In the latest instalment of our Spotlight series, we talk to IntaForensics business development director Dave Privett about the Government-backed Cyber Essentials scheme.
Q: Hello Dave. Before we discuss cyber security, tell us a bit about IntaForensics.
We are a company that has been providing digital forensic and cyber security expertise, software and services for over 14 years. We’re one of the leading consultancies in the UK - driven by quality and the way we achieve that is using internationally-recognised standards. Particularly, we hold ISO 9001:2015, ISO 14001:2015 and ISO/IEC 27001:2013 and maintain an ISO/IEC 17025:2017 accreditation for digital forensics, which was a fantastic achievement for the company.
We’re also accredited to conduct payment card fraud investigations by the PCI Council. We are unique in that respect – the only PFI company globally that has an ISO 17025 accredited Digital Forensic laboratory. We then have a host of other accreditations regarding information security in general. We investigate breaches and incidents from all angles and size from very small companies all the way up to some FTSE 100 companies.
Q: Given how rapidly cyber security threats emerge and change, it can be hard for companies to keep up. What message do you have for businesses that are looking to boost their cyber resilience but are struggling to know how and where to begin?
It’s all about getting the basics in place and building from there. Security is very much about having a layered approach, because there’s so many different potential attack vectors you need to think about. We’ve come across companies that have invested thousands of pounds in other cyber security platforms. They’re great at what they do, but if you haven’t got the basics in place, you’re potentially still leaving the door open for a successful breach further down the line. Cyber Essentials and Cyber Essentials Plus is therefore a great place to start.
Q: A lot of people consider cyber security to be rather complex. Just how difficult is it for businesses to boost their resilience to online crime?
In my opinion, it’s not if you have the right guidance and that’s what standards such as Cyber Essentials and IASME are trying to do. Microsoft have also done a wonderful job with the latest versions of the Windows operating systems where many of the security configurations are already in place as a default, but not all. A lot of it is about adopting a common sense approach when setting up IT in a business environment, particularly when you’re processing company information and personal information, which every business does in some form. So yes, I think it’s achievable. It just needs a bit of education and hand-holding through some of the processes. That’s how we work with our clients.
Q: Where should cyber security rank on a company’s list of priorities?
Really, in this digital and remote working world it should be the number one priority. There’s pressure coming from several different angles. As a company, you might be servicing a client that can only work with suppliers that have Cyber Essentials in place. Secondly, you might want to differentiate yourself from other providers in your space and Cyber Essentials is a low-cost, efficient way of doing that. Thirdly, there’s the need to secure your company against a breach, as the consequences of failing to do so can be catastrophic, which is something we see on a regular basis.
Q: Why do you think some companies are reluctant to invest in cyber security?
The old adage of ‘it will never happen to me’ is often prevalent. So many companies don’t feel they’ve got anything worth stealing, in terms of information or financials. This is not the case as the majority of all the data a company processes and produces has a value. We conduct investigations on lots of companies who have been breached. It leaves them all in shock as they didn’t think it would happen to them.
Q: How many breaches does IntaForensics investigate each year?
Literally hundreds. We engage in new investigations every single week. It might be on payment card fraud or it might be an incident response job for a company that has suffered a successful ransomware attack. We are seeing these on a near-weekly basis, many of which could have been avoided by having the basics in place, such as Cyber Essentials. Predominantly, these are all UK clients. This year has been particularly busy. We’ve definitely seen an increase in incidents since the start of the pandemic and that’s due to people working from home. That’s causing some massive problems for companies.
Q: Arguably the most challenging element of cyber crime is the fact that threats are constantly evolving. Do you find it hard to keep up?
It’s challenging, but that’s why companies engage with us. We eat and sleep this stuff! Methods are changing but the underlying technology hasn’t fundamentally changed in quite a while. The fundamentals of cyber security still apply to a lot of the work that we do now. What has changed is cyber security has improved generally. However, that’s now creating more specialised, targeted attacks by individuals who have advanced knowledge on how to exploit systems. That’s why getting the basics in place still applies.