years, we are going to have a big skill shortage within cyber security. A lot of people are needed to meet the demand right now, but where are the people coming from? There’s a big difference between the good people and the not so good people out there.
