
Good afternoon. Thank you so much for having me, and I hope you've enjoyed BSides Bristol so far, because I know there are lots of things to learn and lots of people to see. My name is Andrea Mii. I am the security awareness and education manager at Beachcroft here in Bristol. This is a law firm, so we don't do anything security per se, but we do have a security function. What does that mean? I work with our security team and the wider IT teams to make sure that our colleagues are educated when it comes to how to stay safe online, both at work and at home.

So you might think that staying safe at work is done through all sorts of tools like VPNs and firewalls and things like that, but why should we care about security at home? Why do we need a dedicated person to teach people all of that? Well, ultimately we should care because what we're trying to do is help people understand the dangers and learn strategies that will help them stay safe long term, rather than just applying a Band-Aid in the moment, rather than having them rely on technology to keep them safe. We are trying to teach them behaviours that can help shift the culture and the attitude towards a safer approach. So what we're trying to do is bring more than awareness to our colleagues: we're trying to help them understand the impact of their actions and why it is their responsibility to stay secure online, because the human risk element is crucial in keeping our organisation safe.

So what is security awareness, and how can we make it everyone's business? When we say security awareness, we usually reference the standard definition: the formal process of educating employees about cyber security best practices to help them better navigate the many cyber security threats they may face at work and at home. But what is the problem there? Because we live in a world where we're all exposed to all kinds of cyber threats, defining cyber security responsibilities feels almost impossible. And what is the easiest way to define the impossible? Make it possible by teaching everyone, and I mean everyone, about their important role in staying secure online.

So this is the problem: who should be responsible for our cyber security? Usually the misconception about our industry is that only cyber security people should care about cyber security. However, if you ask anyone, families, friends, colleagues, what they think of when they think about cyber threats, chances are they think of this guy in a hoodie in a black room, typing away at all sorts of things, trying to crack your password and steal your data and your money. But if you ask them to think about cyber security, they'll see this guy typing away equally furiously, trying to protect you, trying to prevent that breach from happening. So in the grand scheme of things, there are hidden dangers that people overlook when it comes to cyber security. There might be the chance of tailgating that people don't consider, or the chance of someone reading their emails on the train, or someone forgetting to lock their computer. That's what happens in terms of the human element, because at the bottom of it, this is what's causing all of this. We all know that there are nuances to cyber security and cyber security approaches, and because bypassing people is generally the easier option for threat actors, they will try to concentrate their efforts by targeting people instead of tools, instead of your email security, for example, or instead of your cloud. They might be trying to phish your employees, or pretend to be a delivery person, or pretend to be a contractor, you name it, because those attempts are generally more successful than just targeting a tool. And while we cannot prevent those attempts with a 100% success rate, what we can prevent, or reduce, is their impact on us. So what we need to understand is that as long as we have a human firewall full of people who are educated and aware and proactive and ready to take action when something suspicious happens, we can prevent a major incident from happening.

So you've probably seen this stat before. This is the 2024 Data Breach Investigations Report by Verizon. It was 84% a couple of years ago; now it's gone down to 68%. This means that 68% of data breaches happened because of someone clicking on something or doing something they shouldn't have. So basically the problem is this: we've been trying for the past few years to bring our expertise and knowledge and make cyber security accessible for everyone, but how do we make it accessible? How do we define who has responsibility over what, and how do we make sure that our colleagues and families and friends are knowledgeable and receptive and proactive, and that they are as protected as they need to be?

This is the solution. That's what people used to do, and still do, actually: they rely on phishing simulations. So we keep throwing phishing simulations at them, hoping that they won't click on a link or download an attachment. Do we tell them these are the red flags, check the spelling, check the grammar, hover over links? Do we tell them to make sure they open the link in a sandbox or something like that? Do we ask them to make sure they don't submit their credentials to a bogus website? What do we do? Do we throw mandatory training at them, or bite-size training, or nudges, because those are the new buzzword now? What is the goal? Because we can do all of that, but what is the goal of all of that?

So going back to the initial question: how do we make cyber security everyone's business? Because ultimately it's not just about being aware. People are aware, you know, but we're not trying to scare people into awareness; we're trying to make them understand that cyber security is a shared responsibility, and whether we like it or not, everyone will make their own choices about how they will contribute to being cyber aware and cyber secure. So how do we convince our colleagues and family and friends to get on board with our efforts, with our approach to security? Because it's often challenging, people have various needs and skills and resources, and a blanket approach is rarely successful.

So going back to this report, this is the human element. This is what threat actors see and this is what they know, and we've been trying to reduce the number. We've managed to get it down from 84% to 68%, but this is a long-term goal. This won't happen overnight, and in the meantime threat actors will still have access to people and will still try to get them to click, download, submit information, send money, all sorts of things. So because our lives are so intertwined, the professional and the personal life, we need to teach people that we're thinking long term, and we need them to get on board and see the big picture with us, so that we can rely on them to learn those long-term behaviours at work, practise them at home, and then bring them back into the office. It's a rinse-and-repeat kind of situation, where the more you know the more you learn, and the more you do the more you know, and so on and so forth. And we need to teach them what security questions they need to ask, what red flags to pay attention to, what triggers they need to be aware of. This is their buy-in, because at the end of the day they don't have our big picture, but they need to understand why we want them to get on the same journey, on the long-term approach, as we are. What we're offering here is a lifelong skill that won't just be useful in the current job; it's useful at home, it's useful with their family, their friends, their children, their future jobs and many other instances of their lives.

So the solution would be to have regular users talking to cyber security, but sometimes there's a mismatch in terms of the conversation level. It's like talking a foreign language; it's like having two opposite sides of a barricade trying to understand each other. You have the regular users who need context, who need to be made comfortable to ask questions, who need to access information, to submit tickets or questions or queries. And from what I heard by talking to people on this side of the barricade, sometimes it is difficult, because there is a sense of gatekeeping, that information is not easily accessible to regular users, and they don't understand why changes are being implemented the way they are being implemented. So what we need to work on is trying to make people feel comfortable asking questions, trying to make sure that their questions do not come across as stupid, because no one wants to be made to feel like they're stupid. At the end of the day, we need to make it more explicit to them why changes are happening the way they are and how we are implementing security measures, and we need to make it easier for them to find information, to find policies and guidelines, to submit tickets, to ask questions. In my organisation, for example, I am the designated person, and people sometimes come to me and ask me all sorts of security questions, and it's easy because they have a friendly face, or I hope so, and they get the answers they need. And if they have access to the big picture, the more questions they ask, the easier it is in the future to ask further questions. So it's kind of a self-fulfilling prophecy, in a way, because one thing leads to another and the snowball goes on and on and on; they accumulate information, and then it's easier for them to understand what they don't know and continue asking questions.

But what happens on the other side of the barricade? Cyber security professionals do have the context, they have the understanding, they have the answers or at least know how to find them, they can deal with tickets and queries, all sorts of things like that. But we need to make space for regular users to come and ask us questions, because at the end of the day, all the cyber security professionals I've talked to all want to be asked questions. The problem is they never know where to start explaining, so it's kind of hard to assess someone's level of knowledge. So on this side we're expecting people to come to us and ask us things; on the other side, the other person doesn't know what they don't know. So it's about making space for regular users, like I said before, to come and be vulnerable in front of us, because not knowing something is a level of vulnerability that most people are not comfortable with.

So what should we do? Now the conversation flows freely between the two sides of the barricade, but the reality is it is very difficult to make these two groups talk to each other. They need to coexist so closely, and at the same time it's kind of hard to find the common language and the common ground to understand each other. So who in this room is the IT person in your family, for example? Okay, cool. Do you have MFA active? Cool. Does your family ask you to activate MFA? Okay, just a couple of you. Why don't you have MFA active on your family accounts? Does it look like this? Okay, because usually that's where the problem lies: there's a mismatch in understanding, there's a mismatch in language. And you can try hundreds of times to get them to buy into the security concept, and I know that my partner doesn't want MFA, so it's hard, I know it's hard. But the problem is: the printer is not working, there are security updates that need to be installed on your phone or your laptop, someone lost access to an account. What do you do? Because chances are, as the designated IT person, you will have to go through that process multiple times, and at some point you'll probably experience that. And this is when we need to remember those people: they do not have the same knowledge, the same information as we do, and what we need to do is bring in the understanding and the patience to help them feel at ease. Because if you treat them like that, they won't come back to say, "Hey, I just changed my phone and I lost access to all my bank accounts, can you help me?" because they know they will be treated with that. And I'm not shaming anyone, because I've done it, I lose patience all the time, but what we need to work on is making people feel supported in asking questions and helping them to get where we are in terms of autonomy, if you like. Because ultimately that's what we want: we want people to feel as comfortable as we are in terms of being secure online.

So like I said, the solution: share the knowledge, be helpful, make people feel comfortable asking questions, be kind and patient. Because if people don't feel supported in asking a silly security question, how would they feel if they have to report something? Do they know how to report it? Should they report it, first of all? Should they ignore it? Should they wait for someone else to deal with it, it's not my business, I'm done with it? Do they know where to find the guidance? Like I said before, there's that sense of not knowing where information is and not knowing who to ask when it comes to that. This is why cyber security is everyone's business, because people who know what email headers are and what conditional access is need to talk to people who don't know that they can rename their Wi-Fi, and they need to find a common ground and maybe a common language.

So how do we do this? Because we have options: we have the easy way and we have the hard way, and we'll say, oh, easy way, good, great, let's do that. How is that easy? Because you have simulated phishing every month, every day, you name it; people do it in all sorts of ways depending on their organisation. Is that all there is? Is it like mandatory training, all that? If you have mandatory training once a year, is that good enough to keep people safe, to help them learn behaviours, rather than the reactive remedial training? Okay, they clicked on a phish, okay, they'll see me, I'm sure they'll be very happy. You can use internal communications for that; that's also an option. How useful is that? Who will sit at their desk and read the company newsletter once a month or once a quarter just to find out what's new in cyber security? The general consensus is that these points are enough to provide training and awareness. It depends. If people continue seeing the red flags, the boring mandatory training, they might think, okay, that's all I need to know, I'm going to delete the information from my head in the next 15 minutes and that's it, I'll see it next year, I'm good. Because at the end of the day people still need to do their jobs: they need to pay invoices and create marketing things, I don't know, I've worked in IT all my life so I don't know what other people do. But we don't want to waste their time, right? So we think, oh yeah, those four approaches, they're good enough. But is it enough? Is the same dry training without updated information the way to go, or do we need to do more? Because depending on the organisation, I would argue that some people are a bit more inclined to comply with the rules and this kind of approach will benefit them, so you won't have people clicking willy-nilly all over the place. But just like we teach people how to lock doors regardless, we need to teach people to form healthy and achievable habits when it comes to their online presence. This would require us to think outside the box and understand where we are on our journey together as an organisation, what our main risks are and what our goal is.

So this is where the hard way comes in, because you need to have the long-term vision. You need to assess the cyber risk, assess your employees and their behaviours, and you need to build a cyber strategy around it. Because instead of focusing on the present time and ticking that compliance box, this is the long-term vision that we need to focus on. So what kind of questions do you need to ask? Ultimately, you have to understand where your baseline is. So: do your employees share admin accounts? Do they share access badges? Do they send passwords in chat? Do you have tools to check that? Do you have tools to prevent that? Do they send confidential documents to other private email accounts, sometimes their own, sometimes someone else's, doesn't matter? Do they know where the policies are, where they're stored and how to access them? Do they know the impact of a data breach? Do they know where to report? Because that's a key element: suspicious things will always happen, but do we know what to do when they happen? At the end of the day, people are at the centre of it all, so you can put as many security tools in place as you can to prevent something bad from happening, you can have a 24/7/365 SOC team available; the reality is, if someone from marketing doesn't pay attention to a red flag in an email and they click on it, who knows what they might expose the organisation to.

So think of yourself, think of your online presence, for example. These are things I've seen people share on Facebook, Instagram, LinkedIn, all sorts of social media websites. What kind of information do you volunteer yourself? I'm sure people will have a picture of their dog: here's Rusty with me, travelling in my Fiat 500 to the seaside. People know where you are now, what kind of car you drive; maybe they know where you live, because when you took the picture you can see part of your house with the number, and all sorts of things. Maybe you're very good at not sharing that kind of stuff online, but what if, for example, I see people on Twitter especially adding their mobile phone operator: "Hey BT, I lost signal in this area." Now everyone knows where you are, that you're using BT; they can send you an email to your work email account saying, "Hey, I'm Janet from BT, we have a voucher for you, click here." It's things like that. They are minuscule in the grand scheme of things, but with that kind of information it makes it easier for the threat actors to make contact with you, and from something so little they can get a lot of information or money from you. So if you do that knowing the dangers of your online presence, imagine people who don't have this big picture, imagine how bad they have it, how much information is floating out there that can be traced back to them.

This is why we need to focus on behaviours, because people are different but ultimately they behave the same. They will volunteer personal information, they will show a tendency to help: hey, I'm in dire need of money, help this orphan child from wherever; hey, I'm the CEO, buy me some gift vouchers. Sorry, this kind of stuff actually happened in my old company: the finance director was out playing golf and he approved a payment. That was fun. This is why we need to start assessing these behaviours. We need to understand where people's compliance level lies, and their appetite to follow instructions, and their appetite to be scared into doing something, because people will usually react to something designed to elicit an emotional response. So either because of fear, or you're too busy going from meeting to meeting, or you have stuff at home waiting on you, or, I don't know, it's your last day before going on holiday, things will impact your response to this, and the more we train it, the easier it is to avoid falling prey to this.

So you need to teach people what to do. Like, you're in the middle of a report, typing away, all good, and you get a message from DHL saying, "Hey, you need to pay for this delivery." Do your colleagues know where to check? Do they know where to check if they've ever ordered something that was supposed to be delivered by DHL? Do they know how to track the history of this occurrence to learn if it's legitimate or not? Do they know how to check the content or the headers to confirm the legitimacy of the email? Do they know how to report the email, ultimately? Or let's say you're in the office and you see this guy fixing the printer, but you've never seen him before. Do you have enough courage to go and challenge him? People are ultimately bad at challenging others, because you don't want to be the one preventing someone else from doing their job, and it's very difficult to train that. But we need to make people feel okay with being vulnerable and being wrong. Even if I go to that person and say, "Hey, are you actually with that maintenance company?" or whatever, and they say yes and they provide me with a badge that proves that, that's okay, I only took two minutes of his time. But what if that person is actually someone who came here to gather intelligence on us, and they're just looking through the history of the printer to see what kind of documents we printed before? So it's very uncomfortable, but this is what we need to do. We need to educate people and family and friends that it's okay to step outside the comfort zone, it's okay to ask the challenging questions. We want them to have the right attitude towards security, and that sometimes involves being a bit difficult, being a bit sceptical.

Ultimately, we need to make sure that on this long journey we're all together, and as businesses grow we need to ensure that this element of staying secure can be scaled up. Because the truth is, organisations of all sizes can be a target: bigger organisations have more money; smaller ones either have a more relaxed approach to security or fewer resources to deal with it. So it's everyone's responsibility to be as secure and as aware as possible, and this is not done just through regular phishing training or through that one-hour session of infosec training once a year. This is something that you constantly have to work towards, and you constantly have to adapt to, and you constantly have to learn about. And I know it's not our colleagues' responsibility, but it's our job to basically hold their hand through all of this.

So why is working with people the only way to reach this vision? If you rely on making security awareness everyone's business, you have multiple lines of defence ready to act when needed. Maybe someone configured your email security wrong, or your VPN was not deployed the right way, or something happened; maybe you have a tailgating incident, but what will people do? They will question that person. Maybe someone's requesting elevation of user rights; someone will say, hold on, this is not the right procedure. The new CEO that's asking you for vouchers: they'll say, I'm sorry, I need to go and check with my manager if that's okay. Because technology is not always up to date, but we can still rely on the human element, the one that threat actors are also relying on, to keep us safe and protected. So like I said before, behaviours trickle down and they ultimately help build a secure environment, a secure culture. If you see people constantly leaving their laptops unlocked, you will start doing so, because it gives you a false sense of security. If you see people locking their computers, questioning why are you sending me your password on Teams, why are you sharing your access badge with your colleague, people will start thinking, hmm, this is not how things are run around here. So like I said, we need to make it easy for people to ask those questions and stay sceptical and suspicious every step of the way.

Oops, my bad, I did something I shouldn't have and I went back to the start. Yes, okay, it was my last slide anyway. So thank you, and I apologise. If you have any questions... Thank you.

Host: Thank you, that's great. Have you got time for answering questions?

Andrea: Yes.

Host: Great. Anybody got a question? Raise your hand if you do.

Audience member: I had a question, is that all right? So I can imagine that when you put in a change to your security awareness programme in a company, it costs.

Andrea: Oh yeah, yeah.

Audience member: Is there a metric that you can think of that we can use to persuade the executive team to absorb this cost? Can they measure it?

Andrea: There are methods to measure it, and to be fair, I'm still working on trying to quantify it in a financial way, because that's how the board wants it. But until now, because it was mostly a checkbox exercise, a compliance requirement more than anything else, it was hard to look at security awareness from the perspective of human risk, which is what we're shifting towards right now. So once this approach is a bit more established, I think it would be easier to try and bring the financial aspect into it. Right now it's kind of a standard blanket approach to it: yes, this is bad, this is five out of five, so we're just going to put this as high as possible on the list.

Host: Oh, superb, thank you. Yes, we have a question. Wait for the mic.

Audience member: Not so much a question, positive feedback. You're absolutely right in all that, and we're doing similar stuff in our organisation. So a few key things: pick the security uptake in whatever organisation, and then carefully craft everything you're doing, make it positive.

Andrea: Yes, definitely. The positive reinforcement is what we're focusing on. Like I said, what is the desired effect for all of this? Ultimately you'll have people clicking on it, but what are we trying to teach them? We're trying to teach them to stay aware, to recognise what the triggers are, to report, and if they don't know how to report, they should know where to go to ask for that. And this is the kind of positive reinforcement that we're trying to do.

Host: Any more questions?

Audience member: Have you spoken to Sarah? She gave two talks before.

Andrea: No, I haven't had the chance, but I will.

Audience member: Do, okay. She was looking at human risk and all that sort of stuff as well.

Andrea: Thank you, I will.

Audience member: Do you think that the current security focus is more on blaming the users, not the real problem, which is process failure of the companies and services that provide secure services?

Andrea: So I will give a very controversial answer and I will say yes to that. It's easy to find someone in the company who can be used as a scapegoat, rather than try and understand what the failings are along the way, because it's not one single point of failure, there are multiple, and they can be technical or they can be human related, doesn't matter. But at the end of the day, let's call it the organisation who drives the attack, they are responsible for that. We can lock as many doors as possible, but at the end of the day, if someone wants to break in, they will find a way. What we can do is make sure that we have people trained enough not to panic when that happens.

Audience member: Not sure if you can actually share this, but what was your favourite teachable moment?

Andrea: Oh, favourite teachable moment. Oh, I can actually share this. So someone clicked for the fourth time on a phishing simulation, which meant they had to see me, unlucky for them. And I think the biggest shock of their life was when they found out that actually it's unsafe to join a public Wi-Fi network that doesn't have any password. And they were like, oh, so if I go to Starbucks, would that be okay? And I was like, ideally no. And that was the biggest teachable moment, and I think some kind of light went on there, because they never clicked again.

Host: Any more questions? We're all good. Thank you so much.

Andrea: Thank you so much for having me.