Sharon Johnstone
Head of Cyber Security and Director
Academic Centre of Excellence in Cyber Education at the University of South Wales (USW)
___________________________________________________________________________________________________________________________
Sharan Johnstone, who is head of Cyber Security and Director of the Academic Centre of Excellence in Cyber Education at the University of South Wales (USW), explains why it’s not just the tech experts who need cyber knowledge.
While the whole world was seemingly locking itself away because of the Covid pandemic, a quiet revolution was happening in the cyber world.
The almost instant pivot to online working brought with it many changes for millions across the globe, as they learnt how to carry out their roles and daily activities online. As Teams and Zoom calls became the norm for many employees of larger businesses, and we all realised how vital IT systems were to our everyday existence, in other areas of the economy the need for reliable cyber systems became key.
For many small organisations, what had been a useful tool before Covid hit became vital to their continuing operations – doctors’ surgeries, dentists, and food outlets, to name a few, were suddenly faced with moving their operations online, with little time for training and implementation.
While offering numerous benefits, the move online into the cyber world also came with a critical drawback – the human influence.
Online operations suddenly meant that businesses of all kinds had access to what could be hundreds of pieces of personal data about the people they dealt with, details that are ‘sacred’ and had to be protected. And there is a good reason for small businesses to be making sure they protect data, as in the UK businesses which have been found to have breached the Data Protection Act (2018) can be fined up to £17.5m or 4% of annual global turnover – whichever is greater.
But how many owners of SMEs would understand the inner workings of the Data Protection Act, or the General Data Protection Regulation, and what threat to breaking these regulations could be posed by ‘rogue’ software or apps, or by individuals? We all unconsciously carry out acts that can put our organisation at risk – have YouTube on in the background whilst we're working, use a USB stick to take a file home to work on, or download a bunch of photos that somebody has sent us.
While often benign acts, they have the capacity to introduce ransomware and malware into an organisation’s IT systems, and have a major impact on operations. And this might not be right away, these ‘Trojan horses’ can often sit there for many months or years waiting for the right time to spring into life and cause chaos, while key-loggers can be installed which can record passwords and other vital information that hackers can use to their benefit.
This is why having an understanding of cyber isn’t something that just the IT experts have to be responsible for. When the worst happens, large organisations can lose business continuity because their vital systems no longer work. In the past everyone might have looked at the IT department to get their operations back up and running, but it now impacts many more departments, and we need to bust the myth that cyber is just a tech back-office role.
When an incident occurs that affects operations and business continuity. An organisation’s Incident Response team will activate protocols and policy, which, in addition to the technical response teams, will include the public relations team to deal with reputational concerns, the internal communications team to inform staff so they can be aware and able to respond appropriately to customers, and the business resilience teams to be able to activate protocols to keep the organisation functioning with minimum disruption and impact on its reputation.
But, for small business owners, they would have to juggle all of the above themselves and its unlikely they would have an Incident Response plan, which is likely to result in damage to their reputation and a loss of business.
That’s why we are helping people to understand cyber and their responsibilities from a young age. Cyber Awareness is now a vital part of ‘life’ training, and something we take very seriously at USW. It’s not something we teach only to those who study for their degrees and postgrads at the University, but as much-needed skills and knowledge that we consider to be key to everyone. Not only for their own online safety, but also for developing the Cyber Skills Pipeline.
This ‘Cyber Skills Pipeline’ education starts at a young age. As the first university in Wales to be recognised as Gold standard by The National Cyber Security Centre (NCSC), which is a part of Government-run GCHQ, and having been named Cyber University of the Year for four consecutive years between 2019 and 2022, we were the first university in Wales to deliver outreach activities, designed to raise aspirations and awareness of cyber in younger generation.
From our collaborative partnership with Thales in the National Digital Exploitation Centre, to leading the Cyber First Schools and College Wales programme, with collaborative partners Swansea and Bangor universities, our outreach activities with schools and colleges help embed how vital cyber is to them personally, and how it could become a career for them to follow.
Part of this is demystifying cyber and busting the myths that it’s just a ‘techy’ role, encouraging both girls and boys to look at cyber as a viable career, not least because there is a huge worldwide skills shortage in cybersecurity personnel.
Cyber is everywhere, across every industry sector. Manufacturing, engineering, health, aerospace, insurance, anywhere where you hold or process data.
Cyber is exciting as it constantly evolves and diversifies, which creates new roles and opportunities which are far removed from the stereotypical ‘cyber expert’ you can often see portrayed on the TV and film.
Beyond the support and development for younger people, USW is also involved in the programmes through our free Cyber Community Clinic, with partners such as Newport City Homes. This supports more mature individuals to grasp the opportunities offered by going online, and train them in how to stay safe while ‘surfing’ and carrying out their day-to-day activities. It’s also possible it could inspire them to think about a career in cyber – it’s never too late. Our work within the newly-formed Cyber Innovation Hub allows anyone to acquire the skills needed to follow an exciting career in cyber.
We call this a ‘pipeline’ because it’s not something that is static. It stretches across generations and is something we see as vital – making cybersecurity and digital forensics part of everybody's life so they not only think about a potential career and how they could shape the future of cyber, but to also make them more aware of their responsibilities and accountabilities when accessing the internet.
