Glimpse of Sensei is our new series of interviews with some of the highly experienced and trained professional we work with - delivering you raw views and insights from their exciting fields.
Martin de Bruin is a certified GDPR trainer that has 20 years of experience in information technologies, data management, cyber compliance and security. He has worked for the UK government and the UK national security services.
He holds accreditations in Project Management, Risk Management, DevOps, Agile Project Management, CISMP, Six Sigma, Information Security, ISO27001, IAPP's CIPP/E and CIPM.
De Bruin is also a Senior Trainer and Consultant with Sensei Club.
Sensei Club: What is cyber compliance?
Martin de Bruin: To some people it means technical controls, it means ISO27000, but to me it also means data protection so it's not just one.
SC: How did you get into that?
MdB: I would say it's been 20 years when I first started doing technical controls and programming firewalls, which is considered the very basics of cyber security. In those days the threats were primarily clicking a bad link in an email, or someone doing denial of service attacks. It is now expanding too much more complicated attacks. When I started working in the national security services that's when I started to learn more about cyber threats and more recently of course about DPIA or data protection.
SC: How did you make the move from cyber threat?
MdB: It just seemed like a natural way to go. Rather than doing it, teaching people about it. It is a progression that I took, because the other road was much more technical. For compliance you need to be technical and managerial, it is far more wide ranging and than purely technical.
SC: What are today’s threats?
MdB: Threats are becoming, in general, more sophisticated to the point where we’ve now seen this last year ransomware where they’ll encrypt your hard drive and ask you for money to decrypt it.
This year were seen much more low tech [threats]. For example: “We’ve downloaded your customer database if you don't pay us we're going to make it public.” So now you have this massive penalty threat from the supervisory authorities where people would go “I should probably pay them, so they don’t release the data.” These are such low tech attacks.
SC: But how is getting someone’s customer data low tech?
MdB: Well that is the thing - a lot of people are saying that they don't even have it, they just claim that they do. So as a company you now have to figure out “was I really hacked, did someone actually get my data,” or are they just spoofing me, just lying to me. It’s becoming very interesting, its a direct consequence of GDPR [General Data Protection Regulation]. If I say to you “I have your whole customer database and if you don’t give me 10,000 euros or dollars I’m gonna make it public.” You don’t know whether you’ve had a breach or not.
Of course, you also have your state actors. A constant threat, but they have been around for years, that’s not new. They are just using better tools, becoming more targeted and focused, and people are ignoring the old threats such as SQL injections, not creating strong passwords, inappropriate access to documentation, easy escalations of privileges to databases. These things have existed for 20 years and we still have the same problems.
The threat are not new, we are just becoming more aware of them and rebranding them as cyber threats, rather than what we used to call them as internet threats or hacker threats.
SC: Any good ways of actually dealing with those risks, mitigating them?
MdB: Yes, of course. There are lot of technical tools that people have implemented. There are hundreds of vendors out there that will sell you technical solutions, which are aimed at preventing intrusions, cyber attacks, etc. But companies are failing at the fundamentals, which is getting their information management system up to date. Making sure information security is a company wide problem is not just a technical problem. Every person in the organisation is a potential threat. Every single person could make a mistake, could lose data inadvertently. This is where we have to start training and awareness. Making people aware of the situations they find themselves in. The best technical solutions in the world can be outmaneuvered by one person that makes a mistake.
To me technical solutions is part of addressing the problem, but its not the solution.
SC: So raising awareness and getting staff trained mitigates some of the risk?
MdB: Yes, absolutely. But people think because they’ve gone through ISO 27001 it makes them GDPR compliant. There is no such thing. It only addresses a part of what's required by the regulation. The closest you are going to find to being compliant to GDPR and what the regulation requires is to have BS10012 implemented. Which is personal information management system. A lot of organisations have gone through the “let’s follow ISO 27001” or let's follow “Cyber Essentials”, but this does not address all of the requirements.
SC: Why is that Cyber Compliance and Cybersecurity awareness and knowledge is not at a higher level these days?
Any particular factors?
MdB: Part of getting security right is changing a company’s culture. If you’ve got a bad culture, it doesn’t matter what technology you implement, it doesn't matter how much money you spend on a good information security management system.
For example, allowing other employees to swipe in with my swipe card. Or I get a visitor and I swipe them in with my swipe card, which is a clear breach of our policy to only allow people in, once they’ve been signed in by security and perhaps better that they are even allowed to be in the building.
The reason we do that is that we can lock down, they can’t get more than one or two floors using their swipe card. You know, I’ve done it in banks where I’ve been a guest and I leave my swipe card where I was working so I can’t get back to bathroom. So someone comes by and I go “Do you mind letting me in? I left my swipe card on the desk,” and they go “No worries,” beep-beep and I’m in. They don’t know who I am!
I could be anybody in that building. Gaining access to potentially a secure area. That’s a cultural thing. You have to change it - to be able to challenge people, to say “Sorry, who are you?” or “You’ve left you card on your desk? Fine, I’ll escort you to security and they’ll issue a new one.” Instead of “OK, I’ll let you in,” no matter how nicely I smile at you.
Humans love to be part of a pack, so if we get to a company and cyber security is poor, or there’s poor culture - it doesn’t matter how good I want to be, eventually you become part of that pack. Because you don’t want to be the one whos singled out.
If directors leave their laptops unlocked and walk away, other people would go “Well, if she does, why should I not do the same?”. Or a clear desk policy, instead of having potentially confidential information laying about.
This can be done gradually, through awareness, through training, because threats don’t work very well on people. Saying if you don’t do this, you’ll get a penalty and so forth. They just go “You’ll have to catch me first.” So it’s ongoing awareness, ongoing training on all levels of the staff.
A lot of people forget you also have people who work in say the receiving end of the business where you get post delivered and packages, and there is zero security around there. Anyone can walk in: “I’ve got a delivery for John Smith! Ah yeah, off you go. He is on the 3rd floor,” and the person is in the building.
We’ve secured the front entrance. We’ve got swipe cards, sign-in ledgers and we phone up before someone [comes in], but the backdoor where deliveries come in is not secure. It’s those kind of things.
End of the day, I’m not a penetration tester. They have ways of preventing those types of things, but if you don’t have a security aware culture - you know stop and challenge people - explain why you are putting policies in place. We don’t usually like writing policies, we do them for a business reason.
SC: Can you think of an organisation that is contributing significantly to the sector in the right direction?
MdB: I don’t want to comment too much on that. I think most of the vendors have their product set in mind. They try to sell you an intrusion prevention system, they’ll create an element of fear, on the one hand, and then “but look how we can help you,” on the other, not necessarily guiding anyone to be honest. I mean the internet is full of articles and stuff. Personally I follow a few people who I believe have got valuable input and are sincere about what they do, rather then trying to promote the book they’ve just written.
Honest genuine advice is far and few between. It’s always related to a product someone is trying to sell. So their focus will be very limited to a specific product or service they are trying to sell. Their statistics will [tell you] about what would go wrong if you don’t have their thing. Their examples would be this: “How much someone saved by having our product and not being hacked.”
SC: But that’s good way to sell it, isn’t it?
MdB: We’ve sold on fear in the technology world for decades now. It’s nothing new. You guy were around for the Y2K thing in the year 2000. That was a big thing. We sold a lot of hardware that wasn’t needed but at the same time we don’t actually know, because we fixed everything so there may have been negative consequences, or things may have gone wrong if we hadn’t. But fortunately airplanes didn’t start falling out of the sky and cars still started in the mornings, and microwave ovens didn't explode.
SC: Better safe than sorry?
MdB: I think the entire industry did what it had to and knew which databases needed to be updated, fixed or patched, and it was done. Before that deadline.
I don’t think what we do nowadays is similar to that. Even GDPR, some people are linking it to Y2K, it’s not the same thing. One is a regulation, the other one is a bug in the code of machine hardware that had to be fixed.
I saw something funny earlier on the British Standards Institute they are calling GDPR “Global Data Protection Regulation”. Unbelievable that they can get that wrong. You can quote me on that. It’s not a “Global Data Protection Regulation”, there’s no such thing.
You still have to ask the question how would you apply penalties to companies that have no presence in the EU. I look forward to seeing them try.
Find this story on Medium.