The looming presence of a shared problem is, historically, perhaps one of the greatest drivers of collaboration and co-operation known to the world. From fully co-ordinated strategic alliances to the putting aside of differences in views, the oft-quoted “an enemy of my enemy is my friend” mantra undoubtedly holds true. It is far from a surprise then, to see NHS Digital and a number of UK Universities, far from enemies to begin with, working hand in hand to confront their very own elephant in the room: Compliance with Information Governance regulation. The NHS-Higher Education Forum Information Governance Working Group is, in the words of its Chair, Bridget Kenyon, the collaboration built to address these common issues. Describing her role as a liaison between the 35 or so organisations that make up the working group and NHS Digital, Bridget ensures the group’s work on helping NHS Digital in compliance with the Information Governance toolkit is fully understood. We sat down with Bridget, whose role as Head of Information Security at University College London combines with her role as Chair of the working group to make her uniquely qualified on the subject of Information and Cyber Security.
While UK higher education may largely avoid the glare of the average cybercriminal, attacks do still occur, and Bridget’s role with UCL is crucial to the organisation being prepared for this ever-changing threat. Delving into her work on the psyche of the cybercriminal, Bridget mentioned the role of Cyber Security in geo-politics, and emphasised the importance of understanding the motivations of those behind attacks, be it a simple ransomware sting on a company or a politically motivated systems shutdown. Referencing the increasing physical manifestation of digital in our everyday lives, Bridget warned of the risks of a country neglecting its cyber security, leaving it open to a whole host of dangers, ranging from the hijacking of democratic processes to, even more chillingly, significant military advantage in the event of war.
A particularly well-publicised form of cyberattack is that of ransomware, with high-profile attacks such as Petya and WannaCry making worldwide news, and Bridget’s work on the motives behind cyberattacks also gives her an insight into this area. Taking a thorough look behind the keyboard of the cybercriminal, Bridget suggests ransomware is often used as the method of attack due to its ease of access and simplicity – both methodology and target selection are done on a risk-reward basis, which presents an interesting conundrum to organisations who find themselves breached by an attack. Pay the ransom and the problem may go away, but, in Bridget’s words, “paying makes you an easy target for the future”. She reasons that the cybercriminal asks two simple questions, “Can I get in? Will you pay up?” By answering the second question for them, you make yourself a more attractive target. Interestingly, such a method of cybercrime may also provide a degree of levity at times, with Bridget recalling a ransomware attack that included in its payment procedure a feedback form asking the user to rate and review the experience of being hacked!
Simply knowing the motives of hackers and the assets of your organisation may go a long way to mitigating future risk, but it is by no means enough on its own. Armed with information on the cybercriminal’s motives, and with hands-on experience of the sector, Bridget promotes a holistic buy-in process across organisations in order to combat the threats faced. Without top-down direction and bottom-up buy-in, Cyber and Information Security will struggle to maintain its lead over cybercriminals, and it is this method Bridget therefore advocates clearly: “it is incredibly difficult to achieve an effective strategy exclusively through a top-down or bottom-up approach, there has to be buy-in in both directions, a pincer movement in order to meet up in the middle and achieve success”.
Join Bridget at the Cyber Security Summit and Expo on the 16th November, where you can hear her as part of our panel: “Shared Lessons: Preparing for Ransomware Attacks and Disaster Recovery” at 3:25pm in Seminar Theatre 1.