Lee Cramp is the head of information security at the British Red Cross, but unlike many people in similar roles, he does not have an IT security team reporting to him. Instead, he works with the IT and organisational teams to ensure that the charity can thwart cyber threats.
“While it is a one man band in terms of the role, I think one of the key skills to have in these kinds of roles is being a conduit between the business and the technical side, so you’re trying to give that perspective and I see myself as a translator,” he tells NS Tech at the Cyber Security Connect UK conference held in Monaco.
“While I don’t have a big team, I have the ability to tap into the infrastructure team, or the IT team, or the business partners to ask ‘if you design this new concept, what is it going to look like? Are we going to roll it out? And have we thought about X, Y and Z?’” he says.
But the British Red Cross is not alone in having a small information security headcount.
“If you look across any sector, data is the most valuable commodity on the planet, but if you look at any business you will tend to find that their security and information governance team is the smallest proportion within the business, and yet their job is to protect the most valuable assets,” he states.
Just like any other business, the British Red Cross holds data, some of it personal or sensitive, that it wants to protect.
“It would be detrimental both to the charity and, God forbid, to those individuals we’re trying to protect, and that’s what we’re trying to do: protect the individuals and their data – our aim is humanitarian. Poor people and those who are most vulnerable – for something to happen to that data would just be adding to that vulnerability, so we’re just trying to ensure it is safe,” Cramp explains.
This is a sad reflection of the world today – that criminals would attempt to disrupt a charity that is trying to help people.
But Cramp suggests that it is not necessarily attacks aimed specifically at the charity: it may be a mass e-mail campaign, and someone within the organisation happens to fall victim to it. Of course, this depends on the sophistication and nature of the attack, but the reality is that, unlike in other crimes, cyber criminals are not always aware of who they are attacking, as long as they get what they are looking for.
For Cramp, one of the key things he has been working on is demystifying what ‘cyber’ is.
“It’s a bit like a sport: if you don’t understand the rules you don’t engage with it, but if you understood it a little bit more you might be engaged in it,” he says.
Cramp has experimented with a range of different awareness training techniques such as blogs, vlogs and gamification.
“We’ve gamified Frogger to identify phishing, so that people can understand by playing games what would happen if you click on the wrong links,” he states.
Rather than being prescriptive about not clicking links, Cramp wants to show employees what would happen if they did, and what the consequences could be.
In addition to raising awareness, Cramp is looking at introducing DevSecOps into the business, and has already set minimum security standards for any new service introduced. He has also put a cyber response plan in place, which is less about stopping an attack and more about minimising its impact.
“What my job is to do is work out how to make as minimal an impact on our volunteers and our staff and on the people we support as possible, and how we continue to deliver services while still under attack,” he says.
Finally, Cramp says the key thing is to make secure behaviour the path of least resistance.
“For example, I can tell people not to use their laptops on the train because people can do some social engineering with that information, but they’re still going to do it. So then you have to think about helping individuals with that. Now, as standard, all laptops go out with screen protectors on to stop it, because I’m trying to help individuals and try to demystify the world of cyber,” he states.