Category Archives: Cyber security

Humans – your weakest link or your strongest shield?

By | Cyber security | No Comments

The other day I was in a meeting with one of the UK’s most powerful financial organisations. I’d been invited in to talk to the team about the latest market trends and what I was seeing. We talked about many things like ransomware, the sophistication of today’s attackers, new technology solutions, regulation (like GDPR), and the diversity and talent within our ecosystem. Then I brought up internal threats, specifically people.

I asked them if they’d humour me for a few minutes and they agreed.

“Close your eyes,” I said.

“I want you to step into another’s shoes – someone who works at your company.

Imagine what it feels like to be told that you’re a weak link.

A threat.

A liability.

Imagine what it feels like to have to undergo a standard security awareness training programme once a year, or more, just because of this. To know that if you fail the test you’ll have to repeat it and that you may be penalised because you’ll be endangering the organisation. Behind closed doors, some people may even be talking about you and muttering, “You can’t fix stupid.”

Chances are you’ll find this irritating, or it may even worry or upset you. Maybe these words or phrases will go through your head before or after.

Their faces were solemn, their bodies were slumped in their seats and they all nodded their heads in agreement. I continued.

“Now let’s flip the switch.

Imagine what it feels like to be told that you’re valued.

Someone who can help an organisation protect its assets, defend against cyber attackers, act as a shield, and be effective.

Chances are you’d be feeling much more open to engage, learn more, and help.”

Once again they all nodded their heads but by now they were smiling and sitting more straight in their chairs. I continued.

“Let’s knock it up a level.

Imagine what would happen if you were given a voice, had an opportunity to feedback to the organisation – the security team – and suggest improvements.

The dialogue is now open.

There is no them and us.

You’re on the same team and part of something together.

What if you could be rewarded for your efforts too?

Chances are you’d be feeling much more empowered.

Maybe you’d even be interested in learning more about cyber security – a topic that’s pretty cool right now.”

I asked them to open their eyes. By now their faces had lit up, they were fidgeting, and desperate to talk. The room was energised. They understood what had just happened, and we reviewed the human risk element, and how security awareness training programmes are being implemented.

I explained that it’s easy to get lost in our ways, to follow the crowd, and to say or do what everyone else is saying or doing. But if everyone is thinking alike, is anyone really thinking?

It’s much harder to challenge the status quo, and to look for better solutions. Yet, that’s what we must continually do if we’re to perform to a higher security standard, and achieve better results. We must collaborate, and use our resources more effectively, rather than divide, build walls, and maintain silos. Communication can help us do this, as it draws on language, which is where change really begins. Add in images, visuals, and sound, and you’re on your way to creating something that’s powerful, simple, and effective.

Here’s my high-level advice.

Tip 1: Define your objective. To begin, consider your objective and what you’re trying to achieve. This sounds obvious, but you’d be surprised how many fail to do this. The reason I know is because they can’t measure and evaluate the results of their security awareness training programme afterwards. Imagine how delighted the Board would be if you could communicate this as a value.

Tip 2: Assess user group profiles. Once you’ve established your objective and how you’ll measure it, look at your user groups and their risk profiles. Go through scenarios for each group, as not everyone has the same training needs. A questionnaire that gauges each person’s level of security competence in relation to their role often helps. Training all users in the same vanilla way, which is usual, not only bores them but is costly too: it means they’re not being productive elsewhere in the organisation. Tailored programmes, on the other hand, maximise engagement and overall understanding of the problem, which enables you to deliver and measure a much more effective security awareness training programme that produces immediate value.

Tip 3: Plan your communication. Consider your communication methods, particularly your training modules. Over the years I’ve seen high quality security awareness training videos that are extremely amusing. I’ve cringed at the scenarios, and laughed a lot. They’ve made me smile, and lifted my spirits. However, although they reached me emotionally, which is what you need to do, the end result is that they often just leave everyone feeling like this – amused. Few remember what the learning lessons were shortly after. All they remember is that they laughed, which kind of defeats the objective. So, test the modules with a select and diverse user group to get their feedback prior to purchasing.

Tip 4: Adopt an entrepreneurial mindset. This means being open-minded rather than fixed when you’re implementing the programme. Test, tweak, and get feedback from those using it. Connect with your employees, empower them, make them feel part of something, and find champions or ambassadors who can help you evangelise. We don’t know it all in security, and there’s no shame in admitting this; it’s what strong leaders do. We can always improve, and being receptive helps us avoid being blindsided. By making your employees your strongest line of defence and telling them this, you’ll end up creating a security culture that’s onside, that innovates, adapts to evolving threats, and strengthens.

Now I want to hear from you…

  • Tell me what resonated, what you’re going to do differently, and if you’ve got more advice please let me know and share it here.

To find out more…

Please watch Microsoft Office’s Modern Workplace Episode 307, Cyber Intelligence: The human element, and hear from Dr. Jessica Barker, a cyber intelligence advisor, and Phil Ferraro, the CISO for Nielsen, on the human risk element.

Jessica will share simple steps you can take today toward motivating your organization and helping to keep security threats at bay. Phil will share five common security myths you must avoid to help keep your data secure. Together, these experts will give you insights on how you can best strategise to meet your most urgent security needs as it pertains to the human element. Plus, explore features of Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection that will help you stay a step ahead of a potential threat.

Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this Microsoft Office Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in, and this is one of them.

My top 5 breach prevention tips – would these be yours?

By | Cyber security | No Comments

Working in cyber security for the last 19 years has been an amazing experience. Watching the sophistication of cyber attacks and the frequency of breaches increase has not.

I was discussing this with a few senior cyber security leaders the other day. As we talked, we each reeled off a load of statistics, like how Lloyd’s of London has estimated that cyber attacks cost businesses as much as $400 billion a year, how Juniper Research has predicted that the cost of data breaches will increase to $2.1 trillion by 2019, and how the World Economic Forum says the true cost is actually unknown, as industrial espionage grows and access to confidential data goes undetected.

We also discussed how cyber criminals follow the money trail, and how SMEs make for rich pickings, as they’re typically less secure and more under-resourced than large organisations. According to Symantec’s 2016 Internet Security Threat Report, about 1 in 40 small businesses are at risk of being the victim of a cybercrime, and attacks are intensifying.

And then I said, “Of course it’s only when a C-level gets fired, or scrutinised in the media, that everyone takes notice.” Suddenly, one of them thumped the table and said, “You’re right. This may not be a stat, but it’s relatable!”

Although not an everyday occurrence, things like this happen. Few in the UK could forget the barrage of criticism Dido Harding, the CEO of TalkTalk Group, received in 2015 over her handling of a data breach that affected about 4 million customers whose personal details had been stolen. But what about the CEO and CFO of FACC, the Austrian aerospace parts manufacturer, who were fired in May 2016 after a cyber fraud incident resulted in a €40.9m loss? Then there were the CEOs of Sony and Target, who were fired after hacks in 2014, and I can still remember how tongues wagged in 2011 when Betfair’s Security Director left just days after an 18-month-old data breach was announced in the press.

We all agreed, but the question many of us pondered was whether this was going to worsen, especially considering new legislation, such as GDPR. Furthermore, what could be done to mitigate risks, and ensure more resilience, as cyber security isn’t about “if,” rather it’s about “when,” and whether “it’s already happening but we just don’t know about it.”

With these thoughts in mind, here are my top 5 high-level recommendations.

Read More
