Okay, good afternoon everybody. Welcome to our Recover and Rise Digital Accelerator series today. As you know, we're on series three, all about systems and productivity, and we've got Chris White, Police Detective Inspector, with us today to talk about cyber security. But before we move on to Chris, I just want to quickly run through our slides to tell you what's happening for the rest of the series, if I may. I apologize because I know some of you who join regularly will have heard this quite a few times now, so do bear with me, but just very, very quickly. I have with me my slides. Oh, here we go. So we're on number six, keep your systems and processes safe online. And then on Thursday this week we have got our last webinar of this series, number seven, access the experts. Now, everybody who's attended our webinars is entitled to eight hours of tailored one-to-one business coaching from our digital champions, and if that's something that interests you, do come along on Thursday to the webinar, because you'll be able to meet our digital champions and find out a little bit more about the application process, what happens, what you can and can't do, and what sort of support and advice they can give you. So on Thursday we're opening up our webinar to everyone who wants to find out a little bit more about the digital champions, and also a little bit more about Coast to Capital, the Business Hot House funding, Rise funding and LoCASE funding. The slides will go out after this webinar and they have all the details on them. But you can also now book for the next series of webinars, which are going to be delivered by Always Possible in the new year, in January. So if you've enjoyed the last three series, please come along in January. That's all about growth and expansion and how you can use your digital technology to grow your business and develop, and that's really, really useful come January.
And as I say, I have been through these quite a few times, so bear with me, but Business Hot House, LoCASE and Rise are three really good companies at the moment offering grant funding, and of course our digital champions. You can access these guys; you just need to go onto Coast to Capital, onto the website, fill in the contact form, and they will take it from there. That's a really, really easy way of gaining support for your business. So, without further ado, let me flip back through my slides and welcome Chris White, who's a police detective inspector from cyber innovation at the Cyber Resilience Centre. I've never known anybody with such a long title. I've been practicing it this morning, Chris, haven't I? So I got that right. And Chris is going to talk to us about how we can keep safe online. So if you're ready, Chris, over to you, and thank you ever so much.

Alright, thank you very much. I can only apologize for that long title. Right, screen's up. Okay, hopefully the intro slides there can be seen. Brilliant, marvelous. Yes, morning everyone. Chris White, I'm a Sussex police officer, and I'm currently seconded off to the Cyber Resilience Centre for the South East as head of cyber innovation. Effectively, not many people know about the Cyber Resilience Centre for the South East. It's brand new; the Home Office created it just before the pandemic last year and it got accelerated through because of the remote working which occurred all over the country. There are networked centers across the country, just to throw it out there, but I look after the South East centre, which looks after, sorry, Sussex, Hampshire, by the way, and Thames Valley. We're not for profit. We're funded by the Home Office and we're supported by bigger companies that understand that the supply chain to cyber attacks is a real risk to everyone.
Most of the big companies have access to cyber resources and can immediately change things; they have access to experts and skills, and they can respond to the current environment. It's probably the smaller businesses that suffer somewhat, because they don't all have access to, could I say, technical geniuses that know how to operate computers, that can configure them correctly, and then can respond to cyber attacks and get back to behaving how they should have been before the attack happened. So we do get support from the bigger companies, and that's how we use the students. I've interviewed plenty of students from all the local universities, so we're looking at Portsmouth, Southampton, New Bucks, Oxford and Surrey, and we're particularly focused on those universities because there are computer science and cyber crime degree courses. We've interviewed the students and they are young, talented, gifted individuals that know what they're up to on computers. They're learning it, they've been mentored by us, supported and vetted, and they work with us and they are helping us deliver cyber support to small businesses, micro, small, medium to large. We'll go through that later on, but effectively I'm just going to cover off who we are and who we cover. There's the universities and the police forces in the areas which I'm covering. So today we're going to talk about cyber awareness, cyber security, and effectively how we can make you safer to trade, live and work online in West and East Sussex. So the Cyber Security Breaches Survey is the last national survey done, whereby a lot of results were recovered across a variety of people, and those stats are there on screen. It's not really too surprising at the moment. I mean, 39% of UK businesses have all had a cyber security attack at least once in the last 12 months. Not many of us actually practice for cyber incidents, so rather like we grew up in school, didn't we, and the fire alarm used to go off every Friday morning.
We practiced how to get out of the building safely because fire was a real risk, and we've got miles better at that. We can all do first aid. Cyber is probably the new threat, well, it is the new threat, but not many of us are practicing. So I know we probably haven't done it at home, but at work, have you ever practiced with your staff as a business owner, or has the business owner encouraged you as staff to know what to do when computers start going wrong, who you phone up? Sometimes the IT help desk number is on the very computer that's having the cyber attack and you can't get hold of it, right, and you don't know the number. So, yeah, look at those stats. The one that probably does concern is this one: eight and a half thousand pounds, the average cost to businesses after a cyber attack to get yourself back up and running, and that could be anything from repairing computers to lost trade to staff that are now not doing the job they've been employed to do because they're now actually trying to get the computers back online or manually populating databases again. As a result of a cyber attack, just over 23% of people realized that they need to change their cyber security to manage the new threat. So, strange stats, but why is it happening? Because only, what, 14% of staff get any training in computers. There is a massive assumption out there that we all know what we're doing with computers, we all know how to recognize when they're going wrong, we all know how to fix them when they're going wrong. But it's a little bit the opposite. Most of the cyber attacks which I see coming in start with what's called phishing, a phishing email. About 83% of all attacks come in with a successful payload, the ability to successfully deliver a cyber attack through a phishing email. So if we drill down some of those figures into the local crime stats, I can't get this drilled down any further than the South East region at the moment.
So when we look at some of these statistics over the last couple of quarters, email or social media compromise. Well, email accounts, I understand and I know they're massively important to small business. So if we look at things like Facebook, Instagram, TikTok, all of these social media platforms are the way you advertise, the way you gain traction, the way you build revenue, the way you advertise your business, because small businesses generally do advertise on these marketing channels. So when you create your account you reserve your business or organizational name, normally it matches your website, and then you have your online footprint and digital presence, and then you're protecting it and just using it as your sales revenue. So when you set it up you usually apply your email address, then your password. Some people go that next stage further and apply what's called two-factor authentication, which could be that rotating six-digit code number that's on an authenticator app, or you just run a text message being sent from Instagram or Facebook, realistically, to the mobile phone that's registered to that account. So an email or social media compromise is when someone has guessed your password, managed to get into your email account, changed the password, kicked you out, and now you don't have access to either that email account or that social media platform. That's what's classed as a social media compromise. In this particular South East of England area over the last couple of quarters we've seen 38 instances and 35 instances, so a little bit of a downward trend but not a massive notifiable one. A network intrusion. So that's when someone gets into your, I could say, office networks; they've managed to get through your firewall and have now compromised your security, and they're inside your systems having a look at what they can see.
It's like, you know, you get those unannounced visitors, or a stranger that's in your office walking around just looking at files and so forth. If there's a stranger in the office you would challenge it, because you can see it; it's quite obvious. But a network intrusion is when someone gets into your system. You probably don't know they're in there, but they've compromised it and they're having a look around unchallenged to see what they can see. So that's a loss. Denial of service or distributed denial of service. The easiest way I can explain that is if you have a big football match or a concert where all the tickets are released and everyone at nine o'clock in the morning jumps onto the ticket-selling website because they want a ticket. Within about a couple of minutes the website falls over because it's just received an unimaginable amount of website traffic. The computer simply cannot handle that much traffic. So too many visitors flood one website and it falls over because it can't handle the traffic. An illegitimate example, or an unlawful example, is DDoS, when you instruct many computers to flood one computer with so much traffic that the computer falls over. So as a small business owner, if I could pay a cyber criminal about $50 an hour to flood your website with so much traffic, your computers fall over, and then the consequences of that are you cannot then trade until you sort your systems out, reset and get them back online. Ransomware. So I've compromised your systems and then I've left some malicious software on your systems. Either it's encrypting all your critical data, so your sales data, your staff payroll and pension data, all your intellectual property, all the stuff that you're trying to sell and protect. So ransomware will encrypt it. I'll take a copy of it. You cannot see it. And then there will be one note left on your file telling you these are the instructions you need to follow to try and get your data back.
And it normally involves you paying me, as the criminal, to get your data back. That's the first part of ransomware, the first stage. There's double ransom now, sadly. It's called exfiltration. So once I've encrypted the data, you've paid me anything from thousands to tens of thousands of pounds to get your data back. You then do it. There's a 50-50 chance that you may or may not get your data back. But secondly, once you have your data back, I then send your second ransom in and say, by the way, I took a copy of your data. If you don't want me to publicly release it, I suggest you pay a second ransom. And that's exfiltration and exposure. So I could upload all of your private customer and private company data onto the dark web for anyone to see. And then you could understand what goes on there. Competitors will see your pricing strategy and would just permanently try and undercut you. Customers would lose faith in you and wouldn't want to trade with you because they feel that your systems aren't secure enough and they can't trust you, and then you just lose customers naturally. So PBX hacking. Sometimes the bigger businesses may have computers, so Voice over Internet Protocol: you use computers or the internet to make phone calls. Those systems that are specifically responsible for managing your telecommunications or your phone systems, they can get hacked as well. I've seen examples of that where sometimes people hack their systems overnight, and then they just spend all night phoning premium rate international phone numbers. And so you wouldn't know anything's happened because they'd stop the attack before you come to work the following morning. Usually, I think, most small businesses get monthly phone bills, and you would then get a horrendously big monthly phone bill the next month.
So PBX hacking is another one of those not frequently used, but it is out there. Certainly to prevent or mitigate against that, good examples that I would suggest: phone up your phone provider on your mobile and your office phone and just tell them to prevent international phone calls by default and prevent premium rate numbers by default. I can't remember the last time I dialed an international premium rate number because you can use WhatsApp, FaceTime and do all different free styles of phone calls these days. So phone your phone provider and just get those things blocked by default, and that's a good mitigation for that one. Then there's the vulnerability of domain redirection, so I could pretend to be you. If we all pick Google, that's a good example: Google's G-O-O-G-L-E, so if you change that with a French O, put the accent over the top of it, and then type in the French O dot com, that would take you to a different website. So you've got website redirection and impersonation crime. Just be wary of that: when you type in a website, make sure it's typed in with exactly the correct alphanumeric characters that you want to visit. So you've got the French O, haven't you, with the two dots over it; that could take you to a different website. Just be wary of that. Data breaches, we've probably heard loads of these in the press and the news at the moment. They normally occur after your network's been intruded, normally occur after ransomware has been left on your system. And then the data breach is where obviously someone's stolen the data, maybe uploaded it so everyone can see the data. Yes, that is a data breach, a data incident, one to be wary of. And then a baseless extortion threat. So an example of that is, I've seen various companies that say, if you don't pay me so much money, I'm going to DDoS you at your peak trading hours.
I don't know, if you run, like, a fast food company, I'd suggest your peak trading hours will be lunchtime, evening, weekend, when a lot of people jump on things like Just Eat, Uber and Deliveroo and they order food using your website. If I decided to DDoS you during those peak hours, your website is unable to operate or trade, so you miss out on that. So if you don't want me to DDoS you, pay me 500 pounds, for instance. That's a baseless extortion threat. So who's doing all of this? There's a massive range, so as you look at these pictures, it starts from basic online criminals all the way over to, sadly, foreign governments, foreign state actors. And then we move all the way to the member of staff that had honest intentions, didn't know what they were doing, pressed the wrong button and could have deleted a really important database. They didn't do it on purpose, but they're not trained correctly in computers; there's an assumption they know what they're up to, and it all went wrong. Then you've got the malicious staff, so bottom right there's an example. That was a guy with sunglasses on his head; he was a network manager who worked for a big insurance company. I think it must have been midlife crisis time when he needed more money. He felt like he wasn't being treated well at work, didn't get the great annual appraisal, therefore didn't get the annual increments, and he decided to go rogue. He had administrator access to the computer systems he was looking after, and he just caused all amounts of chaos. So he's what we class as an insider threat, a member of staff that goes rogue. So realistically, if you're going to have those meetings with your team, with your members of staff, where sadly they've spent time with your company and their skills and resources are no longer needed, if they've got password access to some of your systems, and whether they've got administrator access to some of your systems, you definitely need to ensure that you've got an exit policy for when staff leave.
So rather like you take company uniform, company laptops, keys, phones off them, you've just got to make sure that you refresh all the passwords as well that they're likely to have access to, so things like your website, your social media platforms, remote home working where they can log into the systems. You've got to make sure you sever that link when members of staff leave, and especially consider any IT staff as well that look after your systems, that have administrator access; you've got to make sure all of the administrator keys are managed as well. If I am getting too technical, please jump in the chat room. I'm open to any questions throughout this talk, or to explain things any better, so please let me know. And you've got then organized crime groups. So I guess in the olden days you could have organized crime groups that would, if you're walking down the street, sadly some people do robberies and they'd steal your mobile phone, but the manufacturers have changed some of these so you can stun mobile phones these days, so the likelihood of people robbing you for your mobile phone has been heavily reduced now. So you get organized crime groups that are changing the way they create their crime trends, so they're now looking to come through your servers. Sadly, again, we don't treat our online security the same as we do when we all left the home this morning, where we locked the door, sometimes we double-locked the door, we made sure all the windows were closed, and we set the burglar alarm. Did you do the same sort of routine for your router? So doors and windows are called ports on the router. And if you have any ports that are open today, do they need to be open? Some ports do need to be open, yes, so if you've got, like, a Nest doorbell, a Ring doorbell, or you have to surf the internet at home, or the kids like to use the Xbox and so forth, certain ports have certain functions and yes, they do need to be open, but they also need to be protected. And those ports that aren't needed, close them.
And the same works in the business. If you have a router, you don't need everything open, but just check. So how are things happening? So when we look at the Cyber Security Breaches Survey, this is broken down, color coded, into obviously business, primary school, secondary schools and further education colleges, so we're going to be focusing, the majority of the audience is going to be businesses, so we're looking at the blue here. Phishing attacks seem to be the overwhelming method, the successful method, of delivering a cyber attack at the moment, so I send you a phishing email. There are about three or four different main types of phishing emails. One of them is I want you to click on the attachment; the attachment is the dangerous bit. Or I want to take you to a dodgy website, or I want you to provide me with some personal identifiable information. Generally, you've got to do it now; it's always urgent, and if you don't do it now something bad's going to happen. Generally we don't send those sorts of emails when you're trying to create business. We do it in a relaxed method; we do it when you're ready as the customer. Yeah, I guess there are things like Black Friday and Cyber Monday sales on, where if you want to grab that bargain you must buy it by the end of play on Monday. That's an obvious one, but "you've got a deadline of five o'clock tonight to do this or you'll miss out on this" doesn't really happen. So if you get some urgency behind an email to say you're going to get into trouble or you'll miss out on something amazing, normally it's too good to be true. So then going down this list and the threats: others impersonating organizations in emails. So if you own your own business and you've got a business email, you've got a business website, you need to protect yourself from being impersonated. So if I find a business that is doing amazingly well.
So if I pretend to be you, because you've got a good reputation, you've got a good trademark, then people are buying stuff off you. If I just pretend to be you, send out an email on your behalf to a lot of people saying if you want to buy this I'm doing an extra 20% off because it's you, or 15% off, so you make it sound rather reasonable, and then "press the click here button" to send the money to me. Obviously the genuine company is never going to see that email. The bank account's not going to be yours; it's going to be mine. I'm going to have your branding, your logos. I'm basically impersonating you. There are easy ways to stop that. So if you're using cloud email or your own email host facilities, there's something called DMARC, which is D-M-A-R-C. It's a part of email security, so you need to set up certain policies to protect your own brand, your own reputation, and prevent people sending impersonation phishing emails on your behalf. So have a look, and for those of you that understand that sort of thing, great, have a look at your DMARC policy and see whether it's turned on, or whether you have a policy. For those of you that have already gone "Chris, you're off", that's where the Cyber Resilience Centre can help out. So certainly for things like this, after the call please do join the centre and we can have a conversation where we can explain this, but most of the stuff that I talk about you can Google, so D-M-A-R-C. It's part of a functionality where you can prevent people sending phishing emails on your behalf. So have a look at that sort of stuff. Again, I think, like we have computers at home these days, everyone needs virus and malware protection on their computers. It's a sin not to have it these days. So you need to have it on, turned on and getting daily updates. Yes, there is a difference between paid-for virus protection products and free virus protection products.
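The DMARC policy Chris asks you to "have a look at" is a single DNS TXT record, and what matters is the tags inside it. The following is an added example, not part of the talk or the Cyber Resilience Centre's material: it parses a record in the standard DMARC tag syntax and turns it into the plain-English verdict a business owner wants (is forged mail delivered, quarantined or rejected, is the policy only partially applied, are subdomains covered, and will you receive reports). The sample records are constructed for illustration and do not describe any real domain.

```python
"""Parse a DMARC TXT record and assess how much protection against
impersonation it actually gives. Added example, not from the talk.
Sample records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    reporting: bool
    verdict: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Turn a record (None means 'nothing published') into a verdict."""
    if record is None:
        return DmarcAssessment(False, None, None, 0, False,
                               "no DMARC record: mail forged from this domain is not checked at all")
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment(False, None, None, 0, False,
                               "malformed record (needs v=DMARC1 and p=): receivers ignore it")
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))                # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    reporting = "rua" in tags                            # aggregate reports tell you who is forging you

    if policy == "none":
        verdict = "monitor only: forged mail is reported but still delivered"
    elif policy == "quarantine":
        verdict = "quarantine: forged mail goes to the recipient's spam folder"
    elif policy == "reject":
        verdict = "reject: forged mail is refused outright"
    else:
        verdict = f"unrecognised policy '{policy}'"
    if policy in ("quarantine", "reject") and pct < 100:
        verdict += f", but only applied to {pct}% of failing messages"
    if policy in ("quarantine", "reject") and subdomain_policy == "none":
        verdict += "; subdomains are unprotected (sp=none)"
    if not reporting:
        verdict += "; no rua= address, so you never learn who is forging your domain"
    return DmarcAssessment(True, policy, subdomain_policy, pct, reporting, verdict)


# Constructed sample records (not any real domain's records).
SAMPLES = {
    "unprotected": None,
    "monitoring":  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial":     "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforced":    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:12s} -> {assess_dmarc(record).verdict}")
```

To feed it your own domain, fetch the record with `dig +short TXT _dmarc.yourdomain.com` and pass the quoted string to `assess_dmarc`; a domain with no record at all is the "unprotected" case, and `p=none` is the usual first step (reports only) before moving to quarantine and then reject.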
But simply, if you have a free virus protection product installed and operating on your system that connects to the internet daily to get the latest virus or antivirus signatures, it doesn't matter whether it's free or paid for. Yes, more paid-for products come with lots of bells and whistles, but as long as your virus protection is up to date, installed, turned on and getting its daily updates, that is fine. So a lot of Windows users, I expect, on the call: if you've got Windows 10 and you've got Defender, totally adequate, totally suitable, just make sure it's turned on, doing its job and getting its daily updates. So as far as accessing the files and networks by students, again that does work in a business environment. So if you work in the sales team you get to see sales data, or if you work in the HR team you get to see the HR data. Sales don't have to see HR and HR don't have to see sales. So you segregate the files; your staff only see what they need to see, so it's the principle of least privilege. So they get to see and do what they need to do to undertake their role. You don't give them access all areas. So GDPR, roughly, we're all aware of our GDPR training: people only need access to the stuff they need to do to undertake their job role, so do not give everyone access to all. And DDoS attacks, denial of service attacks, there are plenty of things you can put into place to stop that style of thing. We can talk about that offline, but the most obvious one there is Cloudflare, but that is a paid-for service, so if someone decides to send loads of traffic to your website, Cloudflare can send it all over the show and protect your website so it never goes down. Hacking, attempted hacking of online bank accounts. I think banks have got a little bit more serious over that, and us as end users have got serious about that. We download apps now, we have authenticator apps, we get text messages sent to us with codes which we then put in the apps.
We don't set up new payees without phoning the business on the trusted number, using a genuine search engine to go through the call handling center. And often people have said to me, I know I'm getting through to the right company because I've gone through the call handling center and I've been on hold for ages. Normally the criminals will answer their phones so much quicker because they want your money, don't they, so they have better customer service. Accessing a file: so that's curious staff, the insider threat, that just mooch around the systems having a look at files which they shouldn't need. You can protect against that by technically preventing them from doing that. I know a lot of businesses have what's called an honor policy, so you tell the staff please don't do that. You're relying on them not doing it, but you can actually put a technical policy in to prevent those that get curious and then try it; they then get prevented from doing that. So phishing emails. Look at those figures: 156 million phishing emails are sent around the world every day, 16 million of those get past technical filters, so that's the firewalls and the spam protection, and then eight million still get opened. So this is why the criminals are doing it, because eight million of us every day are still opening those phishing emails. So let's see how we can try and stop that. So hopefully that made more sense in a more animated way. So let's start with the quiz show now then, or not the quiz show, just some questions. So in the chat room then, what's wrong with this email? It's a phishing email. What are the signs and symptoms that you can pick up on here, so I can just test the knowledge of everyone? There's one, two, three, four, there's five things which I could see wrong with this email, and each one of them means I would delete it straight away. So any suggestions like that. So punctuation, yeah, spelling, yeah, like that. So if we have a look at the emails we go through.
So time and date: they've been around my house to deliver a parcel at 4:49 in the morning. Really? I don't think I've ever had a delivery at that time of the day, so have a look at the time and date stamp just to see whether it matches the kind of service which they're trying to deliver or get you to do. So you know on a computer you can hover your mouse over the title, or if you're on a smartphone you can actually press it, and it will show you the actual email address behind it. That one comes from ntxresearch.com. So if we go back there, the criminals have made it look as if it comes from ups.com, but the majority of you can actually change the header to say what you want. So they actually come from ntxresearch.com, which is nothing to do with UPS. So that one is going straight to delete on that one. The attachment: we all recognize that certain attachments are particularly dangerous, so .zip files, .exe, sorry, .rar; generally most attachments could come with an element of danger. So if we look at the Microsoft files, so you've got Excel, PowerPoint, Word, you can hide what's called a macro virus in most Microsoft files. So a macro virus, if you press enable macros, or if the Excel, for instance, opens up in protected view depending on which version of Office 365 you've got. The safe way is to have the macros disabled and all of your Microsoft products open up in protected view, because the moment you enable it, you enable code in the background to work on the computer, and you can send a perfectly good virus in an Excel. You can send a virus in a JPEG, sadly. So just make sure that you've got your malware protection working so it scans all of the attachments, and only open up attachments that are from trusted people that you're expecting. And again, I know they're trusted, but you don't know whether their machine actually has a virus on it and they could have sent it to you by mistake. So just be very careful.
You don't always have to open up any of the Microsoft stuff out of protected view, or let it do that sort of thing. Again, "dear customer", it's vague, isn't it? They should know my name: dear Chris. If they've been around my house to deliver a parcel, at least email me by my name. So if it's vague, they don't know. And then again, punctuation, but we do know they're getting better at punctuation. So here's another one then, from Barclaycard.com. Again, hover over the email sender. We know that one's come from Cybermarket24.ru. So that's come from somewhere in Russia. Last time I checked, Barclaycard was not based in Russia. You've got cut and paste errors there. You've got "get started": if you hover across that, you'll see it goes nowhere near Barclaycard. So they're trying to send you to a dodgy website there to get your details. And again, it's a branding thing down the bottom. They never call themselves "Barclay Card". They are Barclaycard, not Barclay Card. So TV Licensing, hands up who hasn't had this one. I think everyone's had the TV Licensing one at the moment. Again, insightbase.com; hover over the sending email, you'll see that it's nowhere near TV Licensing. And again, "set up a new direct debit". They just want to take you to another dodgy website. So that's the one where it's going to take you. I can't even pronounce that, but I know that's not the UK TV Licensing website. And again, I know curiosity could count and we always love to know what happens if you do click these things. So I've done it for you. So this is the website. It doesn't matter whether you press pay for TV licence, update your details, check if you need one on the left-hand side; it will always take you to the payment screen where it wants those details you can see there on the right-hand side. So official identity, mother's maiden name. Why do they want that? Because that's quite often a password reset question.
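The checks Chris walks through on the UPS, Barclaycard and TV Licensing lures (who the mail really comes from, where the links really go, whether there is a risky attachment, a "dear customer" greeting, an urgent deadline, an odd send time) can be run mechanically on a raw message, which is what mail filters and a security team's triage scripts do. The block below is an added example, not code from the talk or the Cyber Resilience Centre; it uses Python's standard `email` parser and a constructed sample message modelled on the UPS lure described above (the sender domain ntxresearch.com is the one quoted in the talk; the link host under example.net and the timestamp are made up for the sample).

```python
"""Pull the phishing indicators discussed in the talk out of a raw email.
Added example, not from the talk; the sample message is constructed."""
import re
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = {".exe", ".zip", ".rar", ".js", ".scr", ".docm", ".xlsm", ".iso"}
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours|will be (suspended|closed))\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|client|member|sir/madam)\b", re.I)


class _Links(HTMLParser):
    """Collect href targets from the HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registered_domain(host: str) -> str:
    """Crude 'last two labels' view of a hostname; enough for this comparison."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message: str, claimed_domain: str) -> list:
    """Return (indicator, detail) pairs; claimed_domain is the brand the mail pretends to be."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    # 1. Display name says one brand, the real address is somewhere else entirely.
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if registered_domain(sender_domain) != claimed_domain:
        found.append(("sender-mismatch", f"'{display_name}' is really {address}"))

    # 2. Links: the 'hover over it' check, done on the href rather than the link text.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = _Links()
    links.feed(html)
    for href in links.hrefs:
        host = urlparse(href).hostname or ""
        if registered_domain(host) != claimed_domain:
            found.append(("link-mismatch", f"link goes to {host}"))

    # 3. Wording: generic greeting and artificial urgency.
    text = re.sub(r"<[^>]+>", " ", html)
    greeting = GENERIC_GREETING.search(text)
    if greeting:
        found.append(("generic-greeting", greeting.group(0)))
    urgency = URGENCY.search(text)
    if urgency:
        found.append(("urgency", urgency.group(0)))

    # 4. Attachments with extensions that carry code.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            found.append(("risky-attachment", name))

    # 5. A delivery notice sent in the small hours.
    date_header = msg.get("Date")
    if date_header:
        sent = parsedate_to_datetime(str(date_header))
        if sent.hour < 6:
            found.append(("odd-hour", sent.strftime("%H:%M")))
    return found


# Constructed sample modelled on the UPS lure described in the talk.
SAMPLE = """\
From: "UPS" <noreply@ntxresearch.com>
To: chris@example.org
Subject: Delivery attempt failed
Date: Tue, 16 Nov 2021 04:49:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>We tried to deliver your parcel at 04:49. Confirm your details
<a href="http://ups-redelivery.example.net/track">here</a> within 24 hours
or the parcel will be returned.</p>
--b1
Content-Type: application/zip; name="label.zip"
Content-Disposition: attachment; filename="label.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE, "ups.com"):
        print(f"{indicator:17s} {detail}")
```

Running it on the sample produces six indicators, one for each of the checks Chris makes by eye. Any one of them is reason enough to delete the message; the value of doing it in code is that it is the same check every time, on every message, before a person is tempted to click.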
So they want to get some of these personal identifiable details out of you. I mean, you don't have to do the mother's maiden name because you can easily find that on ancestry.com these days. So if it takes you to this website, this is a real genuine website. It's been infected with malware. So we've clicked on one of the folders there, the bit tree column, and we can see the blue circle going round. And you just think to yourself now, this is a slow website, or my machine, maybe it's slow, my own broadband is a bit slow. So you're just waiting for it to load. Down the bottom there, Windows Security Center turned off on the right. That'd be worrying to me. So now your security's been turned off. Why has it done that? But I can tell you it's a little bit too late now. So we're what, 35 seconds into this, and now the ransomware has kicked in. So that's the sort of screen you're going to see when ransomware has taken over. So that was what, 38 seconds from hitting that website to clicking on one of the areas. All of your files on your machine are now encrypted. So you can't access your photos, your Word documents, nothing. The only file that you'll see that you can access would be the instructions from the ransomware actors telling you how to get into contact with them and how much money it's going to cost you to get your data back. So one of the great resiliences, or great insurances, against that is that if you have a backup available which is not connected to the internet, you wipe your machine to start all over again, and then you restore from your backup. That's the only way you're going to get around this. Yes, there is another way. Obviously, you pay the ransomware threat actors the money that they're after, but there's only a 50-50 chance you're actually going to get your stuff back. So the way out of ransomware is to make sure you have a backup. So I know quite a few of you are probably using OneDrive, Dropbox, iCloud.
So they're all good in relation to if your laptop or your computer in the workplace actually physically breaks, then there is the backup being held in the cloud. But if I'm one of these modern-day threat actors, if I compromise your systems, I drop the ransomware onto your systems. I won't do it until I have a look around your systems and see what your storage solutions are. So if I see that you're using OneDrive, for instance, I will delete that as well. So you've got to make sure that you've got your own offline backup available. That could be anything from an encrypted memory stick to an external hard drive that, if you're a small business, you just plug into your computers and you just take a weekly backup or a daily backup or a monthly backup. It depends how busy your business is. Just make sure you've got a backup available. So I know that was quite frightening, but effectively, if we go back to a couple of years ago, there was a big incident called WannaCry which affected the NHS. So someone clicked on a phishing email, and two hours 36 minutes later, some of us can remember that, most of the hospitals, if not all of the hospitals in the country, ground to a halt because of that one person clicking on a phishing email and then the ransomware just spread across the whole network. So just bear that in mind. It does spread quite quickly. The sad story of that one is that the security patch that Windows had already created to prevent that vulnerability had already been published, but those computers hadn't been updated. So the cure there is to make sure that your Windows machine, when it tells you bottom right, you get a little orange sign, or your iPhone, you get a red circle with a white number in it, or your Android phone, it tells you you're due an update. It's not some fantastic new facility. It's telling you it's got a weakness or vulnerability. So download that update, get it on there and make sure you're on the latest version. 
And if any of you are using XP or Windows 7, they don't get supported anymore. So don't use them, or use them, but don't plug them into the internet. They're just vulnerable to the internet. Okay. So passwords here then, that's how easy they are to crack. So that's why we shouldn't be using one, two, three, four, five, six or eight, nine or picture, or definitely not "password" as a password. That's how quickly you can crack those passwords. They are very insecure because they're so predictable. You can program a computer to do what's called a brute force attack and it would try the most common passwords first. And those are the common passwords. So if you are still using those sort of passwords, please don't. By asking them to tell us their password. And this is how that went. "We're talking about cyber security today and how safe people's passwords are. What is one of your online passwords currently?" "It is my dog's name and the year I graduated from high school." "What kind of dog do you have?" "I have a child of Papillon." "And what's its name?" "Jamison." "Jamison. And where'd you go to school?" "I went to school back in Greensburg, Pennsylvania." "What school?" "Hempfield Area Senior High School." "When did you graduate?" "In 2009." "It's like my cat's name and then just like a random number." "Okay. Has he had this cat for a while?" "Yeah. She's my childhood pet." "Aw. And what's her name?" "Her name is Jolie." "Jolie. So like a password of yours would be Jolie and then a number?" "Yeah." "Like number one?" "Like my birthday." "Oh, when is your birthday?" "June 12th." "Oh, nice. What year were you born?" "Uh, 95." "Oh, great. So Jolie, 6, 12, 95." "Yes." "Got it." "So you mean to give my password right now?" "No, I cannot do that. But we all want to know what it is so we can tell you if it's strong or not." "Oh my goodness. Um, um, let me think. Okay. One is Tel Aviv. Yeah. Four, six, eight. And then Israel. It's only three, but it's, you know, it's, uh, for me it's strong enough." "One, two, three, four. Gemma. 
One, two, three. Spell G-E-M-M-A." "Well, most of them are Italian." "Oh, beautiful. Yeah. So like, like what's a good Italian password?" "Uh, my grandma's name." "What's your grandma's name?" "Uh, Maria." "Maria. So Maria is your password?" "Oh yeah. Now you know my password." "Oh yeah." So I think the key there is that most of those passwords those people selected were, um, connected to them somehow, whether it's through birthplace or favourite things. So if we can try and move away from "password", choose your new password and make it a passphrase. So pick three random words that have got nothing to do with you, bolt them together. And ideally we want a passphrase that's around 13 characters long. So you might have heard of, um, a security framework called Cyber Essentials. They require all minimum password lengths to be seven. But if you can use a passphrase and just bolt three words together and go for about 13 characters long, I know it seems long, but, um, the longer the better. And take three random words, easy-to-spell words, and you've got yourself a really strong passphrase. Yes, some people have multiple, um, accounts. Um, how do you remember all those passwords? Certainly make sure your email password is separate from all your other accounts. So things like Amazon, Facebook, Sainsbury's, Tesco's, just make sure you always have a different password for your email account from all your other accounts. Why? Because the easiest way for me to, um, change all your passwords is getting into your email account and then clicking the "I forgot my password" button, and then I can reset all your passwords as the reset link always comes back to your main email account. So examples here, things like London Beach Music. If you want to get really advanced, change all the N's to sevens, E's to threes, so you've got LO7DO7B3ACHMUSIC, which is incredibly complex, but London Beach Music is pretty good. But if you want to go that one step further, go for it. 
So when we talk about cracking passwords: Qwerty, we spoke about that one, really predictable and simple, takes 15 seconds to hack it. Coffee tiny fish, again, takes six hours. If you complicate it and add something on the back and front of it: Coffee Tiny Fish. So you've capitalised every word. So that is, again, different. Capitalise each word and then put something on the end of it. Can't be hacked for six years. So coffee tiny fish, easy to remember. Capitalise all the words and add something on the end. You've now got yourself a complex password. Easy to remember. All right. Two-factor authentication. We spoke about this before, where it is accessible. It's mandatory on most banks now. You have to have 2FA turned on because of financial requirements. Things like eBay, Facebook, Instagram, everywhere. It's there. Sometimes it may be sat in hidden menus, but it's certainly in security menus. Where 2FA is available, please turn it on. It stops the majority of cyber crime. What I get to see every week from most small businesses: they chose, for their Facebook or their Instagram account, their selling pages, something connected to the owner of the business or something to do with the business. I then try to log into the account. I tried to crack the passwords. I guessed right. I then got into their account. I kicked them out of their own account. Had 2FA been turned on, you'd get the text message come to your phone saying, here's your six digit number. If you did it yourself, you'd be expecting the number. But if you wake up in the morning and you've got a 2FA text message notification sat there on your phone and it's your business and you know no one should have done that, that's your hint. That's your reminder to say someone now knows your password. Then that's your clue to change your password because it's compromised. There are only two occasions you change your passwords these days. 
One, when you know it's been compromised, and the other, when you've been told it's compromised. Otherwise, keep a really long, complex password for as long as possible, because as long as it's long and complex, if I force you to change it the next time you log in, you're just going to pick a weaker one, aren't you? I know what we're like. Certainly the days where passwords were forced to be changed every 90 days, I think it was. You'd just pick January 1. 90 days later would be January 2. Then January 3. That's how our human brains work. So just pick a long, complex password. To cover off data breaches, have a look at this website. Google it. Have I Been Pwned, P-W-N-E-D. So make sure you get the spelling correct. Otherwise you'll go somewhere else. But certainly have a look. Put your own email address in there and you'll see how many data breaches your email address has been involved in or compromised in. Look through them all and then make sure that you've changed your password since the date of that data breach. So that's a handy tip, and then register for future notifications. So if your email address is involved in any future data breaches, you'll get an email from Have I Been Pwned, and then again that's your clue, your hint, to change your password. So have a look at that one. Definition of a secure device. So update your operating system. Make sure it's on the latest updates. Back up your data. And then when you complete your backup, unplug it from the internet. So it's an offline backup. Make sure your antivirus is on and getting its daily updates. Make sure your firewall is turned on. 2FA, use it where you can. Virtual private network, called a VPN for short. If you're going to go and use public Wi-Fi, so you're going to go into a cafe or a pub or an airport and you're going to use their free Wi-Fi, only do it if you're using a virtual private network, or VPN. If not, stay on your 3G, 4G or 5G phone signal because it's a far more encrypted signal. 
So I know there are some reasons why people do jump onto public Wi-Fi, i.e. they can't get a mobile phone signal. But if you can, stay on your mobile phone signal. Use a password manager. They're on your phones, they're in your password vaults, or they're on your computers, in your browsers. Use them. They can create long, complex passwords. You definitely have a password and that's to get into the password manager. So certainly use the option of a password manager on your smartphone device or a browser password manager on your laptop or desktop. If you've got a smart device, again, make sure the screen locks are turned on. Whether it's PIN, pattern, fingerprint, face or password, just make sure you have a screen lock on. So if someone steals it or you put it down, there's no unlawful use because it's protected. And when it's protected, it's encrypted as well. If you don't have the screen lock on, none of the data on there is encrypted. So make sure that's turned on. At work, a separate user for every separate account. You can't have shared team accounts. I know that sometimes does cause issues in smaller businesses, but realistically, for accountability, everybody needs their own individual account. And then encryption. So on Windows, make sure BitLocker is turned on. So again, if your shop or office gets broken into and they actually steal the computer, they can't get anything off the hard drive because it's encrypted. So you're not going to fall foul of GDPR. So just make sure wherever you save your data, Windows does give you a free option of using BitLocker. So just make sure that's turned on. Cyber Essentials, £300 plus VAT it costs to get Cyber Essentials. However, once you self-assess and you change some of your security to start your safe cybersecurity journey, you are entitled to free cyber insurance. So have a look at that. 
If you don't have cyber insurance, it's probably one to have a discussion with me after, but certainly Cyber Essentials is a good start for 10 to get your cyber security in your business on the right journey to make you safer. So, quiz time then. So come on in the chat room, let's go. What's wrong with this phishing email? The address. Yes, got it. See at the top, two of these pushed together to look like a W, natvest.com or natwestbank.com. Well done on that one, those of you who've got that one. Number two then. What's wrong with this one? Office 365 has emailed you to say something's wrong. What are you going to do? Is it genuine? Should you report it? So it's the email address again. So Eastlink.ca, that's nothing to do with Microsoft. So again, we report this one off to our IT team. Get it blocked. Additionally, if you forward it off to report@phishing.gov.uk, the National Cyber Security Centre will effectively stop the sender, block the sender sending it to all those people that haven't received it yet, and stop it being sent to all those people that haven't realised it's a phishing email. So some people will click on that forms.office.com link and then they'll be going to this dodgy website. So that dodgy website will be taken down as well. So forward emails off to report@phishing.gov.uk. We've got another one from Microsoft. Microsoft is rather popular. Can anyone see what the error is on this one? So it's from the account security team, that no-reply at accountprotection.microsoft.com. It's probably a little bit blurry on your screens, but yeah, effectively you see the R and the N squeezed up together to look like an M, to make it look like Microsoft. Again, forward this one off to report@phishing.gov.uk and get this stuff taken down. So yes, you can get phishing by email. You can now get phishing by text. So it's called smishing. So whatever you can get by email, you can now get by text. So what do you think of this one? 
So there's the phone number it's come from. HSBC are trying to contact you to say a new device has been logged onto your account. If it wasn't you, please go to security at HSBC at securepay.com. Well, again, that's nothing to do with HSBC, is it? Always read the internet address backwards. So the last thing you see there is securepay.com. That's nothing to do with HSBC. So it should always end in things like HSBC.com. So if there's anything at the end of it, that has taken you somewhere else. So again, this is a moody text message. It's a smishing text message. If you forward this off to 7726, it's free of charge. All of the mobile phone carriers have this service available. So if you forward this text message off to 7726, the mobile phone companies, on receipt of a couple of complaints, will review it and then they will block that phone number from sending it and stop any more being sent out. And also, if it's then sending you to that securepay.com website, they will notify other agencies that then take that website down. So it is a game of cat and mouse and cops and robbers, but the more people report it, the quicker this stuff gets stopped. So 7726 is free of charge and all of the mobile phone companies operate it. If you want to know more about it, just Google 7726 and you can read all about it. But that is me done. So, no, there's some questions, but it's your turn to ask me any question you want. Please do keep it cyber-related. There's one in there. Do you ever manage to track down these people behind the phishing? Do they ever get prosecuted? So, yes, there's the short version. Yes, we do. Certainly when there's a complaint made to Action Fraud, so in the UK all cyber and economic crime complaints go into Action Fraud and we then investigate them where there are positive lines of inquiry, and if the end of the investigation goes to countries where we've got diplomatic relations, then, yes, we do get those people arrested. 
If they end up in countries where we don't have that contract, or agreement, should I say, we certainly have other disruptive methods which can take place. So, yes, UK individuals, certainly in the south-east of England, across the UK, people are getting arrested every day for cyber crime. It is taking place. Just thinking... There's quite a lot of chat there, Chris, but there was one earlier on that was: presumably the number of breaches is understated as many businesses do not report security breaches. Is that right? So, your numbers that you gave originally, presumably they are a minimum? Yeah, so it is wholly under-reported. I think it's just over 30% of businesses do report cyber crime to us. There are very good reasons for that. Yes, in the ideal world, we'd love everyone to report it, but certainly people don't realise it's a crime, actually, so they don't report it because they didn't know. Others would phone their IT teams and they just fix it. So, why would they report it? Because it's been fixed. Others, the bigger they get, would phone Nestle's first and go, should we report this? Others would phone their chief financial officers and go, what's the impact on our share price if we report this? So, there's lots of different reasons, and others would just phone their insurance companies. So, fix it. I pay you my insurance, just fix it. And insurance companies do what they're paid to do and fix it. So, yes, it's wholly under-reported and I think it's hovering around the 30% of businesses that report cyber crime to us, if that makes sense. It's quite low, actually quite low then, yeah. Another couple of questions, just to save you kind of going through the whole chat because I've been noting them down. Someone asked for a link for DMARC, or DMARC. Is that in your slides, or is that something you can pop in the chat, or can you forward that to me and Nestle so we can forward that on? Is that okay? Yeah, certainly. I've stopped sharing my screen, never mind. 
Let's put that back up there. There you go. That's the final screen. So, have a look on www.secrc.co.uk, core membership, sign up, or just go to the secrc page. That's probably easiest. Sign up for free core membership. You'll get a welcome pack come through to you. And there's lots of different free products and services on there from different agencies, which as a small business you're entitled to for free. And then we can have a conversation after you've digested all of that because it's about 14 pages long. There are pictures in there, so it's not that bad. But yes, if you go onto YouTube, Global Cyber Alliance, DMARC, there's some what's called DMARC boot camps on there. If you're technical enough to do it yourself, then I'd have a look at the Global Cyber Alliance DMARC boot camp. If not, it's one of those "speak to me in a couple of weeks' time". We can arrange a Teams call and we can go through some cyber products and services to help keep your business safer. Brilliant. Okay, that's brilliant. Thank you, Chris. And you had a special way of saying this, but I can't remember what you said. Are there any free DDoS apps that are okay? I think that was from Lisa. DDoS. Yes, that's it. Denial of service. And then when it gets a little bit on a manufactured scale or wholesale scale, it's distributed denial of service. So no, there's not an app, because I'm flooding your business website with loads of traffic. So it's to do with your hosting provider, that would have anti-DDoS technology in place. It might be like a paid-for service with your website hosting company. But then some businesses out there host their own websites, so they need their own DDoS protection; it depends how big you are or whether or not you've suffered it before. So certainly I've seen examples of a company where they've delivered bad customer service and traditionally people would phone up, phone the complaints department, or they'd leave you rubbish Google reviews or TripAdvisor reviews. 
Now we have seen examples of where a customer just thinks, oh, I'm going to DDoS that company, give them a taste of their own medicine. Yes, it's against the law and they shouldn't do that. And we will catch them and they will get prosecuted. But again, it's the different tactics which people are now using to annoy, disrupt businesses. If you gave me a poor service, yeah, I could shout on the screen. But now I've got more things I can do as a criminal. Annoying it is, and illegal. Yeah, on some occasions shouting and screaming is illegal, isn't it? Thank you. And last but not least, what about if one of your clients or one of your customers gives you a password for you to use and asks you not to change that password? Can that affect your system then? Not quite understanding that one. So if you're logging into, I don't know, somebody else's Zoom account, for example, with their password that they've given you, can that then affect what goes on on your PC or what goes on on your system? Right. So if you're logging into someone else's system or product with their password they've given you, it depends what that product or service is. But certainly there's something called Zoom bombing, where, if you have a waiting room on Zoom, don't you, you're only letting in people that have been invited to the party, effectively. And if you've got a gatecrasher, you don't let them in. That's what the Zoom waiting room is all about. So if someone comes in and then they put stuff on your screen, you can kick them out. But if they then try to take control of your machine and you give them permission to control your machine, then they can do stuff with it. But if you're using someone else's software, and effectively Zoom, and you know how to operate it, you don't allow people to do anything with your machine. You don't click "allow" here or "approve this" if someone's trying to take over your machine. 
But if you're simply just logging into their software with their permission, then that's okay to do. Brilliant. Thank you. Brilliant. Anybody else? To follow up on that, just to clarify on that, it wasn't me who raised it, but just to give you an example, Chris. So I'm a consultant and I work with lots of clients. So I have lots of things where clients would set me up on things like their accounting systems and give me a password, or would set me up on their kind of project management boards and give me a password. Now, I have always then changed my password. So I've never been asked by a client not to change the password, because I would want to know why. But I think what that question was meaning is, so if I logged into someone else's, say, project management board with a password they'd given me, does that then make my own system vulnerable if someone's attacking their system? That makes no sense. Well, so you know when you get your computer delivered, take it out of the package, plug it into the power and the internet and then you're using it. Most computers, when they're first turned on, they're on an administrator's account. So you're allowed to do anything you want to do with that computer. So you can download stuff, you can edit, read, delete, you can do what you want. When you first turn on a computer, you need an administrator account, and then to complete and undertake all your day-to-day activities, you need to create an additional account called, it's usually titled a guest account, but it's an account that's got standard user privileges. So you do all your day-to-day business on standard user privileges. 
So if someone is trying to do something to your computer, whether you've given them permission because you didn't realise what you were doing or they've somehow got you to click on a phishing email, if you're on a standard user account, every time the computer is instructed to do something particularly important, a box will flash up saying you need administrator privileges to do this, and it won't allow it until you type in the password, or whether it's Windows Hello, it's my face or my fingerprint or my PIN code. It won't let you do anything. So the whole point is your IT team will always be working on a computer with admin privileges so they can change the configuration of the computer. But when you're doing your day-to-day business, whether you're answering emails, you're changing the website, you're processing sales and invoices, only ever do your business on a day-to-day standard user account and there's a lot of safety that comes along with that. So probably have a discussion offline because you start to get a little bit more techy, but certainly make sure you're not using your own business account as an administrator account, and you get some extra protection there. Thank you, Chris. And thank you once again. That was really, really fantastic. I always learn so much when I listen to you. It's really, really good. Obviously, we've come to the end of our session. So there's a sign-up there still on the screen if you're interested in signing up for that. And also Chris has left his email there if you want to contact him directly to ask any questions or queries, then please do so. But all that remains for me to say is thank you once again. Thank you to everybody for attending and we hope we see you Thursday for our last webinar of this series, where we'll be introducing our digital champions and talking a little bit more about funding and support. So thanks to everybody. Bye now.