The Integrate Agency CIC presentation for Cyber Safe Southwark in partnership with Community Southwark on 23 May 2017

2. Eoin Heffernan | Founder
The Integrate Agency CIC

3. What Do We Do?
Managing agent and support services to provide access to
funding, particularly government contracts including
Business
development and
bidding services
Removing Barriers
Capacity building consultancy
(data security, management
structure, marketing, business
strategy)
Partnership
brokering
Contract
management

4. Case Study - Integrate South East
Four local charities (£7.5m turnover, employment programmes expertise,
young people, mental health expertise, local expertise and network)
Opportunities
Special purpose vehicle – honest broker
Community Interest Company (CIC) for the benefit of the South East
Asset lock – no profit leaves the community, contract package area
Shares allow for ownership and investment
Each partner in SPV has ownership 25% of Integrate South East CIC
Shared horizon scanning, opportunity sharing
Shared back office services to create scale and efficiencies
Shared purchase of a hotel on Isle of Wight
Consortium to bid for local social services contracts
Collaborative solution design – millennial veterans programme

5. Case Study - Mencap
£191m turnover, market leader
National strategy for Department for Work and Pensions
(DWP) contracts
Assessment of strengths for contract delivery

6. Case Study – Silent Secret
November 2014 startup, social enterprise, social
network
Turnover £17,360 2014-15
Sourced £386,000 new income in 22 months
(£17,580 per month)
Won 2016 EIB European Social Innovation
Tournament in Slovenia (300+ entrants)
Selected for 2017 NHS mental health digital
innovators accelerator
Developed strategic partnership with Mind

7. Capacity Building – Cybersecurity
Cyber and data security
Boring, technical but vital
Expensive to source expertise
Cybersecurity consultant day rate £540 UK
median, “Intro to the GDPR for VCSE” £195-£495
This project intends to develop and share learning
and case studies – recording today’s session

8. How to be a digitally savvy organisation
Kevin McLoughlin

9. The aim of this presentation is to raise awareness of information &
cyber security and security implications regarding:
1.Personal Data
2.Sensitive Personal Data
3.Principle 7 (Data Protection Act 1998)
4.Organisational Data
5.Cyber Security
6.Protecting Against Cyber Threat
AIM

10. So what time is it any way..!!

11. Prevent Unauthorised Access
Review the Process, Procedure
Stop: Loss, Theft, Compromise of Data
Simple or Complex..!!

12. Group Discussion…

13. 1.Personal Data
Data which relate to a living individual who can be identified (name, address, D.O.B, National
Insurance etc.)
2.Sensitive Personal Data
Makes special reference to information defined as "sensitive personal data" which refers
specifically to information such as;
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the
disposal of such proceedings or the sentence of any court in such proceedings.
Definitions of Importance

14. Principle 7 (Data Protection Act 1998)
“Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal data”.
Definitions of Importance

15. • Confidentiality
• Integrity
• Availability (Risk)
Definition of Information Security

16. Governance
The protection of the clients and corporate data is the foremost
concern, and we achieve this in a variety of ways;
1. UK Law
2. Business Obligations
3. Organisational Policy
4. Business Best Practice - Standards

17. •The Computer Misuse Act 1990
•Data Protection Act 1998 & GDPR
•International Standards
• 27001
• 27002
• 27005
• 27032
• Cyber Essentials
The Law & Standards

18. So how safe are you…?

20. 1. Training, Education, Awareness (How often / recorded)
2. Information Security Meetings (Organisational Commitment)
3. Policy / Procedure (Where, when last viewed updated) – (How disseminated)
4. Audit / Accountability
5. Incident Reporting / Management / Response
Questions and Responses

21. 1. eLearning Package
2. Educational emails
3. Organisational Policy
4. Presentations
5. Posters
6. Screen Saver
7. Staff Handbook
8. Information Security Web Portal
9. Bulleting
10.News
11.Induction
Information Security Training

22. Often the weakest link in security is not technology, but the people who use it.
People let their guard down to attackers when they are tired or distracted by
work. Some feel intimidated. Others just make honest mistakes. It is a fact that
social engineering is often what allows attackers to steal the information they
desire. Firewalls, intrusion detection systems and antivirus software are just tools
to improve security. The biggest security risks to any company are its own
employees. Nearly all information security attacks originate from the inside.
The Weak Link…..!!!

23. Demo
Mobile Device

24. Group Exercise…(Part 1)
This is Your TargetThis is You
Attack !!

26. 1. Checking ID/Credentials – Challenging Visitors
2. Clear Desk/Screen
3. Attention to Detail (email, letters, policy)
4. Regular Accountability/Audit
5. Personal Accountability/Knowledge (Digital Competence)
6. Situation/Third Party Awareness
7. Vigilance/Double Checking
8. The Basics (password protection)
9. Clicking links
10.System updates and patches
11.Anti-virus – Encryption
12.MDM – Mobile Device Management
13.Opening attachments
14.Common Sense
Common Failings

27. A. Assume Nothing
B. Believe No One
C. Check Everyhing

28. Group Exercise…(Part 2)
This is Your ThreatThis is You
Defend !!

29. Physical

30. Administrative

31. Technical
The Weakest Link

32. Firewall
IPS/IDS
Web/Mail Filter
Anti-Virus
Encryption
Backup – (Read Only Encrypted)
Patch Management
Access Control
Manage Risk
OWASP
Cloud (PaaS, SaaS, IaaS)
DR/BCP
Prevent, Detection, Deter

33. Social Engineering
The art of manipulating people into performing actions or divulging
confidential information.
Typically trickery or deception for the purpose of information gathering,
fraud, or computer system access; in most cases the attacker never comes
face-to-face with the victims.

34. Social Engineering Techniques

35. Demo
Have I been Pawned

36. !Tu3sd4y!
Passwords
MondayDay 1
TuesdayDay 2
WednesdayDay 3
StationeryDay 4
ProjectorDay 5
?
Dictionary
Attack
(Brute Force)

37. HTTP vs HTTPS
Password:User Name:

38. Demo
Phishing

39. Social Engineering Examples
• Shoulder Surfing
• Tailgating
• Rubbish Bins
• Telephone Scams
• Phishing Email
• Physical (Reception / Door Call)

40. Social Engineering
Phishing

41. > IT Security

42. What the attacker gets

43. Demo
Fake SSID - Portal

44. Incidents
• Lost / Stolen Device
• Phishing / Spear Phishing
• Ransomware
• Social Engineering
• Lost / Stolen Data

45. Demo
System Scan & Hack

46. Incident Management
• Contain
• Isolate
• Minimise Impact
• Report
• Escalate
• Seek Guidance

47. Questions