This year was the 30th anniversary of InfoSec Europe, and for more than 20 of those years blue goose has attended, joining industry peers to discuss the cyber security challenges facing employees today and tomorrow.
Among the 200 hours of talks from CISOs, leading cyber security professionals and behavioural scientists, two sessions relating to cyber security awareness, employee engagement and embedding a cyber safe culture stood out for us in particular.
The first was probably the most poignant: ‘Inside the Scattered Spider Attacks: A Cyber Hygiene Wake-up Call For All Industries’. Hosted by Jon Abbott, CEO of ThreatAware, the session was a discussion between Jon and Sunil Patel, Information Security Officer at River Island.
Sunil has been in post for more than seven years and before that was Information Security Officer at ASOS, so he is constantly on the frontline of retail’s cyber strategies. His opening remarks expressed sympathy first to his fellow peers at M&S, Co-op, Harrods and others who are victims of the Scattered Spider attacks.
His personal opinion, while acknowledging he doesn’t have inside knowledge from the organisations affected, is that the attacks were subtle and not that sophisticated, going in through some ‘good social engineering’, but he warned:
‘This is a wake-up call for all industries, not just retail and I think this is the first of many.’
Sunil’s key points and tips, in summary:
- Act before it’s too late. Don’t adopt a ‘well it’s fine, it hasn’t happened to us’ mindset.
- Constantly ask yourself: how can we do better?
- Make sure your cyber culture is right. Be sure staff know the processes and understand why there will be security-led questions.
- Do the basics right. Make the human element rock solid and protected as much as possible.
- Start at the top. The CEO, or whoever it is, has to go through the same process as everyone else, for example if they need a new identity badge.
The second session, ‘Measuring What Matters – Enhancing Security Awareness through Behavioural Science and Data’, featured Gareth Thomas, BEng(Hons) CISSP GOSI CEH, Security Education and Awareness Product Owner at Lloyds Banking Group, and Tim Ward, CEO and Co-founder at Think Cyber.
Gareth, who’s been leading security education at the bank for more than six years, focused on his mantra of ‘commitment over compliance’ and developing a culture where people want to do the right thing regardless of whether anyone is watching.
‘I can’t express my disdain enough about a phishing test score of less than 5% click rate. Anybody can be phished. What’s important is actually telling the company you’ve seen it.
People who care enough to report it are more important,’ he said.
Added to this, he showed how Lloyds deliver the right message at the right time in the right place to employees through a number of nudge techniques and notifications such as: ‘Check the label: is this highly confidential’; ‘Before you share, is this data ok to upload?’; and ‘Forget something? Lock your computer using Windows + L’ or even a return to work message for employees such as: ‘Welcome back, there’s some items you need to look at such as: Keeping Safe & Secure.’
Such nudge tactics are administered via Think Cyber’s product, Red Flags. Tim reminded us of the Ebbinghaus Forgetting Curve, which shows that humans forget information rapidly shortly after learning it, reinforcing Gareth’s point about delivering the right message at the right time rather than taking a ‘once and done’ approach to cyber security learning. According to the Ebbinghaus study, 90% of information is forgotten within a month if it is not reinforced.
Creating a cyber safe culture
Embedding a cyber safe culture which is values-led, inspires employees to go beyond, is voluntary rather than mandatory, and builds trust rather than creating suggestions of mistrust is all part of the wider blue goose Compliance to Engagement Framework. We use this to shape positive cyber security environments for brands such as Bank of England, Burberry, Computacenter and Barclays.
Ben Watson, blue goose managing director and strategist, regularly instils the belief that sustainable cyber awareness starts with culture.
‘We do know that ‘affective security’ – the desire to protect an organisation out of loyalty to it – is a powerful weapon when it comes to information security.
‘A business that has embedded a positive culture and belief in its purpose, can leverage that commitment to ask for support on a broader range of issues – including compliance and cyber security,’ Ben says.
The importance of culture was reinforced in a separate session at InfoSec with LastPass CEO Karim Toubba, LastPass CISO Mario Platt and Softcat CISO Mark Overton, where Nick Pegram, LastPass EMEA Sales VP, summed up their discussions:
- Never let a breach go to waste. Learn from it.
- Give employees opportunities to be transparent about making mistakes and create a safe space for that.
- Use the news and media to educate and influence.
- Adopt a security-first culture, but also a positive culture that drives productivity.
If you want to find out how blue goose can help you build a positive, cyber safe culture which changes behaviours and mindsets, talk to our team of specialists today.