An interview with Emma W, Head of Cyber Essentials at the UK’s National Cyber Security Centre
A senior software engineer receives yet another internal phishing simulation. He knows exactly how the test works at his company, so he has a system. Every simulated phish goes into a special folder. From time to time, he opens the folder and clicks through everything, just to make sure he comes up as the “worst liability” at his company.
And then he waits. But no one follows up with him.
“Stop with the bad phishing training!” Emma, who leads the Cyber Essentials scheme at the National Cyber Security Centre (NCSC), is exasperated with harmful phishing simulations.
Emma has worked for the government for 23 years in a variety of roles, specialising in people-centred security, security culture and security communications. She worked on the NCSC Password Guidance, People: The Strongest Link, phishing guidance, government security culture guidance and many more. (NB. Links to this best practice guidance are listed at the end of this interview.)
The software engineer is her friend, who, like many discerning employees, has figured out how to game the system. He’s even prodding the security team to do something about his “bad” behaviour. But nothing happens, and so this exercise is a waste of time.
Another way that phishing simulations can hurt is by distancing the very people you’re trying to engage. Emma says that the fastest way to ruin cyber security culture is by treating people like they’re liabilities. Cyber security has long been about catching people doing something wrong and hoping that the sting of “gotcha” will make them learn.
Well, people do learn, but often the wrong lesson. What they’re learning is:
“I can’t trust you.”
“You’re not on my side.”
“You’re not a safe team to approach if I’m unsure or – heaven forbid – if I made a mistake.”
Now they’re afraid to tell you when things really go wrong.
Welcome the calls for help
You need people to tell you when things go wrong – or better yet, when things are about to go wrong. They are valuable “human sensors” that help you monitor the health of the organisation.
But this doesn’t mean they need to be security experts.
Emma says it’s actually great that most people don’t think about cyber security constantly: “we don’t need a whole organisation of security experts.” You want people to be great at their own jobs.
A healthy culture, Emma says, is one that asks everyone to build a broad sense of what’s OK and what’s not OK when it comes to cyber security. They need to understand when and how to raise concerns. And know that whenever they’re not sure, they can ask for help without being shamed.
What you want to be hearing is:
“I don’t know how to do this. Can you remind me?”
“This email looks ropey. Can you help me sort out if it’s a bad one or not?”
Cyber Essentials: A culture starter pack?
Emma is passionate about her work with Cyber Essentials. At its core, Cyber Essentials simply sets a minimum standard for cyber security: five technical controls designed to defend against the most common cyber security threats.
But it can also teach us a few things about building a healthy culture.
Emma says that for many small and medium organisations, cyber security is all about fear. They hear horror stories. They know they should do something. But they don’t know what. When people feel scared and helpless, they turn away. They avoid the topic, postpone decisions, and hope bad things don’t happen.
Cyber Essentials acts as an entry point. A way to turn fear into action. And starting small builds self-efficacy. Once organisations see that they’re capable of tackling their problems, they feel more in control and more willing to take the next steps. She feels that through her work with Cyber Essentials, she and her team are making tangible improvements in cyber resilience across the UK, every day. A minimum standard isn’t the landing point. It’s a springboard.
Entering an ecosystem of support
But culture doesn’t build itself from just a few technical controls. Emma says that the “secret sauce” of Cyber Essentials is that it’s also a step into a support ecosystem: NCSC-assured assessors and highly trained expert advisors that give people hands-on support. A group of people you can trust.
Emma shares a story about the first steps toward building this relationship.
Through IASME – the official Cyber Essentials Delivery Partner – the NCSC started offering small and medium organisations a free 30-minute consultation with its cyber advisors to help them towards Cyber Essentials certification. One day, a local food bank called in. When the cyber advisor on the line realised that the food bank had absolutely no money to spare, he stayed on the phone for 4 hours to help them with every step needed to make them secure. At the end of the call, he said,
“Anything else you need, call me.”
It’s not just your expertise that will get people to ask you for help. You need to spend time with them to show that their problems matter to you.
What is our priority? Show, don’t (just) tell
Organisations are often very good at stating their priorities and values.
But just saying that something is a priority doesn’t make it so. It may be no more than good intentions. If an organisation says “security is important to us” but doesn’t have any mandatory security training and awareness for new employees – or even an introduction to the security team – then people quickly learn that security isn’t a real priority around here.
The most reliable indicator of real priorities is where you ask people to spend their time. Any declared priority that has no resourcing attached to it isn’t actually a priority.
Emma says, “if you want culture to be a priority, then you have to treat it in the same way. You have to put some explicit focus on it.”
That means putting time in the diary for people to have honest conversations about culture.
“How are we working together as a team?”
“Is there anything we want to change?”
And maybe go knock on the door of that senior software engineer who’s clicking on all the phishing emails. He probably has something to say about how we do things here!
Links to the NCSC best practice outlined above:
https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
https://www.ncsc.gov.uk/guidance/phishing
https://www.security.gov.uk/policy-and-guidance/improving-security-culture/