Dr. Victoria Baines is, according to Secure Computing Magazine, one of the top 50 women of influence in cyber security. It’s not surprising when you consider the contribution she’s made to cyber thinking, across public and private sector organisations and through her academic research.
She has worked to help prevent the abuse of children with the Child Exploitation and Online Protection (CEOP) command of the police. She led the strategy team at Europol’s European Cybercrime Centre, where she was responsible for the EU’s cyber threat analysis. She was for several years Facebook’s Trust & Safety Manager for Europe, Middle East and Africa. She now sits on various advisory Boards (including Reliance acsn) and is a visiting research fellow at both Oxford and Bournemouth universities.
I’m Martin Sutherland, CEO of Reliance acsn, and recently I had the privilege to sit down with her (socially distanced, of course!) and explore her thoughts on how this most challenging of years has impacted the cyber security sector. This is what we discussed…
Martin: Victoria, as you know, I joined Reliance acsn a week before the country went into lockdown in the fight against COVID-19. It’s clearly been a very challenging time for so many people and for so many sectors in the economy. It’s also been a year where we’ve seen a large number of businesses dealing with new and emerging cyber threats. How has 2020 been for you so far?
Victoria: Busier than I expected! Like you and the rest of the team at Reliance acsn, I’ve found that my services have been very much in demand in lockdown. It’s quite strange to have spent so much time at home in the last six or seven months. I’m so used to travelling for work. The pandemic gave me some much-needed time to focus on research work: I have a book deadline that is rapidly approaching.
The other big change has been the significant digital transformation we’ve all seen. I’m perhaps more practised than most at working remotely. But I too have had new experiences – pre-recording keynote speeches for conference delegates I can’t see, MC-ing scenario exercises online, doing TV interviews from my dining table, and the like.
Businesses large and small had to make considerable efforts to ensure their operations continued outside the office, in many cases on personal devices shared with family members. In the cybersecurity security industry, I would say we’ve seen something of a renewed focus on endpoint security as a result.
But we shouldn’t forget that for many small and even medium-sized enterprises, continuing to function by any means necessary was the priority. Security may not always have been front of mind for everyone.
Martin: We found that during those first few weeks of lockdown in the spring, companies were rightly entirely focused on business continuity, making sure the business could continue to operate effectively with perhaps the majority of their staff working from home. With the rapid shift in working practices and in some industries the rapid adoption of new online business models, lots of new cyber threats have emerged. So whilst the early days of lockdown were about business continuity over time, we’ve seen our customers shifting their attention to the security of their operations. What do you make of reports of huge increases in cyber threats during the pandemic?
Victoria: I’m not at all surprised that identified incidents and attempts have increased in number. People like me have been writing about huge increases in cyber crime for at least a decade! In fact cyber threat levels haven’t gone down at any point in my career.
What I think we have seen is an evolution of the threat vectors: for example, bad actors mimicking government communications in phishing attempts. That’s to be expected: cyber criminals have always capitalised on high profile events, for example through malicious search engine optimisation that exploits trending search terms.
They also constantly refine their delivery and social engineering narratives, for instance by building different content and payment methods into ransomware pop up screens.
The heightened sense of alert generated by COVID has been something of a gift to threat actors. Citizens and businesses were instructed by the government to look out for and respond to official communications about testing, track and trace, furloughing and support schemes. The speed with which the scams appeared is testament to how fleet-footed and entrepreneurial criminals can be.
Martin: We’re now seeing so many people working from home. Do you think this shift in working practices has created additional security risks, and because everybody was doing it, is there now more interest in and awareness of cyber issues?
Victoria: I’d wager that the shift towards remote working may have facilitated certain threat vectors. In the case of Business Email Compromise, being physically isolated from co-workers could make employees less likely to verify whether a request for payment is legitimate. In the security equivalent of the much-discussed disappearance of the ‘water cooler moment’, in lockdown we lost the ability to informally check request for approval with colleagues. The process itself became more vulnerable to a specific attack vector.
There is also greater media interest in cyber threats than ever before. Ten years ago, when I worked for the European Cybercrime Centre (EC3) at Europol, we struggled to get journalists excited about cyber security! Now, cyber attacks are headline news, and the more sensational the better.
As we speak, the world’s technology press and information security specialists are exercised with the announcement by the German police that they are investigating as homicide a death that may have resulted from a ransomware attack.
Just before the UK went into lockdown, I travelled to the Newsnight studio for a live debate on targeted coronavirus disinformation. These are of course very serious threats deserving of public attention. Precisely because of their gravity, citizens and businesses need practical advice and solutions they can understand. That’s especially important now, when many are arguably already suffering from ‘alert fatigue’.
Martin: Cyber criminals are pretty entrepreneurial. Whenever there is a new opportunity to shift their business model they will. As you say, we’ve seen all sorts of different cyber threat actors evolve and adapt their trade craft for years. That’s not new. What I think is different in 2020 is that the pandemic has driven just so much change in so many businesses so quickly that the threat actors have had lots of new opportunities to exploit. Where do you see this heading? What cyber threats do you think are coming next?
Victoria: I’d be very rich indeed if I possessed that level of clairvoyance! I do think it’s possible to identify changes in the cyber environment that could be vulnerable to exploitation. A decade ago, we highlighted Bring Your Own Device (BYOD) as a business trend that would increase the attack surface.
In lockdown, many employees brought their offices and work networks into their homes for the first time. Now we’re faced with hybrid businesses environments and hybrid attack surfaces: many employees are spending part of the week in the office, the rest at home; many will never return to permanent office space, if the new policies of some larger corporations are anything to go by.
Martin: What are the hot topics right now in information security? I know you don’t want to give predictions but can you see any certainties for the rest of the year?
Victoria: Asset mapping and access management have always been important process steps in information security. But with many more services in the cloud, and many more authorised endpoints, businesses of all sizes now need to be thinking about regular audits and continuous security operations. On the positive side, the pandemic has proved once and for all that Security Operations Centres (SOCs) can function perfectly well remotely.
For the rest of it, even though I flatter myself that I am something of a cybercrime futurist, 2020 is proving quite a challenging year in which to make longer range predictions. Two things are certain: attack methods will continue to evolve, and criminals will continue to exploit changes in their operating environment. Cyber threat intelligence will be crucial to anticipating and defending against attacks. As a former intelligence analyst, I would say that, wouldn’t I?
DR VICTORIA BAINES
ADVISORY BOARD MEMBER
Dr Victoria Baines is Principal and Founder of Cartimandua Insight, and is a leading author and speaker in the field of cybersecurity. She regularly appears in major broadcast media as an authority on the misuse of emerging technologies.
Until 2017, Victoria was Facebook’s Trust & Safety Manager for Europe, Middle East and Africa. Before this, Victoria led Strategy & Prevention at Europol’s European Cybercrime Centre (EC3), and was responsible for the European Union’s cyber threat analysis. Victoria is a Visiting Associate of the Oxford Internet Institute, and a Visiting Fellow at Bournemouth University’s School of Computing.
CHIEF EXECUTIVE OFFICER
Martin has spent 30 years in the security and technology sectors, building and diversifying businesses. He started his early career with Andersen Consulting (now Accenture) and BT, before spending 18 years with Detica, a specialist national security and cyber security business.
He helped to grow the business to over £400m in revenue over that time, becoming Managing Director for 6 years when Detica was acquired by BAE Systems and rebranded Applied Intelligence. Most recently he has been the CEO of De La Rue plc. Martin holds a Masters degree in Physics from Oxford University, and a Masters degree in Remote Sensing from University College and Imperial College London.