It’s my second year of my cyber security apprenticeship with Nominet, which operates at the heart of the UK’s internet infrastructure, and it’s been better than I expected. But then it’s hard to know what to expect in the world of cyber security until you’re in the thick of it. The apprenticeship course content encompasses a real breadth of topics, from policy and risk auditing to technical areas like coding, while working in a company gives you first hand insight into how it works in practice. I’ve learnt that I enjoy the more technical aspects of cyber security best, delving into something deeply and fully mastering it. Eventually I will specialise, although I don’t know what in yet.
A highlight of my year has been introducing the Beauceron platform to the business, which helps us train staff and keep them engaged with cyber security best practice. Usually, if we’re doing our job well in cyber security, no one knows we are even doing it; we’re only likely to attract attention if things go wrong. Beauceron has given us a way to engage with staff more regularly and has shown me that it’s not as complex as you think to create a sense of shared responsibility for a company’s cyber security. Just give people a ‘score’ and they soon become competitive.
I’m also beginning to recognise the importance of clear communication when the cyber security of a business – and its reputation – is at stake. If you want buy-in from senior management to implement changes, you need to make sure you present a proposal that articulates the value it will bring. It’s also important to deliver information in plain English for the non-technical among us, yet not make the details so simple that the techies switch off. It’s about finding a balance. Equally, we don’t want to alarm people unnecessarily. Some figures we see as normal – such as the number of attacks we block each month – can appear concerning to a finance manager who might only see the figure on a bar chart once a quarter.
Part of my role involves working on our Domain Watch anti-phishing initiative. This tool suspends domains at the point of registration if they are suspected (via automated and manual checks) to be intended for phishing, e.g. typos of high street banks like Loyds.bank.savingss.co.uk. Each month I compile the stats and share the data with an internal group. I enjoy the way Domain Watch reminds me of the tangible impact that our work is having. When we suspend domains that are likely to be used for phishing, I think of the millions of pounds that people haven’t lost to a scam. It makes the work we do on a daily basis more meaningful.
One trend in the world of cyber security that worries me is the increasing prevalence and size of ransomware attacks, as well as the changes in the way they are being carried out. Whole cities are being hit and it’s a constant reminder of the risk associated with attaching data to the internet without protecting it properly. The criminals have also started combining data leaks with ransomware attacks; they swipe a copy of the data and then encrypt the company’s copy so they can demand money for both. It’s two attacks in one and can have a devastating impact.
Cyber security is so important. As (almost) everyone has a computer, and so much of our daily lives are lived online, cyber security is central to almost everything we do. It will only grow in importance and I think it helps if you understand what is happening and why you need to take protective measures. For example, around sale season, lots of people fall victim to online shopping scams. If you understand even a little about how criminals work and what they hope to achieve, you are better equipped to protect yourself and less likely to fall victim or respond in the wrong way if caught out. For example, it’s much safer to visit a retailer’s website directly rather than click on links in promotional emails.
With an eye on the future, my plan is to apply for the cyber security apprentice degree programme when my current apprenticeship ends. I definitely want to continue studying and training as I’m only 20. Plus, I would like to earn a degree as I think it could make the difference when applying for jobs. I am very fortunate that Nominet will allow me to continue working with them and will support my studies for the next few years. And I certainly don’t feel I am missing out on the ‘uni life’ experience by doing an apprenticeship degree. I’d much rather be earning and working while I learn rather than getting myself into debt like many students today.
I would urge anyone considering a cyber security apprenticeship to go for it and approach the opportunity with an open mind. Many large multi-nationals offer apprenticeships, but so do smaller and medium sized companies like Nominet; all can provide different and very interesting experiences. Also, there is so much more to cyber security than many potential candidates realise. The apprenticeship course content provides a broad introduction to many different areas, so you can find something you really enjoy. You certainly won’t be pigeonholing yourself with cyber security, and as the sector grows, so will the opportunities available to you.