THE STATE OF CYBER SECURITY IN THE UK

Vanessa Eyles, Detective Superintendent of West Midlands Police

Previously Director of the Cyber Resilience Centre West Midlands

Vanessa understands that the police can’t arrest their way to ending cybercrime, as a result pre-empting attacks is the focus for The Cyber Resilience Centre (TCRC). With fraud & cybercrime combined, they make up 39% of crime in the UK, and Vanessa’s strategy to address this is with prevention of cybercrime rather than cure. With the TCRC West Midlands, she aims to raise awareness, offer businesses support, and show businesses that their assumption that cybercrime will be treated like other crimes when it comes to accountability and insurance is wrong.

Listen above, on any podcast platform you choose, Spotify or Apple Podcasts, or watch the in studio video below:

Transcription
Prefer to read along? No problem. We've transcribed the episode below for you:

Dom:
Hello, I'm Dom Wetherall, your host at the F5 podcast brought to you by Intercity.
Today I've got the privilege of being joined by Vanessa Eyles, who is the Detective Superintendent in West Midlands Police and also the Director of Cyber Resilience Centre for the West Midlands (at time of recording).
Welcome to the podcast, Vanessa.
Vanessa:
Hello.
Dom:
How are you?
Vanessa:
I'm very well, thank you.
Good to be here.
Dom:
Thank you very much for joining.
I'd like to just kick off and love to hear about your experience, how you've got into this role and this career.
Vanessa:
So my journey to here today has been a little bit different to many people within the cyber sector.
So I joined West Midlands Police 30 years ago and I went through the ranks. I've done a number of different roles.
I have been the senior investigating officer for attempted murders, shootings, and kidnappings across the whole of Birmingham. 
And then I got promoted to chief inspector.
So I was the DCI in charge of serious and complex child abuse.
So that's paedophile rings and suspicious child deaths across the whole of the Black Country.
And then I got promoted to detective superintendent. And the chief constable asked me to run the cyber resilience centre, which is a business on behalf of policing.
And it was a real aha moment. Because I'd never run a business before.
However, the chief was very aware of the fact that I've been passionate about crime prevention for over two decades.
And so he saw that a number of my skills absolutely suited this.
And so two and a half years ago, I entered the cyber world for real, but very much with the angle of preventing cyber crimes for businesses, as opposed to trying to put the pieces back afterwards.
Dom:
Is it something that you're exposed to during your police career, cyber crime and fraud in general?
Vanessa:
So it's interesting, actually, because when I was an inspector in charge of neighbourhood policing for the Northfield constituency, I actually volunteered to be the cyber lead. But that was more for general members of the public.
So passwords and make sure you've got antivirus software, that sort of stuff. Wi-Fi hotspots. Yeah, just the real basics. But not in relation to business crime.
That was just general because I was a community policing inspector. So I saw the potential then.
And so when I came into this walk of life, this sector, actually, I was very aware of the risks that people and particularly businesses were faced with.
Cyber crime being so prevalent and rife across all sectors, industry sizes, regardless.
Dom:
What do you think are the massive trends in in in 2024 that people should be aware of?
Vanessa:
So at the moment, what we're seeing is that if you put fraud and cyber crime together, it counts for 39 percent of total crime across the nation. So it's really prevalent.
And we've got to get on top of it because some of these fraudsters, these cyber attackers are making a lot of money and we are losing a lot of money.
So patterns for 2024. Sadly, I think that the number of cyber attacks will increase, particularly phishing emails, because cyber attackers, they used to be able to send out, you know, maybe 100 emails in a day.
Whereas now with AI, they can send out 10,000 in a day. So we've got to be really aware of that. AI is helping the cyber attackers.
And so we need to make sure that we get our basics right. And maybe that we start to use AI to defend ourselves. But that's a whole special in itself.
Dom:
It is, just on that, though.
So how are they really enabling the scale up of their attacks through AI?
Vanessa:
Yeah, so there's a couple of things.
So first of all, the AI skills are helping cyber attackers to make their phishing emails far more convincing, far more plausible.
So they're able to get the branding right, if they're pretending to be the post office or whatever.
They're able to get their grammar and their spelling correct.
And they're able to be able to sort of link in different links or different websites or whatever to facilitate these attacks.And so that's part of it.
AI also helps scammers and cyber attackers to research where the weakest spots are within a business or where the biggest gains would be within the business sector.
And so it will identify, actually, that's the lowest risk and the biggest gain. So let's target there.
And AI is learning from its own mistakes. So it makes a mistake, comes back, learns and then goes back again.So it is a phenomenal piece of development, but we need to make sure that we get our basics right and that we start to use it so that we are playing on an even field.
Dom:
Do you have any examples of those AI aspects where it's searching and using an algorithm to look for that lowest point of entry, that easy open door?
Vanessa:
So that's pretty niche at the moment. And that's the sort of stuff that doesn't really get reported, is my honest answer.
And that's the problem with organisations is they don't want to put the red flag up and say, we've suffered a cyber attack.
And those specialist investigators don't really want to put the red flag up and say, actually, we found this. But these are the thematics that are coming out.
And there are many experts within the AI world who are sharing these messages.
It's out there and we've got to make sure that we keep up.
Dom:
There's also the impact of AI from a positive perspective and how businesses can utilise that to enhance their defenses and awareness around cybersecurity.
Vanessa:
Yeah, so AI is being used more and more.
Obviously, it's being used for increasing efficiency within businesses and organisations, which is fantastic.
But it's also being used to boost the ability to monitor what's going on across an organisation's network, to spot unusual behavior, unusual activity, and then to feed into security systems so that actually those triggers can be clicked straight away.
And somebody within an IT team can really hone in on something and really unpick it and find out what's going on.
Dom:
Having the right security in place is obviously paramount for any business.
What do you think is the core baseline of what a business needs to have in place?
Vanessa:
The best mindset to have is it's not if I'm going to suffer a cyber attack, it's when.
If you start thinking like that, then you will be more defensive and you will be getting things in place so that you are in a stronger position.
Get the basics in place.
So it's boring things like making sure that you have strong passwords and you have a strong password policy and you dip sample and you audit or making sure that you don't allow your staff, your team to have access to free public Wi-Fi, as you described earlier on.
So that there are basics that you can get in place, but sometimes these are rather tedious and boring.
Multifactorial authentication is hugely important but can slow down productivity a little bit. And so sometimes your team will try and swerve it, work around it.
And that's where, again, it's about having policies in place, dip sampling, checking, testing.
So those are some of the things that you need to do and you need to remember that actually cyber attackers most of the time, not all of the time, but most of the time will go for the low hanging fruit in easy targets.
Dom:
Yeah, if they're trying all the neighbours and everyone else has got their door locked and you're the one that hasn't, then yeah, we know which one they're going to enter.
On that point that you mentioned, which is interesting around that slight pushback maybe from a workforce in terms of productivity or frustration with certain systems.
But ultimately it's that communication and culture across a business that's got to really embrace and understand it because a little bit of frustration and building a new process can be the difference between trading and not trading.
Vanessa:
Absolutely. I mean, that can't be reinforced enough.
And so what we are encouraging is it's all good and well for a board or managing director to say you've got to do MFA and have strong passwords.
But if you don't create that culture where it's accepted, it's embraced, then people will swerve around it. They'll work around it.
And so that's where things such as security awareness training are really helpful because you educate your team about why these measures are being put in place.
What you then find is if you do that security training effectively and I don't just mean an email to them or click through the next screen, click, click, click because that's just a tick box. Yeah, that's just a tick box exercise.
But if you do it properly, effectively, you'll find that your team, your organisation will become spotters for you and they will be those eyes and ears.
Dom:
The human firewall.
Vanessa:
Absolutely.
Also what you'll find is that they will be thankful because they are safer outside of work and so they get on board with this.
Dom:
Businesses have often relied on insurance.
Again, picking up on what you said then, Vanessa, with tick boxes, I've got this piece of software, I'm going to tick a box, I can go and get my business insurance now.
So if and when I do become under attack from a cyber breach, I'm OK because I'll just claim my insurance.
That landscape has changed massively.
Vanessa:
It really has. Yeah.So if you if a smaller business takes out cyber essentials, so if you if you get that accreditation, then you get some free insurance with that accreditation.
It's not huge, but it's a great start, particularly for a smaller business.
But what we're what we're learning is that insurance companies are becoming far more strict in relation to the conditions, the rules, the the way that an organization is running online.
So they will have stipulations such as you must have cyber essentials or you must have ISO 27001 or you must follow the instructions of a CISO.
Now, this is all technical stuff, but basically what the insurance companies are saying is you must do more and more to be able to actually become qualified to have cyber insurance.
And I really don't want to take away from insurance, but insurance companies will say no if you haven't complied with all of the small writing within the policy.
And that's why insurance is a part of the picture.
But we we really recommend that people do the basics so that hopefully they don't need that that insurance.
Dom:
Have you heard or seen examples recently of cases not being successful?
Obviously, we completely anonymised, but is there cases that you could speak to in terms of people not being successful in claiming against insurance?
Vanessa:
Yeah, definitely. I mean, the big one was there was an insurance company.
I think I'm going back a couple of years now where they said if there are any links between your business and China, then we won't pay out.
And in some ways, that's quite difficult not to have any links whatsoever through to be somewhere down the supply chain.
And the same could be said for, you know, we an insurance company may not pay out if there is any connection to a war scenario.
Well, we've got two wars on the go at the moment, and I'm not getting into the politics of war.
However, sometimes insurance companies will make exceptions.
And so that's where preventing a cyber attack from happening is definitely the best way forward.
Dom:
Vanessa, you're the director of the Cyber Resilience Centre.
I'd love to hear about the importance to you as a person of why it means so much to you to help individuals and businesses alike.
Vanessa:
It sounds a bit bizarre, but in an ideal world, I would love it if we didn't need to have police officers because there would be no crime.
However, just speaking a little bit more personally, when I had two and a half year service in the place, I was severely assaulted on duty.
And I had two fractures to the skull, one to the jawbone, and I was left unconscious.
It was a gang of 10 armed men.
And I if a police officer could have prevented that assault from happening to me by diverting those men away from a life of crime, I would shake that officer by the hand and call him a hero.
So I see today that cyber crimes are attacking people and businesses and they are devastating those businesses.
They're devastating those businesses irrevocably and people are losing their livelihoods, their passion, their lifelong work.
And that's awful. That's just tragic. And so that's why I'm so passionate that let's not have a cyber crime happen.
Let's prevent it happening. Let's stay cyber resilient.
Dom:
Could you tell me a little bit more about about the Resilience Center?
Vanessa:
Yes, so we are called the Cyber Resilience Centre because in some ways you can't be 100 percent cyber secure if you are working online.
However, what we want is we want businesses to be safer online and we want to give them some basics so that they become safer.
And I describe it and it's a little bit cheesy, but I describe it a little bit like the NHS Health Campaign couch to 5K. And you can see where I'm going with this, can't you?
What I try to do is take businesses from the couch and get them to 5K in relation to their cyber security.
And when they get to 5K, metaphorically speaking, if they say to me or Vanessa, you know, which company should I go with in the long term so that I stay cyber safe?
I will rub my hands together in glee and think my work here is done because the Cyber Resilience Center is just about helping those businesses get going.
Get the basics right.
We give a free half hour consultation, which helps businesses because actually who are you going to talk to about cyber security?
You're not going to go down the pub on a Friday night and talk about cyber security.
You're probably not going to go to a coffee shop and talk to your mate on Wednesday morning over a blueberry muffin and chat about cyber resilience.
So who do you talk to? Well, we're coppers trying to prevent crime.
And so that's where we can help when they get those businesses get to 5K and they say, Vanessa, who should I spend my money with?
I'm not allowed to recommend businesses such as Intercity because we're coppers.
However, I do say to people, have a look at who we work alongside and you can make that choice.
Dom:
Thanks, Vanessa. Appreciate that.
Vanessa:
We've also worked together previously because you helped us and support us with our cyber assessment framework event that we ran at Edgbaston Cricket Stadium last year.
And you brought a lot of those insights with you. And I know our audience were extremely enlightened and found it really insightful. 
You mentioned earlier, it's not an if, it's a when.
Talk to us a little bit about who's at risk.
Vanessa:
Yeah. So first of all, the event at the cricket ground was fantastic.
I thought Intercity really did a great job there. It was it was good fun as well.
So who's at risk? So one of the worst things for businesses is if you're at risk and you don't know you're at risk and a lot of businesses convince themselves that they're too small to be at risk.
So what we say is that every, every person who is online and every business who's got anything connected to online activity is at risk.
And as I mentioned earlier on, cyber attackers are looking for the low hanging fruit most of the time because they're easy.
So even if you are a micro or a sole trader business, you're still at risk from a cyber attack.
A lot of businesses also think that because they haven't got very much cash in the bank, which is understandable, they think that they are not at risk of a cyber attack.
And sadly, that's not true because data is a new gold and it's really valuable. Now, who's also at risk?
Charities and people who've got information, particularly information in relation to vulnerable members of the public or sensitive information.
So if you imagine if you've got information about children and a cyber attacker gets information about those children, names, dates of birth, home address, they've got that information and it's out there for sale on the dark web for 70 years potentially.
If it's about vulnerable children, then those children could be pursued by cyber attackers for 70 years.
And that's where we've got to get the basics right.
That's why cyber essentials. That's why cyber resilience center work is so important because this is affecting people's lives, livelihoods and their safety.
Dom:
Have you got examples you could talk to?
Vanessa:
So we had a cyber attack that took place on a school teacher.
They hacked into her laptop and as a result, they were able to send out lots of emails from her email address out.
Now, we managed to catch it quite quickly and we reported it to the school.
And as a result, they shut down her laptop and managed to not quite nip it in the bud, but stop too much information from getting out.
But the benefit in that scenario is that she didn't have very much in the way of children's data on her laptop.
If she had, then those cyber attackers would have had access to that information.
And what can then happen is they sell it on the dark web to somebody else who wants to use it either for fraudulent purposes or to blackmail maybe the parents or the school or the child when that child gets older.
So there's lots of different scenarios and the dark web is where this information, this data will be sold and bought.
Dom:
Vanessa, we've previously mentioned the importance of a security led culture within a business and how that's communicated.
Where do you think the responsibility lies?
Vanessa:
That's a really interesting discussion.
I spoke recently with a large group of board members and I explained to them that actually if there is a cyber attack on their organization, it won't be the IT team who are held to account because they will undoubtedly have an audit trial of emails requesting this or that or please can you do this or that.
And they recommend this action and that action, these policies. So they'll be watertight.
The board will be called to account and this is where they need to make sure they have an audit trail of implementing not just rules, but actually ensuring that this becomes a culture within their organisation. And so it must be top down that they reinforce these messages.
This is where board members do need to really understand a bit like health and safety, a bit like diversity and equality. It's about those positive cultures.
They will be held to account. 
Dom:
A personal liability becomes very real at times like that, doesn't it?
Vanessa:
It will be on your lap, at your desk.
You will have to justify what you've done and justify what you haven't done.
And that's where we want to help people.
Dom:
So we spoke about the Cyber Resilience Center and the resources that are there to provide help to businesses.
How can more businesses get involved and how is that scaling up?
Vanessa:
That's a great question, actually.
So obviously the best cyber resilience centre in the world is the West Midlands Region one.
However, I'm saying that very much tongue in cheek. We are part of a national network, so we cover every part of England and Wales, which is fantastic.
We're all police led, part of the office funded and not for profit. And that means that as a network, we meet up. There's a great rapport. We work really well together.
We make sure that we communicate about issues, thematics, and we hand over businesses to the right area.
And that not for profit is hugely important because we're police officers. We're not here to make money.
So we have a website where you can go. There's a postcode finder, which is really helpful for businesses.
So it's the NCRC group, the National Cyber Resilience Center group. You can go there, find out where your business head office is or where you want your cyber resilience center to be the one that you work with.
We are a partnership of police, academia and businesses.
And what we're finding is that businesses want to work alongside the police to tackle this really pervasive problem of cyber attacks.
So those businesses work alongside us, Intercity and many other businesses. We have some membership packages. We have some positions within our governance.
So there's our advisory group and our board. And that's the same within all of the centres. And then there's the national ambassadors who work with the National Cyber Resilience Centre.
Those organisations like the NatWest Bank, the very group KPMG, MasterCard and many more.
Dom:
We'll make sure that we add that link into the comments for NCRC so everyone can easily access all those great resources.
So I've got one final question for you before we close out.
If you could see us cover another story or topic or have someone as a guest on our podcast, who or what has influenced you?
What would you recommend?
Vanessa:
So just thinking about the skills gap nationally, but also thinking about something that's really true and dear to my heart.
Equality, I think that's something that we all need to be striving towards equality for all.
And I think that there is so much talent across the whole of Britain.
And sometimes we don't tap into that talent because we go for the stereotypical person that we want to recruit or work alongside.
So diversity, equality, that is something I'm really passionate about.
And I think what's really very relevant to the cybersecurity sector is the neurodivergent community.
And I was absolutely thrilled a few years ago when somebody went on stage and said that that they're from the neurodivergent sector community and they have superpowers.
And that absolutely hit the nail on the head for me. So we really need to tap into neurodivergent communities and make sure that they are supported so that they can deliver their best in what is a huge problem.
I think that they are untapped resources at the moment.
And I think that that's something where we should really, really embrace a lot of those people.
Dom:
Couldn't agree more. What a powerful message.
Great recommendation.
Vanessa:
Thank you.
Dom:
Vanessa, thank you very much for joining us today.
It's been really interesting and insightful to hear about the threat, who's who and when not if.
And then also the people that are going to be accountable and responsible for looking after those businesses and making sure that we can still trade and keep us all protected from from cyber crimes.
It's been really interesting to hear your side and hear your stories.
So thank you very much for for sharing those with us today.
Also fully aware that you're on call today during this recording of the podcast. I was awaiting a dramatic exit at any point.
So thank you for staying for staying with us and talking to us today.
Vanessa:
You're very welcome.
And I haven't had a call just yet. The week is young.
Dom:
Thanks a lot.
Vanessa:
Thank you.