Cybersecurity – Page 2 – Oliver Pickup

Silver surfers ride the digital learning wave

Record numbers of baby boomers and older retirees are enjoying the manifold benefits of taking online courses

The proverb “you can’t teach an old dog new tricks” is barking up the wrong tree in 2021. Record numbers of baby boomers, aged between 57 and 75, and older retirees, including care home residents, are taking advantage of digital technologies to acquire novel skills and develop hobbies. In droves, they are turning on, logging in and not dropping out.

The enforced lockdowns of the last year have accelerated this trend. Silver web surfers, unable to hug friends and family, have had the time, confidence and access to technology to embrace digital learning. Indeed, 41 per cent of people in the UK over 55 said they were comfortable learning a new digital skill during lockdown, according to BT research.

Moreover, older generations are expressing a greater thirst for knowledge when compared to younger cohorts. The 2020 LinkedIn Opportunity Index suggested that not only are baby boomers more willing to welcome change (84 per cent) than millennials (74 per cent) and members of Generation Z (72 per cent), they are also more likely to invest time in learning transferable skills (78 per cent) than the two other groups (72 and 74 per cent, respectively).

Rocketing interest in online groups provided by the University of the Third Age (u3a), whose network has expanded to almost 500,000 older adults no longer working full time, supports this data. A year ago, with members forced to stay at home in an attempt to stem the spread of coronavirus, the UK-wide charity, which celebrates its 40th anniversary in 2022, pivoted online, establishing Trust u3a.

“We’ve been excited to see huge numbers of members embracing digital learning and turning to online and social media, sometimes for the first time, to keep their interest groups going,” says Sam Mauger, chief executive of u3a.

Online learning opens minds and virtual doors

Trust u3a’s online offering has attracted hundreds of new members and spawned more than 80 online groups and courses, ranging from Japanese to birds of prey, from cooking to painting. “Digital technology has empowered us to keep learning and active, and allowed us to remain connected with one other,” says Mauger.

“Instead of meeting face to face, photography groups can share images on WhatsApp, ukulele players have turned to Twitch to make music together and ballroom dancers are using Zoom to show off their moves.”

She plans to adopt a blended learning model when lockdown restrictions lift, as going digital has opened minds and virtual doors. “It has removed geographical barriers and enabled members to expand their learning and forge new relationships across the movement, from Scotland to Cornwall,” she says.

Discovering new interests and friends is one of the biggest pluses of digital learning for retirees, according to Amanda Rosewarne, business psychologist and co-founder of the Professional Development Consortium, which accredits online courses. “By learning via live online classes, you can interact with others who may also be feeling isolated and lonely,” she says.

Elderly students enjoy several other benefits. “Studies show that learning new things triggers serotonin release in the brain, which is akin to the effect of antidepressants,” says Rosewarne.

Further, a 2017 study for Age UK, Europe’s largest charity supporting older people, found that keeping the mind active can prevent age-related conditions, such as dementia. Committed learning, rather than crosswords or sudoku puzzles, is most effective, though.

Thanks to a variety of user-friendly devices and online courses, picking up a language, for instance, has never been easier or more convenient for retirees willing to enter the digital classroom.

Trust issues: beware scammers

Birmingham-based septuagenarian John Bishop has attended a Greek class for years. Soon after his course went online in the autumn, with lessons conducted on Zoom, he “took the plunge” and bought a smartphone. Technology is not all Greek to Bishop now; all that is required to join his group is the click of a hotlink. “The ease of access and ease of use are key for my generation when it comes to online learning,” he says. “My advice is keep it simple and provide non-bot help.”

While Bishop is delighted that his lessons can continue online, he is looking forward to returning to in-person sessions. “Zoom is not superior to live lessons,” he says. “Video conferencing requires more concentrated eye focus, because all you are seeing is the screen rather than a room, and student interaction is less fluid. It also lacks the ancillary benefits, like the exercise of walking to and from the class.”

Sarah-Jane McQueen, general manager of CoursesOnline.co.uk, argues the convenience of online learning is hugely appealing to elderly students. “Rather than having to get up early and travel a sizeable distance to learn,” she says, “users can now get the same experience from the comfort of their own home and at a time that suits them, allowing them to easily balance learning around their daily schedules.”

However, McQueen notes the surging popularity of online courses for retirees has not gone unnoticed by those seeking to make quick money. “Particularly since lockdown, there has been a rise in the number of fraudulent courses being offered by scammers who are looking to profit from people’s willingness to learn,” she warns.

“To help address these concerns, providers should make a concerted effort to highlight the feedback and reviews they’ve obtained from previous users that can work as testimonials which assure new users they are legitimate.”

Building trust so older people feel comfortable online, and don’t get left in the wake of technology, is vital. Pleasingly, there is now a vast number of online resources and initiatives designed to boost digital literacy among the elderly. For example, Barclays’ Digital Eagles scheme, launched in 2013, has delivered digital skills training to staff and residents in more than 500 UK care homes.

“There are many retirees who have achieved great things thanks to digital learning, often in fields that were perhaps far removed from what their previous careers encompassed,” McQueen adds.

Clearly, a more apposite idiom for 2021 is “you are never too old to learn” and, with easy-to-use digital technology, there is no obstacle to becoming a very mature student.

This article first appeared in Raconteur’s Digital Learning report, published as a supplement in The Times in March 2021

Fighting fraud in times of crisis

Cybercrime is always distressing for those affected, but when the resultant losses come from the public purse, it must be taken even more seriously

Coronavirus has coursed through every facet of our lives, and society and business have already paid a colossal price to restrict its flow. We will be counting the cost for years, if not decades. And while people have become almost anaesthetised to the enormous, unprecedented sums of support money administered by the government, it was still painful to learn, in October, that taxpayers could face losing up to £26 billion on COVID-19 loans, according to an alarming National Audit Office report.

Given the likely scale of abuse, it raises the question of how authorities should go about eliminating public sector fraud? Could artificial intelligence (AI) fraud detection be the answer?

Admittedly, the rapid deployment of financial-aid schemes, when the public sector was also dealing with a fundamental shift in service delivery, created opportunities for both abuse and risk of systematic error. Fraudsters have taken advantage of the coronavirus chaos. But their nefariousness is not limited to the public sector.

Ryan Olson, vice president of threat intelligence at American multinational cybersecurity organisation Palo Alto Networks, says COVID-19 triggered “the cybercrime gold rush of 2020”.

Indeed, the latest crime figures published at the end of October by the Office for National Statistics show that, in the 12 months to June, there were approximately 11.5 million offences in England and Wales. Some 51 per cent of them were made up of 4.3 million incidents of fraud and 1.6 million cybercrime events, a year-on-year jump of 65 per cent and 12 per cent respectively.

Cybercrime gold rush – counting the cost

Jim Gee, national head of forensic services at Crowe UK, a leading audit, tax, advisory and risk firm, says: “Even more worryingly, while the figures are for a 12-month period, a comparison with the previous quarterly figures shows this increase has occurred in the April-to-June period of 2020, the three months after the COVID-19 health and economic crisis hit. The size of the increase needed in a single quarter to result in a 65 per cent increase over the whole 12 months could mean actual increases of up to four times this percentage.”

In terms of eliminating public sector fraud, Mike Hampson, managing director at consultancy Bishopsgate Financial, fears an expensive game of catch-up. “Examples of misuse have increased over the last few months,” he says. “These include fraudulent support-loan claims and creative scams such as criminals taking out bounce-back loans in the name of car dealerships, in an attempt to buy high-end sports cars.”

AI fraud detection and machine-learning algorithms should be put in the driving seat to pump the brakes on iniquitous activity, he argues. “AI can certainly assist in carrying out basic checks and flagging the most likely fraud cases for a human to review,” Hampson adds.

John Whittingdale, media and data minister, concedes that the government “needs to adapt and respond better”, but says AI and machine-learning are now deemed critical to eliminating public sector fraud. “As technology advances, it can be used for ill, but at the same time we can adapt new technology to meet that threat,” he says. “AI has a very important part to play.”

Teaming up with technology leaders

Technology is already vital in eliminating public sector fraud at the highest level. In March, the Cabinet Office rolled out Spotlight, the government grants automated due-diligence tool built on a Salesforce platform. Ivana Gordon, head of the government grants management function COVID-19 response at the Cabinet Office, says Spotlight “speeds up initial checks by processing thousands of applications in minutes, replacing manual analysis that, typically, can take at least two hours per application”. The tool draws on open datasets from Companies House, the Charity Commission and 360Giving, plus government databases that are not available to the public.

“Spotlight has proven robust and reliable,” says Gordon, “supporting hundreds of local authorities and departments to administer COVID-19 funds quickly and efficiently. To date Spotlight has identified around 2 per cent of payment irregularities, enabling grant awards to be investigated and payments halted to those who are not eligible.”

We need to watch how the technology fits into the whole process. AI doesn’t get things right 100 per cent of the time

She adds that Spotlight is one of a suite of countermeasure tools, including AI fraud detection, developed with technology companies, and trialled and implemented across the public sector to help detect and prevent abuse and error.

Besides, critics shouldn’t be too hard on the public sector, argues David Shrier, adviser to the European Parliament in the Centre for AI, because it was “understandably dealing with higher priorities, like human life, which may have distracted somewhat from cybercrime prevention”. He believes that were it not for the continued investment in the National Cyber Security Centre (NCSC), the cost of fraudulent activity would have been significantly higher.

Work to be done to prevent fraud

Greg Day, vice president and chief security officer, Europe, Middle East and Africa, at Palo Alto Networks, who sits on Europol’s cybersecurity advisory board, agrees. Day points to the success of the government’s Cyber Essentials digital toolkit. He thinks, however, that the NCSC must “further specialise, tailor its support and advice, and strengthen its role as a bridge into information both from the government, but also trusted third parties, because cyber is such an evolving space”.

The public sector has much more to do in combating cybercrime and fraud prevention on three fronts, says Peter Yapp, who was deputy director of incident management at the NCSC up to last November. It must encourage more reporting, make life difficult for criminals by upping investment in AI fraud detection and reallocate investigative resources from physical to online crime, he says.

Yapp, who now leads law firm Schillings’ cyber and information security team, says a good example of an initiative that has reduced opportunity for UK public sector fraud is the NCSC’s Mail Check, which monitors 11,417 domains classed as public sector. “This is used to set up and maintain good domain-based message authentication, reporting and conformance (DMARC), making email spoofing much harder,” he says. Organisations that deploy DMARC can ensure criminals do not successfully use their email addresses as part of their campaigns.”

While such guidance is welcome, there are potential problems with embracing tech to solve the challenge of eliminating public sector fraud, warns Dr Jeni Tennison, vice president and chief strategy adviser at the Open Data Institute. If unchecked, AI fraud detection could be blocking people and businesses that are applying for loans in good faith, or worse, she says.

“We need to watch out how the technology and AI fit into the whole process,” says Tennison. “As we have seen this year, with the Ofqual exam farrago, AI doesn’t get things right 100 per cent of the time. If you assume it is perfect, then when it doesn’t work, it will have a very negative impact on the people who are wrongly accused or badly affected to the extent they, and others, are fearful of using public sector services.”

There are certainly risks with blindly following any technology, concurs Nick McQuire, senior vice president and head of enterprise research at CCS Insight. But the public sector simply must arm itself with AI or the cost to the taxpayer will be, ultimately, even more significant. “Given the scale of the security challenge, particularly for cash-strapped public sector organisations that lack the resources and skills to keep up with the current threat environment, AI, warts and all, is going to become a crucial tool in driving automation into this environment to help their security teams cope.”

This article was originally published in Raconteur’s Public Sector Technology report in December 2020

Seven elearning scams to watch out for

While online learning is booming, charlatans and scammers are looking to take advantage. Cowboy coaches are flooding the market making official accreditation or authenticity essential for individual students and businesses. Here are seven online scams to beware

01 Cloak-and-dagger sales presentations

Online learning can be a crook’s cloak, where the course has little educational content and value and is instead a sales presentation full of commercial advertising. Through advertising and regular email communications, the course is a guise to persuade you to buy a sometimes unrelated product or service.

One anonymous respondent to a CPD (continuing professional development) Standards Office survey says: “I paid to attend a training conference that I thought would genuinely give me some training in beauty and aesthetics for my practice. However, it was a sell, sell, sell session for buying botox and chemical peel products.”

Amanda Rosewarne, chief executive of the CPD Standards Office, advises: “To avoid online scams like this, people should look for training courses listed with many learning objectives and seek out independent review sites such as Trustpilot.”

02 Fake qualifications

It is easy to fall foul of scammers who promise professional qualifications. They hook you in by selling a course, but then fail to provide the correct certificate or licence.

Dr Emma Woodward, a New Zealand-based educational psychologist, says: “I’m concerned by the number of online courses offering training in areas that cross over into fields that are highly regulated, such as ‘diploma in child development’ or ‘diploma in cognitive behavioural therapy’.

“These courses allude to having more gravitas than what they offer, which is both unethical and dangerous as the application to real people is a skill that needs more than a few PDFs online.”

03 Promises of employment

“There are several ‘professional coaching organisations’ we have encountered that promise on completion of their, usually very expensive, coaching ‘qualification’ they will forward clients to you,” says Rosewarne at the CPD Standards Office.

“In this case, the course is not the problem, it’s just that the clients, business development opportunities or guaranteed financial guarantees given at the point of sale, do not materialise, leaving people at a loss of how to make a living, or develop a business, from their new skillset.”

Performing due diligence is critical. Robert Clarke, the managing editor of Learning News, says: “In these times of change and uncertainty, unscrupulous providers are on the make. Recognised training and CPD helps buyers avoid the tricksters and scams, and buy with greater confidence.”

04 Non-existent colleges and academies

“The words ‘college’ and ‘academy’ are unprotected when registering an organisation at Companies House,” Rosewarne points out. Therefore, anyone can set up an online learning course linked to a fake education centre. There are two typical online scams. Firstly, the scammers charge for an expensive and prestigious course before liquidating the organisation. Alternatively, buyers are duped into long-term membership commitments that are impossible to cancel and the content is often freely available elsewhere.

“Make sure it is a well-known provider and check it with a phone call,” says Hilarie Owen, chief executive of the Leaders’ Institute. “Don’t part with any money until you have checked.”

05 Rogue conferences

Scamming global conference providers offer fake event agendas by using the names of top academics, business leaders and talking heads to advertise and sell tickets. Supposed keynote speakers will have “cancelled at the last minute” only to be replaced by lower-grade alternatives.

A Trustpilot ConferenceSeries Review provides an example of this dubious practice. “Attended the fifth International CAM Conference in Vancouver in October 2019. Only a few speakers showed up and the rest apparently had their visas rejected or had health issues. Total fabrication.” There were 44 names advertised originally, but only four speakers attended and there was no one from the organisation present. “I wish I had checked before registering,” the reviewer adds.

06 Poor-quality online learning courses

“This online scam involves a concise overview course for a minimal fee, usually £50 or less, which offers what we call ‘skimpy content’,” says Rosewarne. “Buyers will encounter heavy promotion and sophisticated digital marketing tricks for purchasing a further, more expensive, course, which might be £1,000 or more. Sometimes these courses also lack engagement and are ‘chalk-and-talk’ presentations with little practical application.”

Simon de Cintra, director of Act Naturally, agrees. “Professional training providers know that reputation is key to long-term success and actively encourage well-informed purchasing at every stage,” he says, warning that users should always read reviews before buying.

07 Free online learning

Not only are numerous free online learning courses, peddled by charlatans, a waste of time, but the purported expertise they provide is also substandard and therefore potentially harmful. “This learning often focuses on a specific topic, such as beauty aesthetics, child mental health support, or IT engineering technical training,” says Rosewarne. “Most of the time, the authors have had a single fluke success online and are not at all experts in the topic.”

This chimes with Jo Cook, founder and director of Lightbulb Moment. “A lot of people are jumping on the COVID-19 bandwagon, either as a scam or with little expertise in how to provide quality remote courses and live online sessions,” she says. “Make sure to go to a company with years of experience behind them.”

This article was originally published in Raconteur’s Digital Learning report in September 2020

Hackers smell blood as crisis exposes cyber vulnerabilities

Less than two years ago, in June 2018, when Ticketmaster UK revealed cybercriminals had stolen data from up to 5 per cent of its global customer base via a supplier, it set alarm bells ringing.

The following month, a CrowdStrike report laid bare how ill-prepared organisations all around the globe were against hackers seeking to exploit third-party cybersecurity weaknesses. Two thirds of the 1,300 respondents said they had experienced a software supply chain attack. Almost 90 per cent believed that they were at risk via a third party. Yet, approximately the same number aadmitted they didn’t deem vetting suppliers a critical necessity.

Given Symantec’s latest Internet Security Threat Report, launched early last year, highlighted that supply chain attacks had increased by 78 per cent in 2018, one hopes organisations heeded the warning signs and shored up their third-party cybersecurity policies well before COVID-19 hit businesses.

Experts fear companies that failed to bolster their cyber defences are now even more exposed because supply chains have become fragmented, and hackers, like great white sharks, smell blood. “Criminal groups have recognised that to catch the big fish they need to catch some smaller fish first,” explains James McQuiggan, security awareness advocate at KnowBe4.

To extend the fishing – or rather phishing – analogy: to net the whopper organisations hackers are scooping up the tiddlers in the supply chain, McQuiggan says, as they “may not have the robust security programs and often unable to afford adequate cybersecurity resources or personnel.

“As such, they are potentially more susceptible to social engineering scams or attacks. The criminal groups will attempt to gain access and then leverage the connection to attack a larger organisation.”

You’re only as secure as your weakest link

Predators know when to attack vulnerable prey, and COVID-19 has weakened the cybersecurity of countless organisations. “Coronavirus passes from person to person, and a percentage of victims are asymptomatic, yet can infect others – cyberattacks work in a similar way,” says Matt Lock, UK technical director at Varonis.

“A smaller supplier that’s fallen behind on their basic cyber hygiene can become infected with malware and unknowingly spread it to their business partners.”

Alluding to the issues presented by lockdowns enforced because of the pandemic, he continues: “At first, we were seeing cases where companies took shortcuts to get their employees online to keep their businesses running. Now companies are starting to settle into their new normal. They’re taking a step back, actively trying to rein in access and resolve security issues that cropped up in their race to get everyone the access they needed to do their work.”

Chris Sherry, a regional vice president at Forescout, argues there has never been a more vital time to have a cyber-resilient supply chain. “COVID-19 is the ultimate stress test for many supply chains,” he says. “The demand for critical supplies has never been greater, and it’s the biggest challenge. It’s a marathon to continue with ‘business as usual’ while trying to achieve an output of 150 per cent. Industry 4.0 and the industrial internet of things are driving improvements in operational efficiency, but also leaving suppliers more vulnerable than ever to downtime or data loss if critical processes are interrupted.

“The benefits of operational technology and automation are clear, but they also significantly increase the potential attack surface of any organisation. As bad actors look to take advantage of the crisis, the cybersecurity strategy of any supplier should ensure this is well understood, continuously monitored, and appropriately secured.”

Top tips to shore up cybersecurity

If an organisation’s cybersecurity is only as sturdy as its weakest link in the supply chain, what could – and should – be done in the face of an increasing number of attacks?

“Ultimately, the relationship of ‘trust’ many organisations once had with their third-party suppliers is no longer enough,” says Sherry. “The National Cyber Security Centre puts out a huge amount of guidance on the right questions to ask, as well as the right parameters to measure the security of your supply chain.”

Nigel Stanley, chief technology officer at TÜV Rheinland, agrees that the NCSC is a good source of information, and points to its Cyber Essentials certification scheme, which offers a “base level of cybersecurity assurance”. For him, streamlining supplier assessments is crucial, as is how deeply the supply chain network is traversed.

However, he notes: “Managing this is a challenge as presenting suppliers with 150 questions to answer every month can be a real turn-off. Using supplier contracts to enforce cybersecurity controls can be useful as it links payments and contracts to cybersecurity performance. The problem is how such a program can be implemented proportionately, balancing supplier and customer requirements.”

Criminal groups have recognised that to catch the big fish they need to catch some smaller fish first

The ‘zero-trust’ certification offered by analyst firm Forrester is worth the money to improve cybersecurity across the supply chain, suggests Patrick Martin, head of threat intelligence at Skurio. “Securing the supply chain is key,” he says. “Look for suppliers with certifications like Cyber Essentials Plus and BS 10012 ISO/IEC 27001, and don’t be afraid to ask suppliers and partners to provide proof of their practices.”

Serving up a final piece of expert advice, he adds: “Another great first step is to monitor the deep and dark parts of the web for breached data, credentials and mentions in attack planning scenarios. In this way, businesses can be much better prepared to mitigate an attack if they see it coming.”

Considering Ticketmaster UK’s supply chain breach was almost two years ago, it’s fair to say organisations have had ample time to prepare, but those who failed need to move quickly with the fallout from COVID-19 likely to be long and painful.

This article was originally published in Raconteur’s Procurement and Supply Chain Innovation report in May 2020