
How Dundee’s ethical hackers are helping businesses combat the growing menace of cyber crime

Hackers got access to the company in 2020

Michael Alexander speaks to two young ethical hackers based in Dundee who recently worked with the CyberScotland Partnership to create videos aimed at opening up conversations on cyber security.

It is the digital revolution that now touches almost every area of our lives.

According to Datareportal’s Digital 2021: Global Overview Report, as of January 2021, there were an estimated 4.66 billion active internet users worldwide – 59.5% of the global population – 5.22 billion unique mobile phone users and 4.20 billion active social media users.

An estimated 300.4 billion emails were sent and received every day in 2020 and 2.27 trillion SMS messages were sent through the year.

Our society is now almost entirely dependent on the continued availability, accuracy and confidentiality of its information and communications technology, whether that be for economic health, the domestic machinery of government, for national defence or for day-to-day social and cultural existence.

Opportunities bring risks

But while digital connectivity brings great benefits, the opportunities also bring risks.

From stealing bank details or valuable intellectual property from companies, to the distribution of terrorist propaganda, cyber security has been ranked by the UK government as a threat to national security alongside the likes of war, terrorism and natural disasters.

Foreign states, criminals, “hacktivist” groups and terrorists can all engage in cyber espionage and computer network attacks.

According to a recent UK government survey, 39% of UK businesses came under cyber attack in the first quarter of 2021, with many incidents causing significant damage.

The specific costs depend on the sophistication of the attack and how well executed it was.

Attacks could range from systems being offline for a few hours, creating a frustrated workforce and unhappy customers, to an attack that infects an organisation’s systems with ransomware that cripples them for days and weeks.

As well as the loss of data, recovery alone could cost millions of pounds, plus the risk of reputational damage.

The seriousness of the threat to national security was underlined recently when the UK government confirmed that its cyber-attack agency, known as the National Cyber Force, will be based in Lancashire.

The organisation aims to counter threats from criminals, terrorists and hostile states and brings together officials from MI6, cyber-spy agency GCHQ and the military under a unified command for the first time.

However, at an organisational and individual level, there are certain things that can be done to reduce cyber security risks.

Role of ethical hackers

One way that the resilience of computer systems is being tested is through ethical hacking – also known as penetration testing – whereby hackers are employed to legally break into computers and devices to test an organisation’s defences.

The Courier spoke to two young ethical hackers, based in Dundee, who have been employed to identify vulnerabilities in companies’ systems.

Twenty-year-old Allena Matheson-Dear, who has just gone into her third year of an ethical hacking degree course at Abertay University, and 23-year-old Abertay University ethical hacking graduate Declan Doyle, both work with the SBRC (Scottish Business Resilience Centre).

Allena Matheson-Dear

Allena, a former Linlithgow Academy pupil who “always knew” she wanted to study ethical hacking at Abertay, has been working part-time with SBRC since January.

Meanwhile, Declan, a former pupil of St Mungo’s High School in Falkirk, joined SBRC part time in January 2018 and is now SBRC’s head of ethical hacking and client services.

Declan explains: “Ethical hacking is basically hacking with permission in order to identify in an organisation where you could be hacked. Literally the best way to do this is just to get hacked.

“So rather than waiting for a hacker to hack you and steal your money or your data or anything like that, they’ll ask people like myself or Allena to hack into them and then produce a report based on the ways that we did it.

Declan Doyle

“Then we’ll say ‘right here’s how we hacked in and here’s how you stop it’. You are basically plugging the holes before there’s a leak by using the same techniques that a criminal hacker would use.”

Basic threats to business

Allena says the first thing many organisations think about when it comes to hacking is money being stolen.

However, it’s vital to think about data as well – particularly with tighter rules on data storage and management now in place under GDPR, where fines of millions of pounds are possible. Another area for organisations to consider is potential reputational damage.

“Even if it’s a hacker taking down a web application or a web site for a day, people are going to remember that,” she says.

“If a website is your business, when people are choosing what website to use they are going to remember a time when the website was down and potentially choose someone else.”

Allena says one of the things that attracted her to ethical hacking is that there’s always something different to learn.

The reality is, she says, that organisations are “never going to be completely secure”. The key is to be “one step ahead of the hacker and making it as difficult as possible”.

At the same time, however, Declan says there can be a misconception when it comes to cyber security.

While it’s true there are always going to be risks, the truth is that for the vast majority of small and medium businesses, it’s not the super sophisticated hacks that catch them out.

It’s basic oversights such as not keeping computer systems up to date or not having a strong password.

Phishing is another problem, with something like 80% of cyber attacks due to “human error” – for example, employees opening an infected spam email.

Businesses might think they won’t be able to keep up with ways to stop hackers when the reality is that perhaps they’ve not been taking simple measures in the first place, such as having extra password security protocols or training staff how to spot a phishing email.

Building resilience

“When businesses think ‘oh I’ll never be able to keep up’, the truth often is they weren’t doing it in the first place. They were never even at that level,” he says.

Declan explains that SBRC is a non-profit organisation with the purpose of improving the resilience of organisations across Scotland.

“As you can imagine a lot of that involves cyber security these days,” he adds.

“There’s a mad statistic that over 50% of crime committed in Scotland is cyber crime which is mental to think about. A large part of what we do is making businesses and organisations more resilient to cyber crime.

“Things like making people more aware of phishing, raising awareness of cyber security and the fact that it’s not the job of the IT person – although cyber security is often tied in with IT and it is very much a computer based topic.

“It’s computer based in the way that everyone is using computers now – for example, using Teams. So equally it’s everyone’s responsibility to manage cyber security.”

‘Hands on’ at Abertay

Abertay created the world’s first ethical hacking course in 2006 under Colin McLean. Declan says there are more universities offering somewhat similar degrees nowadays, but where Abertay shines, he says, is that it’s a very “hands on” course.

As part of their assessment, for example, students will hack a uniquely generated website or network and write a report as if submitting to a client.

Because students are being taught the same techniques criminals would use, they are asked to sign contracts at the beginning of their course declaring that the techniques should not be used for illegal purposes – or face being kicked off the course.

Simple mistakes are made…

Declan is still amazed, however, how many companies can make simple mistakes.

For example, he says, one of the most obvious areas companies overlook is when they outsource the management of a printer or buy in a cheap IoT kettle or camera. The reason they are cheap, he says, is because they can be “easily hacked”.

Declan doesn’t think the increase in home working during Covid-19 increases the risk of cyber breaches per se.

Problems might arise if employees are working remotely and are a bit more disconnected.


Perhaps then they are more likely to fall for a phishing email. So long as organisations have a core message about cyber security, however, he does not think they are more at risk.

…but don’t panic!

The message he likes to get across is that organisations don’t need to panic. But they can help themselves by following some simple advice, such as that included in the series of new bite-sized SBRC videos.

“I always say to people, especially if they are reading something like this – people think ‘oh my god cyber security is something we need to panic about’,” he says.

“I say don’t. There are so many resources out there. SBRC has huge free resources available. There are organisations up and down the country that are similar.

“The UK and Scottish Government offer resources too. It’s not something you have to worry about by not knowing where to go.

“Things like using two factor authentication and not looking at confidential documents on a bright screen via public wi-fi in a coffee shop can make all the difference!”

To see more SBRC cyber awareness videos go to www.cyberscotland.com/sbrc/cyber-awareness-videos/