Cyber crime is an ever-growing threat, especially for small and medium-sized enterprises (SMEs) that often lack the resources to defend against sophisticated cyber attacks.
Tales From the CyberLab: Episode 5
Cyber Crime for SME's Explained
In episode 5 of “Tales from the CyberLab,” John Greenwood, Cyber Protect Coordinator at the Eastern Region Special Operations Unit (ERSOU) and Bedfordshire Police, joins CyberLab’s Vendor Alliance Manager, Adam Gleeson, to delve into critical insights into how cyber criminals operate and how SMEs can better defend themselves against the evolving threat landscape.
Watch the latest episode of our podcast series to learn about…
✔️ The financial and reputational risks of cyber incidents for small and medium-sized businesses.
✔️ Practical steps SMEs can take to enhance their cyber resilience and protect against common threats.
✔️ Real-world examples and case studies that illustrate the consequences of inadequate cybersecurity.
✔️ Strategies for effective collaboration with cyber professionals to secure business operations.
Listen on Spotify
John Greenwood
Cyber Protect Coordinator, Eastern Region Special Operations Unit
John has worked in cyber crime policing for more than five years, starting at a local force level before joining ERSOU, a policing unit which works across eastern England to tackle a wide variety of criminal activity – including cyber crime. John has developed and delivered training and awareness to thousands of people across eastern England and he is a firm advocate of helping prepare and protect individuals and organisations from the threats of fraud and cybercrime.
Previously, John has worked in the defence sector and as a teacher, so is always keen to make learning experiences engaging to ensure that people take away information to empower them to make long-term changes to their cyber behaviours. At ERSOU, he works to develop the response to cyber crime by coordinating the Cyber Protect officers in the seven force areas that come under the Eastern Region.
Episode Transcript
Adam Gleeson:
Hello, and welcome to another episode of Tales from The CyberLab. Today, we’re going to be talking about the impact of crime on SME businesses. Joining me on the call today is John Greenwood from Bedfordshire Police. John, would you like to just introduce yourself and tell the people a little bit about who you are and what you do?
John Greenwood:
Yeah, sure. So, as already mentioned, I’m John Greenwood. I work for the Eastern Region Special Operations Unit, which is a regional organised crime unit. There are nine regional organised crime units in the UK, and we work across serious threat areas. My area is cyber, and I am one of the cyber protect coordinators. People often ask, “What’s that?” and I think it’s difficult to explain, because most people associate policing with knocking on doors and traditional policing. But obviously, times have changed, and so have the threats. Cyber is now a really large threat against individuals and our economy as a whole. Every force in the UK has a cyber protect officer, and their job really is to engage with individuals and businesses to help them become more resilient against cyber crime and improve their cyber maturity, or their digital hygiene. My colleague, Haley, and I coordinate that piece of work for the seven forces in the eastern region: Norfolk, Suffolk, Cambridgeshire, Hertfordshire, Bedfordshire, Essex, and Kent. We have people in each of those regions, and we’re working to pull everything together.
Adam Gleeson:
Cool. Alright, thank you. Well, I think we can probably dive straight in. We won’t be following the normal format for the podcast today because it’s a slightly different topic. Although, I think you talk about a lot of the things we discuss with customers here at CyberLab, it’s obviously from a different perspective. It feels a little bit like a dark art to me, because, obviously, we’ve spoken before, but I think it’s a unique perspective that you’re able to offer, because you’re doing it from the enforcement side. So, I think you’ve already covered some of this, but the first thing I wanted to ask is about your role and experience with handling cyber crime, especially in relation to SMEs. What are the most common types of cyber attacks that SMEs are facing these days?
John Greenwood:
I’ve been in the policing area for about six years now, and it always amazes me that, yes, new things come about and cyber is a really interesting and ever-changing area, but a lot of the threats and trends are persistent. They’ve just maybe changed their methods slightly or their techniques, but the core message has remained the same. That’s the key thing we need to get across. From an SME point of view, protect officers in each of the forces do lots of different engagements. We do staff awareness training, we have engagement tools like cyber escape rooms, and we also have an investing infrastructure exercise tool. Our core content comes from the NCSC (National Cyber Security Centre). So, from a practical point of view, I have colleagues who work in pursuit, investigating cyber crime. My remit is really around the protect and prepare aspects. The protect side is about giving people advice, stopping them from becoming victims, and improving their cyber security. The prepare side is about improving business resilience. Ideally, from what we see, ransomware is probably the number one driver. Interestingly, when you look at things like the cyber security breaches survey, phishing tends to come out on top, and ransomware is often down at around 6%. A big problem we encounter in law enforcement is underreporting and the failure to report cyber crime. There are different reasons for this: some of it is due to the stigma surrounding it, but I think the main reason is the reputational damage. What will happen if this gets out? So, ransomware… I’m often the point of contact when we’re offering advice to organisations post-event, if you like. Obviously, we don’t want to crowd them; they’re under a lot of stress. So it’s usually a case of, “Do you need anything? Can we help with anything?” If the answer is no, then it’s, “Brilliant. Okay, you’ve got your incident response companies and your insurance companies notified. You’re on top of this. We’ll come back to you in a week or two, and then let’s see what we can do to help strengthen your cyber resilience in the long term.” We also see the typical phishing techniques, which are normally the initial compromise. From there, it typically leads to ransomware or data extortion in some form.
Adam Gleeson:
It’s all intrinsically linked, really. Unfortunately, these days, they categorise these things as different threats, but it’s all part of the same story. The phishing is typically where it all starts. The attackers then use whatever level of access or credentials they’ve been able to exfiltrate or steal from someone—or trick them into giving up—and use that to further the attack. Ideally, in their eyes, it leads to ransomware. One thing I found quite interesting that you mentioned was the cyber escape room. Could you tell us a bit more about that? What’s involved?
John Greenwood:
Yeah, sure. So, the cyber escape room is a tabletop exercise, and it was developed by the Met Police. The key reason for it is that, before I moved into this area of policing, I worked in education for over 10 years. With all things, if you say, “Oh, there’s a talk on cyber security for 50 minutes,” people are instantly on the back foot. Cyber security…It’s one of those topics—it’s like when you turn up and someone says, “Oh, we’re going to have a presentation on GDPR today,” and everyone’s like, “Oh, here we go.” Yeah, it’s all about trying to make those topics interesting and engaging. Exactly. And the escape room is one of the tools we use. We build it into things like staff training, but we also deliver it at public events and similar occasions. It’s an exercise where participants have a case to solve. It covers the basics, really—things like personal digital hygiene, strong passwords, two-step verification, phishing, account compromise, social engineering, ransomware, backups, and all those topics—but in a gamified way. We often find it works best when we do it as part of a two-phase process. We start with the escape room, and people walk in thinking, “We’re doing cyber training?” They walk in and then they’re like, “What is going on here?” Well, you’re doing the escape room? Oh, are we okay? And then we take the lessons learned, if you like, out of that and just expand on it, trying to make it relevant to them as individuals. For me, that’s the big thing. Not a lot of companies do cyber security awareness training, unfortunately. And if they do, they probably just do an online package where it’s very much like, click answer one, click answer two.
Adam Gleeson:
In order for the engagement to land with the people doing it, you’re exactly right: they have to be engaged. And I think that’s a fantastic way of doing it. Those tabletop exercises, I mean, when you do them all the time, they can become a bit of a chore, but if you’re doing something new, it’s a really good way to get people thinking, “Oh, we hadn’t thought about that,” or “I hadn’t even considered that as a potential problem, but I can now see that we haven’t considered it.” So I think it’s an invaluable way for businesses to take that 360-degree look back at themselves and certainly be able to do lessons learned. And then I’d imagine that the follow-on tabletop exercise might be a bit slicker once someone’s taken some of this stuff away.
John Greenwood:
And I think we do also do managers’ tabletop exercises as well. I always think they’re quite interesting because often there’s a disconnect between the managers and the technical teams. So you ask a question, and they’ll be like, “Well, can we do that?” “Oh yeah, we can do that.” And then I’ll be like, “How long will it take?” And they’ll be like, “Oh, what? An hour?” And I’ll say, “Three days.” They’ll be like, “Three days?” So it’s understanding those choke points. Companies might say, “Yeah, we’ve got an incident response plan,” but have they tested it? Have they looked at their backups? All of those sorts of things. I worked with a business a while back, and they were a small business. They said, “Yeah, we’ve got a backup.” And I said, “Oh, great, where is it?” They said, “It’s a cloud backup.” I went, “Okay.” And I asked, “Have you tested it?” They said, “Well, it says ‘verified’ on the screen.” I said, “Well, okay, but have you tested it?” It was only when I said, “How long will it take to do a full recovery from that?” that the IT person said, “Oh, about a week and a half.” The manager was just in shock. They were like, “How long would we do that?” So then it’s thinking about prioritising simple things, but often, like you say, they’re not really thought of until you’re doing an exercise.
Adam Gleeson:
The other point that you’ve touched upon, I think this is a fantastic tool: it’s forgetting the different areas of the business when talking about cyber security. It’s something that, I think I mentioned it in pretty much every one of these podcasts that I do now because I think it’s a message that, if people haven’t quite got the hang of it or it hasn’t sunk in, I need to keep repeating it to try and raise the profile. And that’s not an IT issue, it’s a business issue. And there are elements that require input from all areas of the business, and these kinds of escape rooms, I think, are a fantastic way of doing it. And exactly those types of conversations that you had — that’s the real value, where all of a sudden they’ve all talked about this stuff before. Recovery point objectives being a good example, where management’s expectation is that it’s this, but then when it’s actually seen, it’s like, “Well, no, that’s not the reality at all.”
John Greenwood:
Yeah, and that can then pose a question to the business of, “Well, are we happy with that, or do we need to try to do something else?” And exactly, whether that’s prioritising what is the critical infrastructure that we need to get restored first, so we can get back up and running as quickly as possible. But I think that’s a fantastic way of getting these things out in the open and starting to crack the whole thing open. But you’re exactly right around incident response and stuff like that. If you don’t test these things and testing backups — again, the number of people I talk to, it’s like, when was the last time you actually just did a test or restore to make sure that the data that you’ve backed up and you’re like, “It’s verified. I’ve got a copy of that,” will it actually work when you press the button? Now, I would say that this is less of a problem than it used to be because the media that we’re storing it on is less volatile than tape and the other stuff that we used to use. But I think there’s still a place for it, just for that peace of mind that it’s going to work when you press the button. I would certainly want to be testing them, even in a very limited capacity, just to verify that it looks good.
John Greenwood:
That’s often the stumbling block we find, as businesses say, “Well, I don’t think we can get those four people in the room or those eight people in the room.” It’s like, “Well, you’re going to have to when the time comes.”
Adam Gleeson:
Exactly.
John Greenwood:
You surely want it to be a slicker response when it happens.
Adam Gleeson:
Absolutely. Absolutely right. I think just to add as well.
John Greenwood:
Sorry, quickly, I often look at the analogy of fire alarms, like fire drills. Businesses are all over that from a health and safety point of view, and they have their exits marked up, they have drills, they do all of that. Well, I would say a cyber attack is more likely than a fire.
Adam Gleeson:
Exactly. So why not exercise or test them or double-check that the way they think it’s going to work is actually the way it’s going to work? And you understand who needs to be involved and stuff like that. So let’s talk a little bit more about… So we’ve talked about what the threats facing SMEs are, what about the impact? So this is something, again, in other podcasts that I’ve taken a step away from talking to people about how things work internally. We’re exploring, like we’re doing here today, what does this look like from an external perspective? Not something that, unless you’ve actually been directly involved with it — and probably frequently involved in it — you’re not really going to be familiar with it. You’re not really going to understand what happens from the legal aspect. What are we going to get from them and what are the regulatory things? We might know these things, but we don’t necessarily understand how they work in the background. I think it’s interesting to hear your perspective on what you see as the impact of these different types of cyber incidents. And so normally I should say cyber incidents, not cyber attacks. They’re not always an attack, but if the police are involved, more than likely it is going to be an attack we’re talking about. So in terms of what loss, operational disruption, reputational damage, what are the kinds of things that you see happening?
John Greenwood:
Yeah, I think you’ve hit the nail on the head there. Financial is quite tangible, isn’t it? You can say, “Oh, it’s cost us X.” I think the problem I often encounter is that businesses don’t realise that actually that’s going to be a long-term cost. You’ve got a lot of remediation in the backend. It’s not just, “Oh, we got X, Y, and Z in to fix A, B, and C, and they’ve done it.” There’s also the, “Well, what about the time you’ve lost?” And a really good example of this, I was doing some exercising with an organisation and we did a ransomware scenario basically, and I said, “Well, your phones are down as well because they’re internet-connected, aren’t they? And if your infrastructure’s down, you made that decision, you’re probably not going to have your phones working.” And first off, they weren’t sure if they were, and the IT guy was like, “Yep, all our phones are down, we wouldn’t have any phones.” And then there was the, “Well, how would we…?” Well, people could still ring mobiles. And I was like, “Okay, so then you’re taking paper-based notes. Then you’ve got to transfer that. So then where’s your human resource going to come from for that in the long run?” So I do think there’s the longevity of it that needs to be considered. The key thing for me, which is really difficult to quantify, is that reputational damage.
Adam Gleeson:
Yeah.
John Greenwood:
And I’ve worked with organisations who have been excellent, who’ve come out and they’ve gone, “This is our press release. This is what we’re sending to our clients, our customers, this is what we put on our website, and this is how we’re going to update them.” Super. Okay. Exactly.
Adam Gleeson:
Yeah, I’ve seen others that haven’t done as well.
John Greenwood:
And they’ve done it. They make their stand. They’ve said, “This is what we do, and this is what’s happened. We’ll update you regularly,” and they’ve done that. And I would say, like you say, gold standard — their customers are going to feel valued and they know what’s happening. I do a technical scenario as well, and I work with a technical team, and the question I had was, “When are you going to elevate this? When are you telling your manager and when are you telling your customers?” And there was this discussion between newer and older staff, and some of them were like, “Well, I just wouldn’t tell the customer.” And the older staff were like, “But then if it gets out, that’s our reputation gone, isn’t it?” So I think often businesses don’t think of that PR response.
Adam Gleeson:
Yeah, exactly.
John Greenwood:
And often what we see, especially in ransomware cases, is maybe the ransomware actor will engage with one of the senior staff. And I’ve seen WhatsApp messages posted, which is a conversation between the ransomware actor and a managing director. And they’ll stand there and say to me, “No, nothing’s happened.” And I’ll be like, “Well, here’s the WhatsApp messages.” And they’re still saying, “No, nothing’s happened. We’ve not lost anything.” But the information’s there, it’s in the clear. So I think, like you say, getting a handle on it and coming out is really important. And reputational damage is something you can’t really quantify. So it’s the thing you need to treat with the most kid gloves because it could be all-encompassing. If your reputation is shot, then you’re not going to get any new clients. So downtime might have cost you 10 grand, but if you’re not getting any new clients, your business is over.
Adam Gleeson:
These intangible things, but the thing is, it’s also — I say it’s intangible, but that doesn’t mean it’s inconsequential because this can seriously affect the future prospects of your business. And one of the other things that was interesting that you touched upon there around how some organisations are organised about putting this stuff out there, I’m of the opinion that, looking on a long enough timeline, at the moment, we can put organisations into two categories: those who have had a cyber incident or data breach, and those who haven’t. Now, there was an old adage — I think it was around storage — and it was the people who have encountered a storage failure and those who haven’t encountered a storage failure – yet. And I kind of think that the same is going to apply to organisations. It’s only a matter of time until the number of organisations sitting in that category of ‘not had a breach, not had a cyber incident’ is going to vastly diminish compared to the other side.
Most people are going to suffer with these things, and instead of measuring people on whether they’ve been hit or whether they’ve had an incident or not, I think we’re going to see a shift in the market. It’s going to look at how well people coped when they had a breach and whether or not they did everything correctly. Because I think that’s really going to be what becomes important moving forward. It’s not the organisation I want to start dealing with. Are they going to make a complete mess of it if we have a breach and make the problem worse? Or are they going to be upfront, open, reassure customers and reassure investors and anyone else like that, that they’ve got this under control, and that they’re being honest about it and that there’s nothing they’re hiding? Apart from anything, there’s a legal element, isn’t there? If you’ve suffered a data breach, it’s illegal for you to not report it to the ICO, depending on the type of data that’s been breached.
John Greenwood:
Depending on the type of data, and I think it’s your personally identifiable information, obviously within 72 hours of a recognised incident. Just going back to what you said, I think there is a grey area of organisations that have suffered a cyber incident and aren’t aware of it. That’s a very good point.
Adam Gleeson:
Yeah, that’s a good point.
John Greenwood:
One of the things we also have is we have intelligence passed to us, and we go into businesses and say, “We believe we have intelligence that suggests this has happened.” And quite rightfully, most of the time the business is like, “Can you prove you are from the police?” And we go through this whole process, and then sometimes it’s just access credentials that have been made available for sale. So, how did they get those? Poor staff hygiene, all those sorts of things. Often, quite a lot of the time, businesses have no idea about that. I delivered one last week and the business had no idea. No idea. And it led back to what looked like a suspected SQL injection attack on their website.
Adam Gleeson:
So had they been hacked and someone had worked their way in from the outside?
John Greenwood:
Yeah. And there was quite a significant amount of PII there. And then it got onto conversations over, “I think you need to look at your data retention policy and why is that there?” So our job isn’t — my role in the protect area is really just to try and inform people and try and get them to think about those changes they could make to improve their digital security. So I’ll give you another example. We had a firm that got hit with ransomware. They used a lot of cloud services, but what they also had was a photocopier. And so when people photocopy files, the photocopies, the scans if you like, were kept locally on that device.
They’d never wiped them. So they couldn’t get into any of the cloud files, but they could get this treasure trove of scanned documents, which they didn’t wipe down weekly or daily or anything like that. There were two years’ worth of scans on there. So simple things — and sometimes we talk, often it’s like humans are the main weakness. Well, humans can be a great strength if you train them.
Adam Gleeson:
Exactly what I say. They can be your greatest asset or they can be your greatest weakness in your cyber defences.
John Greenwood:
And I think that naturally leads on as well to patching devices. I go into charities especially, and schools and things like that, and I’ll see devices that are past end-of-life, years past end-of-life. And often the comment is, “Oh, well, we know it’s past, but we’re going to move next year, so then we’ll replace it.” And it’s like, “It’s a threat now – what’s your risk strategy around that?” I often think if you’re in a factory and you had a particularly dangerous machine, you’d have all those risk strategies in place. You’d be like, “Well, only a trained person can use it. They’ve got to have the right PPE, they’ve got to be observed, trained, all those sorts of things.” Well, likewise, for an asset that potentially doesn’t have the security it should.
Adam Gleeson:
Yeah, that’s a very good point. Very good point. Just out of idle interest, really — going back to, do you see — is it once in a while that you come across an organisation that’s been hacked and they don’t know anything about it, or that they’ve had a data breach or something they don’t? Is this something that you come across once in a while or is it quite actually quite a common occurrence?
John Greenwood:
No, it’s pretty common. So, the cyber breaches survey said that I think it’s a third — 33% of businesses have security monitoring tools, and we see both sides. So, I worked with a business this week and I spoke to them and they were like, “Well, we’ve got all of this security in place, and nothing’s come up.” But the breach was in a different system that wasn’t within their area. It was a website one, actually, I mentioned earlier. Equally, I’ve worked with businesses and they’ll say, “We just weren’t aware of that. We had no idea.” And we are seeing more and more businesses looking now, using intelligence — basically more often from a practical point of view and a financial point of view, it makes more sense to outsource that. So, things like web scraping, breach forums, scraping, and things like that, and also data breaches themselves. Have I Been Pwned and other resources, just the services, because often we find most businesses will say, “No, we don’t think that’s happened.” And the other is a negative. They’ll say, “We’ve got no evidence that any data’s been stolen.” And I’ll say, “Well, have you got any evidence that the data hasn’t been stolen?” And then they’ll say, “Well, we’ve got no logs.” So for me, you’ve got to take that as a — “Well, we can’t prove that nothing’s been stolen, so we need to do our homework on this, and we need to do our investigation.”
Adam Gleeson:
Let’s talk a little bit more about how SMEs can collaborate with the likes of people like you across the country to improve their cyber resilience. How do they go about engaging on doing that?
John Greenwood:
Excellent. So, I would say there are two main points. So the first is, there’s a load of great resources out there, but often it’s the “wood for the trees” — there are too many. So I think the first port of call is to make contact with your local protect officer. Now, you might need to find your ROCU first, so there is www.ROCU.police.uk, and then you can find your local ROCU and you can email them basically. They might have a separate website that talks about their cyber services, things like that. So that would be my first port of call because often there’s some great stuff out there for SMEs, like an action plan for really small organisations, and tools like ‘Test My Cyber Security’ from the NCSC. The NCSC does have really great resources, but from an SME owner looking in, it’s very overwhelming.
Adam Gleeson:
That’s one of the messages that we try to convey to customers, and I’m going to reiterate it here, is that we know that this stuff can be complicated and that no one really, if you don’t have a background in this kind of thing, even if you’ve got an IT background, it doesn’t necessarily mean that you now understand all the potential different threats and attack vectors that exist in the realm of cyber security. So, it becomes very overwhelming almost immediately. And that’s what people like me are here for. We want to help people make themselves stronger, give themselves that peace of mind. Sorry, I interrupted your flow there.
John Greenwood:
No, spot on, spot on. I think that’s the key thing I always like about cyber security is there’s lots of people willing to help. It’s just you need to know that it’s a problem that you need help with in the first place, isn’t it?
Adam Gleeson:
Yeah, which does become a bit of a chicken-and-egg situation.
John Greenwood:
Yeah. So, NCSC — great resources. Find your local Protect Officer. We will do things like staff training, like I’ve mentioned. We are not going to come in every Wednesday and do staff training sessions, but we will come in and do a session and get you up to speed and help you get on your cyber journey, if you like. Because really, a lot of the things for SMEs are really the basics, unfortunately. So, multi-factor authentication, updating devices, strong password policies. Really, our aim is to push people towards looking at and gaining Cyber Essentials, for instance, which for SMEs, it covers the basics and will make you slightly better off against what are really, most of the time, fairly generic attack types.
Adam Gleeson:
It’s about understanding. I mean, that’s the posture assessments that I help to develop, that we run at CyberLab with our customers. They’re aimed at trying to get a holistic view of what the cybersecurity landscape looks like for that customer, understanding the nature of their business, and then providing advice. And rarely, the advice is, “Well, you’ve actually heavily invested in an area that is not really a major risk for you, whereas you’re not investing in this, which is probably going to be the way that someone is going to approach your users, email security, for example.” The chances are that your users are going to get exposed to that, and you’ve got very little in regards to security there. Microsoft does a reasonable job of giving you something that’s better than nothing, but there’s still an awful lot of stuff that comes through that, which is why we tend to layer additional security on top of it.
John Greenwood:
There’s also the Cyber Resilience Centres as well. So, they were formed by the government and they’re police-led. Their aim is to provide long-term support to SMEs as well. So, that’s another really good contact for you as well. The Cyber Resilience Centres — there’s one in each force area, and they do free memberships.
Adam Gleeson:
Perfect. Awesome. That’s brilliant. Thank you very much for your time today, John. It’s been really interesting talking to you. Again, it’s an area that I’ve not really had the exposure to from your perspective, so I think it’s quite interesting. Hopefully, everyone watching has found this useful. If you do have any questions, please reach out to your CyberLab account manager or contact us using the link below or via our website. That’s all for today. I’ll see you next time. Stay secure.