This month we met Bron Matthews from excellence IT, in Caerphilly, who has sat down with the WCRC to talk about what she does, cyber resilience and what being Cyber Essentials certified actually means.
Tell me who you are and what you do within excellence IT?
I am a Cyber Security Engineer here at excellence IT. I am the point of contact for our customers undergoing Cyber Essentials/Plus. I work with our customers to ensure they understand the questions/process and implement technical controls to ensure they are adhering to the requirements. The process varies from just marking the assessment, to a fully managed Cyber Essentials process.
How did your career in cyber security begin?
I started university in 2017 studying software development. Through developing web applications, I learned more about web application security which led me to learn about cyber security as a whole. During my studies, I completed an apprenticeship as a Network Engineer where I got involved with any security issues. As part of my final year project, I completed a dissertation centred on social engineering, specifically phishing, and developed an eLearning site to educate SMEs. Last year I joined excellence IT in my first Cyber Security focused role. Since joining excellence IT in September I have become a qualified Cyber Essentials/IASME Cyber Assurance Assessor and I am looking to complete the Cyber Scheme Team Member exam in March.
What’s the best thing about working at excellence IT?
Because we work with so many different companies, learning about all of them is a lot of fun. When going through the Cyber Essentials process with our customers you get to meet so many new people and learn more about the fantastic work that they do. I feel that we have a very close relationship with our customers and enjoy working with a variety of people. The support from the team has been amazing as I’ve been getting up to speed with things here.
What size companies do you work with?
As a managed service provider (MSP), we work with SMEs in a variety of different sectors including manufacturing, environmental and third sector. Each organisation is different, varying from 5 to 500 employees. For some, we are their dedicated IT support whereas for others we work alongside their existing IT department to provide support in specific areas to allow the internal IT team to focus their resources on what they need to do.
What do you see small/medium companies and charities struggling with in terms of cyber resilience?
For small/medium companies and charities, funding is unpredictable, and resources are limited. Often the “IT person” in a small/medium company will wear many hats and will simply not have the time or resources to put towards cyber resilience. SMEs/Charities often find themselves as victims of ransomware/other cyber-attacks as the attacker assumes that their security posture will present weakness. IT in general is often an area that struggles with funding for many businesses as it is not necessarily profit-focused, so people are often hesitant to invest a lot of time and money into it. However, more businesses are starting to understand that it is more so the baseline to any modern business rather than a money maker. A business needs to ensure that every technological investment will bring value to the organisation, and often the presentation of investment in cyber security doesn’t present initial results. It’s only when an organisation is a victim of an attack that they realise how vital it is to have a strong security posture and resources in place to deal with attacks as they happen as well as how to recover.
What is Cyber Essentials and why should companies get Cyber Essentials accreditation?
Cyber Essentials is a government-based scheme that allows an organisation to protect themselves against the most common cyber-attacks. Cyber Essentials advises organisations on the steps they can take to generally improve their security – e.g. enabling Multi-Factor Authentication (MFA), ensuring there is account separation between standard users and admins, and ensuring all operating systems and applications are automatically kept up to date. These simple changes greatly reduce the attack surface of an organisation, giving them more peace of mind that their systems and data are safer. Cyber Essentials allows companies to assure their customers that they are working to secure their business and allows them to attract new business with the promise of cyber security controls in place. The assessment gives an overall picture of the organisation’s security posture and is a great way of pointing out any major flaws that should be addressed to stay secure.
What three tips would you give a company with little knowledge of cyber resilience?
1. Look at enabling MFA on your cloud services where possible. There are over 300 million fraudulent sign-in attempts to Microsoft’s cloud services every day. With this extra layer of security, you can stop sign-ins even if the attacker has your password. You cannot log in with your username and password unless you also approve the sign-in on the authenticator app.
2. Provide suitable training for your staff so they understand what to look for when they suspect a phishing attack or similar. It is important to create a positive security culture; that way staff are not punished for mistakes but can learn and feel safe to report a security issue without the fear of being punished.
3. Ensure any applications and operating systems you are using are always in support and kept up to date. Using unsupported or older versions can leave you vulnerable to unpatched vulnerabilities that can have dire consequences.
And our final question – what is your favourite view/landscape in Wales?
My favourite view is from the lake in Dare Valley country park, Aberdare. The walk around the lake is great with the beautiful mountains and scenery surrounding it.