Mike Worth [00:00:00]:
I think the complexity comes when thinking that spending money on IT security tools will solve the cybersecurity problem. Because the biggest investment I feel that you should make around cybersecurity is in humans. It’s got to be targeted to the humans working for you and it’s got to be personable to them.
Karissa Breen [00:00:35]:
Joining me now is Mike Worth, founder of Indi-tech consultancy, and today we're discussing how cybersecurity for SMBs is critical when and where it's understood. So Mike, thanks for joining and welcome.
Mike Worth [00:00:53]:
Thank you very much for having me on the show. Really looking forward to it.
Karissa Breen [00:00:56]:
Okay, so Mike, you've obviously got quite a strong pedigree in this space. You spend a lot of time working with legal firms, mid-size law firms, etc. So you've obviously got a lot of knowledge in a very specific vertical, which is interesting because sometimes other people are a little bit more general. But I think I really want to go deep down on this vertical because it is a big one, it's an important one. So perhaps tell me, what are some of the biggest misconceptions that you've seen in these legal businesses when it comes to sort of cyber risk?
Mike Worth [00:01:28]:
I've worked across different sectors in my career. The last 12 years have been in the legal sector, which is a great space to be in. I think I found the biggest misconception within the law firm is they fail at cybersecurity sometimes not because they don't care, but because they see it as an IT problem, not as a business risk. And you think the solicitors, the lawyers that work in these spaces, they run the businesses, they're very well educated people, intelligent, innovative people, and I'm sure if they're given space and time, cybersecurity would be a very straightforward subject for them. When they think about it, I think the problem comes where they work in a professional services business, they bill by the hour, their pure focus is hitting their targets for the business, and it becomes less of an issue for them worrying about links and emails, attachments and other means of cyber criminal activity.
Karissa Breen [00:02:26]:
Yeah, so this is interesting. So would you say that as well, even if you're not working in a law firm, just say like a general business consultancy, like these people are billing by the hour as well. Would that similar mindset apply though in terms of billable hours, in inverted commas, or...
Mike Worth [00:02:40]:
I don't think the impact's the same. I think with professional services, where it is literally time is money, that is how it's viewed and that's how the profession is really viewed as well. I think other businesses, obviously it would cost them money around cyber issues by the day whatsoever, but I don't think they measure it incrementally in that kind of fashion.
Karissa Breen [00:03:01]:
And so because they do measure income in like, I've even heard that some people bill in like five, seven minute blocks. Would you say that's what's attributing to perhaps cybersecurity being overlooked? Because I mean at the end of the day businesses want to make money, partners want to make money. At the end of the day that's normal human nature, but which is a key driving factor as to not doing these other things perhaps, because then if you're doing other like cyber stuff, are you going to do like a security awareness training for an hour when you're getting billed at a thousand bucks an hour? That's a big chunk of money that you're sort of effectively not getting or billing.
Mike Worth [00:03:33]:
Yeah, no, absolutely. You hit the nail on the head there. Taking time out to undertake other activities towards things like not just cyber security but other legal requirements as well does cost the business money in that effect.
Karissa Breen [00:03:48]:
And then would you also say that it’s more of an opportunity cost as well? So it’s like, okay, I’ve got arbitrary 10 hours in a day, eight of them I want to spend billing customers rather than, you know, eight of them thinking about cyber security. I mean I’m giving very over extreme examples, but it’s more about getting into the mindset of why businesses of this caliber are focusing on things like this.
Mike Worth [00:04:15]:
In my time through the legal sector, I've seen the mindset change more. The C suite or the managing partners taking more interest, taking more notice. I'm still seeing firms, I was speaking to one only yesterday, a boutique London firm. They didn't really even seem to have an IT strategy, let alone a cyber one. So seeing this still as a real life scenario happening today is something that's quite worrying.
Karissa Breen [00:04:45]:
Would you say, I know that you said you've worked in the legal sector for 12 years, but then obviously you worked in other sectors. Would you say, in terms of like a race, legal is definitely towards the back of the race rather than leading the pack? Because you've obviously got more regulated industries which are probably by default, by compliance etc., at the top and leading, but where do they sort of sit in the pecking order?
Mike Worth [00:05:08]:
I think it depends what areas that you look at in legal. So you have the big law firms, the Dentons and other firms of a massive size that have lots of rainbows with pots of gold security teams, just lots of money to put into that space. The problem comes when you start looking at the small to medium law firm market, and their investment in IT, let alone cybersecurity, takes a bigger chunk out of their profits. So when they spend it, it needs to be spent on something more specific and more effective, because ultimately any breach, like any company, hits your reputational damage, hits your trust and it will drive business away.
Karissa Breen [00:05:53]:
And when you say spent on something more specific, are we talking cyber IT or just like other general things that they’d prefer to invest their money on or in?
Mike Worth [00:06:03]:
I think the complexity comes when thinking that spending money on IT security tools will solve the cybersecurity problem. Because the biggest investment I feel that you should make around cybersecurity is in humans. It’s gotta be targeted to the humans working for you and it’s gotta be personable to them.
Karissa Breen [00:06:24]:
Okay, so the part that I'm quite curious about, given there is a little bit of, you know, reluctance there, of, you know, we're a small firm, you know, who's gonna think about us. All the stuff that you and I know about, that the industry generally knows about. Given your experience in this space with SMB businesses, how do you sort of shift them towards, hey, look, I know your key deliverables each day are to do billable hours. Right, we get that. How do you shift them towards caring about cybersecurity more than just a tick box exercise? To think a little bit more strategic, long term. How do you get them away from, well, I've got to spend an hour to look at this, which means an hour that I'm not billing.
Mike Worth [00:07:08]:
It's a really good question. I spent quite a lot of the last 12 years building a cybersecurity culture within a law firm. And the culture was essential to keep the business safe. You look at how can you build that culture, and the way to build the culture is to keep things short and sharp. I'm a youth football coach and even in coaching I use behavioral science as part of it, which is repetition, repetition, repetition. So I think you have to tell someone something about 23 times until it actually is retained if it's something that they're not interested in. But you've got to make it fun, you've got to keep it real, like real life scenarios. You've got to keep it short. You've got to keep it relevant and on topic and, you know, the environment needs to be a safe space as well for people reporting mistakes or opening test phishing emails.
Mike Worth [00:08:03]:
And they've got to feel safe to speak up because speaking up then in effect has a positive return and reduces your risk dramatically. So I think you have to keep it short and sharp. You look at other phishing awareness companies like KnowBe4, they've started using short and sharp videos, making them into like a series that people want to go back and keep watching because they're short, they're sharp and they actually keep people's attention. But actually they remember and they start bringing on the correct behaviors when it comes to working around cybersecurity and keeping themselves and the business, and actually at home personally, safe.
Karissa Breen [00:08:49]:
Okay, I really want to get into this. I find this really fascinating now. So what was coming to my mind was, you said short and sharp. So I don't know about you, but at the end of the night I like to scroll reels like probably 98% of the population out there do. Why? Because it's short and sharp. So going back to your point, which I liked, you know, making it relevant, making it something fun, because it'll then be a little bit more interesting to them. Typically speaking, if you're not really working in cybersecurity, you probably don't really think it's fun, to extend on that.
Karissa Breen [00:09:17]:
If I'm scrolling a reel and, I don't know, someone goes 10 things about horticulture. If I look at a minute, I can spare a minute, Mike, but I'm not going to spend an hour learning about horticulture. Why? I don't care. I find it boring. But a minute, I'm happy to listen to you. So I want to get into the short and sharp side of it because now people's attention currency is really hard to get. People are bored instantly.
Karissa Breen [00:09:39]:
They're scrolling, their eyes are glazing over, they're not doing it properly. So I'm really curious to explore that because, going back to your point around human behavior, this is how people are consuming content more broadly speaking. But again in businesses, some of these trainings just go on forever and I think it's too long. And as a result people don't retain the information and it actually probably does more of a disservice, because they're then actually annoyed at the cybersecurity function in general because it's bored them to sleep.
Mike Worth [00:10:07]:
Yeah, I've seen it. I've seen it many times. It's never been my approach. My approach has always been making it very personable. So, you know, cybersecurity, you see all the different things. You talk to big CEOs from big companies and I hear all the kind of things that they say about protection from cybersecurity, but they always come back to the fundamentals, which is keeping things simple. But I like to spin it round and make it more personable to them because that way it gauges their attention a lot quicker. If I say to them, well, don't keep using the same password for everything at work, they'd be like, yeah, whatever.
Mike Worth [00:10:43]:
Or they'll stick a post-it note on their screen with a password on. But if you position it, you do a little bit of emotional intelligence and a bit more deep diving into what they like, what they enjoy. Or they enjoy shopping online. Did you know if you use the same password here as you do in work, if somebody breaches your work account, they'll then go and try and find your personal account that they can break into. They'll use your credit card to buy stuff from your account. And when you start changing the scenario round and making it more personable to them, you're basically saying what you do at home and how you act on your personal devices should be exactly the same as what you do in the office, by keeping it safe.
Karissa Breen [00:11:22]:
Yes, good points. Because do you think, generally speaking, and I know like when you're working in a big enterprise, it's a bit harder to personalize it for 50,000 people. But in an SMB like you're saying, you know, under 50 people, you can probably spend a bit of time making it happen. Right. Do you believe the industry, generally speaking, has just naturally like overcomplicated things and as a result it's really deterred people from really caring about what's going on in the cyber world?
Mike Worth [00:11:52]:
Yeah, I mean complacency, absolutely. Over complicated. I go back to KnowBe4 making a little series of videos, and I hear even people that leave the company, they still want to see the next episode because they want to know what happened. And it's all based around real life scenarios and actually things that you end up laughing at as well. You have comedy things like The IT Crowd, which is a really funny kind of like IT geek comedy series, which I haven't actually watched. But it's based around people being stupid and how they act and taking the mickey out of people and laughing at it. But at the same time it's highlighting what actually happens. And people's behaviors as well.
Karissa Breen [00:12:35]:
I have seen that show. It’s a good show. You should definitely watch it.
Mike Worth [00:12:38]:
Saw a couple of episodes and I started to cringe. I moved away.
Karissa Breen [00:12:42]:
Okay, so that's a good word, cringe. That was going to be my next question. Literally what I've seen over the last, I don't know, 12, 15 years is, and I've worked with firms before, the content is cringe. How do we avoid it? I know, like, I'm just trying to be honest here, because I do believe that people mean well, it just doesn't execute well. And then it just, it's like, why? How do we get away from that?
Mike Worth [00:13:07]:
How do we move away from cringe? It's a very good question. And you know, I keep going back to just relating it to things that I've done in my past in building that kind of culture. And moving away from cringe is kind of relating it to just real life scenarios. It's making it personable. It's the key to activating people's emotional intelligence to get them involved, even to the point of making it more competitive. So it may be cringe, but if you can make it competitive, people are naturally competitive. And if you can put it into a more competitive context, it then draws people in because they want to do well, if that answers your question.
Karissa Breen [00:13:52]:
Okay, so what I’m hearing is cringe. But competitive makes sense. But if it’s just cringe without the competitiveness, it’s going to be improved. Is that correct?
Mike Worth [00:14:02]:
Absolutely. Neither of us would sit through something that’s cringy that we find boring and complacent. It’s not what we do. We want to be what’s next moving forward.
Karissa Breen [00:14:12]:
What about demographics? So I'm a millennial, but then you have, like, Gen Z's, like some of the stuff that they know about. Like I had to explain to someone in their teens once what dial up Internet was. So there are certain terms, like perhaps can you then make specific content for different demographics? Or when I was like a younger kid and my parents would say like, oh, you know, when this like historic thing happened, I was like, I don't know, like, I'm like, not that old. I don't know. Obviously it's a bit different now because I'm a bit older, but the same sort of applies sometimes for younger folks as well. They may not get certain things that older people would get or like, you know, older generations would get, etc. So would that potentially work as well to make sure that it's relevant for them? Because, like, certain phraseology and certain terms, Gen Z just don't say. They think we're cringe millennials. Like, they're getting around in their crew socks.
Karissa Breen [00:15:06]:
Apparently, you know, if you're wearing ankle socks, that's you, clearly a millennial. Right. So this is the part where I'm finding it quite interesting.
Mike Worth [00:15:13]:
Yeah. That age demographic. Absolutely. I mean, I've got three kids. If I do something, you know, when you're younger, if you danced at a party, you were dancing at a party. Then when you're a dad, you dance at a party, you're dad dancing. So you have that kind of interpretation from the different age groups and different generations. But ultimately, regardless of that, they still have similar behavioral indicators.
Mike Worth [00:15:37]:
People thrive on challenge. They may not like it, but it drives us forward. Pressure drives us forward. The right amount of pressure. Looking at how we move forward, what makes us confident? What are we confident in doing? Obviously the lower gens, your gens, are more based around tech and content, content on content.
Mike Worth [00:15:57]:
As you said, the short and sharp kind of thing, the TikTok reels, the Snapchat reels or whatever they're looking at, it's all taken on board pretty quickly. But ultimately, however they're consuming that information, the information has to be very similar in its message.
Karissa Breen [00:16:15]:
And when you said pressure, do you mean pressure towards, if it's a cringe but competitive sort of campaign, they've got pressure to be like, I want to win, I want to be best in the business? Like, is that what you mean by...
Mike Worth [00:16:25]:
The pressure, or the pressure to perform? The pressure to understand, the pressure to be part of something. The pressure to be in the know. The newer gens have a lot more pressure on them from the social media aspect of it as well. If their friends know and they don't, they want to know. If you can get some of them on the bandwagon of wanting to know more about cybersecurity, in that kind of generation it would spread like wildfire.
Karissa Breen [00:16:53]:
Interestingly, a while ago I was working with a law firm when I was in consulting and the CIO was like, yeah, the part that gets me a little bit, KB, is just in security we just keep telling people, like, don't click on the link. But there's no, like, why you don't. So do you think that people... No one wants to be nagged at, to be like, oh, don't click on the link, Mike, don't do this. It seems to be like, don't do all of these things. And then therefore it can come across a little bit condescending.
Karissa Breen [00:17:18]:
Sure. Do you think as well, it's just how people are framing it, which is just not conducive to someone. I mean, these people are professionals. Right. Like you're not working in a legal firm because you're a moron. Like, you're smart. Yes, you may not be the most in-depth cybersecurity professional, but hey, you're really good at, you know, being a lawyer.
Karissa Breen [00:17:35]:
So how do we move from parenting people in our business to educating them in a way where, yes, it's not cringe, but also we're not sort of talking down to people a little bit? There's still a little bit of that stigma, unfortunately, in this industry. I go back...
Mike Worth [00:17:51]:
To my coaching as well. I'm a trained football coach, UEFA coach. And I think it's really important that the way you approach things, it's not don't do this, don't do that. It's more about changing that round, about rewarding behavior that's right. So I have a group of players standing there, three or four of them are chatting. One is standing there completely quiet, standing there listening to me, wanting me to talk.
Mike Worth [00:18:16]:
I praise that individual for standing there ready and waiting, and everyone else all of a sudden is quiet. And that's not with me telling them to be quiet. I'm praising the right person. I think when you praise behavior, that's the positive behavior, rather than say, don't do this, don't do that. Because as you said, as we spoke at the beginning, lawyers and solicitors in the legal world are highly intelligent, innovative, very smart people. And you're right, they don't want people telling them, don't do this, don't do that. But pilots are very intelligent people as well. And I know part of the pilot training, from what I've heard, is there's an obstacle while they're flying the plane in a simulator.
Mike Worth [00:18:59]:
They don’t say, don’t fly into the obstacle. What they say is, let’s concentrate on the blue sky on the other side. And it is a natural way of giving people some credit for the intelligence.
Karissa Breen [00:19:12]:
Yeah. And that's the part that's interesting as well, because we don't know about all the ins and outs that they do to be a lawyer. Like, we don't. So I think it comes across a little unfair and a little bit unbalanced sometimes. Like we expect them to know all these things that we know, day in, day out, 15, 20 year, 30 year veterans that are doing this stuff day in, day out. But yet, just because the person who's a partner in a law firm doesn't necessarily understand things to the, you know, minutiae, I just don't believe it's their fault.
Karissa Breen [00:19:37]:
But again, it does get people offside, as you would know, Mike, when you're sort of talking down to them and you're sort of treating them like a child.
Mike Worth [00:19:46]:
Yeah, absolutely. You don't. I work with people at all levels. I talk to everyone and treat everyone with the same respect. Instead of talking to another firm and their managing partner, the owner of the firm, the founder of the firm, is the one who makes the IT decisions. And people just add what they think they should do, and it gets decided whether he thinks it's right or not. And that's based off somebody who's a legal professional, who's top of his game in his legal career, that likes to do it because everyone knows something about it.
Karissa Breen [00:20:20]:
So I'm going to slightly change tack now and I want to talk about what you see SMBs wasting money on in terms of security tools that perhaps overall don't meaningfully reduce risk. Talk me through that.
Mike Worth [00:20:37]:
It's quite common. I mean the law firms of that size don't tend to inherently want to spend a lot of money on IT, let alone security around it. And the biggest risk of spending that money is it's more the complexity, people being complacent and the lack of knowledge and understanding. You have a salesperson saying buy this, or take you from ransomware. But the question should be, okay, but what happens if ransomware gets past it? They don't have the knowledge and understanding in the SMB space because they don't normally have a head of IT. They don't normally have a senior IT official, kind of like working for the company. That's part of the reason why when I was setting up Inditech, part of what I wanted to do was the fractional IT leader, which people call directors and stuff like that. Because that space is so important.
Mike Worth [00:21:32]:
There isn't a space within the law firm for somebody to have ownership at the C suite level or the partner-led level and an understanding, and that can lead to external providers selling software here and there. And the more money you pay, the more protected you are, which isn't the case.
Karissa Breen [00:21:53]:
This is interesting because I've heard this from other people as well. So do you think sometimes, perhaps because there is a lack of understanding about certain areas, the right questions aren't asked? So therefore there's a lot of gray area on what they're buying. Perhaps like certain things I'm not an expert in buying, so I may not ask the right questions and may overlook certain areas because I'm not an expert in asking certain things. Do you think it's sort of the same here when people are procuring these sorts of products and services?
Mike Worth [00:22:28]:
Absolutely. I'm not a master at marketing, but could I market? Yeah. Could I waste money marketing? Absolutely. Because I won't know the intricacies of what I'm doing. The same happens within that kind of environment. And again, it's not a lack of care, a lack of want, but it is a gray space that becomes a lack of understanding. You know, some businesses think we're going to do Cyber Essentials Plus, which is the UK accreditation, government accreditation for a baseline of protection within businesses.
Mike Worth [00:22:57]:
Within the UK it's optional whether you do it or not. But it's starting to become more mainstream and businesses start actually taking it on board. And alongside that you have cyber insurance. So a firm will take on the accreditation, pass the accreditation, which is a baseline. It doesn't mean you're super protected. It means you've got a good base to start from. But they also get, as part of that, cyber insurance. And the funny thing is with the cyber insurance, like all insurances, if I insure my car, then I go out and put some mods on it, put bigger tires on it, ramp the engine up, I'm no longer insured.
Mike Worth [00:23:36]:
But the cyber insurance that firms take on as well, they take it on thinking we're protected. As soon as they get hit with a breach, and maybe part of their insurance was that they haven't got their multi-factor authentication turned on for everything, then that insurance is no longer valid.
Karissa Breen [00:23:53]:
Yeah, okay, so walk me through, is the mindset, and again, this is general, that something happens, but it's okay because I've got the insurance? Now from my understanding there's a certain way that some of these insurance players, you've got to engage with them like instantly. If you don't do that instantly, it's like, oh, you're not covered now because you didn't listen to us, you did all these other steps, therefore we can't cover you because you didn't come to us from the get go. Therefore that's one route of them not getting covered. But then also is it like, oh well, it doesn't really matter, I have insurance? So for example car insurance, I'm not going to go drive recklessly because I don't want to injure myself.
Karissa Breen [00:24:29]:
But maybe some people have that theory of, oh, I can drive around like a maniac on the road because I have car insurance.
Mike Worth [00:24:35]:
Absolutely. You've got to pick your external partners, regardless of the cyber or whatever tech. You've got to pick them and pick them well and do your research on them. The same applies to cyber insurance. You don't want to be partnered with the insurance company that's happy to insure you but will put every obstacle in the way to pay out. You want to be with an insurance company that does cyber insurance, but they work with you to ensure you meet the levels of insurance that they're insuring you for. And I can categorically say I've seen it on more than one occasion where the insurance sits there in person being paid for, and the actual setup within the business doesn't meet their needs.
Karissa Breen [00:25:23]:
Yeah. Okay, so how would you sort of explain to these people in these businesses, like, are there sort of things that they should look out for when they're speaking to a vendor, when they're speaking to a service provider? They'd be like, well, that could be a red flag, obviously.
Mike Worth [00:25:39]:
Quick sell. Quick sell always, you know, is definitely a red flag. I just want to sell on the sell. How much interest are they showing in your business? On any SMB kind of side of things, if you work with an external partner, you want them to know who your business is and know something about your business and actually pay an interest in your business. Because if they're not, it's insurance for a purpose rather than insurance for a designed goal as such.
Karissa Breen [00:26:08]:
Yeah, okay, those are good points. And so then my next sort of question would be, what about awareness fatigue? So what I mean by that is, and I've experienced this myself, which is why I'm asking the question, historically, when things are really long, it's not short and sharp, it's long, it's a little bit banal, et cetera. People sort of just click through it just to get it done and dusted. How do we avoid that as well? Because we want people doing that again, it's counterintuitive to doing the exercise in the first place. So what are your thoughts then on this?
Mike Worth [00:26:41]:
It's a good question. I felt that kind of awareness fatigue sitting through anti money laundering half day sessions, which I don't think at the best of times could be made entertaining. Same with health and safety videos and things like that. But I go back to a lot around, I like to focus on the human element of cybersecurity. And for me, awareness fatigue, repetition, repetition, repetition, repetition enforces the message. Fine. It goes back to short and sharp. Make it fun.
Mike Worth [00:27:14]:
If you can make it funny and competitive, even better. Keeping it short and relevant, making any information scenarios personable. For example, there's a YouTube video I've used a few times where there's a sign outside a coffee shop, and the coffee shop has got a message on the billboard that says, Like our Facebook page, get free coffee. So people walking past, liking it, going in and getting the coffee, and as they're giving the coffee to the person, they've actually taken their data off their Facebook account. They've put their full name, they've put the date of birth, if it's sitting on there. They've put the job that they do, their best friend's name, and they've handed them the coffee and just said, there you go, Mike. Have a good day at your law firm as head of IT. And it's really quite impactful, that real life scenario, because how many of us would walk past the coffee shop and think, oh, if I like this, I get free coffee.
Mike Worth [00:28:09]:
Everyone loves free coffee. And praising reporting mistakes, praising making mistakes. Again, I'll go back to my coaching. Somebody makes a mistake, you praise the attempt. If they continually make mistakes over and over and over again, you have to take a different approach. But if you praise a mistake, people try to do the right thing. And you create a culture with a safe space where people are happy to speak up.
Karissa Breen [00:28:32]:
Okay, I like this because I’m going to ask you something. I hope you can answer the last part of it. Nothing beats a.
Mike Worth [00:28:41]:
Nothing beats a.
Karissa Breen [00:28:43]:
Well, okay, let me explain it. So, nothing beats a Jet2 holiday. Have you seen that repertoire? Also, it's in your part of the world. So I thought you may have known it. I was taking a bit of a chance. How many times have you seen that now?
Mike Worth [00:28:58]:
Oh, hundreds. It’s brilliant. It’s great.
Karissa Breen [00:29:00]:
And then there's people that have gone around and asked people like, hey, finish the rest of the sentence. Nothing beats a... And they're like, Jet2. Oh, they get it. So, because it's repetitive. And so I think that that is case in point to what you've been saying. It's super simple, but it's competitive.
Mike Worth [00:29:12]:
Yeah, absolutely. And it’s funny. So you remember it?
Karissa Breen [00:29:15]:
Well, yeah, now I can't get it out of my head. And it's like when we're going at those radio ads or those television commercials that we'd see and we can still remember it to this day. Unfortunately, people don't remember things like that as much anymore because it's not repetitive. But how do we get closer to becoming more like that, where it is a little bit repetitive? Like do we need to scale everything back and just focus on, okay, maybe if it's only one thing for the entire year I need to sort of drum into the employees just for a year. Like we're trying to give all these things out in cybersecurity, acting as if these people should understand quite intricate architecture designs and stuff like that. Whereas how do we just strip it all back so that maybe there's one thing that they do remember? I think the...
Mike Worth [00:30:04]:
Tax change really, because you do have this yearly kind of training kind of thing that's always been a historic thing. Yearly training, sit down, anti money laundering training, sit down, health and safety training, sit down, this yearly kind of thing going on. And cyber, I'd just treat as a daily risk, you know. I'd be more inclined to have shorter times between them, but short content, maybe more specific content, maybe more modular content that might actually reflect better on what that person does as a role. They could even pick that modular outcome. Maybe they're an accountant and they want to understand a bit more about cybersecurity problems with accountancy rather than generic law firms. The biggest risk in law firms has been and will continue to be for the foreseeable future email. Email obviously impacts all of us with phishing emails and stuff. But email within legal is such a heavily used tool, it's also the biggest attack vector for cyber criminals as well.
Karissa Breen [00:31:08]:
And so I lastly want to ask about metrics. So there's a lot of people out there that are like, okay, well 50 of the people in the company have done the training successfully. That doesn't mean that they get it. I mean if they had to do a test on it immediately, people probably would fail it. So what are some maybe just simple, rudimentary metrics to be like, okay, generally people overall are kind of getting it now, or they're understanding it a little bit more because maybe we've made it short and sharp, haven't overcomplicated it, made it less cringe, or cringe but competitive? What does that look like in your eyes?
Mike Worth [00:31:42]:
A simple example of that would be phishing email testing. So one of the softwares I've rolled out before on the training side of things was for new starters. They come to the business, they have to complete cyber awareness training before they move on and start on systems. It's a 30 minute interactive Q&A video based kind of induction on the cybersecurity side of things. And then that rolls them into, you know, this is old hat, you know about this. Most people know about this. You get pushed into a phishing email campaign, which is a test one, which keeps you on your toes. So maybe one, two or three emails a month will come through.
Mike Worth [00:32:20]:
A couple of them will be generally quite easy to spot and then another one might come in looking a little bit more unsure about. But the simple metric there is, if people do click on that test version link, do they report it? Do they not report it? It's a very easy metric. You can see if it's been clicked or not. If you've not heard or had any reports and a form's not been filled out to say, oops, sorry, I've done this. That's a very basic metric. You can also look at behavioral indicators as well. The way people behave can also highlight behavior, sometimes even more than actually specific metrics that you're measuring: the behavior of somebody and how they're working when they work. Do they try and bypass the MFA? Do they often ask for things to be restored that they've made mistakes on and deleted? Just behavioral things as well.
Mike Worth [00:33:16]:
And I think it’s just more healthy looking at human behavior as part of your risk posture as such, because all compliance metrics aren’t necessarily just facts and figures.
Karissa Breen [00:33:31]:
And lastly, Mike, what is one thing, or any final thoughts, closing comments you'd like to leave our...
Mike Worth [00:33:37]:
Audience with. Today, law firms that do cybersecurity well, they don't have to be the most technical, but they're the ones that I always say are calm. They invest in their people, they're prepared and they're open and honest about their risks. They don't try and hide them. And I think that's a real, very strong culture to have in place to defend against cybersecurity problems.