“Security isn't just my job, it’s my hobby. But anything is easy when you know how to do it,” says Saskia Coplans, opening our conversation. Saskia is a founder of the cybersecurity consultancy Digital Interruption, and she believes that security isn't as complicated as people tend to think it is. Coplans started her career studying economics, then worked in the film industry for several years, eventually finding her passion in cybersecurity. Learn more about her story and her security advice for startups.
Her path to cybersecurity
“When I left the film industry, I worked with regulators, governments and NGOs developing professional standards to support different industries. As part of this process we looked at how information is used, transferred, stored and secured. Learning about Information Security from the regulator and standards perspective got me into security,” says Saskia.
“The security industry is only around 20 years old. It’s been monetised but it hasn’t really been professionalised yet. Many people in cyber security fell into it because they had a desirable skill set. Being in security can be like being an old-fashioned bounty hunter in the wild west. Without professional and ethical standards, and coherent career pathways, the industry isn’t consistent for its customers. It relies on skills, not competencies,” says Saskia.
Saskia had always been a contractor before setting up her own company with Jahmel Harris in 2017. She has worked with several organisations to help them prepare for the General Data Protection Regulation (GDPR), and worked with NHS providers to lead the initial design of an Integrated Virtual Clinical Hub, a new concept for securely sharing medical records, connecting patients with medical and social care professionals, and sharing knowledge between medical services.
Making a change in the industry
Saskia wishes there was more diversity and empathy in the industry. She thinks that security isn’t the most welcoming place for women and underrepresented minorities.
“I’ve worked on stunt units so I'm used to being the only woman in the room and shouting to be heard but that shouldn’t have to be the norm. Now I’m established in the industry, I want to hold the door open for the other women.”
Gender diversity isn’t the only problem Saskia is passionate about. “I have deep concerns about how mental health is handled in cybersecurity and tech in general. People get burned out very quickly in this industry. There is an expectation of high utilisation and onsite work for consultants, and the number of hours that people are expected to work in tech is really worrying,” says Saskia. “With Digital Interruption we want to be part of the solution, not part of the problem, so we have published pledges to our people and push for ethical business practices.”
Saskia says that none of her days are typical. “I'm not one of those founders who gets up at half past five and does yoga. My mornings are usually rushed and coffee dependent. My working day usually consists of preparing proposals for clients, doing research, GDPR audits and advising clients on how to secure their businesses. I also help run three different community groups: The InfoSec Hoppers, a group of women confronting the gender gap in InfoSec by working together to highlight diversity issues in the industry and make conferences, events and meetups more accessible through their buddy programme; Manchester Grey Hats, a community group in Manchester that runs free workshops and events, working to teach security skills to those looking to move into security roles; and OWASP Manchester, part of an open community dedicated to enabling organisations to conceive, develop, acquire, operate, and maintain applications that can be trusted. When I need a break from security, I spend time with friends and family, outside in the fresh air. I love gardening and generally being in green spaces,” says Coplans.
Cybersecurity advice to startups
Saskia’s daily activities at Digital Interruption focus on defining how to make organisations more secure, and on advising on regulations and operational security. She shared some advice on how startups can approach cybersecurity and improve their daily operations.
Reserve a budget for security
Ask yourself what your budget would be to stay out of the press. It’s risky and expensive to think about security only when there's a problem. Setting a budget to train yourself as a founder, or your employees, to understand more about security can be really beneficial for your business success in the long run.
Think about the security of applications early on
Security is often neglected at the early stages of product development. It might be due to a lack of knowledge about security, or a lack of understanding that security is needed. Selling your product to an organisation can prove tricky if it hasn’t been penetration tested. Relying only on penetration testing, and only just before deployment, can be very expensive, as it can highlight issues that are complicated and time consuming to fix.
Understand the requirements
GDPR and the Data Protection Act are the first ones to look into. There are many companies that deal with personal data and aren’t registered with the ICO, which is now a legal requirement. There is a lot of information available about the regulations, but it can be very high level, stating only that security should be embedded in business processes and reasonable measures should be taken to secure personal data. Startups often need more tangible support and information about what they actually need to do to keep information secure. It’s challenging for organisations that want to take security into their own hands but don't have the budget for a security team.
To start thinking about security for your business, Saskia suggests answering these questions:
How important is your data to you?
Have you thought about potential risks?
What would happen if all your data disappeared tomorrow?
How often do you backup your data?
What tools do you use to backup your data?
Do you have a disaster recovery plan?
Where do you store your data? Can it be trusted? Is the service secure?
Have you checked out what information providers will store for you, as some won’t take responsibility for certain types of sensitive data?
If any of this information went missing, who would be held responsible?
Steps towards a more secure organisation:
Check default settings on your hardware
Make sure that your devices are hardened and secured. You may think you’re safe because you use Apple products, but that is not a blanket guarantee, and many features, such as firewalls, need to be enabled.
Separate work and personal
Avoid using work equipment for personal activities. If you do, only use trusted sources.
Check out Cyber Essentials
It will help you learn more about cyber threats and how to protect yourself from them. It’s an affordable way to give your business and your customers peace of mind that you take security seriously.
Use two-factor authentication
2FA is better than no FA. If you work at a small organisation, add as many additional security elements as you can.
Use a password manager
Many organisations don't have good policies in place to cover password management, and use weak passwords. Re-using passwords is risky, as previously breached passwords can be shared on the internet and then used to attack other accounts you might have.
Training and learning
It’s not all about attending an expensive course to obtain a security certification. Look into awareness training and secure application development training. It will help to ensure your code is secure.
Embedding security tooling
There are many free or low-cost security testing products that you can bring in-house, where you have the expertise available or the time to learn. Some of these can be fiddly to configure, so you may need some initial training or support.
Go to free meetups and conferences
If you’re in a startup and want to learn more about security, go to meetups or join cybersecurity groups on Slack such as Manchester Grey Hats; it’s open to those who want to upskill on security. Ladies of London Hacking Society run great events and have recently expanded to Norwich. There are DC Groups, OWASP Chapters and (mostly) free Security BSides conferences in cities all over the world. If you can’t make these in person, many record talks and post them on YouTube. Security people really like talking about security.
Saskia’s reading suggestions
Want to expand your knowledge about security? Check out these reading tips from Saskia and discover a ton of valuable information.
The ICO website contains a vast amount of help and support on legal requirements.
Humble Bundle has a security bundle where you can access and discover security books.
No Starch Press publishes books focused on open source/Linux, security, hacking, programming, alternative operating systems, and science and math.
The Daily Swig covers the latest hacks and data breaches; web application vulnerabilities and exploits; new security technologies and solutions; cybersecurity policy and legislation; and other industry news and events.
Vice’s Motherboard has a valuable section on security.
OWASP is a free resource, ranging from the OWASP Top Ten to free security tooling like ZAP Proxy.
Saskia adds that if you have people in your organisation who are interested in security, take the time to foster this. The skills they learn will be an asset to your business.
You can reach out to Saskia via https://www.digitalinterruption.com/ and @ms__chief on Twitter.