Community Outreach: Reflecting on my role at CRC for London
Community Outreach Officer Alberta reflects on her first 6 months working with the Cyber Resilience Centre for London.
How I came to be in this role
After completing my masters in cyber security at Northumbria University, I saw this advertisement on LinkedIn for a Community Outreach Officer. I applied for this role at CRC for London because I knew I would be successful with the skills that I gained while doing my master's. I knew that role was so different to what I am used to. My background is in education, and I have taught in schools and colleges combined for over 15 years.
This role is about visiting small to medium independent businesses and informing them about the best practices in cyber-security. The purpose of this role is that businesses that we visit can be protected from cybercrime or similar.
I am writing this blog because I have been employed with CRC for London for over 6 months now and I would like to share my thoughts and experiences and reflect on what I have experienced while visiting these small to medium businesses.
I suppose I’ll start off by answering the question:
Was it what I expected?
This was initially difficult for me to answer because although I had browsed the CRC for London website, I wasn’t quite sure what I was getting into because they offer a lot of services. However, this role was different because I was working in the community and meeting different people daily. Now that I am part of the team and it has expanded with many positive reviews I can see the impact that we make at CRC for London.
Now, I had the opportunity to visit different businesses. Looking back, I was excited to speak about something that I was very passionate about and this was about the best practices in cyber-security.
Nevertheless, shadowing Hannah Khoo gave me the confidence and insight that I was looking for before visiting businesses. This is because of the body posture that she used such as giving individuals space so they do not feel stifled whilst still making them feel comfortable. However, this turned out to be what I enjoyed the most, as I enjoy speaking to people.
Questions for the community
One question I always ask individuals when I visit their businesses is “Who is supporting you with your online social media such as Facebook, Twitter and Instagram?” The reply I get quite often is “I do not use it for transactions, and it is not active because it is only used for advertisement purposes.” It’s important that people know that even though they’re not using these platforms for transactional purposes, they still need an extra layer of security such as two-step verification (2SV). I usually get a big thank you for that suggestion!
My observation is that smaller business owners cannot afford the cost of paying extra money to outsource their website or to get an external IT contractor, so when you report it, Action Fraud will build up a report of all these activities and it will make it easier for them to have a report of these cyber criminals and bring them to court and in some cases they may get back the money that they have lost- do contact the bank if money is involved to prevent further losses.
When I am in the community, I always make sure to include all types of business even those that I think may have their own IT resources such as their IT being outsourced to an external organisation.
When I ask businesses about staff training I may get a blank look because not all businesses train their staff. Training staff will save a lot of money if staff are aware of cyber-security best practices and how to spot fraud. If employees are trained they know what to do if they get a hyperlink that they are not sure of and if they are in doubt they should forward any hyperlinks to their IT manager/IT department.
I asked these businesses about the best practices in cyber-security and the reply I would get is we have everything in place because we have our IT outsourced. I will then ask when the last time you reviewed your Incident Response Plan. I will get a blank look and the manager will ask me what is that? I will explain to the managers that this plan is very important, and you should have been involved with the IT manager at the initial stage and it is important for you to review this plan often. The manager was not aware of this. My observation is that most of the time managers will give IT full control over to an external organisation and not get involved with any decisions which can be detrimental if any incidents happen as they did not review the incident response plan or what they have in place. When I inform managers about this, they will thank me and say they will phone the IT manager and ask them about their Incident Response Plan.
Reflecting on the last 6 months while writing this piece, I realise how much I have achieved in that time, I wonder what I’ll have to say in another 6 months' time.
Watch this space for more blogs!