How employees transform security from risk to reward

SME catches up with cyber security expert Oz Alashe MBE, CEO following the launch of

Oz, there seems to be a lot of concern about security at the moment – what’s changed?

Most businesses are concerned about security on some level, but they don’t necessarily see how it applies to them. What we’re seeing in the news is a series of high profile cyber security incidents such as the WannaCry ransomware, alleged interference in the US and French elections and non-stop reporting of data breaches. This coincides with a proactive UK government campaign to improve awareness around the issue of cyber and information security.

Although many of these attacks are alarming, they are encouraging small businesses to think about their own cyber security. The next step is for them to do something about it. Case in point, UK Government research published in April polled 1,523 UK businesses to find 72% of cyber attacks originated from fraudulent emails sent to employees. This is insightful research that every small business should learn from – tech fixes like running Windows update and using antivirus software on employee workstations are vital to avoid nasty malware like WannaCry, but the most common threat is a criminal who exploits human nature – which is possible with a simple email.

What makes phishing so effective?

Psychology. Psychology is the main reason so many of us are ‘programmed’ to respond to these phishing attacks. This makes the act of imitating someone with authority within the business, in order to gain access to information, so effective. Ask yourself how many people in your business would share financial information with their finance director or accountant in response to a well-crafted email? Many would at least consider it.

Technology also has a role to play. Phishing, in its crudest form, relies on the law of averages. It’s easy for a fraudster to mass email people in an organisation and request they click on a link that unknowingly installs malware or impersonates a supplier to collect confidential information.

Today, most people have an extensive digital footprint, from CEOs speaking at events and attending shareholder meetings to the sales administrator sharing their life on Facebook. Cyber criminals have become increasingly sophisticated, using this information to analyse trends and behaviour and target individuals with personalised messages. These attempts are harder for security tools to detect and rely entirely on the individual’s judgement – a difficult task when they are well researched and timed.

What should companies do to avoid these attacks?

Start by reviewing the easy fixes – take advantage of any technology that might help you reduce your risk. Make full use of any spam filters provided by your email provider, and endpoint security software features such as inbound email scanning that might help employees spot mass phishing attempts.

The only way to address the human aspect of security is to make sure your people can spot and foil fraudsters, preventing incidents before they cause damage. It is challenging to change behaviour and it takes time. But it can have a disproportionate effect on the reduction in cyber risk you carry. We have discovered the best way to improve cyber security awareness is to help people help themselves. For example, someone who understands that they should check their emails carefully to protect themselves from credit card fraud at home will change their email habits at work, therefore reducing the risk posed to the company. It’s not just email phishing that you need to be mindful of either – there are many other cyber and information security threats, but we can help our people be more vigilant and protect our company from all of them.

As the front line of the organisation, encourage your people to question any suspicious or unusual instructions from colleagues, clients, suppliers and even management without fear of reprisal. Some of the most effective cyber attacks involve impersonating senior management – too many people will often take the bait and hand over whatever information is being asked of them.

What should you do if you suspect you’ve been phished?

If a member of your team thinks they may have disclosed any personal or sensitive data they must report it quickly as action can be taken to limit the effects. This requires both awareness – to know you’ve been phished – and a culture where people are clear that they should respond.

The other reason it’s so important that people within the company are vigilant is that social engineering attempts may have several touchpoints before the fraudster achieves their goal, be it stealing information, logins, money etc. As such, the simple act of setting a procedure for staff to report security related activity is a powerful way to nip such attacks in the bud before your business falls victim to a scam.

If a member of staff receives a phone call and has cause to believe that the caller wasn’t the person they claimed to be, ask them to report the attempted attack. If the Finance Director demands urgent sales figures for the AGM using their personal email address, make it clear to the member of staff that they will not be chastised for reporting it.

What is CybSafe doing to address security awareness?

We believe that people are important. And we focus all of our energies, advanced technology and expertise on addressing this issue. We know how hard it is to address the human aspect of security, and many businesses don’t have the time, capacity or resource to address it effectively – yet they know that if they could do so it would have a huge impact on their security.

Security outcomes can only be improved if we can improve our people’s underlying security behaviour, so we have combined psychology, behavioural science, advanced technology and effective content to develop a platform that engages employees – be it spotting suspicious emails, rethinking their social media activity or a host of other things they can do to keep themselves and their organisation safe online.

Over the past two years we have developed a GCHQ-accredited program, which is delivered via our website or mobile apps to make it easier for people to complete at their convenience. Companies enrol their staff in the training program on a simple and affordable annual subscription that covers all common security risks and is regularly updated with risks pertinent to their industry. The software is intelligent and applies machine learning technology to ensure information is presented to users in a way that makes it most likely it will be absorbed. We also use clever technology to measure changes in behaviour.

We think it’s very compelling for SMEs because they can protect their company, and also reap the reward of Institute of Information Security Professionals (IISP) and GCHQ-accredited training in demonstrating governance to clients and insurers, so they know you’re protected too. Being a secure part of the supply chain will become increasingly important for companies when they do business with large corporations in the future. Some of our customers have even had their cyber insurance premiums reduced on account of doing CybSafe – just one way in which businesses using CybSafe save themselves money.