On 21 September, teissTalk host Tom Langford was joined by Lisa Ventura, Cyber Security Specialist & Founder, Cyber Security Unity; Dom Lucas, Head of Security, British International Investment; and Dennis Leber, Director of Cyber Security, Honest Medical Group.
Views on news
An article in Dark Reading discusses the tactics and strategies CISOs can use to hone their leadership skills so that their organisation makes better-informed cyber security decisions. Non-cyber colleagues, especially those in SMEs, often don’t understand why they need to take cyber security seriously, yet about half of all attacks are against companies employing fewer than 50 people. CISOs should explain to boards and the C-suite that if they are enabled to sort out cyber security, nothing will stand in the way of meeting business targets. If experts use jargon and techy language when training non-security people, those people will shut down. Technical people are key to training, but often you’ll also need someone who can “decrypt” what they are saying. The question arises whether, to accelerate cyber security compliance, some basic rules should be mandated.
Making cyber-security more appealing
The right approach is probably to avoid a blame culture and to communicate to staff that these things can happen to anyone. People are often reluctant to admit that they clicked on a link for fear of losing their jobs. Nevertheless, there are examples of schemes that start disciplinary action against those who click on the wrong link three times, which can even escalate to dismissal.
One could argue that the same should apply to the IT team that lets phishing emails through the security system. Ironically, sometimes the best incentive to embrace cyber security is an incident that happens to the organisation itself. It’s also important to raise awareness of how cybercriminals see opportunities in the human vulnerabilities that arise during a volatile or emergency situation.
ChatGPT is also making it harder to spot phishing emails by their spelling or grammar. CISOs probably need to open up new channels, such as TikTok, to teach cyber security, and humour can make trainees more receptive. SMEs are hit harder by cyber-attacks than big corporations, and an attack can even force them out of business – it’s just not covered on the news. This lack of coverage can give small businesses a false sense of security, making them think that it’s always the big ones that get attacked. Because CISOs are measured on failure, they tend to go for quick fixes rather than thinking strategically.
The panel’s advice
Use real-world examples in cyber security training – such as the WhatsApp scam.
Make security simple to increase willingness for its adoption by colleagues.
Develop a cyber security champion programme.
Make friends with your finance team – you’ll need them to implement your cyber-security programme.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543