In this episode Demi provides an insight in to Safer Internet Day which is on Tuesday 9th February 2021.
You can contact Tarian here.
Items mentioned in this podcast are below;
For general Cyber Security;
Please forward any Phishing emails you receive on to email@example.com and any text messages on to 7726.
Our hosts today were Patrick, a Detective and Cyber Protect officer for the West Midlands Regional Cyber Crime Unit (WMRCCU) part of the West Midlands Regional Organised Crime Unit (WMROCU) and Demi the WMRCCU as an intern taking a year out from her University Studies.
Also, a member of the WMRCCU is
Hello and welcome to the Cyber Threat Weekly your podcast by the police delivering you non technical Cybersecurity Awareness.
I'm Patrick Detective and Cyber Protect Officer within the West Midlands Regional Cyber Crime Unit.
And I'm Demi I work alongside Patrick on Protect and also Prevent.
Today we're going to speak about Safer Internet Day. First of all, he will give us a good insight into what it is and then we'll speak to one of our colleagues in the Regional Organised Crime Unit for South Wales.
So Tuesday, the 9th of February marks the 18th edition of Safer Internet Day. So a little background about this initiative is that it was started in 2004 and takes place annually across the globe. With the theme of coming together for a safer internet for all, especially children and young people this year Safer Internet Day in the UK will focus on reliability within the online world and we'll explore how we separate fact from fiction. I'm sure we are all aware that the internet can be both a great resource, but also a misleading and dangerous place for a child. Therefore, it is important to ensure that we educate not only them but ourselves on how they can stay safe online. The sSafer Internet Day website gives useful tips such as having a conversation with your child about their online activity. Understanding what children are doing online is the first step in understanding how we can help them support them. Discuss the types of people and pages they follow. Are they appropriate and in line with this us safer internet day theme is the information they are consuming, reliable. Educate them on the real world implications of their online actions and how this can impact not only them but others. Even from a young age, it is important that children are aware of their digital footprint and online privacy. It is important that they are aware of the people they are sharing the content they post with and highlight the importance of keeping personal information safe and not to share it with strangers. And although we never want anyone to be in a position where they would have to do such a thing. It is vital to discuss with your child the importance of reporting inappropriate conversations, messages, images, or behaviours and how they can do this. Another tip Safer Internet Day talks about is setting an example if you come across a fake news story or get sent a phishing email. Why not make this a loon opportunity you can discuss with them how you spotted it and let them know how you dealt with it. If you see an unreliable article or resource maybe show them how to fact check reliable websites or books. For more information visit saferinternetday.org. It has many resources and a lot of information for everyone including parents, carers, and professionals of all vocations. You can also find information for training opportunities and free virtual events. And like I said before, Safer Internet Day is celebrated around the world with around 170 countries now involved. So if English isn't your first or preferred language, they have resources in many different languages.
Thank you very much Demi for that we will now go and speak to our South Wales colleague Rhi more precisely from Tarian, the Regional Organised Crime Unit for South Wales if I have missed lead or miss described anything there, please let me know Rhi Yeah, we're going to talk to Rhi, about what's going on in South Wales with Tarian and what they're up to and for anybody listening in South Wales, or they can potentially assist with Rhi would you like to tell us about yourself and Tarian and pretty much anything you want to tell us about?
Yeah, great, thanks, Patrick. So yeah, I'm Rhi and I'm a Police Regional Cyber Protect and Prevent officer. And as Patrick said, I work for its Tarian Cyber Crime Unit. So it's a police organisation that covers South Wales Gwent and Dyfed-Powys Police Forces. There's a few things that I'd like to talk about today, including Safer Internet Day, and current threats to small and medium and enterprises, a new government tool called Police Cyber Alarm, and hopefully some advice that you can implement straightaway.
So the first thing I'd like to talk about is actually Safer Internet Day that's happening at the moment. So Safer Internet Day is basically where the community can come together to share knowledge and advice on how we can be safe online in both our personal and professional lives. As with many cyber industry specialists Tarian have run a campaign to highlight tips and tricks to being safe online. So two of the things really is one is where we've recorded a video, but the most googled questions in cybersecurity, and it's quite funny. So there's a few bloopers on that one. And another one is running a competition for young people where they can create a short video about the Computer Misuse Act, to get those youngsters involved. And the cyber community is coming together in podcasts like this that I'm doing today with Patrick and to increase knowledge and raise awareness because there's four tier one threats to UK National Security, and they are war, terrorism, natural disaster or pandemic. So if you'd asked anybody 18 months ago, which of the four would be next to hit the UK? I'll be honest, I doubt anybody would have said pandemic. But here we are. I don't think people realise the severity and vulnerability we have when it comes to cyber but it is one of the big four for a reason.
One of the biggest cyber threats to businesses in the current climate is impersonating scam. So millions of pounds of loss by individuals and businesses each year due to impersonation scams. And this number has definitely raised due to the pandemic. Now, with most businesses having to quickly adapt to staff working from home, there's definitely a vulnerability that criminals are exploiting. And the recent Hiscox report speaks that one in three small businesses have fallen victim to cyber attack, and the message needs to be one of high alerts of all organisations.
With intelligence reported to UK finance, the impersonation scams rise is partly driven by criminals exploiting COVID-19. So these scams include forces sending emails to businesses pretending to be from government departments, offering grants for furlough all the way through to free PPE. Additionally, criminals are exploiting the growing numbers of people working remotely by posing as IT departments, or software providers, and claiming that payments are needed to fix problems with your computer or your internet, broadband. And criminals will research your target first. So using information gathered from scams, social media, even your business website and data breaches. In order to make their approach sound genuine, they will often try and rush or panic you into making a payment. So make, for example, that you can't get access to your data or your software. So there's a common theme with businesses that I talked to in that higher awareness of phishing emails seems to be more relaxed when you're working from your sofa than from your office desk. So you will be aware of what phishing is. So I'm not going to teach you to suck eggs, but it's worth stressing to your friends and family and staff and colleagues, that the good practices that you'd have in an office, they really need to stand when you're working from home at Tarian. We've also seen a spike in phishing emails with the focus from attackers now using COVID as a reason for you to click on those links and emails. False alerts warning of revised lockdown restrictions in your area, links to fill in details about yourself to track or trace or to book in an urgent COVID test that you must pay for. Now when I say it like this in a podcast, it sounds like common sense and when you look at it rationally it does. But attackers are becoming more and more sophisticated in their approach, questioning the legitimacy of how every email should be it's standard practice. And it's something that we need to stress going forward. We're in an unprecedented situation at the moment. So we don't really have enough to compare to, to taking the time to stop and think about it is really the best advice. If you suspect an email is phishing. Obviously, the general advice is simply to delete it. If it is genuine, and obviously someone will follow up with you. But you can also report it to firstname.lastname@example.org. And this will allow the government to collect the data and spot any trends, best increasing awareness for everybody. I think the most important thing is that education, awareness and staff competence really are key when it comes to being safe online. Because 80% of businesses see that cyber security is high priority for senior management. And the question really is does that high percentage include your business? Are you relying on pre existing cyber safety plans that your business had in place before the pandemic? Or have you updated them to reflect the changes? Have you revised your cyber security policy accordingly?
I mean, at the end of the day, it is difficult enough for businesses to get to a pandemic without cyber attackers making it harder. And you might be in a fortunate position where you've got a dedicated department looking after your business needs and your security needs. And you are perhaps prepared against ransomware attacks, impersonation scams and cyber threats. You may even have a financial safety net in the event that attacks does happen, and that you can rebuild and patch your cyber security after an attack and you could spare the 1000s of pounds of this could cost. Your staff may or will be so queued up that people like myself and Patrick could be out of a job. But even with all this, cyber criminals are constantly developing their approach and becoming increasingly sophisticated, and it's up to everybody to make protecting themselves against this a priority.
So there's so many ways and resources available to UK businesses to help with this. And Tarian is just one of them. We have an arsenal of tools to help you. And one of them can be presentations where we can do this remotely or in person when COVID allows. We can engage you with practical exercises such as Decisions and Disruption Game, which is an active Lego game that many of the Regional Organised Crime Units have access to not just in South Wales. We have this arsenal of guidance and information for you to help support you. So it is worth getting in touch with your local Organised Crime Unit to see what's available.
One of the things that you've highlighted there was about the reporting tool that's available. And you know, I read something very recently, which was quite interesting. This was marketed quite strongly last year in 2020. And I've just read some figures that says as of the 31st of December 2020, the number of reports received does stand at more than 4 million. With more than 26,000 scams and 48,000 URLs removed. Sadly, the number are quite stark when you look at them like that. And the more reporting the better, because we can't know what we don't know. But thankfully, we know a lot more now, thanks to this tool.
Absolutely. And at the end of the day, we can't do anything about things we don't know about. So by reporting incidences, even if you're not sure, just by reporting, it makes a huge difference to the back end, and what we do behind the scenes and the police.
And one of those reporting systems, like I say, is Police Cyber Alarm. This is a new government funded tool, which has been recently made available, and it can help businesses increase their cyber security. So you may have seen some information for this online. And our region here in Tarian, was one of the pilot regions for police cyber alarm, and it's already proving really successful with proactive businesses that have installed it.
What it basically does is it offers near real time monitoring of cyber threats that organisations face every day. Cyber Alarm is a data collection and analysis platform and can continuously collect data without any impact on day to day organisation operation. The data that's sent to the Cyber Alarm system does not contain any private data or any traffic information, only the data sent is meta data, which is data about the traffic itself, not the traffic. And additionally, it's securely encrypted and compressed by the team. It kind of acts like a CCTV camera monitoring that metadata traffic seen by a members organisation to the internet. And the reports for businesses who are members of Cyber Alarm receive contain details of suspected malicious activity, enabling you to minimise your vulnerabilities and to protect yourself. But the good thing about it is also that the information that gets reported is also sent to the police. And this data can help us monitor and predict trends. And we can provide alerts and awareness to those trends back to businesses. And it's a great way for business and police collaborating to help stamp out cyber crime, which is kind of related to what you said earlier about the reporting. We can't do anything about what we don't know about. And this is another method for us to do that. If Cyber Alarm is something that you'd like to find out more about. It is being rolled out nationally to the UK. So obviously with Patrick works in West Mids and of the other Regional Organised Crime Units, it is becoming widespread. So you might find that your region is now active. And the best place to find out more information on this is the cyber alarm website, which is cyberalarm.police.uk.
The way you described it, you summed it up really well there acts like a CCTV system, it doesn't interact or interrupt, it just is more passive data that's collected, that then is used to great extent. So it's a brilliant tool.
Yeah. And it's helping both you if you're a business owner, you're part of the business and helping you obviously monitor that information because you get those reports. And you can choose whether you have the monthly or quarterly or annually, and you can obviously see what's going on and see where your vulnerabilities are. But also it helps us in the police because having that information and those trends means that we can provide the right guidance, whether it's in a podcast like this, or we put fliers through doors, and we post on social media, we can tailor the advice around the threats that we are monitoring. And the best way to do that is to have more data.
I was just wondering how accessible is that Police Cyber Alarm? Is it a paid service a subscription? Or is there something that businesses can get for free?
I mean, that's a really good question. So please sign belong is government funded. So it's at no cost to businesses, the only real requirement is that you have a firewall, the terms and conditions and also the criteria for you to actually become a member of Police Cyber Alarm. And it's actually all on the information page on the website. But as I say that the main thing is that you have to have a firewall, but if at no cost to your business, and that will never be the case. There are obviously lots of options out there for paid services for scanning and things like that. But Police Cyber Alarm is a government funded policy.
Great, thank You.
Great, thank you very much for that, we're going to learn more about Cyber Alarm. In a later episode, we're going to get somebody from Cyber Alarm to come on. And anybody wants to know more about it, we hopefully will be able to preempt potentially questions, because we're going to give you a good full rundown of it. But as I said, we'll put the links into the show notes anyway, for those who want to get a bit of a head start and learn a bit about it.
The main message for me to hope to get across today is that the police can't do anything about attacks or phishing emails, or even smishing, which is your SMS. Phishing. If they don't know about ticks reporting it is a key step. So if for example, you entered your bank information incorrectly, or to a spam website that you think is perhaps untrustworthy, the first priority must be to contact bank safely. And you obviously can do this by calling the number on the back of your bank card or visiting your branch when COVID allows or even go through your bank secure app. And the same goes for obviously reporting to Action Fraud, or the report@phishing email address, which obviously helps us collect that information and be proactive in our responses. With cyber security, the main thing is that we're really stronger together and sharing our knowledge and experience helps us all in the defence against cyber crime. And that goes so listening to a podcast like this or getting your information from the NCSC website.
And there's a couple of things that I'd like to see the hopefully people can take away and know that you must be proactive in protecting others against phishing and smishing. And the best way that you can do this is to forward text messages to 7726. And that basically gets picked up by your network, who will then investigate. And again, that message of reporting. And the same as it goes to earlier was for the emails email@example.com, which will help the police and the Regional Organised Crime Unit, and the government to spot trends. I mean, if you are a business, or you're a member of one that wants to increase cyber security defences, can take a look at that Police Cyber Alarm tool that Patrick mentioned will be in the show notes for you. And you can talk to your loved ones and colleagues. Unfortunately, we haven't do this via zoom and WhatsApp and FaceTime at the moment. But your cyber security is only as strong as your weakest social connection. So it's worth having those conversations on a regular basis.
And the last thing really, for me is to remember that it happens to us all. I mean, this is my job. And I still have to be really vigilant when checking my emails and my messages, because cyber criminals are becoming really sophisticated. Cyber vigilance is like a skill. So whether that's driving or cooking or dancing, you have to practice to be good at it. So to taking the steps like using three random words, your passwords, not using passwords across all of your accounts, watching out for phishing emails, listening to information to make sure you're getting the most up to date advice. This is a skill that you have to actively develop, and it will eventually become second nature, the more that you do it. And let's face it, technology is developing so quickly that cyber security is a skill that we're going to need for the rest of our lives.
I couldn't agree more. One of the most common things that we say to people is it's not an IT issue. It is an everybody issue. You can make a comparison with Health and Safety, in a business. It's not the Health and Safety person's responsibility. It's everyone and equally, not the IT department in your organisation, because unfortunately, no matter what measures an IT department put in place, if unfortunately, we do receive those very sophisticated phishing emails, and we click on a link or download an attachment whilst at work. There's only so much that your IT department can do they need you to help them.
Yeah, exactly. I mean, a scenario that we like to use and carry on is if, for example, you're in the office, and it's normal time pre or post COVID. If there was a fire in your building, you wouldn't phone the fire department, then sit back at your desk and wait for them to deal with the problem with you, you know, you wouldn't sit there amongst the flames. And the same goes for exactly that there's a plan in place people know to evacuate the building, people know who the fire marshal is people know where the fire extinguishers are. Everybody knows what to do in that situation. And it's talked about and it's planned ahead of time. And the same goes for cyber, you can't predict if and when you're going to have a cyber attack. But when you do, you don't sit back at your desk amongst all the flames. You have a plan in place, and everybody has to be proactive in dealing with the solution.
That's an amazing analogy that I wished I'd have thought of. Yeah. And if I do use it, which I can't promise I won't I promise I won't plagiarise, I will I will reference accordingly. Yeah. That's fantastic. I'm very pleased with that. Is there anything else you would like to say about Tarian on specific to the South Wales region, anything at all you want to say please feel free to if there's any other sort of initiatives you want to highlight?
There's a lot going on behind the scenes, I think, as is the case of everybody at the moment, we're all sort of pedal to the metal trying to get work done. But the main thing for me is that a lot of people don't realise that we're there. And the same goes for all of the Regional Organised Crime Units across the UK, when people think of cyber attacks and needing to get help from a police, we think of it as a force level issue. And they don't realise that there's a step above that a regional unit that can be there to support you.
The point of it is, is that because we police we dont charge you, there's no security advice fee, there is no coming out to visit you charge. There's none of that. The point is, is that we're industry professionals, and we have the training and experience behind us. And we're here and we're government funded, because we are public servants at the end of the day. So we do have obviously the protect messaging, which is a key part of what we do. And that doesn't matter the size of your organisation, you could be a one man band all the way through to several 1000 employees. We can tailor that messaging around your current working situation if your staff are at home, and we can deliver it in a way that's appropriate to you. And the same goes across the region. So wherever you are in the UK, check out who your Regional Organised Crime Unit are the services that they offer, whether that's messaging or deliveries or presentations, or even phishing exercises like we do with not to phish, which is a free exercise where we would phish your employees in a controlled exercise and deliver you that data so you can see who is vulnerable. This is stuff that's available and it's worth checking out your region's website to see what they've got on offer.
Absolutely, and again, in the show notes, there's a link that can take you to the NCSC website which will then give you the list of all the contacts, email addresses for all the Regional Organised Crime Units within England, Scotland, Wales and Northern Ireland. That's brilliant. It's really, really good. I think it's worth bearing in mind just to sort of add to what's already been very well explained, worth bearing in mind that the UK is the sixth biggest economy in the world. And one eight of its GDP comes from the online economy. That's actually the largest and the G 20. So it's worth bearing in mind that the UK is a very attractive target for cyber criminals. And because of that, the government has realised this a number of years ago and has invested in what's known as a National Cyber Security Programme. So that's why people like myself and Demi's here today, we don't come out of a local policing budget, we come out of a national central government budget. And just to re emphasise, again, what Rhi said we're the police. There's no expenses, no fees, nothing like that whatsoever. If we can provide information awareness and guidance diary allows the answer will be yes. And we do operate at all levels, there is local representatives, but Rhi, Demi and myself, we work at a regional level to do anything else you'd like to add Rhi.
No, I mean, I've just wanted to say thank you for the time really, it's great to talk to another Regional Organised Crime Unit and to see what's going on. But ultimately, the main thing is to get the message out there and hopefully, people have enjoyed listening to what we've had to say today.
You've had some really valuable stuff and you're the first non West Midlands Region Organised Crime Unit we've spoken to on the podcast, but I'm sure won't be the last because our aim is to basically speak to everybody and some people will be reappearing again in the future like yourself, Jimmy, do you have any comments, observation or even question for Rhi?
I don't think so. I just want to thank her for insight has been very interesting, and I certainly learned a lot and I'm sure our listeners would have learned quite a bit as well.
Yes, definitely very grateful and I certainly welcome you back as often as you can fit into your diary.
Thank you very much. Bye for now.
That's all we've got time for this week. For more information on cybersecurity, please visit the National Cyber Security Centre, Action Fraud, CyberAware and Take Five website.
Don't forget we have our own website wmcyber.org.
Anybody listening to this would like to contact us for any guidance and education in the area of cybersecurity, how to protect and prepare yourself and your organisation. Whilst online. Please use the contact details in our show notes.
Thank you and goodbye.