Dear reader,

In her opening speech at the Channel Islands Cyber Security Conference, Deputy Moz Scott highlighted that so much of what we do is about changing culture more broadly, and that non-technical specialists have a big role to play in that respect. In my talk, I highlighted some of the ways that organisations without a high level of cyber expertise can still protect themselves. There is something we can all do.

The day was well-attended and organised, and I hope that it will continue to build momentum in the future. (If you did attend and would like to provide feedback, you can do so here - it’s always very appreciated.)

At the end of October we launched Cyber Health Check, a service aimed at upskilling organisations even if they don’t have (or can’t afford) a high level of technical knowledge. Over the last 10 months, we’ve developed Cyber Health Check so that it can act as a stepping stone towards Cyber Essentials accreditation, as well as providing a high level of picture of an organisation’s strengths and vulnerabilities. You can find out more (including whether your organisation is eligible for this round) via our website.

Of course, having the right people is also key: that’s certainly something we are mindful of as we build the team for Guernsey Cyber Security Centre (GCSC). I attended the Cyber Security Expo in London with colleagues from the States of Guernsey to ensure we’re able to build a strong team, drive forward our work across the Islands, and better protect the Bailiwicks. We remain on track with our plan to deliver a pan-island service next year, which will allow us to provide a more resilient service in Jersey too.

We have now reached the end of our existing operational plan and will be looking at what we deliver in 2026 and beyond as we look forward to lodging of the Cyber Security Law in the next few weeks. This will require us to operate to a 3 yearly planning cycle, so we will be aligning our planning with that and with the new Cyber Policy Framework due to be published shortly. As we do this, we’d love to have your input and feedback so we can learn from what is most important to you.

As a reminder, you can find more information on the cyber law at jcsc.je/cyberlaw.

Until next time,

PS. If you are planning to pop round our Operations Centre please note that operational commitments mean we can’t always meet up in the moment. It’s really helpful to call or email and arrange a time, so we know we can be free to meet with you and give you our undivided attention.

New advice published: Windows 10 EoL

We’ve recently published a plain-English guide to the end of the Windows 10 support, aimed specifically at small organisations and individual users.

We know from speaking with a range of Islanders that patching is still often seen as a pain rather than a priority, so upgrading an entire operating system (often at cost) can be a challenge for many users.

We published this advice to clarify the risks, and the remedies for these users. You can read the full advice below.

Perspectives from ISF’s Annual Congress

After all the activity of Cyber Security Awareness Month I headed to Prague for a meeting with the Information Security Forum (ISF). The ISF represents a combination of large enterprises and government bodies and departments.

I spoke on Sunday about how we are seeking to learn from the experiences of emergency services and emergency planning in how we respond to major cyber incidents in a coordinated way. This was very well received with a lot of valuable input and ideas.

After my presentation we heard from Sir Jeremy Fleming, the former director of GCHQ, who discussed how we are not going back to the rules-based order we knew before, and how cyber threat actors such as Russia, North Korea, China and Iran are just learning what impact they can have. We have seen play out globally and locally.

Over 80 nations now have some form of offensive cyber capability. We can't expect to be unaffected just because we are a small jurisdiction, but being small and stable may give us some advantages.

The weekend also provided a valuable opportunity to connect with colleagues from around the world: from UK Government to Canadian regions, and from public bodies to global industry leaders. Learning from others is how we do our best work.

My conclusion for us all?

Our current plans, whilst good, were all designed in and for a world that no longer really exists. We will need to rethink whether we are doing enough, and consider what needs to change to protect our families, communities and organisations in the coming years. As UK NCSC said in their recent annual review - now is the time for action.

My key question for us at JCSC and for colleagues in Government:

How can we 'design in security' to our island economy to provide a sustainable competitive advantage for the Island? A much more valuable question than seeing cyber as purely a downside risk to worry about.

Upcoming events

DATES ADDED: Cyber Simulation Events
Wednesday 19 November

We’re pleased to announce that we’re running an extra two Cyber Simulation events this month, in partnership with Soteria Communications, and with kind sponsorship from Appleby.

These free events give participants the chance to experience being part of an incident response team. You’ll have the chance to develop an incident response plan, and get advice from an expert panel.

At the end of the session, you’ll have better understanding of the challenges your business could face in a cyber emergency, and how you can prepare.

We’re running two sessions on Wednesday 19 November

• For people working in Financial Services (10:00 - 12:30)

• For members of the Institute of Directors (14:30 - 17:00)

As ever, these events are free to attend but places are limited. Book your place by tapping the button below

EXTRA SPACES: Lunch and Learn for Small Business and Charities
Tuesday 2 December

A few places have opened up on our next Lunch and Learn session on Tuesday 2 December. Our last session of the year will focus on free, actionable tips that even micro organisations and volunteer-led charities can put into place.

Can’t make these sessions? Want a bespoke session for your organisation or industry? Just email us at [email protected] to request another session. 

Cybersecurity in the news

CISA confirms five new exploited bugs

In the USA, CISA has confirmed that five vulnerabilities are known to have been exploited in the wild, including vulnerabilities affecting Oracle E-Business Suite, and Windows SMB Client. All the vulnerabilities were discovered in the last six months, which is yet another reminder of the importance of regular patching.

Louvre theft reveals use of default passwords

We all think we don’t have them, but are you really sure? How do you know for certain? Time to check, and to get suppliers to do the same. Remember it’s not just Windows operating systems: there’s lots of infrastructure out there.

Guernsey firm fined £100k following cyber-related data loss

We often talk about the link between data protection and cyber security, and a story from much closer to home demonstrates why. Poor cyber security can often lead to data loss and - in the case of this Guernsey firm - a large fine.

UK NCSC Release Annual Review

The NCSC noted that the number of incidents deemed ‘nationally significant’ more than doubled last year to 204. That’s a common picture, with US CISA reporting similar outcomes. Jersey of course is much smaller, but we still have more than we would have expected a few years ago. Their message is that it’s time to act. Now is a good time to hear them!

Jobs in Cyber

Are you recruiting for a cyber role locally? Tell us at [email protected] and we’ll share your job listing with the community.

Assistant Manager Information Security Risk: JTC

This role would suit someone with experience in information security risk and governance, strong technical skills, and knowledge of relevant standards and best practice.

Information Protection Senior Association: PwC CI

This role would suit someone with solid knowledge about information security and data protection, the ability to run control systems, and an ability to investigate breaches.

Tools of the Month

Each month, we provide a round up of tools that our team have found useful, and which could be useful to cyber security professionals. If you’ve found a helpful tool you’d like to share, please email us and we’ll include it in a future newsletter.

Did you know? JCSC can also check potentially malicious files for you in our sandbox, but please let us know before sending them over.