Working from Home: Did Anyone Think About Security?

hello i've got my new background yeah don't just don't just don't i'm still processing that was so cool [Laughter] and i'm really glad we're a little bit out of sync on the diamonds it's all good um but i'm glad i got the end of lyric's talk as well because um i really wanted to see that but i was in the other track so all is well right we've got a panel coming up now all the panelists folks on please make yourselves known hello hey phil how are you and sam i'm good man how are you very good very good thanks excellent the only one on no no no i'm kidding pete's on yeah hi pete all right

you should have me as well phil hi everybody hi mark everybody's on all right um should we do a little kind of introductions to everybody um and then phil you're going to be leading this right yeah yeah indeed and i've built in some introductions within my questions yeah that's cool that's cool so uh my name's phil jackman i lead on cyber north regional cyber security cluster developed by dynamo northeast these people behind me and supported by accenture in the innovation super network there's 10 cyberfest events on throughout september so please look out for the others in the series so now we're going to go through this panel session with the title of so all working from

home did anyone think about security so i'm going to start with pete that's okay this is the first time that we've met i think and so you can tell us a bit about yourself and you work at pulsant yeah so certainly so um i i am employed uh with impulsion or hopefully everybody in the northeast will know off we're a merely uk data center hosting hybrid cloud company to um technical solutions um i primarily work now i'm an ex-engineer my background is in sort of client service systems networking cisco security vmware esx virtualization that sort of thing but now i work in a small team of technical architects and when business opportunities come in i work

with the sales department to make sure that our solutions are tailored to whatever the client is requesting um be that uh cool cloud private cloud hybrid cloud or on premises we pretty much will tailor whatever we do to the clients requirements and i've been doing that for about nine months uh before that i used to get my hands dirty but no no not so much so if ever there was an opportunity covet must be it and so tell us how's that affected the way that the company's been working um very much so i mean i i'm really i'm really pleased with the way that paulson sort of reacted to the the whole corvid thing um my team

because i've changed roles and been promoted whilst all this has been going on so when this initially started uh in february my entire team was was sent home and took the work from home until further notice um this was pretty much before anybody else reacted so we were we were a little confused at the time because at that time everybody else wasn't getting sent home i think it was more that they didn't want the engineering firm or the engineering element of the business to all go off sick at the same time possibly um but obviously as most of you will appreciate um we are a sort of data center-centric company so um the actual uh

user requests that were coming in for remote access to um either their own uh equipment or their on-premises equipment um went up dramatically and obviously with an element of remote working we've had a massive uptake on things like shared desktop and vdi environments um to deliver sort of core business applications back to those businesses and that that's ramped up dramatically excellent excellent sam i'm going to come to you now if that's okay but before i start just what a fantastic event you must be really proud of you and ben a huge amount of work with the rest of the team into that so you and i go way back i think at least a few months

what's happening to you next to being um once covered struck well you know it's it's been an interesting ride i mean we're all still working from home um there's a few people started to move around if they're in countries where you're allowed to do so um but yeah we moved to working from home pretty quickly we also had um it was it was well publicized on twitter um i i dodged going to rsa this year and one of our employees actually got sick at rsa um and god was very ill with covid so um and we we decided as a company we were gonna i tell people that's what happened because he was working the booth um

so we we got various reactions on twitter around that i mean fortunately he's fine he was like he was in a coma for like 16 days um really poorly and the company um were were incredible on all counts really they did a lot to communicate both what was happening with him but what we were doing to keep the employees safe um to keep the workforce running so um it was it was a big effort but they they mobilized super quick to get everybody you know up and running at home um obviously we all live in zoom right now it feels like we're working very long days very long days i work from home anyway so the only thing that was really

noticeable to me was all of a sudden my husband's at home more and then there was this small child running around so you know we've all had kids and animals on on calls a lot of late it's because it's become like a window into people's lives really but um yeah i think eczema has been awesome both from a um for internal employee point of view but also just kind of pivoting what we do for our customers and how do we how do we help them through this because it's been sucked up zoom call would be the same without a child or small animal so that's an interesting point that you've made because we're talking about

covert from a uh cyber security kind of perspective or a technical perspective but there's a physical security aspect as well okay so do you think that the has this changed the way that x beam thinks about security from a what's from a cyber security support from either yeah i think we've um what we have what we've where we've definitely changed is there was more of a feeling that you know you had to be part of the office in a lot of places if you were working at hq you had to be seen in the office and doing stuff in the office um so therefore you had to be you know living near it so everything says i'm not answering

your question properly i know but i think what it has changed a lot and i think this is for a lot of organizations is now changing like you can employ people all over the place now it's really i think it's going to do a lot for actually diversity and inclusion because people don't have to physically go and sit in an office and we it's been shown that people can work from home um i think i know we're going to talk about a bit later on but there's a whole question now about securing the home versus securing the office so that i think's been a big shift for everybody i won't i won't steal off thunder for

later excellent excellent i'm going to come back to you pete you don't mind it just uh really manage service charity kovic it really plays at this space there beautifully would have thought was there some sort of panic at the start of the of the lockdown line um well only in so far as capacity i mean most people most businesses only really um budget for us quite a small amount of their stuff to be remote working at any time um obviously my background is in sort of cisco perimeter security so we're talking any connect in those sort of remote access vpn solutions typically um a business will only deploy between five and ten percent of their actual

um bums on seats manpower into licensing for remote access vpn um as you can appreciate when there was a massive move from office to home networking there was a massive shortfall in the amount of licensing um so for for a few weeks i was literally jumping from firewall to firewall increasing licensing for these people and early march probably the first two or three weeks that that was solidly what me and my colleagues were doing just just ramping up stuff that businesses already had um so yeah um not so much in the tail end in the last couple of months there we've seen more um a move from um shared desktop type networking that hasn't particularly fared very well

if you've got 40 or 50 users on a shared desktop environment all trying to do microsoft teams meetings which we're all doing at the minutes then it's not very good at all hence the reason why we're moving heavily into reinvesting in our vdi platforms and shared desktops and were the vendors then okay with the licensing demands where they're very strict in terms of uh you've got to be having yeah i mean like i i keep mentioning this it's called because that's my background but we're not solely a cisco house we've got a lot of dune or some fort in it but it's not available yes yeah yeah other vendors are available um cisco moved very quickly

to give people free licensing the model that they have for licensing is they have the they have the ability now on the newer platforms to restrict licenses they give you to a certain time period because they want everybody to go into a rental model so they get recurring revenue but the upside of that is that they were very quickly and for zero charge to the customer be able to re-license all their hardware products to their maximum um per hardware their firewall up router up to their maximum capacity for free for all those users which was for us because we could get the free licenses very quickly and then those businesses that wanted to actually buy the licenses for longer

than 90 days they had plenty of time to sort of catch up okay good and are you see any movement to go back into the office i'm strange you should say that but um i was checking my email just just before this to see if there was anything coming out of this and i got an email from my ceo to stay that uh our newcastle office which is access house in in t valley and they're opening that up on monday the 7th which is this monday coming i believe um but that's more because people have been asking for offices to open rather than they want to drive people back into the office and that's the last

thing they want i think as some said earlier most businesses now are realizing that they really don't need massive glass buildings and meeting rooms with multi-colored bean bags in them and that that thing hopefully if there's one good thing to come out of this situation is that businesses will trust their employees a little bit more and um homeworking will become a little bit more than normal well i'm hoping to go back to some sort of mixed economy where you go to work if you until you stay at home you need to but i think we've seen that like imitating art clearly well i'm somewhat biased because it's a hundred mile round trip for me to get

together if i can work from home i always will okay ex martin i know you've been waiting there very patiently but we've been working quite closely on the nebrc tell us a bit about yourself and this exciting initiative good afternoon everybody uh for those who don't know me i'm police officer um i've worked with phil a number of years on on different things in cyber the last four or five years of my career have been in that sort of cyber sphere but mainly from protecting the individuals and businesses rather than the investigation of it um i've i was gonna say being drugged that wouldn't be the right word kicking and screaming let's just say an

opportunity has presented itself it's probably a better way for isn't it um and i'm working now um i'm seconded into something called the northeast business resilience center which is really exciting it's unlike anything really that gleason's been involved in and what it is it's kind of that perfect blend which we're trying to get right of private sector businesses uh policing and academia coming together to try and help smes the smaller businesses in our area to increase their cyber resilience but it's not just a talking shop it's it's we we're actually doing stuff which is great so where i think the model will be really successful is we're using our local talent our university undergraduates that are studying this

uh stuff at university to um to offer them out to businesses to do vulnerability assessments whether assessments open source footprinting lots of sort of the low level stuff you can do but can make a great difference you know for the foundations of cyber security and the idea is is that the sensor will charge for that but hopefully that cost will be reduced uh the students will be paired and any profits that are made are then reinvested back into the public good um we are one of the first sort of centers in england um we're an early adopter but you can have 10 of these centers dotted around the country and and phil's being instrumental in helping

me sort of drive it and create it forward so thank you phil it's a pleasure it's a pleasure always pleasure to work with the police on the right side of your desk because they would ever play okay and so um how's the center going to be working with this i mean there's nearly 70 cyber security companies in the region how's how's the center planning to work with these companies and the commercial environment yeah at first i was quite nervous about that in all honesty you know um nervous because you've essentially got different companies there that when you look at it our competitors are or certainly they're going to be offering services that the centre itself

will offer and how is all this going to be perceived and how is all this going to work um but what i have seen with i've been blown away we've had companies that are in the same sectors and stuff sat across the table from each other have actually now joined the center to become kind of like our technical arm or our um that offer professional advice we get what's called trusted partners so they're predominantly companies that will certify things like cyber essentials and the idea is is that obviously the work that we're doing with the students is the basics doesn't mean it's not good it means the stuff that we should be doing because experience has taught me and

i've seen it firsthand that when the basics are not done that's when businesses do get hit but there is a limit to what the students can quite rightly do and the hope is is that maybe businesses that for whatever reason have not seen the need to do something with cyber security whether that be a trust ignorance or cost thing can come into the center do some stuff for the students but then evolve evolve into the bigger services maybe understand why they need some of the things that pete's been taught about and all that sort of stuff so that sort of sort of go on and move and grow so i guess the businesses that are that

are with us the hopefully with us for the right reason but there will be a commercial gain from them potentially further down the road i hear that 60 of businesses were hit last year by some sort of threat and well some sort of actual activity i suppose the other 40 percent don't know yet but from the police's perspective has covered made a difference to the online threat absolutely yeah i mean in the real analog world if you like it's made a difference in that there's been less stuff going on you know you close the pubs there's less people drinking too much and hitting each other on a friday and saturday night but there's there's been an increase

undoubtedly on um and online shopping um you know um covert masks hand sanitizer all that sort of stuff um sort of happens but what happens is the bad guys just weave their whatever their scans are they just weave into the new story of the day so from a fishing point of view i've seen a lot of fishing that's been covered based but what we also have seen as well without going into all the details is is companies that maybe have been caught on the hop whereby they've suddenly haven't done much remote working and then they're going to do a lot of remote work and they've maybe turned on rdp for the first time and it's a an out of date versions

nowadays protocol that they're using and then what happens is the bot finds them and delivers the ransomware unfortunately a bit of that's been been going on so i guess the bad guys will suss out what it is we're using and look to increasingly target that um which doesn't come as any any surprise to it so i guess summary we've still got the real world issues going on in the in the physical world albeit and lock down those things till tailed off but we have seen a shift to more stuff happening online thanks mom as if the online world isn't the real world for vegan i'll let you out for that but uh okay i'm moving on

to sam then and uh back to your seven and gonna ask you knowing what you know now that we're four or five months into this do you think he would have done anything different as a company back in march and april i think um it seems really long to say no i think we we're lucky because we we we're cloud first so i it was it wasn't so much of a pain um like pretty much everything's you know some sort of satisfaction we're super keen on like getting the latest tech and the latest thing and it's like here's the new thing for hr this week or whatever it might be um so that wasn't such a problem i think again

where i've seen people suffer and that's what martin was saying is when they've had to pivot really quickly um either because they're in turn on new things or they're you know very quickly moving to the cloud um and they're gonna have to make decisions at the speed of business rather than the speed of security especially if you don't have those skills in-house so i think yeah for us it wasn't so much of a challenge but um i think we're probably one of the lucky few in that case so do you think there are lessons in and you know you said you don't have the technical skills in-house are there lessons to be learned you need

to have those technical skills i'll be able to get older you need to think about better business continuity planning and uh because something like this is going to happen again i think yeah i mean yeah there's so many things that can happen i mean you can apply some level of other bcp to this but um i think it's just the scale of it was was the thing is that like all of a sudden everyone's going home rather than um you know just once one office or something it was you know it was pretty much global right this thing happened so i think the bigger concern now is if people people need to go back and look at the

security of what they've done i think it's okay to make business decisions over security when you need to but as long as you go back and do that retrospective quickly because i think what we're going to see soon if not already is there's going to be a whole bunch of breaches popping up um because people have left doors open um potentially doors they haven't known how to close has been the challenge so um i i see a lot of folks in the community that are able to come and help with that stuff you need to get consultants in or whatever if you don't know the skills in-house like totally do that because um i think there's yeah there's a lot of

gaps right now because of the speed we've had to pivot for covered yeah my concern though is that we've got several other big things coming up below the horizon which uh maple isn't exactly the same boat yeah without getting into politics yes i agree good good good good and peter same sort of question for you and there's anything different that you would have done from your business earlier on

we just really didn't anticipate the massive upsurge um in capacity and bandwidth and requirement that we were going to be um required to present um i think i mentioned earlier we were completely unprepared for the amount of video and voice data that was going to be going in and out of our clients network and ultimately in and out of our network because it's got it it's got a all that traffic still has to go across our core network to be presented out of our data centers um we did meet that challenge however it was a challenge that we that we really didn't expect um it i can't really say that we'd have done anything differently

because there was no way that anybody could really protect uh sort of project that up to pick um i i think we've caught reasonably well to be honest um i i think we forged some really good relationships with our customers now because they've seen that we've reacted very quickly to this so from all i think it's we're in a better place now um and we've certainly got a higher level of trust with our customers now because of the way that we reacted to that but in answer to the question that you asked i can't really see that we could have done anything differently it's nice to be able to comment in on this with a benefit in

hindsight but such a global event um is is something that nobody really could have predicted no no 2020 hindsight's a fantastic thing if you so you know quite often when um the proverbial fitted the fan things like documentation training that sort of acidification go out of the window when we just focus on were you able to keep a handle on that kind of aspect of the business yeah one of the things we are particularly weak at is is we've got because we're a company that's that is like most large companies has developed by buying other companies so for for those of you in the northeast will probably remember knowledge i.t and onyx and people like that they're

they've all been absorbed into interpolant uh and it takes quite a few years after that happens to be properly um properly sucked into that the larger company and have everything done properly that that's that's one of the weakest parts and the biggest challenge is fear source um you'll often find if a customer has a problem they'll say oh they're a legacy knowledge customer and you need to go there to get information for that um so that is something that affects us probably more than most businesses um we tend to have sort of islands of information and documentation um that they're not as joined up as they should be um we are slowly working through that and

curing that and we are we are um on boarding customers into systems that stretch across all our data centers now and so that's something that that is business challenge to us um all the time not not certainly not in light of recent events okay okay that's great well thanks very much for watching and uh come back to you martin now um is the police doing anything differently since culvert and well there are two aspects to that question is have we had to do anything differently is in police and plc and obviously this is in the the sort of construct of 43 different police forces and maybe i can only really give it through the lens of the ones that i

know um like any other business we've had to do things differently or our remote working solutions for those that are in non sort of frontline operational roles um if you think of control rooms they're 24 7 while they're hot desk and are they not and in the background of corvid there's all these things to risk assess and to consider but ultimately you still need police officers to be front lines so um they've still got to go front line with the risk assessment of face masks i'm going to protect themselves but the real sort of encouragement's been for those that don't need to that they will remote work and i think reflecting upon it you know

listening to other people's uh sort of musings on it it's worked quite well in the main and it's maybe opened that door more there's been there can be misconceptions with remote working but for the right reasons it's really effective so i echo the people's views on that um i guess we've been i wouldn't say we've been caught on the hot but a lot of the uh demand from the public in relation to cyber security advice has increased because all of a sudden everybody's using zoom and then there was that ferrari around zoom being unencrypted and all the issues around that was it safe all of the zoom bombings so i found that you know there was a lot of demands

there was a lot of interest from media suddenly placed upon us around the the protecting the home user like these networks our routers are the safe what sort of things should we be looking out for but what was interesting for me reflecting upon it is the advice that i would give isn't any different to the advice before corbett which maybe for whatever reason the messages are not getting through you know the good basic cyber hygiene the good advice around strong unique passwords background information making sure you use anti-malware solution you know the basic stuff is the stuff that i would still advocate now um so those are just some of my thoughts for well actually i

think covered has generally raised people's concerns about security particularly being naive though do people try and hack into police systems um yeah of course there will i know i can't you know you put something on the internet it's vulnerable and we're no different in that regard i mean what i will say is there is a lot of safeguards put into place nothing's unhackable and i don't have any statistics to give you um to see what the prevalence of it is um but as an example through the work i do in the nebrc we're on a completely different computer system which is much more user-friendly but you go back to the police system and it's that all paradigm of usability and

security it's it's it is quite rightly you know bolted right down um so i guess the concern would be is if you were to put people that may be out of sensitive roles in a home environment would that information be at risk well those those safeguards and all honesty we're already there so you can't print you know there's lots of things that you can't do i'm sure if there will be people here that could circumvent it but that comes down to a trust issue does it not and making sure that you you trust people and you try and minimize the risk so do today what we should have been doing before covered anyway that's pretty good message absolutely

100 yeah um excellent yeah so thanks martin sam and again close to the end of time and uh but at the end of time not in general but there you go so we respond a little bit about the customer um how did your customers adapt to the changes in working and was security really a concern for them yeah i mean i was saying earlier the whole kind of they had the business needs um pivoting there but yeah i mean if you all of a sudden you've been working in an environment that's largely you know within the traditional network as much as possible anyway and then all of a sudden everybody's outside of that um getting visibility is tough on a good

day and getting visibility into a bunch of machines that may not even be coming in through the through the vpn because a bunch of folks have challenges just for the vpn capacity couldn't handle all of those remote workers coming in so they've had to kind of bypass that and that that again does that create a new issue um it's trying to get that visibility has been tough so we've been helping people around that and i think the other thing actually goes back to what martin was just saying around home security uh i know cyber insurance is a fascinating topic and i'm about to get invited to all the dinner parties but um the cyber insurance companies

moved really quickly to you know bring out the the new clauses saying you know we expect you to have the same level of security for your homework as they gave in the office um which i think's it does really beg an interesting question and kind of where does that start and finish because you can give somebody a laptop and you can have that reasonably locked down and you can say yeah use the vpn um but you've still got readers iot devices you're dropping it into a home network and maybe that device isn't as secure as it could be and then we've also got you know pick your home assistant of choice sitting there being the wiretap in the corner

um i was watching a great talk at defcon around a guy who bought a camera for his his kitten and is about as secure as a paper bag um so again you know it's it's not just necessarily the device you're working off it's the environment it's in and it's what's listening to you when you're doing your work calls so yeah it is a minefield for sure i'm just looking right at a baby monitor right now actually from where i'm sat it's not turned on i think it's not turned on it is for your child uh no i'm a ben's house so it's actually forbidden

how deep into your supply chain and uh do you think about security i mean did you talk about the people that you actually deal with or the people that they deal with or the people that they deal with how deep do you go into your network so um as a business uh if you look at our supply chain it it's quite shallow and quite wide because we've got quite a wide range of products um and we tend to work directly with the major vendors we do use distribution like just using the uk resellers and stuff but essentially we tend to deal directly with vendors um so from a security perspective um the one thing that

certainly we've seen in the in the last two or three months a big uptake on is sort of horse based intrusion protection systems um distributed security systems log monitoring uh and security as a service solutions um there are a couple of vendors that we use that have got um sort of different different offerings um uh one of those been armor and the other have been alert logic or what sort of major plays um so siem is something that i when i first heard that term maybe five or six years ago i had to google it to find out what it was is something that that gets mentioned on all of the meetings that i have with customers now

um before this not so much if if i'm honest it wasn't really a concern for them but now people are looking at getting pci compliance have to do with the states they need to be hipaa compliance or sarbanes-oxley um i think that there are two threads running through this there are firms that simply want to put something in there so they can get a tick in the box for an accreditation for iso 2700 whatever that may be and there are other companies who actually want um a proper siem installing the want a managed service wrap around where people react rather than just having a pair of glasses they can look at and it'll be half read most of the time

and everybody ignores which which is typically what happens when when companies put a large amount of capex into putting sim in and then don't back that up with the people who are actually looking at it and monitoring it and that's been a problem in our industry for the past 50 to 20 years at least um so that's how i've seen things change uh and and those are the sort of different products that i'm seeing coming through the supply chain now that that that we really didn't see more than nine months ago that's what i'm seeing okay excellent thanks we're up against it for time because we're up against actually a real astronaut but there you go so one last

question which i'm going to ask each of you i start with martin are we going to go back to the way that we worked before the pandemic no do you want me to expand on that if you wish um i i think that um just my private view i've nothing to based on but i just think that this is forced when i say it was the general public business community and home users to embrace the technology and to use it and there are people using it that have never used it before from people in their 80s that think it's they have like zoom zoom wine tasting sessions to to everything and i just think that for

that reason i think people use it also as well i'd like to see um public sector use them all because where we use it well not only do we do our work more efficiently but we actually save money with less time on the road less expenses all the rest of it so um i think there will be positives that come out of this and the positives will be we'll we will all use this technology more for the right reasons excellent excellent thanks sam same question to you are we going back um no i don't think we can um i don't think we should i mean i have to i i hate i'm sending this out i miss

traveling at this point now this is the longest i've been in my house although i'm not in it now um for a very long time um and i think for yeah for the most part this works fine i do get a bit scared when i see people kind of from the waist down i'm like oh legs see those on the screen but um i think yeah we're going to find a balance um and i i think this is a good thing if something good can come with covered i think this will open up opportunity for people being able to work from home uh i think we'll see people coming back into the security industry maybe that haven't

been able to because they've got families or some other life commitments um so no yeah no is the big answer and i'm good so remember you heard it here first leg's going to make a comeback so that's great and pete final same question for you are we going to go back to the way we were yeah everything will go back to exactly how it was before of course of course radical of course it will and neither should it i think i eluded uh following the systems of stuff that uh ben mentioned there not so much in a working environment even we've got uh britain's got talent coming on back and on this weekend and the crowd for britain's talent are

all coming in virtually it's weird that our society is affected that the guys that i work with um are having a virtual gin tasting session next week good friend of mine has had a kidney transplant a couple of years ago so he's been shielding he can't have any any visitors to the house and it's been i've been able to zoom call him on a saturday and sit down and have a beer and a chat with him uh these are things that we we would never have considered doing and i think society is a better place for the horrible things that have happened to us over the last nine months and and neither should we go back to the

way things are excellent well thanks so much i personally want to go back to some sort of hybrid uh economy where you you go where you can add the most value but there you go so look thank you very much martin sam pete my name is phil jackman and don't forget cyberfest there's another nine events throughout september all three look forward to them see you later thanks so much