Cyber Certainty Ltd 'Simply does what it says on the tin'


Helping business exploit the power of artificial intelligence (AI) generators


AI generators (i.e. chatbots) are powerful resources available to businesses across all market verticals

Mark Wilson's article in Tech Radar states that ChatGPT "...is now the fastest-growing consumer app in history, hitting 100 million users in only two months." He continues, "These models can understand and generate human-like answers to text prompts, because they've been trained on huge amounts of data."

While the power of ChatGPT is exciting, it's essential that businesses are aware of the potential Cyber Risks...

General consensus: there are very specific Cyber Risks when using ChatGPT or any other AI generator

Key takeaways from Michael Kan's article in UK PC Mag include: "OpenAI is confirming that a glitch on Monday caused ChatGPT to also expose payment details for paid users, in addition to leaking conversation histories..."

Lawrence Abrams' article in BleepingComputer adds: "OpenAI says a Redis client open-source library bug was behind Monday's ChatGPT outage and data leak, where users saw other users' personal information and chat queries".

There are some very specific cyber risks with using ChatGPT, including:

  1. Question data entered is forwarded on to OpenAI and potentially Microsoft, regardless of the type of account within ChatGPT.
  2. Personally Identifiable Information (PII) contained within query data may be harvested by OpenAI and could be exposed by inadvertent breaches.
  3. Browser data, including cookies, history and potentially saved passwords, could be exposed while ChatGPT is running.
  4. The data used by ChatGPT is continually growing as users interact with the system. However, both existing and new data may include misconceptions and inaccuracies introduced by human interactions.

Basic recommendations for mitigating ChatGPT cyber risks:
  1. Only use ChatGPT in a dedicated browser. One suitable for the purpose is Brave, a security-focused browser that blocks pop-ups by default and has a number of ‘secure browsing’ tools built in. Installing Brave from an app store (Microsoft, Apple, Google etc.) rather than from the vendor's website is the preferable method of installation.
  2. Get a unique email address to use with ChatGPT. Do not use any email address that you use for normal communications, online accounts or commercial purposes. Proton Email is one option that allows you to create a free email address, accessible from browsers or from mobile devices (again, install the apps from the app stores). Use that unique email address only for registration of your ChatGPT account.
  3. Avoid using personal or business mobile phones. Note: the phone number you use with ChatGPT is permanently attached to your account. You can get new phone numbers from services like Skype, which will allow you to respond to the prompts during setup of your ChatGPT account. Alternatively, a ‘burner SIM’ (for instance, GiffGaff sells SIMs with new numbers) can be inserted into any handset. (Caveat: your phone will have to be ‘unlocked’ to use a SIM from another supplier; however, you can also get Pay As You Go SIMs from most mobile providers, which will work with a handset locked onto their network.)

The purpose of the advice and guidance is to improve your Cyber Posture, but Cyber Risk cannot be completely eliminated.

Please be sure you understand the implications of the actions outlined above and the impact they may have on your unique environment.

At Cyber Certainty, we can help...

The business advantages presented by AI have the potential to be game changing. Our consultants understand that advantage as well as the inherent risks. We offer programmes which will help mitigate risks while enabling your competitive advantage including:

  • Seminars customised according to the target audience, outlining how to maximise the benefits of tools like ChatGPT and how to mitigate risks through improved Cyber Posture.
  • Policy and system reviews to ensure that AI benefits are aligned with the goals of the organisation and risks are clearly identified.
  • Consultant led configuration assistance along with mentoring and training to ensure successful integration and deployment of AI tools.




"Hope for the best, be prepared for the worst..." - a quote by Maya Angelou


Business Continuity

You're in business, you're growing, customers love your products and services. Everything is great, right?

In today's world, businesses are dependent on their reputation. Meet a customer's needs on demand and demonstrate quality and value, and they will beat a path to your door. Disappear (temporarily) from the web, fail to process an order or have to delay fulfillment and your customers go elsewhere.

Planning to meet customer requirements must also include a business continuity plan, which delivers benefits such as:

  1. Minimise Downtime
    By having a business continuity plan in place, downtime can be minimised and normal operations quickly resumed, helping reduce financial losses.
  2. Protect Reputation
    A company's ability to minimise disruptions and ensure continuity of operations helps maintain its reputation and customer trust.
  3. Regulatory Compliance
    Industries and businesses may be subject to regulations requiring a business continuity plan. Compliance helps avoid fines and other penalties.
  4. Competitive Advantage
    A robust business continuity plan provides a competitive advantage over competitors that lack one. If an outage occurs, customers prefer to do business with a company that can quickly recover, which gives the company an edge in the marketplace.

All of the benefits above come from preparing an organisation for emergencies. A business continuity plan helps organisations be better prepared to respond quickly and effectively to the unforeseen.

Business Survival Guide for those going it alone...

The following steps are the basics of a Business Continuity Plan, ensuring your organisation can continue to operate in the face of unexpected disruptions.

  1. Define your objectives
    Determine your organisation's key objectives and what protection is needed to maintain those objectives. Possibilities include protecting data, ensuring employee safety, maintaining business operations, and minimising financial loss.
  2. Identify potential risks
    A risk assessment identifies the risks that could impact the organisation, including natural disasters, power outages, cyberattacks, and pandemics. Rank the likelihood and potential impact of each risk.
  3. Develop a plan for each risk
    Create a plan for each risk, including steps to mitigate, respond to and recover from any disruption.
  4. Assign roles and responsibilities
    Determine who will be responsible for implementing the plan and make sure everyone knows their role. This includes identifying an emergency response team and backups for key roles.
  5. Test and refine the plan
    Regularly test the plan to ensure it's effective and refine it as needed, including conducting tabletop exercises and full-scale simulations to identify weaknesses and possible improvements.
  6. Communicate the plan
    Ensure that everyone knows about the plan and their role in implementing it. This includes providing training and awareness sessions for employees.
  7. Review and update the plan
    Review and update the plan regularly, ensuring it remains current and effective. Updates should include:
    • changes to contact information
    • identification of new risks or changes in the organisation
    • ensuring the plan aligns with relevant regulations and standards

Online links to resources related to Business Continuity planning include:

Designing, implementing and managing a Business Continuity plan forms the foundation of Corporate Cyber Posture.

At Cyber Certainty, we can help...

Our Business Continuity Consulting services provide guidance and support to organisations, ensuring that they can continue to operate and recover from unexpected disruptions or disasters. Applicable services include:

  1. Business impact analysis
    A crucial step in developing a comprehensive business continuity plan is a business impact analysis. Our consultants identify critical business processes, assess potential impacts of disruptions and prioritise recovery efforts.
  2. Risk assessment
    Our Consultants can perform a risk assessment to identify and analyse potential risks, evaluate their likelihood and impact, and develop strategies to address them.
  3. Business continuity planning
    Our Consultants work to develop a customised plan that includes all necessary procedures, protocols and resources to ensure continuity of operations.
  4. Crisis management
    Our Consultants can help develop and implement crisis management plans, provide guidance on communication strategies and coordinate response efforts.
  5. Disaster recovery
    Our Consultants work with an organisation to develop a disaster recovery plan including backup and recovery procedures, testing and continuous improvement.
  6. Training and exercises
    Our Consultants can design and implement training programs and exercises to ensure that employees understand their roles and responsibilities in a crisis and can respond effectively.

Our Business Continuity Consultants provide valuable expertise, guidance and support to organisations seeking to develop and implement comprehensive Business Continuity solutions.




The European Union law regulating how personal data of EU citizens is handled is the General Data Protection Regulation (GDPR)


GDPR regulations protect the privacy and security of personal data

While it's essential for organisations to comply with all GDPR regulations, these are a few key requirements to get started with:

  1. Obtain consent
    Explicit and informed consent must be obtained from individuals before collecting, processing, or storing their personal data.
  2. Provide transparency
    Individuals need clear and easily understood information on the purpose, duration, and legal basis for processing their personal data.
  3. Ensure data accuracy
    Organisations must ensure the personal data they process is accurate, up-to-date, and relevant to the purpose for which it was collected.
  4. Enable data portability
    Individuals must have the ability to transfer their personal data from one organisation to another.
  5. Implement data security measures
    Appropriate technical and organisational measures must be in place to protect personal data from unauthorised access, theft, or loss.
  6. Report data breaches
    Any data breaches must be reported to the relevant authorities within 72 hours of your becoming aware of the breach.
  7. Conduct Data Protection Impact Assessments
    Data Protection Impact Assessments (DPIAs) must be conducted on a regular schedule for all high-risk processing activities to assess and mitigate any privacy risks.
  8. Appoint a Data Protection Officer (DPO)
    Organisations processing personal data on a large scale, or sensitive personal data must appoint a DPO.
  9. Follow cross-border data transfer regulations
    Any cross-border data transfers must comply with GDPR requirements.

Once you have made a start on the requirements listed, it's going to be essential that you keep up with the changes to GDPR regulations being driven by regulators across the globe.

A key requirement of a DPO is monitoring changes to GDPR regulations and communicating them at all levels of the business.

Guides to understanding and getting started with GDPR

If you are going to 'go it alone' and begin your organisational alignment to GDPR, you need to start by knowing where to find the current regulations and where updates to the standards will appear. The 5 links below are a starting point for references to the GDPR standards:

  1. Official GDPR Website
    This is the official website of the General Data Protection Regulation (GDPR). It contains information on the regulation, guidelines, and resources related to GDPR compliance.
  2. EU GDPR Portal
    This portal is maintained by the European Commission and provides detailed information on the GDPR, including its principles, rights of data subjects, and obligations of controllers and processors.
  3. Information Commissioner's Office (ICO)
    The ICO is the UK's independent authority on data protection. Its website provides guidance on GDPR compliance, including its principles, accountability, and enforcement.
  4. International Association of Privacy Professionals (IAPP)
    The IAPP is a global organisation that focuses on data privacy. Its GDPR Resource Center provides information on the regulation, including its key provisions, resources, and best practices.
  5. Data Protection Commission (DPC)
    The DPC is the Irish supervisory authority for data protection. Its website provides information on the GDPR, including its key provisions, rights of data subjects, and obligations of controllers and processors.

Once you have an idea of what needs to be done, then you can start creating the programs which will align your business practices to the regulations. The 5 links below are a starting point for building GDPR programs:

  1. Information Commissioner's Office (ICO)
    The ICO is the UK's independent authority on data protection. Its website provides guidance on developing a GDPR program, including its principles, accountability, and enforcement.
  2. EU GDPR Portal
    This portal is maintained by the European Commission and provides detailed information on the GDPR, including its principles, rights of data subjects, and obligations of controllers and processors.
  3. International Association of Privacy Professionals (IAPP)
    The IAPP is a global organisation that focuses on data privacy. Its GDPR Resource Center provides information on developing a GDPR program, including its key provisions, resources, and best practices.
  4. UK National Cyber Security Centre (NCSC)
    The NCSC is part of the UK government and provides guidance on cybersecurity. Its GDPR resources page provides information on developing a GDPR program, including guidance on security, risk assessment, and incident response.
  5. Nymity
    Nymity is a privacy management software company. Its website provides information on developing a GDPR program, including guidance on compliance readiness, risk assessment, and accountability.

At Cyber Certainty, we can help...

Our Consultants understand the complexity of data being processed, security environments and the obligation to protect data.

We can provide:

  • Training which combines privacy and security knowledge with our experience of delivering virtual Data Protection Officer (vDPO) engagements for organisations both inside and outside of the EU.
  • Consulting and Mentoring services based on our experience working with clients, including as vDPO, across many sectors delivering high quality assessments to improve their privacy posture.
  • Virtual DPO services, backed by experience of working for a Supervisory Authority, demonstrating an understanding of the pressure points and risks.
  • Independent reviews of privacy services giving a fair, balanced assessment of each organisation’s current position including roadmaps as applicable for improving GDPR compliance.
  • An informed understanding of the important distinction between sufficient and perfect privacy: we are pragmatic and can help you realise the level of adherence necessary to achieve your aims.

In addition to understanding requirements (such as policies, Data Protection Impact Assessments and training), we can deliver solutions, not just a list of issues that need attention.




The National Cyber Security Centre's (NCSC) Cyber Essentials is a UK Government-backed scheme that helps businesses and organisations to protect themselves against the most common cyber attacks


NCSC Cyber Essentials offers a set of basic security controls that can significantly reduce the risk of a successful cyber attack.

Why NCSC Cyber Essentials is important:

  1. Protection against common cyber threats
    Cyber Essentials provides businesses with a set of five basic security controls that are designed to protect against common cyber threats such as phishing, malware, and hacking. These controls include securing internet connections, configuring firewalls, controlling access to data and services, patching systems, and securing devices and software. By implementing these controls, organisations can significantly reduce their vulnerability to attacks.
  2. Compliance with regulations
    Many industries and government contracts require organisations to have Cyber Essentials certification to demonstrate that they have taken the necessary steps to protect their systems and data. This certification provides evidence that the organisation has implemented basic cybersecurity controls, making it easier to comply with regulations and meet the requirements of potential customers.
  3. Improved customer confidence
    Cyber Essentials certification provides reassurance to customers that the organisation takes cybersecurity seriously and has taken steps to protect their data. By achieving certification, businesses can demonstrate their commitment to protecting their customers' information, leading to increased trust and loyalty.
  4. Cost-effective cybersecurity
    Cyber Essentials is an affordable cybersecurity solution for small and medium-sized businesses. The scheme provides a cost-effective way for organisations to improve their cybersecurity posture, without requiring significant investments in expensive security technologies or services.
  5. Competitive advantage
    Cyber Essentials certification can provide a competitive advantage for businesses. By demonstrating that they have implemented basic cybersecurity controls, organisations can differentiate themselves from their competitors and show potential customers that they take cybersecurity seriously.

In conclusion, NCSC Cyber Essentials is an important tool for organisations of all sizes and sectors. It provides a set of basic security controls that can significantly reduce the risk of a successful cyber attack, while also helping businesses to comply with regulations, improve customer confidence, and gain a competitive advantage. By implementing these controls, organisations can demonstrate their commitment to protecting their data and systems, while also reducing the likelihood of a costly data breach.

A step-by-step plan to prepare your organisation for NCSC Cyber Essentials certification

Steps:

  1. Determine your eligibility
    Cyber Essentials Questions
    The IASME Consortium Cyber Essentials readiness toolkit uses your responses to the questions to create a personal action plan to help you move towards meeting the Cyber Essentials requirements.
  2. Choose a method of accreditation
    IASME Cyber Essentials Certification
    The NCSC Cyber Essentials certification can be awarded by several partners accredited as certification bodies by IASME. Choose a certification partner that suits your needs and budget.
  3. Familiarise yourself with the certification process
    Visit the NCSC Cyber Essentials website and read the guidance documents provided to familiarise yourself with the certification process. This will help you understand what is expected of your organisation and prepare you for the certification process.
  4. Conduct a self-assessment
    Use the NCSC Cyber Essentials self-assessment questionnaire (see #1 above) to identify your organisation's current security measures and any gaps that need to be addressed before you can achieve certification.
  5. Implement the necessary security measures
    Address any gaps identified in the self-assessment questionnaire by implementing the necessary security measures. The NCSC provides guidance on the security measures that are required to achieve certification.
  6. Prepare the necessary documentation
    Cyber Security advice for small businesses
    Prepare all the necessary documentation, such as policies, procedures, and records, to demonstrate your organisation's compliance with the Cyber Essentials scheme.
  7. Contact your chosen certification body
    Once you have implemented the necessary security measures and prepared the necessary documentation, contact your chosen certification partner (see #2 above) to arrange a certification audit.
  8. Certification audit
    During the certification audit, the certification body will review your documentation and conduct an on-site assessment to verify your organisation's compliance with the Cyber Essentials scheme.
  9. Achieve certification
    If your organisation meets the requirements of the Cyber Essentials scheme, you will be awarded the Cyber Essentials certification.
  10. Maintain certification
    To maintain your certification, you must renew it annually and ensure that your security measures remain up to date and effective.

At Cyber Certainty, we can help...

Our Consultants are experts in guiding organisations of all sizes across multiple market verticals.

We can:

  • Assess your current security measures
    Using the standards provided by the NCSC, we will help you complete the Cyber Essentials self-assessment questionnaire.
  • Make necessary improvements
    Based on the NCSC guidance, we will produce a roadmap to certification that protects your business against cyber threats and assist with its fulfillment.
  • Prepare any required documents
    To ensure you can demonstrate compliance with Cyber Essentials, showing your customers and partners that you take cybersecurity seriously.
  • Assist in selecting a certification partner
    We will help you choose an accredited certification body and schedule an audit to verify compliance.
  • Provide audit support
    During the audit, the certification body will review your documents and security measures to ensure they meet the requirements of the Cyber Essentials scheme. We will assist in answering any questions as a part of your technical team.

Upon successful completion of the audit, you will be awarded the Cyber Essentials certification, which can be used as a competitive advantage to win new business and build trust with your customers.