As head of IT at Thrive Homes, John Stenton shares his thoughts on why he believes ‘people power’ is key to strengthening housing providers’ security.
Let’s call her Gladys. She’s a lovely lady, one of the first in the office every morning. She is dedicated and hardworking, and she always has a smile and wants to help. However, Gladys does have some trepidations when it comes to technology.
Early one morning, Gladys walked over to me.
“Hi John, I think I have a dodgy email.”
“Hmmm…”, I thought, “I really should be working on this tender, but let’s go and have a look.”
We went back to her laptop where she showed me the email. I asked why she thought it was dodgy, knowing very well that Gladys had had the same security training as everyone else, so she should know about phishing emails.
“Well,” Gladys said, “The email address is odd and the English is terrible. They are also asking me to click on this link quickly because I’ve run out of email space, but you’ve told me before that that won’t happen.”
“No, you won’t run out of space. So, is this a phishing email?”
“Yes, I think it is.”
I thanked Gladys and asked her if she knew what she was supposed to do next.
“Send an email to xxx, so that they can clean the email out of everyone’s inbox,” she said correctly.
This ten-minute exchange set me thinking; what had just happened? No idea – I’m in IT and we’re a little thick-skinned sometimes.
A couple of weeks later, Gladys does the same thing. Over she sidles, early in the morning.
“Hi Gladys, how can I help?”
“Well, I think I have another dodgy email.”
“OK, let’s have a look.”
“You see? It’s asking me for Amazon vouchers for Elspeth (Thrive’s CEO) but it isn’t from her Thrive email address, so I think it’s a fake!”
“You’re right, Gladys, so do I. Well done, that’s an easy scam to fall for. I’m proud of you for catching that one. So, what’s the next step?”
A beaming Gladys then proceeded to tell me about sending the email on to our managed services provider so that they could check it and purge it from everyone else’s inboxes, just in case anyone else had also received the same thing.
“That’s the perfect response, Gladys. Exactly right, you’re an expert – you don’t need me to help you with checking dodgy emails anymore!”
I may be thick-skinned, but even I could feel something odd going on. Still, back to our P2P (purchase-to-pay) systems and paying off some invoices…
Let’s now fast-forward a few more weeks. I’m walking down the office (past Gladys) and what do I hear? Gladys is explaining to someone how a particular email is a fake and asking them, “What do you need to do next?”
I smiled at how the tables had turned, then it occurred to me – what had just happened? Gladys, a self-confessed technophobe, was giving out cyber-security advice to her team and peers – what on earth was going on?
OK folks, this is it – the social hack.
We are all users, and we are all the weakest link in cyber security. In February 2020, the NCSC Weekly Threat Report claimed that 90 per cent of breaches are caused by human error.
This isn’t about end-user training; we all do that. This is about getting users to be more aware and pay attention ‘in the moment’.
Thrive’s end-users now seem to be more ‘present’; they take care to look at the web links and emails – they don’t click on ransomware, thank goodness!
How did this happen?
Giving them some of my personal attention, by showing them what they already know is right and wrong, is the key to reinforcing the training.
I am sure you could get similar results; your end-users know that your time is precious (because you don’t have time to share it, usually) so when you do, they know it’s important and they feel valued. I think of this time as an investment in order to reduce the number of times I have to stand in front of our board and explain a data breach or at least a near miss.
I can hear you already; you have too many users to do this. I know, I do too. Everyone in Thrive knows me, but I can’t spend time with all of them, so choose your ‘targets’.
My first targets after Gladys were the ‘super users’. They’re already IT savvy, so get them on side, highlight the importance of their roles, share some enthusiasm with them and they will have more to share with their teams.
When the pandemic and the lockdown ease, try to get an hour in their team meetings (it’s the equivalent of a week sitting with individual end-users). Make it fun, make it interactive and show that you care. They’re used to ignoring boring emails, yet face-to-face interaction with a senior manager is memorable, especially if it’s fun.
You don’t have to do this on your own. Share the load with other leaders across the business. The super users are a start but bringing other managers on board will amplify the ripple effect.
Use what influence you have with the rest of your leadership team. Show them the way and remind them that a data breach is managed by you and your peers, not by the person who caused it. You have to explain it to the board and the ICO, so use that as a lever to get some time from the leaders in your organisation to help get your users ‘in the moment’.
That’s my security hack – use the ‘power of the people’. Cyber criminals can destroy your business and your colleagues can stop them, but only if they understand the importance (that your time demonstrates) and are empowered by you to do the right thing.
John Stenton is the head of IT at Thrive Homes.