*
Code test at home
*
Onboarded at home
*
Started at home
* Still at home
## Beyond the Edge
* Outside of corporate environment
* Difficult to protect beyond the edge network
* Heterogenous devices
* Difficult to monitor users and their devices
* 60% of data stored on employee endpoints
### The Good
* Cheaper to have people outside the office
* Decentralises physical security - good and bad?
* Easier to concentrate?
### The Bad
* Wider attack surface
* Almost no control over physical security
* Insecure Wi-Fi, use of public networks
* Personal use of corporate devices
### The Solution
* Better training, focus on security
* FixHorseErrorsBetterSecurity
* Privacy concerns around employee monitoring
* Better to focus on network traffic
* Use a Corporate VPN
Note:
Should be no such thing as a security guy
Malwarebytes\: Organisation survey - 18% cybersecurity not a priority, 5% went further -- admitting their staff were oblivious' to best security practices.
Volunteering with charity story
## Head In The Clouds
The great migration to SaaS platforms
### The Good
* Easier to deploy and scale that on-prem
* More economically and environmentally sustainable
* Services rapidly evolving and are updated automatically?
### The Bad
* Limited visibility of assets
* Overprovisioning of access permissions
* Lack of auditing
* Need to consider: provider's security controls, where data is held, what they can do with it
* "Zoom Bombing", Microsoft 365 Supply-Chain Attacks
Note:
Zero-trust cloud?
End-to-end encryption
Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack
"These products would access customers Microsoft 365 exchange servers in order for them to provide security services (backup, spam and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications"
### The Ugly
* Poorly implemented APIs (e.g. Microsoft privileges)
* Crimeware as a service (e.g. Emotet)
* On average, 2.8 cloud security incidents
* Phishing attacks (40%)
* Ransomware et al. (24%)
* Accidental Data Leakage (17%)
* Account Compromise (16%)
* Difficult to track down issues
* Don’t assume anything
### Misinformation
* Phishing - personal and professional (e.g. Lancaster)
* Anti-mask, Anti-vax, Anti-COVID?!
* "Voter Fraud", Lockdown Protests,
Note:
Protests (many violent): South Africa, Brazil, India, Kosovo, Malawi
Lockdown: Yellow Vests Movement in Paris
Myanmar (Burma): The armed forces had backed the opposition, who were demanding a rerun of the vote, claiming widespread fraud
Phishing is the easiest vector
### The Solution
* Monitoring private messaging - can/should we introduce a backdoor?
* Using artificial intelligence (e.g. [Re:scam](https://www.rescam.org))
* Discussions to have
* Platform or Publisher?
* Censorship or Sensible?
Looking Ahead
Artificial Intelligence (Darktrace, CrowdStrike)
Attacks on Industrial Control Systems
Cyber Warfare (e.g. Stuxnet) and Nation State Attacks
Widening influence of China and Russia
Your Career
Cyber is not suffering - over half of businesses have staff shortages [in security] continue to put their organisation at risk"
Cyber is so much wider than you may think
No such thing as “the” cybersecurity qualification!
## [WCIT](https://www.wcit.org.uk)
* 100th livery company of the City of London
* Four pillars of activity
* Charity
* Education
* Industry and Commerce
* Fellowship
* Fantastic opportunity to meet people from all over who work in the IT industry
### Journeyman Scheme
* Get involved with the company early
* Work with a mentor for 3+ years
* Get involved in our charitable efforts
* Dress up fancy and go to dinners!