Zoe Edmeades, The Security Company: “to establish a strong cybersecurity culture, clear communication is key”
With remote working models becoming the new normal in the post-pandemic world, cybercriminals are seeking to exploit the new vulnerabilities this creates, and organizations need to take action.
One of the best preventative measures that companies can take is to provide quality cybersecurity training for their employees. Numerous cybersecurity management tools such as password managers are on the rise, but proper risk awareness is something that may be lacking, especially if training is not taken seriously enough.
To talk about the newest methods of engaging and effective cybersecurity training, Cybernews sat down with Zoe Edmeades, the Managing Director and Co-Owner at The Security Company, which provides cybersecurity awareness training and behavioral change programs.
What has the journey of The Security Company been like since your launch in 1997? Were there any milestones you would like to share?
TSC is proud to be one of the first organizations to truly focus on the human factors within security and cybersecurity. We have over 25 years of experience helping organizations mitigate inadvertent human behaviors. The company was originally founded by Martin Smith and Jo Wise in 1997. I joined the company in 2007 as a Project Manager working my way up to Managing Director by 2012. Tony (Operations Director & Co-Owner) and I had just bought TSC when the pandemic hit. To say it was a baptism of fire was an understatement. However, thanks to the commitment of my amazing team and our already established client relationships we were able to weather the storm and emerge stronger.
We are also proud to have joined the growing employee-owned sector in the UK in 2019. Employee ownership research has shown that co-owned companies are more successful, competitive, profitable, and sustainable.
Cybersecurity training can often seem boring and time-consuming. What techniques do you use to ensure engaging and effective training?
This is an angle that we always get asked about. There are a few things CISOs and DPOs can do to encourage more engagement in training. We always encourage cybersecurity training programs to provide incentives such as prizes for the first, second, and third employees to pass with a 100% pass rate. This will not only increase the speed and focus of the training but can also be applied in remote, hybrid, and office-based workplaces.
Cybersecurity training can also feel disconnected for some employees, especially if you are managing a smaller close-knit team. In these instances, why not book some time out for the team to complete the training together? When scheduled time is put aside and employees learn together, there is a social understanding of the content and a greater chance that knowledge is retained, shared, and talked about long after the learning is done.
At The Security Company, we are big advocates for the gamification of cybersecurity training. Not only does "gamifying" learning make it more enjoyable, but the training is also remarkably easy to deploy, digest, and use as an efficient refresher throughout the year. Employees are far more likely to retain information when it is entertaining, as opposed to PowerPoint-esque lectures.
Have you noticed any mistakes that companies tend to make when it comes to cybersecurity awareness training?
100%. There is a ‘tick in the box’ mentality for a lot of companies and this is dangerous. Just because your employees have a 100% pass rate, or you have a box checked stating that 100% of your employees have read cyber policies, does not mitigate your risk; all this does is pass the onus onto the employee and create the illusion of protection. Regurgitating knowledge alone does not equate to improved security behaviors – to do this, we need to shape mindsets and attitudes.
Another common mistake is that annual one-off training simply does not work. By keeping the frequency of practice consistent, cybersecurity awareness sticks in the psyche, rather than eventually fading away as the mind gets inundated with other tasks and responsibilities.
Furthermore, many CISOs and DPOs don’t measure the effectiveness of their awareness and training programs. You may have all the data stating that employees have completed the learning, but has it really changed their behaviors? This is where post-assessments need to become staples in cybersecurity strategies. And finally, with all the minutiae involved in cybersecurity, one must ensure that your strategy has room to breathe. I recommend focusing on one key change objective at a time to ensure that good practice can be fully adopted before moving on to the next.
How do you think the current global events are going to influence the ways in which threat actors operate? What should organizations and individuals be on the lookout for?
We are already seeing an increase in ransomware attacks as a result of the economic instability rooted in Russia’s invasion of Ukraine. In fact, cybercriminals have been ramping up ransomware attacks and new destructive malware (malware-as-a-service) in 2022 and it doesn’t look like they will be slowing down any time soon.
Phishing and other fraud schemes are always opportunistic so we shouldn’t be surprised to see a further increase in the aggressiveness of these particular attack vectors.
We should also prepare and teach about the damage supply chain attacks can cause, particularly due to the efficiency of one successful supply chain attack opening up access to hundreds of other organizations.
And finally, with the advent and improvement of Web 3.0 services and technology – such as the Metaverse and AI machine learning – organizations need to be on the lookout for sophisticated fraud schemes. In the near future, deepfake audio, video, and even fake online avatars will be used to launch cyberattacks.
Additionally, what kind of tools or solutions do you think average individuals should have in place to combat these new threats?
There are a whole host of things individuals can do to ensure they are protected against new threats. Firstly, I would suggest using a strong password generator during sign-ups in conjunction with a password manager to help you secure and maintain multiple accounts with peace of mind. It is also extremely beneficial to set up two-factor or multi-factor authentication to ensure that only you can access your data even if the first security wall (password) is circumvented.
We all do it, but you should stop ignoring your software updates. Cybercriminals prey on hardware and devices that have not been updated with the latest security patches. Back up your data and make sure your software is up to date or you may receive an unwanted visitor through a backdoor.
Why do you think employee cybersecurity training is often overlooked?
Again, this goes back to my earlier point about the intention of organizations when they set up cybersecurity training. The problem is that organizations treat the training itself as the metric for success as if just completing the training means you are now cyber secure. The focus should always be on the effectiveness of the training and if you achieved the desired behaviors you intended.
Also, much like other forms of learning, individuals can collapse under the weight of too much information. This is compounded further when learning doesn’t innovate or engage, instead opting to repeat the same training over and over again. Naturally, employees will begin to overlook cybersecurity training if they feel they are getting nothing new or impactful from it.
Besides employee training, what other practices do you think are extremely important for every business?
That’s a very good question. Organizations must make sure their security strategy aligns with their company values, whilst maintaining a regularly planned awareness campaign. They should consider establishing a Security Champions Network to encourage better behaviors but also remember to highlight near misses to paint how real these potential attacks and their consequences are.
And finally, and I can’t stress this enough, there needs to be two-way communication. You have to make it easy for people to report security incidents and ask questions about threats, attack vectors, and what to look out for. If a business is to establish a naturally strong cybersecurity culture, then clear communication is key.
With work from home becoming the new normal, what issues do you see becoming a common occurrence?
I anticipate that businesses will struggle to control the use of mobile devices while still protecting the security of their data. Furthermore, remote employees will almost certainly link many devices and IoT devices to a single network, exposing a large number of possible vulnerabilities and breach points. Web apps commonly used by remote employees accounted for over 90% of breaches, according to Verizon's 2021 Data Breach Investigation Report (DBIR).
Share with us, what’s next for The Security Company?
2022 is set to be extremely exciting for TSC. You will have to watch this space to learn more.