Michelle Kradolfer is a Cyber Development Officer at the Police Digital Security Centre. In 2014 Michelle was an intern at INTERPOL, with the Research and Innovation team within the Cyber Innovation & Outreach Directorate. That internship sparked an interest in cyber crime and cyber security, and wishing to pursue a career in this field she moved to London a few years later. In 2019, Michelle successfully completed a course on blockchain forensics by CipherTrace and was accredited as a CipherTrace Certified Examiner (CTCE).
Michelle graduated from Middlesex University in December 2019, with a Master of Cyber Crime and Digital Investigation (with Distinction). She wrote this blog during her studies, having completed a placement at the Police Digital Security Centre where she learnt about the organisation and how it operates.
If there is any quote that has stuck with me more since commencing my Master’s in Cybercrime and Digital Investigation at Middlesex University, it is the following by Donald Rumsfeld (2002):
“There are known knowns; there are things that we know we know. We also know that there are known unknowns; that is to say we know there are some things we do not know. But there are also unknowns unknowns – the ones we don’t know we don’t know.”1
As confusing as this quote may seem at first, this concept of risk assessment is straightforward and can be easily applied to the world of cybercrime and cyber security. Currently there are cyber threats looming around that we know exist, such as phishing scams, data breaches and ransomware viruses to name a few. Although these threats are known to us and we may have tools to protect ourselves from them, one cannot predict when another ransomware attack will occur, the type of method the hackers may use, or the level of damage it could leave behind.
Technology is developing at such a rapid pace and cyber criminals are taking advantage of this by being right at the forefront in enhancing their skills and potentially creating new forms of cyber threats that are completely unknown to us. Therefore, to ensure that our cyber space remains secure, I believe it is critical that organisations, governments and individuals alike must put preventative measures in place and continuously update them, as well as being trained to be prepared and resilient to any potential cyber threats, whether old or new.
PDSC seem to share this same principle and are a leading example in providing SME’s with support and information on how best to protect their businesses from a potential cyber-attack, which is why I was drawn and intrigued by the work they do. As part of my master’s programme, I am partaking in a work placement module, which allows me to join an organisation in the cyber security field to shadow and work with them. I wanted to have a first-hand experience in analysing whether the policies and theories of cyber security were being implemented out in the real world and any challenges organisations may face doing so. Therefore, being given an opportunity to undertake a work placement at PDSC is a great way to experience how such a not-for-profit organisation aims to reduce the vulnerability of organisations to cybercrime. PDSC enables organisations to take steps to becoming digitally aware and digitally resilient by providing them schemes, as well as delivering a range of accredited Cyber Security training courses to them.
According to the NCSC ‘Cyber Security: Small Business Guide’, 1 in 2 SME’s could experience a cyber security breach, and the cost of such an attack could be up to £1400, which can have a devastating defect for some SME’s.2 In Hiscox’s ‘Cyber Readiness Report 2019’ they found that 55% of UK firms reported an attack and that overall small to medium size firms are increasingly likely to suffer more than one attack.3 At this point it is not a question of ‘if’ an organisation will get breached, but rather a question of ‘when’, which creates an urgency in ensuring that all businesses, regardless of size, are protecting themselves sufficiently from any future threat. What some seem to forget is that a breach into an organisation’s network does not only cause damage to themselves and their clients/customers data, but it can create a chain reaction of further attacks.
For example, in 2012 Dropbox suffered from a massive breach which resulted in 68 million user’s personal data being leaked online. The reason why hackers were able to breach Dropbox and enter their corporate network, was due to an earlier hack into LinkedIn.4 Hackers managed to access a LinkedIn account belonging to a Dropbox employee and figured out that they were using the exact same password for their LinkedIn account to that of the Dropbox account.5 Although these companies are much larger than the organisations PDSC focuses on, the principles remain the same and SME’s are just as vulnerable to such attacks if someone is using the same password for different online accounts. There are several steps SME’s can take to secure their businesses, such as training staff to identify phishing emails and how to report them, testing the organisation’s security network and safeguarding all the devices being used. All of this and more can reduce the risk of falling victim to a cyber-attack and in turn provide a strong cyber security for the organisation and its members.
This goes to show that there are two key factors that I believe are essential in building a secure digital world around us: education and awareness. Without being aware of the dangers and educated on how to protect ourselves, our businesses, governments and the public from a cyber-attack, we will remain at risk to both known and unknown threats in the future.
2 National Cyber Security Centre (2017) Cyber Security: Small Business Guide. Available on: https://ncsc-content.s3.eu-west-1.amazonaws.com/cyber_security_small_business_guide_1.3..pdf (Last accessed: 14 June 2019).
3 Hiscox (2019) Hiscox Cyber Readiness Report, p. 4. Available on: https://www.hiscox.co.uk/sites/uk/files/documents/2019-04/Hiscox_Cyber_Readiness_Report_2019.PDF (Last Accessed: 14 June 2019).
4 Gibbs, S. (2016) ‘Dropbox hack leads to leaking of 68m user passwords on the internet’, The Guardian. Available on: https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach (Last Accessed: 14 June 2019).