Get more insight from HSO's charity technology experts
Dynamics Matters Podcast Ep 92: How to keep your organisation secure
With special guest Steve Rawlins, Chief Information and Security Officer, HSO
✔ What your biggest security risks are
✔ Why communication is key
✔ How to create a more secure working environment
Transcript
Welcome to episode 92 of the HSO Dynamics Matters podcast.
Your regular sonic dive into the world of Microsoft technology related matters and much more besides.
I’m your host, Michael Lonnon.
How secure is your organisation? Do you know what the threats are that surround it? And do you know what measures to put in place to secure your physical and digital environments to keep unwanted threats away?
I had a chat with HSO's Chief Information Security Officer, Steve Rawlins, to get you some answers.
So, grab a brew, sit back, relax, and enjoy the show.
Michael Lonnon
The subject of today is security in an organization. Maintaining security within an organization is essential for its health. So why is security so important for maintaining the smooth running of any organization?
Steve Rawlins
I guess you've kind of already answered at a high level: you need it for the continuity of running your organization. Every company is different. Every company's got its own risk appetite; it's different. However, you need to make sure you've got your security in place. It protects everything, all your physical stuff, all your digital stuff, at a very high level. It allows us to carry on doing our jobs. If we didn't have things in place and controls in place, it would very quickly stop.
Michael Lonnon
Interestingly, do you find, generally speaking, that most people are conscientious security advocates, as far as, well, it's a terrible phrase, but they're thinking about it?
Steve Rawlins
It definitely differs company to company. I think at HSO it's something that we do take seriously. I've been in the company for four years, and it's just continued to grow, and it's part of my job to kind of encourage people to do so. We've actually just gone through our most recent ISO 27001, which is the standard for information security. One of the good bits of feedback the auditor gave us was actually around the kind of security awareness that we do for our employees and the kind of training, because you need that. You can have everything in place in the world, but if you're not telling your staff about it, they're not conscientious, then there's no point.
Michael Lonnon
Why is maintaining that level of communication important for something like getting an ISO accreditation?
Steve Rawlins
ISO is important. More and more companies are asking for it, firstly. There's a lot of companies out there that wouldn't do business with us if we didn't have it. It's a huge, huge framework. It covers a lot of stuff, and in a lot of detail. The audit itself is seven days long, and it's a painful time for someone to be asked question after question after question. It's a lot of work, but it gives our customers confidence that you know you're doing the right things.
Michael Lonnon
How did you feel after the seven days?
Steve Rawlins
I went straight to the pub; I think I was on the way to the pub during the closing meeting. It's a relief. You spend a lot of time thinking, oh, are we doing this? Are we doing that? Then actually when someone comes along, someone external, spends seven days going through everything and actually turns around at the end and says, you know what, you guys are doing an absolutely cracking job, it's a big relief. I still have a job.
Michael Lonnon
What are some of the dangers out there? What are some of the things that organizations should look out for when it comes to maintaining a secure environment?
Steve Rawlins
There's just a few things we've already touched on, actually. It's people; people are the most important thing. You can look at things around technical systems and have all the best firewalls and the best controls and the best monitoring in the world. But if you haven't got the right people and you haven't got the awareness, then you're going to struggle. There's loads and loads of different kinds of stats out there. But typically, the stats that you're seeing, for example, are that at least 85 to 95% of all data breaches are down to people. It's not to say that 85 to 95% of people in your company, or our company, are bad people. It's just down to humans. So you can have looked at all the controls, but if someone just clicks the wrong thing, then that's where you can be in trouble. So that's why it is so important to spend time talking to people, not just pay x amount of money to have the most amazing systems.
Michael Lonnon
And when you're minimizing these risks, you've already talked about communication, maintaining that regular communication to employees to help them understand what they should be looking out for and what they should be careful of. But what other methods do you take to maintain a good, secure environment?
Steve Rawlins
Yeah, so firstly, it's making sure your equipment, your infrastructure is top notch. Things change all the time and there's lots of external risks out there, so it's important that you keep up with that to make sure that your networks, etc, are all top notch. You've also got things such as the ISO 27001 framework. Cyber Essentials is another good one. So there's some really good things that actually give you a framework. If you've got everything in place, having an external framework, which is kind of fresh, and it changes from time to time, that's just a really good way of kind of benchmarking that you're doing the right thing.
Michael Lonnon
So we're fortunate, we've got yourself in the organization looking after this. This is your role, this is your remit, this is what you do day to day.
What about those organizations that aren't as lucky to have someone like yourself there? What advice would you give to them, in terms of maintaining a secure environment?
Steve Rawlins
I think firstly, you need an element of responsibility. So you might not need a CISO, but you certainly need someone who's responsible for your assets. So your data, your IP: someone needs to understand what those things are, and you also need to be able to look at what the risks are to those things and how to monitor and, if required, to actually mitigate and do something about those risks. So yes, accountability is a huge thing. That could be one person, ideally, but it could be a group of people. You definitely need that buy-in from somebody, and the buy-in from top management. Because if it doesn't happen from top management down, then you're opening yourself up to a big struggle.
Michael Lonnon
How do you measure risk? How do you measure whether you're doing things well? How do you measure whether you're doing things badly?
Steve Rawlins
Lots of different ways. Typically, risk management is a huge part of information security and a big part of ISO 27001. As part of that, we have to do annual risk assessments, and also occasionally, if new things come along, we look at what our current risks are and what controls we've got. So we put controls in place, which then reduces that risk, and then we look at what the future risk is. So it's all ongoing monitoring. We have our own ISMS, which is our information security framework, and as part of that, there's ongoing risk management and monitoring, making sure we're compliant to the ISO framework or other frameworks.
It's an ongoing journey, and we're lucky enough at HSO to have that management buy-in at a high level. We have what we call an ISO management board; we meet on a monthly basis, and that's senior directors from various areas of the business as well as one of our managing directors. We actually sit down and talk about risk. I could come up with every risk I think is applicable, but because I'm not involved in the day-to-day business, there's maybe stuff that I don't know about. So getting other people involved enables you to actually understand what's going on in the business and look at those risks that you might miss. It's just an ongoing journey with a number of people, and it's integrating risk management into the whole business, not just the IT or the security team.
Michael Lonnon
Which is why, again, security management is an ongoing process. It's not a one-off activity; you need somebody there, as you say, a person or a team, looking at this all the time.
Steve Rawlins
Yes, you have to look at it all the time because there's lots of bad guys out there, there's lots of bad guys trying to attack you and attack companies. A lot of breaches out there are not actually intentional. Just by chance they're going to get hold of somebody at some point. So you have to have the things in place to try and mitigate those risks. Again, it comes back to people and comes down to technology. But then you've also got to look at your own people as well, because people come in and out of businesses. You can't just say, right, you've been through some security awareness training, you're done. Because in 12 months' time, six months' time, you may have forgotten some of that. If you go back to my earlier point about how many breaches happen because of things like social engineering and humans, you need to continuously refresh people, so they know how to pick up on those risks as much as they can.
Michael Lonnon
That makes sense. Now, you said that you've been doing this role at HSO for the last four years. How, generally, are you seeing security? What words would you use to describe this? How have the threats evolved over the last four years, and how is security having to change to deal with those risks?
Steve Rawlins
It just tends to get harder and harder and harder. Cybersecurity is a big game of cat and mouse, always has been. You've got the good stuff, you've got the bad stuff, and it's like Tom and Jerry, ready to continually chase each other, and who's going to come out best. In my opinion, it did change a lot when COVID happened. For some reason we saw a spike in attempts, maybe because it was a vulnerable time for people. When you look at things like social engineering, a lot of it is psychological, and you've probably got less tech, and some of that can be like banking, or it could be about your health, anything that is always going to catch someone where actually, you know what, that's relevant to me. We saw a lot of that during COVID. But I think going forward, and I think it's definitely been a kind of a buzz thing this year, that's AI. I think that's one of the biggest threats we're going to see. It blows my mind away. There's a lot of talk, a lot of good stuff about AI, but there's also a lot of less good stuff. So I think that's going to be one of the biggest risks globally for everybody in the next few years.
Michael Lonnon
As always, when there's opportunity there seems to be risk; whenever something new comes up, there's something to do to kind of battle against it.
Steve Rawlins
Yeah, definitely. So interesting times ahead, hopefully good, interesting times.
Summary
Threats are all around. And yet the biggest security threat to your organisation is right in front of you. It's you. And it's the people working in your organisation.
That isn't to say people go out of their way to create threats, but we're all human, and mistakes happen.
Steve recommends two things for creating a more secure working environment. The first is to educate staff on security best practices, using regular communications to make them aware of, and keep them alert to, any potential dangers. The second is to adopt an industry framework such as ISO 27001 certification that you can follow and use to guide your security practices.
These two things alone will reduce the risks to your organisation.
And on that note, thanks for listening, until next time, take care of yourselves.