We spoke to James Griffiths, Co-Founder and Technical Director of Cyber Security Associates (CSA), on the need to improve partnerships between technology companies and the government.
James Griffiths began his career early, joining the army at the age of 16 – straight out of school – where he worked as an apprentice. He worked in radio communications, and in many other areas, during his military service. Since leaving the military in 2014, Griffiths has built and grown Cyber Security Associates along with his business partner Dave Woodfine. The two founders have a great deal of experience in a variety of sectors, including financial, critical national infrastructure, cyber security, and security operations, in the government sector as well as in commercial businesses.
Key areas for the government to improve
During our conversation with Griffiths, we asked him about the key areas the government could work on when it came to cyber security. One of the main points Griffiths mentioned was how things have changed over the past three or four years through the creation of the National Cyber Security Centre. This brought the previously hidden GCHQ government space into the limelight and began to help businesses understand the risks and potential threats.
In turn, it’s also helped the government to improve its cyber security internally, through the National Cyber Security Strategy, which will guide and educate not just the government but also local councils, and even schools.
Advancements in AI and machine learning
We asked Griffiths about how advancements in AI and machine learning could affect the UK job market, and he pointed out that, “Artificial intelligence and machine learning is a route to simplify some of the tasks that we do continuously, on a day-to-day basis. And by using that kind of technology, and that kind of capability, it means that we can then focus our efforts on other things that we were maybe not having time for, or not having as many resources to be able to put into.”
However, there will always be the need for a human element with any of these programs, as they need to be managed, maintained, and audited. These programs will also need to be created in the first place, with the next generation being actively trained in coding so that they can build towards machine learning and AI algorithms that can improve our quality of life in the future.
The NCSC CyberFirst program
CSA became involved at the very beginning of this program when it was being tested, with Gloucestershire chosen as “a kind of incubator area to trial the program out, to get industry involved, to help go into more schools, to be able to enthuse and inspire the younger generation.” The program itself is meant to train children in both technology and areas surrounding STEM subjects like maths, science, and technology, and Griffiths notes, “there was nothing in the national curriculum with regards to it, so this is where the Cyber Schools Hub, that then became the CyberFirst program, was born from.”
The CyberFirst program offers not just training but also services like cyber graduate placements and apprenticeship schemes, to help these children enter the tech sector in the future. There are also industry leaders that go to speak at careers days and talk about the opportunities within the cyber security and information security sector. These have proven informative to not only the children but also to the parents, who were previously unaware that these things were available.
Potential security threats from government and security firm partnerships
From a government perspective, Griffiths explains that everything “goes through a vetting process and a clearance process.” However, when organizations do this, it does open them up to risk – they’ve got to trust that that organization has the same level of security, to ensure that nothing can become an insider threat.
Some jobs can’t be completed by the government alone, so there is a need for help from outside businesses. There’s a lot of promise in new start-ups which the NCSC can help to grow and gain access to funding or to help find investors to take the product to market. There will always be third-party security risks, but that is a necessary part of the process that has to be dealt with, regardless of company size.
Griffiths does point out that from a security point of view, you can “flip that the other way around, though – from a business risk perspective of someone working with the government, then obviously it opens you up to the government potentially having more access to your systems or more access to your resources than you would normally allow from an external organization.”
The role of ransomware protection in both government and business security
CSA often deals with organizations that have been hit by ransomware, mainly from an incident response perspective. Griffiths recalls one example when, “the IT director had just started in the role, and he’d been in less than a week in the organization, and they got hit.” This global incident was then dealt with by CSA. In many cases like this, businesses believe they are too small to be hit, and therefore safe from hackers. However, Griffiths warns that attackers won’t care about the size of the company if there is a potential way to gain access.
A lot of government resources have been put into supporting businesses, to help them recover when an incident happens. It’s a good idea, however, to have an insurance policy – a lot of existing policies now require companies to have two-factor authentication enabled as a minimum before they will write the insurance policy.
These insurance companies are trying to put the emphasis back on the organizations, to spend a little bit of money to save them a lot more than they’d lose if they suffered a ransomware attack. Many of these attacks can be avoided through proper education, such as ensuring systems are patched correctly and identifying phishing emails.
If you’d like to hear the full interview with James Griffiths, the podcast is available to listen to here, and also on Spotify.