This month we meet Callen Gibbs from Capital Network Solutions (CNS), based in Cardiff, who has sat down with the WCRC to talk about what he does, cyber resilience and what being Cyber Essentials certified actually means.
· Tell me who you are and what you do within CNS?
I am one of the lead cyber security engineers and penetration testers within Capital Network Solutions. I currently scope, perform and report on penetration tests for our clients, whether this be infrastructure / network testing of their office or a new web application they are looking to roll out. I have also been an IASME certified Cyber Essentials assessor for several years, involved in both the self-assessment and CE+ audits for our clients.
· How did your career in cyber security begin?
After spending nearly a decade working in the 2nd and 3rd line IT support area I realised I had started to lose interest in the role. I had started to play around with homemade firewalls and security testing products, finding a new passion for it. This prompted the move over to cyber security, specifically with the aim of penetration testing areas.
· What’s the best thing about working at CNS?
Every day, every job and every client are different. There are never two penetration testing engagements that are the same; it is a constantly changing and evolving landscape to help keep you on your toes. I enjoy meeting new people, discussing with them their requirements and then working on the options best suited to their needs.
· What size companies do you work with?
CNS's varied capabilities mean we are equipped to work with companies of pretty much any size, but our main focus is supporting small and medium-sized enterprises (SME). The cyber security team have worked with everything from one-person companies based out of a single room through to huge multinational organisations with thousands and tens of thousands of users for both penetration testing and Cyber Essentials requirements.
· What do you see small/medium companies and charities struggling with in terms of cyber resilience?
Having an in-house IT security team is not often realistic from a financial or logistical perspective, meaning their internal capabilities are stretched or lacking. Even small businesses must navigate the increasingly complex assortment of compliance regulations, and if in-house experience of implementing and maintaining IT standards is lacking, this can be really tricky to handle. Charities are a popular target for cyber criminals and are particularly vulnerable to disruptive attacks such as ransomware due to the critical nature of their work.
· What is Cyber Essentials and why should companies get Cyber Essentials accreditation?
A government-backed scheme to increase a company’s baseline security levels. At the simplest level, the standard ensures that companies are taking basic steps to increase the overall security of their business-critical systems. Companies should attain Cyber Essentials to protect against common cyber-attacks, reducing the risk of attack by up to 80%. It also demonstrates to customers and vendors that you take cybersecurity seriously and are committed to improving your cyber resilience.
Becoming Cyber Essentials certified can help you establish the trust of clients and partners, giving an advantage against competitors. Cyber Essentials is also a great first step in helping businesses to achieve GDPR compliance.
· What three tips would you give a company with little knowledge of cyber resilience?
Understand your data to understand what is at risk. If you don’t know what you have that is at risk, you can’t even start to prepare.
Secure it and test it regularly. Once you know what and where your risks are, you should ensure that your security measures are tested at least once a year. This is where penetration testing helps find any holes that may not initially be apparent.
Ensure there is a plan and that staff know and understand it. A disaster recovery plan is great on paper, but if the staff involved don’t know it or it has never been tested, it will soon become apparent that it is likely to fail.
· 98% of charities believe cyber security is important but often feel overwhelmed or don’t know where to start. What simple tips can you give charitable organisations to help them get started?
Ensure all staff are using strong passphrases rather than passwords
Enable multifactor authentication
Back up your data
Train staff to recognise common phishing attacks
Get expert help in establishing a strong baseline security – Cyber Essentials
· And our final question – what is your favourite view/landscape in Wales?
There are many great views in Wales; I have several favourites in North and West Wales. Although one of my top will always be the Brecon Beacons. When I have been out travelling around the UK, driving over the mountains home and getting a glimpse of the Beacons always gives a sense of being home.