Published in Authority Magazine

Jonathan Wood Of C2 Cyber Security On 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Jonathan Wood.

Jonathan Wood is CEO and Founder of C2 Cyber Security, a leading provider of risk management solutions. Wood has 20 years’ experience in operational intelligence and believes companies need to look at their ESG along with cybersecurity compliance to succeed in the long term.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Growing up, I always had an interest in computing and I loved playing games. It was around the time when people first had computers at home, and my dad ran a PC company, so we had a mainframe in the study. I didn’t really have any of the little computers, I had NASA-grade stuff that looked like big, massive heavy boxes, which is fascinating when you compare it to what we’ve got now. It was quite a big bit of kit! Looking back, I can see where my interest came from.

When I left school, I was a weapons engineer in the Navy for 12 years before joining BT where I ended up running the security side for clients and then I founded C2 in 2017.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It was sorting out the problems created by Edward Snowden that persuaded me that actually, what we were doing needed to be applied to the private sector as well to make private sector data safe. And that was in the time of GDPR being in consultation, so everyone was focused on privacy and questions like “Where is my customers’ data and who’s got it?”.

We’ve been growing C2 ever since and now local councils, retailers and luxury fashion brands rely on us to secure their supply chain.

Can you share the most interesting story that happened to you since you began this fascinating career?

I suppose the interesting thing is, if you’re starting a business, and you’ve got a lot of information about your customers, their customers and suppliers, you’re doing the same thing as you want your customers to be doing. So, you’re racing along at a million miles an hour, starting projects, building systems, hiring people, and you’re trying to do all of that in the secure, safe way that you’re testing all of your clients on.

So, are you doing background checks on people and are you putting two-factor authentication on your platforms — and all the six-digit codes that you have to keep typing in? Are we doing that in the business properly? That I think is quite interesting, and we’re constantly playing catch up with that.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Success is a moving piece, and as a start-up disrupting the market, we need to be agile. The leadership side of that is that we don’t have any room for passengers — we haven’t got any fat on the bone. I’ve learned in the last five years that if you race along you have to make sure your staff know where you’re going, so always be clear in your aims.

I think one of the principal things is never be too busy to talk to people in your business. That comes with some handrails though, so I try to put open hours in my diary, but it’s not simply that anybody can wander up to my desk and interrupt me at any time. They come to me with a more disciplined idea, rather than wandering over with a hare-brained thought they’ve had while they’re pushing a coffee out of the machine. If they have an appointment, they have time to structure that idea.

I read a book recently and it struck a chord — something that I’ve tried to do, but I’ve never seen it rationalised in print before. I think you’ve got to reserve the right to be arbitrary in the CEO role. You can take all the soundings you like and have as many senior leadership team meetings as you want. But at the end of the day, it’s me who has to go and explain to the shareholders why something went well or didn’t. I think if ultimately all the accountability and responsibility is mine, then I also retain the right to just make my own decisions.

I think scarcity has a value when you’re a leader. I’m talking to you from home today and my staff know I’m still working. Even if I’m not in the office, I’ve got investors on the West Coast and East Coast of the US and over in Singapore, so my timings are all different.

Are you working on any exciting new projects now? How do you think that will help people?

I’ve got an interest in renewable energy and sustainability and I’ve got a Masters degree in renewable energy systems, so at the moment we’re pivoting the business towards ESG. We want to make sure that we can manage the ESG posture of our clients, their supply chains and their investments. That means that information security is just part of governance, so a well-governed company will potentially suffer fewer cyber security breaches.

Rather than just focusing on vendor risk management and supply chain risks, we’re looking at ESG risks and how companies are positioned for the next 10 or 20 years.

The key way to do this is to combine human knowledge with the intelligence in the platforms that we’ve built, and C2 Cyber sits between the two. I don’t think you can just use machine learning to decide whether a company is safe or not; you’ve got to look at people, processes, training and awareness and you’ve got to talk to people.

The ideal situation is to have a hybrid approach, which is our managed services proposition, and it scales quite well. We’re working in the health sector to make sure that patient data is safe, and when it leaves a trust and it goes to a supplier or a data modelling house, that data is being treated with the right safeguards and respect that it deserves.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

Well, I have 20 years’ experience in the field but I guess, like any other company, C2 Cyber is subject to these threats. Within ten minutes of one of my team changing their employment to C2 Cyber on LinkedIn they’ll get an email purporting to be from me saying: “I’m in a meeting, I’m really busy. Would you mind going and getting me £300 worth of Google Play vouchers and sending me a photo of the code?” The fraudsters know it’s a small business, so the CEO will be in quite close proximity to the new employee, and that happens every time!

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

There are two main types to watch out for: phishing and spear phishing. Phishing is where somebody will send you a generic email, for example: “I’m a Nigerian prince. Click here to receive £10,000” and that will go to 50,000 email addresses.

Spear phishing is when the attackers have done a bit of research on you, so they can be more specific. They’ve looked at your Facebook, they know what your favourite type of dog is, your favourite colour, where you shop, what you buy and they know what you last posted about on social media and where you went on holiday. And then you’ll get an email that’s precisely tailored to you: “Hi, I haven’t seen you since we’re on the beach in Koh Samui. The kids miss each other. I can’t afford to visit, please send £300”. Or “Click here to look at photos from the holiday”. You click on the link, and all of a sudden your computer dies. With spear phishing the fraudsters absolutely know who you are and they’ve done the equivalent of sitting outside your house in a car, except they’re watching you online. That’s quite common and it’s becoming cheaper to do — now it’ll cost a couple of hundred dollars to target an organisation, and that price is coming down all the time.

The fraudsters are able to do very specific things to make their attack look legitimate, like the email address it comes from will look realistic — it could be somebody you did meet or somebody who liked a photo of yours. And why would you not trust the email and click on that link?

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Private individuals often keep everything in the cloud, so unless they lose control of their cloud provider, whether it’s Android or Apple, they’re not going to lose their photos. And if they lost control of their email address, the attackers can’t do much with it.

But if somebody got hold of my business email and sent a note to my CFO saying: “Please send £10,000 to this sort code and account number”, he might do it. If I lose control of my business account, then an attacker gets access to all of our customer data and they could also send a request for money. An example of this is a big retailer in the UK that sells tobacco in their kiosks worth millions of pounds a year. Somebody emailed their procurement people and said: “Please send the money to this new sort code and account number”. So, they did as they thought they were paying for their monthly £2million’s worth of tobacco products, but actually the money was going to a fraudster. Six months later, the tobacco supplier phoned them up and says: “Would you mind paying your bill? It’s six months overdue.” All that time, they’ve been wiring £2million a month to someone else, and you see those sorts of things happen a lot.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

For the UK businesses, take a look at the National Cybersecurity Centre’s website, which will advise you on how to triage it. If you’ve had a ransomware attack, it’s often the computer that’s been locked up. I think that’s quite rare at home — I don’t know many people that it happens to. If you’re at work, you phone your IT department. Always keep the laptop as it is and don’t try to fix it yourself, because forensically it might have evidence on it.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

Firstly, you must tell your customers. A breach is notifiable, depending on the size of your business, so you must inform the Information Commissioner’s Office (ICA) within 72 hours, and then you need to tell the people that you think have been compromised.

Should a victim pay the ransom? Please explain what you mean with an example or story.

That’s a difficult question! For example, the Irish health service was locked up for months last year after an attack and during that time they had no access to patients’ records. Did people suffer health-wise from that? Probably. And therefore, should you pay the ransom even if you don’t want to, in order for patients not to be hurt by the process? I think it’s a difficult one. Would you pay the ransom if it was, let’s say, a nuclear power station?

Last year, a water treatment plant in Florida was hacked, and all of the levels of chlorine were changed. If the operator hadn’t noticed it being done remotely, it would have killed everyone in the town that was supplied by this plant. What if that had been a situation where ransomware had been used? Would you pay the ransom in order to save the town? Because that’s really what you’re asking, and the answer is not that simple.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Using insecure means of moving data between places is a common one, for example emailing spreadsheets with no password on them. Anyone could download a tool off the internet and crack a password on an Excel spreadsheet in about nine seconds, so using a file transfer mechanism is safer — you encrypt it, upload it and then somebody downloads it at their convenience at the other end.

We discovered one organisation where 100,000 employees were offering a salary sacrifice to a charity, so every month they’d email all their payroll data in an Excel spreadsheet without any password protection. As they opted in for Gift Aid, that spreadsheet contained all the employees’ home addresses, their National Insurance numbers and dates of birth. If a fraudster wanted to apply for a credit card or a passport, all the information they needed was in that spreadsheet, and we see many examples like this.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Training and awareness, for both colleagues and suppliers. This might seem like a luxury or a generosity to suppliers, but in reality they also hold your organisation’s data, commonly with fewer resources for information security.

The UK Government (NCSC) is doing a terrific job making it less likely we’ll be phished/lured into doing something detrimental but using tools to protect your IT estate is crucial. This is something that most companies already have in their possession as they are integrated into your subscription to Cloud office suites, so please make sure to turn them all on.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why?

1 Use a password manager — and keep your passwords safe.

Make sure passwords aren’t reused and are difficult to guess to avoid problems. I use a password manager called LastPass, and there are others available on the market. It creates a really difficult password, which your iPhone will do for you as well when you register on a new website.

2 Keep your privileges tight

Deny administrator accounts as with them you can do anything you like, so make sure that only people that are in need of administrative rights actually have them. There was a phase when everyone had an admin password for their machine, but it’s pointless as they shouldn’t need to make changes. Instead, there should be a process that’s quick and responsive if any changes are needed, so people will use that rather than trying to work around it with an admin password.

I’ve got an admin account as the CEO of C2 Cyber, but it’s a completely random string of digits and it doesn’t have any access to customer data. That means I couldn’t send or receive an email — like malware emails — if I tried. But if you’ve got an administrator who can receive emails you need to manage processes, people and technology carefully. You need to put together a list of approved suppliers and manage it so that if somebody phones up and says: “We need to change the bank details for you to pay for your tobacco”, like in the previous example, you’ll phone your supplier to check instead of just accepting a request done via a random call from an 0207 number. Putting in that process isn’t arduous, but it’s about forcing people to think before they follow the instructions of the charming person on the other end of the phone.

3 Use two-factor authentication

Turning on two-factor authentication is a really simple step to protect yourself. Adding in the need for a code or text message gives you a second layer of security.

You can also look at MFA, which is multi-factor authentication. This security comes under one of a few categories: what you know (a password or phrase), what you are (biometrics — thumbprint or face ID) and what you have, which might be a key card or a six-digit code. MFA will combine a couple of those, making it even more secure.

4 Back up regularly and use anti-malware

Make regular backups so that even if you do have a breach, you won’t lose all your data. Using anti-malware will prevent it from infecting your device and also from spreading.

5 Plan for an attack — and test it

How often do you run a test? Take a laptop out that’s critical or take a person who’s a single point of failure, put them in a room and tell them they can’t work today, then see if the business can cope without them.

Business continuity plans (BCPs) are terrific, but most of the ones we saw after COVID struck did not envisage people being banned from the office. A lot of companies in banking and financial services have a backup site in case the office is unavailable, but during lockdown people weren’t allowed to get to that either.

Most traders don’t have laptops and they’re not allowed to have their mobile phones on their desk. Instead, they work on big trading desks with lots of screens and phones. So, when COVID struck thousands of traders couldn’t go into the office and they had no laptop at home — at a time when suppliers weren’t delivering. In desperation, they had to use whatever they had at home, which could be personal laptops used for some “private”, and I am being polite here, browsing. So they’re basically connecting their personal laptops up to their corporate LAN and amazingly enough, all the malware that you quite often get from those questionable websites, ends up in the bank. That’s a case of Business Continuity Plans that caused a lot of ransomware attacks.

One other thing is to make sure you’ve got multiple copies of vital documents on physical media. For example, a USB stick that’s taken home by the executive assistant is not a bad plan, as long as it’s encrypted. Online backups are great, but what if the data simply gets taken out? You need physical resilience as well as logical — logical being if it’s on a different drive. If both drives are in the same building, then it’s not going to help.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I think we need to decarbonise our lifestyles. We need to move away from burning fossil fuels, not just for political reasons, but because it’s fundamentally not a very good plan.

The movement I would like to see is a critical evaluation of the choices we make and to give people the tools to make those choices better. So, for example, buying an electric car in the UK, when, particularly in winter, all of our electricity comes from natural gas, doesn’t help. Natural gas is burned in a power station, and you’ve got about 50% transmission losses because the electricity is pumped from the natural gas power station to your house, and then you put it into your electric car which weighs twice as much as a diesel car. That is probably worse for the environment than the diesel car was.

You might feel great because at the point of use there is very little pollution, but are you doing more damage in the long run? The big question is how do we get rid of these polluting cars, and how do we produce the electricity to power the shiny new EVs? If everyone on my street bought an electric car, the transformer that powers them all wouldn’t cope.

We need to decarbonise so that we can leave the planet in a slightly better state, but we must do that in an intelligent way, without knee-jerk statements and political greenwashing.

How can our readers further follow your work online?

You can connect with me via LinkedIn — and follow my company, C2 Cyber, on LinkedIn, and Twitter — @C2_CYBER.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

Thank you, it was a pleasure!



