This month we meet James Tucker from Arcanum Information Security in Caerphilly who has sat down with the WCRC to talk about what he does, cyber resilience and what being Cyber Essentials certified actually means.
· Tell me who you are and what you do within Arcanum?
Hi, I’m James a Cyber Essentials Plus assessor and Digital Forensics Practitioner. In these roles I am split between helping companies achieve Cyber Essentials and Cyber Essentials Plus and carrying out digital forensics investigations on computer devices submitted to Arcanum.
· How did your career in cyber security begin?
I started out as a Digital Forensic Practitioner when I left university in 2010, carrying out investigations on mobile telephones and computer systems to support investigations on behalf of various law enforcement authorities. As part of this, I investigated various cyber security incidents, where I would come in post event and figure out what had gone wrong.
In 2018 I trained to carry out Cyber Essentials assessments, this was a bit of a change in what I was used to. Rather than coming in at the end of an incident to find out what had happened, I now assist companies put various procedures and technical methods in place to make their business more secure.
· What’s the best thing about working at Arcanum?
The company culture and the way Arcanum treat its employees. Just over a year ago my daughter was born and the support and advice from my colleagues and management while I got the hang of my new way of life has been invaluable.
· What size companies do you work with?
Arcanum have worked with a range of company sizes, ranging from single employee to multinationals that have hundreds and thousands of employees. Every client and job can be very different, which is another thing I like about my role and working for Arcanum.
· What do you see small/medium companies and charities struggling with in terms of cyber resilience?
Small/medium companies and charities rarely have dedicated IT teams, and even more rarely have dedicated security teams. As such, they rely on an individual wearing multiple hats to try and keep their systems running and secure whilst also doing their main job function. Furthermore, they are often not aware of the easy steps that can be taken at little to no cost to improve their security, such as changing default passwords, asking staff not to use corporate devices for personal purposes, running antivirus software, as well as ensuring that security patches are installed for operating systems and software in a timely manner.
· What is Cyber Essentials and why should companies get Cyber Essentials accreditation?
Cyber Essentials is a government-backed cyber security standard which is cheap for organisations to obtain. Its original aim was to help protect organisations against low-skilled internet-based attackers, although it can also help protect against more sophisticated threats too. Any organisation aiming to gain government contracts are usually required to obtain Cyber Essentials, but more and more private-sector organisations are also requiring the certification for their supply chain.
As well as contractual requirements, the general public is becoming more aware of the risks of their personal data being leaked online or from compromised organisations. Holding Cyber Essentials Certification is a great way to demonstrate to customers that the organisation takes cyber security, and the protection of user data seriously but also opens up a whole new market for them to be able to attain business from.
· What three tips would you give a company with little knowledge of cyber resilience
1. Ensure that Operating systems and software are both in support and updates are applied in a timely manner - the vast majority of commodity attacks target security vulnerabilities for which fixes are already available.
2. Ensure that all users use low-privileged accounts for their daily work, not administrative accounts. The default user account when you create a new Windows installation is a local administrator - You at least need to make sure a second account is setup without administrative permissions that users use for their daily activities. This means that even if user devices do get compromised (for example via a phishing attack), the impact of this should be lesser.
3. Provide guidance to staff on how to generate strong passwords using password management applications or NCSC’s three random words guidance and securing accounts with multifactor authentication when possible.
· 98% of charities believe cyber security is important but often feel overwhelmed or don’t know where to start. What simple tips can you give charitable organisations to help them get started?
I really recommend looking at the UK NCSC's website (http://ncsc.gov.uk/) - it's full of great free resources with lots of advice that companies can take to help keep their organisations secure. They even have guidance tailored toward small charities - Small Guide - NCSC.GOV.UK.
· And our final question – what is your favourite view/ landscape in Wales?
I love to be able to visit the Gower with its changing landscape every season. From Sunflower fields to Christmas Trees and of course the amazing beaches around Casswell Bay and Langland Bay, altogether perfect for my growing family. That said, Arcanum employ lots of veterans and they never stop going on about Pen Y Fan!
Comments