much ‘wrong’ you’re willing to accept to get
higher detection.
How can businesses improve their
defences against users being tricked
into inviting malicious attackers into
their network?
You need to structure things so that they’re
more personal – use real examples of
phishes that were sent to your executives
as a screenshot in the presentation that
you do for your staff. Have someone in one
of your departments stand up and tell a
story of what happened to them – make
it personal if possible. Another approach,
which can often be a better solution, is to
change a business process rather than trying
to do it with technology. A lot of businesses
are doing this to try to avoid business
email compromise, where people are being
tricked into changing a wire transfer because
someone impersonated the CFO or the Head of
Finance. Look at your business processes and
see if there’s a way you can train a small
number of people on a very specific thing
that helps protect them rather than trying
to do a generic thing for 400 people that
only applies to a small number of them. At
Sophos for example, our Human Resources
department is responsible for opening up
people’s CVs all day. Nobody
else is responsible for that, so if we can focus
training just on the four of them and make
it more personal to their way of working
by showing them a slightly harder way of
doing it, that’s going to provide security and
safety. I don’t want to train 500 employees
on it – they’re not going to pay attention
to it, or if it’s hard it’s going to slow them
down. I only really care about the four
employees in HR because they’re the ones
that are high-risk. I can afford to give them
personal training, rather than some kind of
broadcast medium.

“I think where the real value is going to lie in the long term will be focused on augmenting the humans so that we become more efficient at what we do.”

www.intelligentcio.com
How can employees contribute to
creating a positive culture around
data security?
I think it’s really important that it’s positive.
An incentive might be to do a drawing for a
gift card for £100 to a nice local restaurant
once a month and tell them that if they
report anything they think might be a phish
to the security team, we promise we’ll get back
to them in half an hour, and anybody that
reports something, we’ll put their name in
the phish bowl and we’ll draw a card once
a month – it’s the best £50 or £100 they’ll
spend. It’s saying, please help us – we can’t
do security without you and to show you