Every day, small UK businesses are targeted by an estimated 65,000 cyber attacks (Hiscox). Fortunately, cybersecurity expert Stuart Green is guarding the gate to our precious information, but what can we do to help him?
As the founder of his own recently rebranded group of cybersecurity companies, The Armour Group, Stuart has a tremendous amount of experience and expertise in the attacks and security breaches that plague businesses and individuals all around the world.
I was lucky enough to speak to the former Royal Air Force team supervisor, systems manager and airborne technician about the importance of cybersecurity, the dangers of the digital world, and his love of Lincolnshire and the RAF.
This week’s #KnapChat is a must-read for anyone who shares information online; some of you may be doing it without even realising. Don’t say we didn’t warn you!
KW: You were in the RAF for 23 years, what drew you into it?
Stuart: I grew up in the North East and knew I wanted to do something technical when I left school. As I get seasick just looking at the sea, a career in marine engineering didn’t seem like a wise choice so I looked towards the Royal Air Force and I joined as an apprentice at the tender age of 16.
I never looked back. I got on the train at Newcastle Central Station on 21 March 1990 and pulled into Swinderby station a couple of hours later. I had no idea that Lincolnshire would play such a large part in my life.
KW: What are your thoughts on the Red Arrows moving away from Scampton?
Stuart: It’s a shame that there’s the potential for anything to move away from Scampton as that base in particular has played such a large part in defining our “Britishness”.
It’s been home to national treasures such as the Dambusters, our V-Bomber force and our Royal Air Force Aerobatic Team and it is right in the heart of Bomber County so it’s a site that, as a nation, we should treasure.
When I joined the Royal Air Force, we were 108,000 people strong but when I left we were down to 35,000 so something has to give unfortunately, and it looks like Scampton is just the latest in a long line.
KW: You describe being involved with the Red Arrows as a “high point” in your career, what in particular made it so? What did you learn from being in that environment?
Stuart: Just like any other posting in my career, it was the people that made it enjoyable. It was high-tempo moving the maintenance operation for a fleet of aircraft nationally as well as internationally so there were challenges in plentiful supply. Being part of that operation which visibly thrills and has an impact on so many people worldwide was quite something.
It was also quite humbling to travel the world and be on the receiving end of praise aimed at the wider Royal Air Force. I think that made us all realise that we were part of something uniquely British and an extremely highly regarded force for good.
KW: When you got into technology nearly 30 years ago, what did “cybersecurity” mean? How has it changed?
Stuart: I think cybersecurity as a buzzword is quite new but the basic principles date back way longer than my short time on this planet.
The main change has been how it now literally touches people in a way that they haven’t been touched before. Victims are seeing more devastating attacks and it’s affecting them financially and emotionally.
Victims don’t just suffer fraud – there’s a way more sinister side of the cyber issue that affects our children more than we realise and grooming is effectively being conducted out in the open yet hiding in plain sight.
There’s also something within people that makes them feel safe at home yet that’s where they are the least protected because they’ve got a £10 router provided by their service provider which they are relying on to protect them.
We’re all feeling much more comfortable giving our data to faceless companies that don’t protect it and have questionable views on our own privacy. Combine all of these together and we’re beginning to feel safe in a warzone, completely oblivious to how exposed and in the line of fire we actually are.
KW: So why do people and businesses ignore warnings about cyber security?
Stuart: That’s the million dollar question right there, isn’t it? For some, they are of the opinion that “it’ll never happen to them” and they believe in that so firmly that they don’t do anything. For others, they believe that it is purely an IT problem so whoever looks after their IT will be completely covering their cybersecurity needs and that’s always a million miles from the truth.
There’s often a perception that cybersecurity is expensive and that is often fuelled by the fact that IT support is charged out at such a low rate, it leads to the IT equipment being massively de-valued – often, [insert name here]’s lad looks after the IT stuff because “he knows a bit about computers” (and he’s really cheap because he hasn’t left school yet).
It’s a huge problem in Lincolnshire where people are often naturally sceptical but it isn’t until their bank account has been emptied or something worse has affected them that they’ll act. Of course, it’s just too late, then.
KW: It can seem like a lot of doom and gloom for people when they think about staying safe online, what are the most important things they should do (or not do!) after reading this?
Stuart: The first thing to realise is that for every attack there’s a defence and we’ve got to have that willingness to defend what is ours. Even ransomware can be defended against so these issues can really become non-issues without it costing the earth.
A paid-for anti-virus is essential. A good quality firewall at home is essential. Despite what NCSC have recently said, having a good quality anti-malware app on your smartphone is essential. One that looks at your behaviour rather than just the apps is an absolute must.
One account – one password. NEVER re-use passwords. E – V – E – R!
There’s an old Russian proverb which is particularly appropriate here – “Doveryai, no proveryai” which means “Trust, but verify”. As a society we’re at risk of believing pretty much anything we see on our mobile phone screen and we’re easy to influence.
Confirming what you’re seeing from a separate source is really important as when we blindly trust an email, text or social media post, it can lead to problems.
Phishing via email (and Smishing via SMS message) is a problem. Nobody is ever going to find you via email and want you to hand over bank details so you can get paid the proceeds of a long lost [insert African state here] relative’s estate – that just doesn’t happen. Really, it doesn’t happen. Your bank isn’t going to send you a link to log in to your bank account via a text message. By all means, trust what you see if that’s what you want to do BUT you MUST verify its authenticity. Trust but verify.
If something is free, you’re the product not the consumer. Facebook monetises your data. Google monetises your data. Public WiFi often monetises your data. Your data is YOUR property and nobody else’s and you have a RIGHT to privacy.
When one online identity can attract a sum of over £800 on the dark web, we can’t say that we no longer have anything of value. Our homes, our castles, need defending properly. Trust but verify.
KW: What can you tell us about your experience of working with GCHQ? Is it as hush-hush as people think it is?
Stuart: ICATQ – I Cannot Answer That Question, Sir.
KW: You’re a father, how concerned are you about your children’s online safety? Are parents doing enough to lead by example?
Stuart: Phenomenally concerned. To the point where they get tracked wherever they go, whatever they do, often without their knowledge that they are being tracked. The last person a teenager wants as a parent is someone involved in cybersecurity, I assure you. But maybe that’s just me. Or maybe that’s just teenagers?
The short answer is that no, parents aren’t doing enough to lead by example but often that’s not their fault. Technology has advanced at such a rate that it is difficult to keep up if you are in the field. If technology isn’t your thing you don’t stand a chance. That’s why we help people out at home too.
KW: As one of the leading lights of tech businesses in Lincolnshire, what do you think needs to change in the region to attract more businesses like yours? Is enough leadership being shown in the right way at the “top” of the area’s hierarchy? What would you do differently?
Stuart: You’re not holding back with these questions, are you?! That’s a tough one but I suppose that an easy answer is culture. Culture needs to change. Lincolnshire as a county needs to value technology more – people don’t realise how much they need it or how dependent on it they actually are and they need to come round to the idea that it needs to be well-funded and well-defended.
I don’t think it’s a question of national or local leadership that’s the problem – we’ve got the National Cyber Security Centre and we’re leading the field internationally with the Government’s approach to how we tackle cyber issues.
Lincolnshire County Council were actually giving grants of £1000 to businesses who wanted to enhance their cybersecurity so it isn’t like the incentives aren’t there for businesses in Lincolnshire.
When it comes to businesses, that’s where we have the culture issue. In fact, I might be so bold as to say we’ve encountered yoghurts with more culture than some businesses that are handling personal data within Lincolnshire and that’s a terrible place for us to be as consumers. We often have no clue how businesses and organisations we deal with protect our data and we’re not in the habit of asking.
Boards and business owners need to be proactive about this rather than just assuming that whoever is looking after IT has it covered. We’re back to “trust but verify” again, aren’t we?
On a small number of occasions, we’ve actually been prevented from testing a business because someone at the top of the business didn’t think it was a good idea or that it was “ridiculous” to think that a bad guy might use a particular means to get sensitive data out of them – despite the tasking from the person in that business who is responsible to the board for protecting their data. How utterly insane is that?!
When you’ve got people like that at the top we know it is only a matter of time before that business will be severely done over and I always put good money on the fact that it will be that person at or near the top that will be the cause.
Obviously, at that point they’ll have the “we take cyber security very seriously” statement rolled out by the marketing department but that’s when it is too late and their reputation is in tatters. That’s when they get it. That’s when they wish they’d taken things a bit more seriously. They trusted but didn’t verify.
KW: People joke about emails from Nigerian Princes, but people must fall for the scam, otherwise they wouldn’t exist. How can this be stopped?
Stuart: Disposable email addresses. Yes, these exist. How many times have you been in a shop where they’ve asked if they can have your email address to send you your receipt? I’ve hung around the tills in various shops before and just counted the number of email addresses I can get – I usually aim for 50 and time how long it takes to get there (normally less than half an hour). It’s mental how willingly we give this stuff away.
Now, if we start trusting but verifying, we can trust someone with a disposable email address, like one provided by 33mail, and then we can verify how it is used. Let me explain…
Say you had an account with 33mail and your account name was “wilko”, you’d have ANY email address in the format @wilko.33mail.com, right? So, you could use email@example.com, firstname.lastname@example.org, email@example.com, etc., etc. for the faceless organisations you deal with. These emails get forwarded on to your actual email address by 33mail. If you don’t want to receive emails from them any more, you just block that address – simple! That way you can give AN email address to these people who ask for it (Trust) and then you can see what they send you OR who they sell your data to (Verify). This way you don’t need to expose your own email address, you don’t feel bad at the till for not giving one to whoever asks for it and you also find out how they use your data.
It’s also really important to know IF you have had your data leak out of an organisation because they have been breached. You don’t need to get all geeky and jump onto the dark web for this. You can easily do it through https://haveibeenpwned.com. Pop your email address into the box there and it’ll tell you if your password has been leaked.
For businesses that get these types of emails, it isn’t something that they need to put up with. Zero spam emails per day is achievable. Granted, it does take more than just a filter to do this but we aren’t talking huge sums to make something work. It just takes the will. It just takes the culture to want to do it.
KW: KnapChat is all about relationships, to what extent is the online world damaging or enhancing relationships, in your experience?
Stuart: There’s a book called “The Jungle is Neutral” by F. Spencer Chapman. Having completed the RAF’s jungle survival course, I can safely say that the jungle is as beautiful as it is ugly, as enjoyable as it is horrific. The online world is exactly the same.
For every wonderful person out there there’s a despicable individual to match. For all the innocent children and unassuming adults there are paedophiles and criminals in plentiful supply. We need to remember this – just because we can’t see them or touch them, it doesn’t mean they aren’t there.
KW: They say people are often the weakest link, what can businesses do to mitigate that risk and how can people adapt their behaviour to be less of a liability?
Stuart: The easy answer is speak to us (The Armour Group) on 01673 898001 and we’ll tailor the solution to fit the business and the budget! You knew I’d say that, right?
Seriously, though, we’ve been doing this a long time and have seen stuff that we can’t unsee. We’ve seen how desperate people can be when they’ve found themselves as the victim. Trust me when I say that seeing one person take their life as a result of cybercrime is enough but many more will do it if we don’t stand up to this and change our culture.
We believe that everyone has the right to be safe online and we’ll move heaven and earth to ensure that the people we work with feel safe, feel protected, feel like they have an army behind them on this virtual battlefield. Knowing how the bad guys are attacking them, how the bad guys COULD be attacking them and how they are defending themselves is critical for any business or any home.
Our workplaces and our homes are our castles yet we don’t have moats, we don’t have a drawbridge, we don’t have battlements or even bows and arrows. We’ve got open windows, open front doors and, often, open back doors too.
It isn’t hard to win this war. All it takes are three little words – “Trust, but verify”.
Earlier this year, the BBC reported that: “More than £190,000 a day is lost in the UK by victims of cyber-crime, police statistics show.” There is no denying that online hacking and virus attacks are a huge threat to society, and one that we are completely failing to deal with appropriately and proportionately.
“We’re beginning to feel safe in a warzone,” says Stuart Green, “completely oblivious to how exposed and in the thick of it we actually are.” This was the first in a series of battle-themed metaphors he used to describe the dangers of cybercrime, and coming from a former RAF Team Manager and Airborne Technician, that should really mean something.
If this article can cause even just one of you to sit back from your phone or computer or tablet or laptop and seriously consider how well (if at all) you are combating the threats knocking at your virtual door, creeping through your digital windows and lurking in the dark corners of your online home, then I’ll see it as a huge success.
“Everyone has the right to be safe online,” says Stuart. “And it isn’t hard to win this war. All it takes are three little words…
“Trust, but verify”.