Speakers: Rich Dale and Luke Appleby
[00:01] Rich Dale: Hi, folks. I’m delighted to welcome Luke Appleby from Equilibrium Risk to the Made to Grow podcast. Welcome, Luke.
[00:09] Luke Appleby: Hi. Thank you. Thanks for inviting me along.
[00:11] Rich Dale: Yeah. Thank you. You know, I’ve been really looking forward to this conversation because security is probably on the top of a lot of people’s minds with these high-profile hacking incidents. And meanwhile, for many manufacturers, it’s probably not necessarily the thing that’s at the top of their list, but it’s maybe an itch that’s becoming more and more necessary to scratch. But rather than me make assumptions, could you give the listeners an overview of yourself and what you guys do?
[00:50] Luke Appleby: Yeah. Sure. So we are a security management company. We specialise in providing tailored security solutions for manufacturing. And that can be physical security solutions, so from your CCTV cameras, which everyone wants to buy, to your bricks and mortar gates, barriers, that sort of stuff, through to the cyber element. So the cyber consultancy, Cyber Essentials, that sort of stuff, through to the IEC 62443 sort of infrastructure. So we’re creating a secure environment, in essence, for a manufacturer to thrive and grow.
[01:32] Rich Dale: Excellent. Speaking of environments, I mean, the environment is changing, particularly with AI and bring your own devices. I know that’s not terribly new, but the world we live in is ever more complex. We’re offering ever more surfaces potentially for risk, whether it’s – you mentioned physical security, there’s subcontractors, there’s devices. So what does the perfect environment for security incidents to occur look like?
[02:10] Luke Appleby: Yes. That’s a really interesting question, actually. So it’s a combination. If you have a lack of security measures – so a lack of cyber security, a lack of physical security – and interestingly enough, that’s where the majority of people will focus 90% of their energy. That’s where they think, well, let’s spend more money on more security measures. But the actual fact is, that makes up one small element of what I would class as the perfect environment for a security incident to occur. Opportunity is the biggest driver for something to occur.
[02:51] Luke Appleby: So the opportunity for crime. So leaving a username and password, for example, on a Post-it note next to a monitor, in itself is not a security risk, but it leaves the opportunity for that to be used for nefarious reasons. Leaving waste product in a skip by an open gate, for example, leaves the opportunity for someone to drive on and nick that. So that’s another major driving force for security concerns.
[03:21] Luke Appleby: And when you combine that with a lack of security measures, then it becomes a really great indicator for something to go wrong. The last element is the motivations of an attacker. So if you have got a motivated attacker, which generally, as a business, we can’t control, but we can influence. And if you combine those three elements – so we’re talking about a lack of security measures, we’re talking about the opportunity for something to occur, and we’ve got a motivated offender – when those three overlap, you know, your Venn diagram, that bit in the middle there is the perfect scenario for something to occur.
[03:53] Luke Appleby: So from a business point of view, while we can’t control the motivations of an offender, be that somebody within the organisation or somebody external, there are things we can do to influence it. But what we can do is we can control the opportunity, and we can control the level of security measures we use. And if we control those two elements, then the chances of a security incident are far reduced.
[04:33] Rich Dale: I mean, one of the things that encouraged me is that you touched on this – you have inadvertent security risks and openings, and then you’ve got the malicious side of things. And I suppose the robustness and consistency of the application of policies will help both. The inadvertent Post-it note with passwords, trying to stamp that out, or indeed the opportunistic kind of skip at the gate.
[05:04] Rich Dale: But also if policies are being monitored and managed and enforced, then the opportunity for malicious, pre-planned stuff makes it harder to pre-plan. And maybe, obviously, nobody wants to have employed somebody potentially who comes in with the intent of stealing something or ripping you off, but if it’s going to happen eventually or potentially…
[05:31] Luke Appleby: Well, I think it’s slightly more nuanced than that, to be honest. If you look at what wrongdoing is, wrongdoing is a continuum. And it starts at one level where it’s sort of low level, and there might be a tendency to be dishonest, for example. So they might steal stationery from a cupboard or something like that. And at the other end, it’s being dishonest – so stealing company property, fraud, that sort of stuff.
[06:00] Luke Appleby: But the actual fact is, everyone’s on that scale somewhere. Some people live all up at the top end. There’s that nature versus nurture argument. They’re born into an environment where it’s perfectly natural and normal to steal company property, to commit fraud, that sort of stuff, for lots of different socioeconomic reasons. And they’re quite happy living out there. And then there are some people that wouldn’t even consider jumping a queue, for example, down the other end.
[06:30] Luke Appleby: But the reality is people will move up and down that line consistently. So if the reward, or perceived reward, is high enough, and the risk, or perceived risk, is low enough, people will fluctuate. So when we talk about a motivated attacker, for example, and opportunity, it’s about controlling that – reducing the reward or anticipated reward, and increasing the risk, or even perceived risk. And if we can control those two, then we are in control of our security as a business.
[07:07] Luke Appleby: If you allow the little stuff to go – so people nicking a ream of paper from the stationery cupboard, for example, or waste product, offcuts of metal, for example – which would allow people to take that for their own personal use, it’s kind of a signal to say, well, that’s okay. And there are occasions where the biggest stuff is accepted as well, if that makes sense. And I realise that every business is different. But in actual fact, if we can control the little stuff, then we have a much greater chance of stopping the big stuff as well.
[07:46] Rich Dale: Yeah. Well, as a parent of two – one teenage boy and one almost teenage boy – I definitely know about that. Yeah. Nothing like nipping things in the bud.
[07:55] Luke Appleby: Exactly. Yeah.
[07:56] Rich Dale: So just in terms of that piece, what does good look like in terms of a company that wants to, on the one hand, have a culture of trust and engagement and buy-in, but also have that clear line drawn in the sand? How do you go about affecting that? And what does good look like?
[08:21] Luke Appleby: What good looks like depends on the business, but I think with any culture it’s about communication, isn’t it? So from the top, being very clear on what your policies are and your procedures are, what the moral compass of the business is. So what are the standards that the business wants to aspire to? So we know what those are. And then we disseminate that information down so everyone’s aware of it.
[08:57] Luke Appleby: But then also having the bottom-up communication strategy, so people are aware when things aren’t quite the way they should be going, and they’re able to report that or communicate their feelings upwards.
[09:08] Rich Dale: Mm-hm. There’s a way of doing that in a way that they feel is secure in itself.
[09:17] Luke Appleby: Absolutely. But if you look at security – if you understand that the business has got to deliver the product, whatever it is, right? One of the security strategies you could have is you can have a replacement. Right? So if something on your automation line breaks, have an immediate replacement so you can automatically switch. The production line can keep going, but you practise it. So you know it works.
[09:45] Luke Appleby: But then when you go in to practise it, you talk to people and say, right, does it actually work for us doing that? So you’re involving them in the discussion of how we can make sure that the business continues to operate. Because at the end of the day, that’s what security is about. Security is about ensuring the business can operate and it can make money, so then staff can be paid and potentially get more money from the business being more efficient.
[10:04] Luke Appleby: So it’s about engaging with people and making sure that people are doing the right things, and what they are doing is right for the business. And if they see people that are doing things that are against those policies and procedures, those morals that we talk about, then they have a way of saying, actually, you’re acting not in accordance with the way the business wants to operate, and you could be affecting the business in a negative manner, which in essence means the employees earning less money.
[10:43] Rich Dale: Mm-hm. Taking it back a step, in terms of how you engage with a manufacturer – most of us have a lot of common sense, but you’re the expert in certain things. So that skip set up at the gate is a good example where it’s been there for years and, you know, for years has never been a problem until that one time it became a problem. But how do you engage with a manufacturer to effectively do the gap analysis between what you think is going to be a robust and comprehensive environment and where they are today? What’s your process?
[11:28] Luke Appleby: It’s understanding what the business wants to achieve, is the short answer. So understanding where the business wants to get to and drilling down to what it uses internally – so resources, partners, processes – to get to where it wants to go, and then making sure that that is the priority of security.
[12:03] Rich Dale: Who can’t remember…
[12:04] Luke Appleby: …who said that. But it’s getting rid of all the noise and saying, this is what we need to concentrate on to make sure the business gets to where it needs to get to. And then making sure all your security solutions are aligned to that.
[12:40] Luke Appleby: When I mentioned we can’t affect the motivation of an offender – security incidents occur for all sorts of reasons. But if they don’t derail the business, then there is a level of tolerance that we’ll accept and say, well, that’s just within tolerance. We’re not going to spend any money or waste any time doing that because it’s not going to stop the business achieving what it wants to achieve. So we can just carry on going.
[13:08] Luke Appleby: And that comes down to understanding what is within that bracket. So what is important that the business has to do or can’t allow to happen that’s going to take it off its rails, to stop it achieving what it’s going to achieve.
[13:41] Luke Appleby: So while we can’t affect the motivation of an offender, we can’t stop someone trying something. But what we can do is we can stop them achieving their aim. So their aim might be to encrypt some data, therefore in some form of ransomware to sell it back to us. Right? We can’t stop them trying, but what we can do is we can stop them achieving that aim by using security measures to ensure they can’t reach that data. And there’s lots of different things from a process point of view, to a people point of view, to a technical point of view, to ensure that they can’t achieve that.
[14:11] Rich Dale: So, you know, in some cases, I’m thinking of – there’s a building near our former office where they, I think it’s the Royal Mail, manage all their cash. And there’s about three fences and several security gates and dozens of cameras. You know, that’s a level of security to guarantee the risk that they have, which would be a sledgehammer to crack a nut for an entirely more simple operation or something that’s not holding valuable stock or whatever. But maybe that’s just too basic an example.
[14:50] Rich Dale: But one of the things that we do in Flowlens that resonates with what you said is that, you know, in terms of the data piece, our customers need their team to be able to use the data in Flowlens. The whole principle behind Flowlens is that it’s the one place for all of our business data. But there is that inherent risk then.
[15:15] Rich Dale: And the way we do it or handle that is that the system allows you to limit who has access to download and extract data from it.
[15:25] Luke Appleby: Yeah.
[15:25] Rich Dale: But it also shows you the reports that people are running and the audit trails and things like that. And, you know, as soon as you are letting somebody go, or they’ve resigned, you can obviously remove them from the system completely. So those are the sorts of things you’d look out for in software.
[15:46] Luke Appleby: Absolutely. You’re exactly right. And then you sort of look at the data and think, well, you’re making sure that only the right people can see the data. But then, obviously, you’re making sure you secure it where it’s stored, but also in transit. I mean, if you don’t encrypt the data in transit, then you’re inviting people to intercept that and jump in.
[16:13] Luke Appleby: I think one of the biggest mistakes is businesses say, well, if it happens to us, it happens to us. Or you’re not going to stop somebody from hacking us or stop someone from breaking in. Well, you’re not going to stop them trying, but you can stop somebody reaching their aim. Like, I mean, that example you gave where they’ve got three fences and they’ve probably got security-rated fences for storing that amount of cash – you can’t have half a fence around your site and then say, well, if they’re going to break in, they’re going to break in. You can prevent – you can’t stop them trying, but you can prevent them reaching their aim.
[17:07] Luke Appleby: It’s like, there’s no point having data and having people on their laptops that take it home and it’s not encrypted. Well, you’re just inviting things to go wrong. There are good practices that you can instil and good practices you can follow to back it up.
[17:07] Luke Appleby: You can argue that state-level hacking is a different level, and possibly we can’t have much influence on that. I mean, if you look at the recent M&S and Co-op incidents, the Legal Aid Agency that have been hacked recently, are there things that could have been done? Possibly. But I think that’s probably a different level.
[17:42] Rich Dale: Yeah. Although we never know where – and this is where it comes down to common sense things like not using the same password on every login, having multi-factor authentication where it’s available, making sure your laptop and your phone have a passcode, you know, that the phone goes to sleep and you can’t just open it up. Because those are the little cracks where whether it’s a state-level malicious act or a more localised level thing, those are the cracks that people slip through. Or they’re looking for those cracks. And as you say, if they’re motivated, they will eventually find them. So enacting those policies is at least the table stakes for knowing you’ve done the standard.
[18:17] Rich Dale: Coming on, it would be good to talk about Cyber Essentials, and how that fits into – and more specifically in terms of the security framework. Could you give an overview for those who maybe don’t know what it is and what you do for companies on Cyber Essentials?
[18:57] Luke Appleby: Yeah. So Cyber Essentials is sort of the government-led standard for securing your cyber environment from attack. It’s good practice. I mean, it’s a step up from the one you alluded to earlier, which is the sort of cyber-aware stuff – the very low level that everyone’s supposed to use. So we talk about unique passwords for your email, for example, multi-factor authentication, updates. That’s the sort of stuff that everyone should be using, because it’s individuals and their passwords – that’s where the majority of things get through.
[19:31] Luke Appleby: How many businesses can say, yes, all my employees are cyber-aware or are cyber-aware compliant, if that’s the right word? I’m not sure there’s that many. But the next stage up from that is Cyber Essentials. So it’s a government-backed accreditation where you prove that you comply.
[20:05] Luke Appleby: On the basic level, there are two parts. There’s Cyber Essentials and there’s Cyber Essentials Plus. Cyber Essentials is a self-certified thing where you fill in the documentation, you tell people what your actual processes are, and you send it off. And as long as you comply with it, you get the certification. And the other one is Cyber Essentials Plus, where you do the same again, but then you get an external organisation to test it, to say, actually, yes, it is as it’s supposed to be.
[20:30] Luke Appleby: And it’s just good practice. So I think it’s five elements. Firewalls – making sure you’re using firewalls, how you as a business access the internet and making sure that’s secure. Making sure you’ve got secure configuration – so all the machines you use, laptops, are secure. Any software that you’re not using is disabled. All default passwords are changed. It talks about user access control for data – so you talked about making sure only the right people can see the data they’re supposed to see. So it’s talking about how you control that and how you ensure people can only see the data they’re allowed to see.
[21:11] Luke Appleby: It makes sure that you have malware protection – some form of antivirus software on your machines, or on all the machines that you use. And lastly, it talks about what they call patch management. So if you can imagine, software is very dynamic and it becomes out of date. So it’s making sure it’s updated regularly, and it’s updated when these patches get released.
[21:47] Luke Appleby: Have you ever heard of the term “zero-day”? So a zero-day attack. What happens is people – hackers, be that red hat or blue hat – test this software and they’re looking for vulnerabilities. And if a vulnerability comes about, a zero-day attack is somebody exploiting this vulnerability before there is a fix that’s been published. Once it becomes known and things like Microsoft and all these other software providers become aware of the vulnerability, they then put out fixes to reduce it. And that’s all it’s about. It’s about making sure that the software you use is secure, basically.
[22:31] Luke Appleby: And when we talk about beyond support – so when software becomes out of date, people stop supporting it. They stop putting out fixes to address vulnerabilities, which means the software is inherently vulnerable to attack. And these vulnerabilities are known. People find them and they put them in these online “bins” where people can find them and they can be exploited. Not all of them are used for nefarious reasons, but people put it out there for all sorts of reasons.
[23:10] Luke Appleby: So it’s important that the software that we use is secured and maintained securely. And if you can prove that – you fill in the documentation, prove that, you send it off to the certifying body – you can get proof that you’re complying with Cyber Essentials. And it’s done every year.
[23:38] Luke Appleby: And it’s what’s needed if you’re using government contracts. If you want to work with MOD, aerospace, that sort of stuff, then you’ve got to comply with Cyber Essentials.
[23:50] Rich Dale: And how do you help manufacturers with Cyber Essentials?
[23:54] Luke Appleby: So we can help manufacturers complete it. We will conduct a gap analysis, find out where they are, and find out where they need to be, and then help them achieve certification in the simplest way possible. And we can help them do Cyber Essentials Plus by getting an outside agency to conduct a penetration test to test they actually comply with it. So yeah, from zero to hero, I suppose is the phrase, and help them fill out the questionnaire.
[24:26] Rich Dale: Like, most manufacturers aren’t experts in Cyber Essentials. They’re hopefully experts at making their products and serving their customers. So it’s another thing, you know, that it’s quicker to bring in expertise like yourselves, get the job done, find those gaps quicker. Not only are you protecting yourself, but the Cyber Essentials…
[24:52] Luke Appleby: And I completely agree. But that’s why I said at the beginning, when you said what does good look like, security has to align with the business. You have to understand what the business wants to achieve, because there are a thousand and one different ways to secure a business, both physically and from a cyber point of view. But you don’t want to waste your money on things that aren’t going to support the business’ main aim.
[25:18] Luke Appleby: You want to make sure that the security that you utilise supports the direction of travel of where the business is going. Everything else is just a complete waste of time, a complete waste of money, and that’s it.
[25:32] Rich Dale: Normally, I ask guests to leave our listeners with one succinct piece of advice. I’m feeling you’ve just done that. But because that was a very great way to summarise that, is there anything else that you would leave listeners with just as we wrap up, to consider, having listened to this episode?
[25:55] Luke Appleby: Yeah. I mean, I think my one bit of advice would be to drill down and understand what you use to achieve that aim. So what resources you use – be that software resources, machines, people, partners. So who are those partners, and the data. Importantly, the data. Where is that data? Do your partners have data that you need? It might be proprietary. It might be essential for the value you offer, but you need to understand it and where it is. And if partners have it, is it in the public domain, for example?
[26:56] Luke Appleby: Just drill down to understand what those bits are that you need as a business to make sure you go in your direction of travel, and then look at what it is you need to do to protect that and secure that. And then once you’ve done that, then everything else is just noise, if I’m honest.
[27:24] Rich Dale: No worries. Luke, I really appreciate it – that’s been an excellent overview. I’ve enjoyed the conversation. I’ve learned a lot, actually. How do listeners get in touch with you if they would like to get some help?
[27:41] Luke Appleby: Yeah. Sure. So our website is equilibriumrisk.com. We are on LinkedIn. My name’s Luke, there’s a logo there – please find me on there. But yeah, best way is equilibriumrisk.com and just drop us a message, and we’ll get back to you.
[28:02] Rich Dale: Brilliant. We’ll include all that detail in the show notes as well. And you can also be found through the Connex portal because that’s how we know each other.
[28:12] Luke Appleby: Yes. Exactly. Yeah.
[28:13] Rich Dale: Through the Connex network as well. I would be remiss if I didn’t finish this episode with a short plug for the book that we’ve recently released, which is Fearless Digital Transformation. And at the end, that final chapter – last but not least, in this case – is a chapter that summarises some of the key elements of cost manufacturers need to consider around securing their digital transformation.
[28:49] Rich Dale: So just to mention as well, if you haven’t already downloaded the book, you can get it from flowlens.com. But yeah. Once again, Luke, thanks very much. I really appreciate it. And have a good day.
[28:59] Luke Appleby: Yeah. Thanks for having me.