January 02, 2026

00:35:26

Episode 349 Deep Dive: Mike Worth | Why Legal SMBs Overlook Cybersecurity

KBKAST

Show Notes

In this episode, we sit down with Mike Worth, Founder of Indi-tech Consultancy, as he unpacks the unique cybersecurity challenges facing small and medium-sized legal firms. Mike highlights a major misconception in the industry—treating cybersecurity solely as an IT problem rather than a broader business risk—and explains why investing in the human aspect of cybersecurity is more effective than relying on tools alone. He discusses the billable hours mindset prevalent in professional services, the opportunity cost of security training, and the importance of creating a positive, engaging, and competitive security culture tailored to staff demographics. Mike also shares insights into common pitfalls SMBs face, such as overspending on ineffective security tools, gaps in cyber insurance coverage, and the pitfalls of generic training programs. He closes with actionable advice on building a resilient cybersecurity culture, measuring progress through behaviour-based metrics, and fostering open, honest risk discussions within the organisation.

Mike is a proud Londoner now living in Hampshire, UK. He has worked across various industries covering local and central Government, manufacturing and more recently 11 years of Legal professional services as an IT professional.

Mike’s passion has recently seen him start his own IT consultancy targeting support for SMBs on cyber security and virtual IT management.


Episode Transcript

[00:00:00] Speaker A: I think the complexity comes when thinking that spending money on IT security tools will solve the cybersecurity problem. Because the biggest investment I feel that you should make around cybersecurity is in humans. It's got to be targeted to the humans working for you and it's got to be personable to them.

[00:00:24] Speaker B: This is KBKast as a primary target.

[00:00:28] Speaker A: For ransomware campaigns, security and testing and performance them. We can actually automate that, take that.

[00:00:35] Speaker C: Data and use it. Joining me now is Mike Worth, founder of Indi-tech Consultancy, and today we're discussing cybersecurity for SMBs is critical when and where it's understood. So Mike, thanks for joining and welcome.

[00:00:53] Speaker A: Thank you very much for having me on the show. Really looking forward to it.

[00:00:56] Speaker C: Okay, so Mike, you've obviously got quite a strong pedigree in this space. You spend a lot of time working with legal firms, mid-size law firms, etc. So you obviously got a lot of knowledge in a very specific vertical, which is interesting because sometimes other people are a little bit more general. But I think I really want to go deep down on this vertical because it is a big one, it is an important one. So perhaps tell me what are some of the biggest misconceptions that you've seen in these legal businesses when it comes to sort of cyber risk?

[00:01:28] Speaker A: I've worked across different sectors in my career, the last 12 years has been in the legal sector, which is a great space to be in. I think I found the biggest misconception within the law firm is they fail at cyber security sometimes not because they don't care, but because they see it as an IT problem, not as a business risk.
And you think the solicitors, the lawyers that work in these spaces, they run the businesses, they're very well educated people, intelligent, innovative people, and I'm sure if they're given space and time, cybersecurity would be a very straightforward subject for them. When they think about it, I think the problem comes is where they work in a professional services business, they bill by the hour, their pure focus is hitting their targets for the business and it becomes less of an issue for them worrying about links and emails, attachments and other means of cyber criminal activity.

[00:02:26] Speaker C: Yeah, so this is interesting. So would you say that as well, even if you're not working in a law firm, just say like a general, like business consultancy, like these people are billing by the hour as well. Would that similar mindset apply though in terms of billable hours in inverted commas or.

[00:02:40] Speaker A: I don't think the impact's the same. I think with professional services, where it is literally time is money, that is how it's viewed and that's how the profession is really viewed as well. I think other businesses, obviously it would cost them money around cyber issues by the day whatsoever, but I don't think they measure it incrementally in that kind of fashion.

[00:03:01] Speaker C: And so because they do measure income into like, I've even heard that some people like bill in like five, seven minute blocks. Would you say that's what's attributing to perhaps being overlooked was like cyber security? Because I mean at the end of the day businesses want to make money, partners want to make money. At the end of the day that's normal human nature, but which has a key driving factor as to not doing these other things perhaps, because then if you're doing other like cyber stuff, are you going to do like a security awareness training for an hour when you're getting billed at a thousand bucks an hour?
That's a big chunk of money that you're sort of effectively not getting or billing?

[00:03:33] Speaker A: Yeah, no, absolutely. You hit the nail on the head there. Taking time out to undertake other activities towards things like not just cyber security but other legal requirements as well does cost the business money in that effect.

[00:03:48] Speaker C: And then would you also say that it's more of an opportunity cost as well? So it's like, okay, I've got an arbitrary 10 hours in a day, eight of them I want to spend billing customers rather than, you know, eight of them thinking about cyber security. I mean I'm giving very over extreme examples, but it's more about getting into the mindset of why businesses of this caliber are focusing on things like this.

[00:04:15] Speaker A: In my time through the legal sector, I've seen the mindset change more. The C suite or the managing partners taking more interest, taking more notice. I'm still seeing firms, I was speaking to one only yesterday, boutique London firm, they didn't really even seem to have an IT strategy, let alone a cyber one. So seeing this still as a real life scenario happening today is something that's quite whimmy, would you say?

[00:04:45] Speaker C: I know you said you've worked in the legal sector for 12 years, but then obviously you worked in other sectors. Would you say in terms of like a race? Legal is definitely towards the back of the race rather than leading the pack, because you've obviously got more regulated industries which are probably by default, by compliance etc, at the top and leading. But where do they sort of sit in the pecking order?

[00:05:08] Speaker A: I think it depends what area that you look at, the legal. So you have the big law firms, the Dentons and other firms of a massive size that have lots of rainbows with pots of gold security teams, just lots of money to put into that space.
The problem comes when you start looking at the small medium law firm market, and their investment in IT, let alone cybersecurity, takes a bigger chunk out of their profits. So when they spend it, it needs to be spent on something more specific and more effective, because ultimately any breach, like any company, hits your reputational damage, hits your trust and it will drive business away.

[00:05:53] Speaker C: And when you say spent on something more specific, are we talking cyber IT or just like other general things that they'd prefer to invest their money on or in?

[00:06:03] Speaker A: I think the complexity comes when thinking that spending money on IT security tools will solve the cybersecurity problem. Because the biggest investment I feel that you should make around cybersecurity is in humans. It's gotta be targeted to the humans working for you and it's gotta be personable to them.

[00:06:24] Speaker C: Okay, so the part that I'm quite curious about, given there is a little bit of, you know, reluctancy there, of, you know, we're a small firm, you know, who's gonna think about us. All the stuff that you and I know about, the industry generally knows about. Given your experience in this space with SMB businesses, how do you sort of shift them towards, hey, look, I know your key deliverables each day are to do billable hours. Right, we get that. How do you shift them towards caring about cybersecurity more than just a tick box exercise? To think a little bit more strategic, long term. How do you get them away from, well, I've got to spend an hour to look at this, which means an hour less that I'm not billing.

[00:07:08] Speaker A: It's a really good question. I spent quite a lot of the last 12 years building a cyber security culture within a law firm. And the culture was essential to keep the business safe. You look at how can you build that culture, and the way to build the culture is to keep things short and sharp.
I'm a youth football coach and even in coaching I use behavioral science as part of it, which is repetition, repetition, repetition. So I think you have to tell someone something about 23 times until it actually is retained, if it's something that they're not interested in. But you've got to make it fun, you got to keep it real, like real life scenarios. You've got to keep it short. You've got to keep it relevant and on topic and, you know, the environment needs to be a safe space as well for people reporting mistakes or opening test phishing emails. And they've got to feel safe to speak up, because speaking up then in effect has a positive return and reduces your risk dramatically. So I think you have to keep it short and sharp, and you keep it short and sharp. You look at other phishing awareness companies like KnowBe4, they've started using short and sharp videos, making them into like a series that people want to go back and keep watching because they're short, they're sharp and they actually keep people's attention. But actually they remember and they start bringing on the correct behaviors when it comes to working around cybersecurity and keeping themselves and the business, and actually at home personally, safe.

[00:08:49] Speaker C: Okay, I really want to get into this. I find this really fascinating now. So what was coming to my mind, you said short and sharp. So I don't know about you, but at the end of the night I like to scroll reels like probably 98% of the population out there do. Why? Because it's short and sharp. So going back to your point, which I liked, you know, making it relevant, making it something fun, because it's then going to be a little bit more interesting to them. Typically speaking, if you're not really working in cyber security, you probably don't really think it's fun. To extend on that.
If I'm scrolling a reel and, I don't know, someone goes 10 things about horticulture, if I look at a minute, I can spare a minute, Mike, but I'm not going to spend an hour learning about horticulture. Why? I don't care. I find it boring. But a minute I'm happy to listen to. So I want to get into the short and sharp side of it, because now people's attention currency is really hard to get. People are bored instantly. They're scrolling, their eyes are glazing over, they're not doing it properly. So I'm really curious to explore that, because going back to your point around human behavior, this is how people are consuming content more broadly speaking. But again, in businesses, like some of these trainings, they just go on forever and I think it's too long. And as a result people don't retain the information and actually it probably does more of a disservice, because they're then actually annoyed at the cybersecurity function in general because it's bored them to sleep.

[00:10:07] Speaker A: Yeah, I've seen it many times. It's never been my approach. My approach has always been making it very personable. So, you know, cybersecurity, you see all the different things. You talk to big CEOs from big companies and I hear all the kind of things that they say about protection from cybersecurity, but they always come back to the fundamentals, which is keeping things simple. But I like to spin it round and make it more personable to them, because that way it gauges their attention a lot quicker. If I say to them, well, don't keep using the same password for everything at work, they'd be like, yeah, whatever. Or they'll stick a post-it note on their screen with a password on. But if you position it, you do a little bit of emotional intelligence and a bit more deep diving into what they like, what they enjoy, or they enjoy shopping online.
Did you know if you use the same password here as you do in work, if somebody breaches your work account, they'll then go and try and find your personal account that they can break into. They'll use your credit card to buy stuff from your account. And when you start changing the scenario round and making it more personable to them, you're basically saying what you do at home and how you act on your personal devices should be exactly the same as what you do in the office, by keeping it safe.

[00:11:22] Speaker C: Yes, good points. Because do you think, generally speaking, and I know like when you're working in a big enterprise, it's a bit harder to personalize it for 50,000 people. But if SMB, like you're saying, you know, under 50 people, you can probably spend a bit of time making it happen. Right. Do you believe the industry, generally speaking, has just naturally like overcomplicated things and as a result it's really deterred people from really caring about what's going on in the cyber world?

[00:11:52] Speaker A: Yeah, I mean complacency, absolutely. Overcomplicated. I go back to the KnowBe4 making a little series of videos that I hear even people that leave the company, they still want to see the next episode because they want to know what happened. And it's all based around real life scenarios and actually things that you end up laughing at as well. You have comedy things like The IT Crowd, which is a really funny kind of like IT geek comedy series, which I haven't actually watched. But it's based around people being stupid and how they act and taking the mickey out of people and laughing at it. But at the same time it's highlighting what actually happens and people's behaviors as well.

[00:12:35] Speaker C: I have seen that show. It's a good show. You should definitely watch it.

[00:12:38] Speaker A: Saw a couple of episodes and I started to cringe. I moved away.

[00:12:42] Speaker C: Okay, so that's a good word, cringe.
That was going to be my next question. Literally what I've seen over the last, I don't know, 12, 15 years is, and I've worked with firms before, the content is cringe. How do we avoid it? I know, like, I'm just trying to be honest here, because I do believe that people mean well, it just doesn't execute well. And then it just, it's like, why, how do we get away from that?

[00:13:07] Speaker A: How do we move away from cringe? Is a very good question. And you know, I keep going back to just relating it to things that I've done in my past in building that kind of culture. And moving away from cringe is kind of relating it to just real life scenarios. It's making it personable. It's the key to activating people's emotional intelligence to get them involved, even to the point of making it more competitive. So it may be cringe, but if you can make it competitive, people are naturally competitive. And if you can put it into a more competitive context, it then draws people in because they want to do well, if that answers your question.

[00:13:52] Speaker C: Okay, so what I'm hearing is cringe. But competitive makes sense. But if it's just cringe without the competitiveness, it's going to be improved. Is that correct?

[00:14:02] Speaker A: Absolutely. Neither of us would sit through something that's cringy that we find boring and complacent. It's not what we do. We want to be what's next moving forward.

[00:14:12] Speaker C: What about demographics? So I'm a millennial, but then you like Gen Z's, like some of the stuff that they know about. Like I had to explain to someone in my team once, like what dial-up Internet was. So there are certain terms, like perhaps can you then make specific content for different demographics? Or when I was like a younger kid and my parents would say like, oh, you know, when this like historic thing that happened, I was like, I don't know, like, I'm like, not that old. I don't know.
Obviously it's a bit different now because I'm a bit older, but the same sort of applies sometimes for younger folks as well. They may not get certain things that older people would get or like, you know, older generations would get, etc. So would that potentially work as well, to make sure that it's relevant for them, because like certain phraseology and certain terms, Gen Z just don't say. They think we're cringe millennials. Like they're getting around in their crew socks. Apparently, you know, if you're wearing ankle socks, it's, that's you. Clearly a millennial. Right. So this is the part where I'm finding it quite interesting.

[00:15:13] Speaker A: Yeah. That age demographic. Absolutely. I mean, I've got three kids. If I do something, you know, when you're younger, if you danced at a party, you was dancing at a party. Then when you're a dad, you dance at a party, you're dad dancing. So you have that kind of interpretation from the different age groups and different generations. But ultimately, regardless of that, they still have similar behavioral indicators. People thrive on challenge. They may not like it, but it drives us forward. Pressure drives us forward. The right amount of pressure. Looking at how we move forward, what makes us confident? What are we confident in doing? Obviously the lower gens are on, your gens are more based around tech and content. Content on content. As you said, the short and sharp kind of the TikTok reels, the Snapchat reels or whatever they're looking at, it's all taken on board pretty quickly. But ultimately, however they're consuming that information, the information has to be very similar in its message.

[00:16:15] Speaker C: And when you said pressure, do you mean pressure towards, if it's a cringe but competitive sort of campaign, they've got pressure to be like, I want to win, I want to be best in the business. Like, is that what you mean by.

[00:16:25] Speaker A: The pressure or the pressure to perform?
The pressure to understand, the pressure to be part of something, the pressure to being in the know. The newer gens have a lot more pressure on them from the social media aspect of it as well. If their friends know and they don't, they want to know. If you can get some of them on the bandwagon of wanting to know more about cybersecurity, that kind of generation would spread like wildfire.

[00:16:54] Speaker C: If you're in legal risk or compliance, you know the stakes and the spreadsheet sprawl. Vanta makes life easier by automating key parts of your security frameworks. From evidence collection to audit readiness, ISO 27001, SOC 2, GDPR. It's all in one platform built to reduce manual work without cutting corners. Visit vanta.com/kbcast, that's V-A-N-T-A.com/kbcast, to learn more. Interestingly, a while ago I was working with a law firm when I was in consulting and the CIO was like, yeah, the part that gets me a little bit, KB, is just in security, we just keep telling people, like, don't click on the link. But there's no like, well, why you don't. So do you think that people, no one wants to be nagged at, to be like, oh, don't click on the link, Mike, don't do this. It seems to be like, don't do all of these things. And then therefore it can come across a little bit condescending. Sure. Do you think as well, it's just how people are framing it, which is just not conducive to someone. I mean, these people are professionals. Right. Like, you're not working in a legal firm because you're a. Like, you're smart. Yes. You may not be the most in-depth cyber security professional, but hey, you're really good at doing, you know, being a lawyer. So how do we move from parenting people in our business to educating them in a way where, yes, it's not cringe, but also we're not sort of talking down to people a little bit. There's still seen, there's still a little bit of that stigma. Unfortunately, in this industry, I go back.

[00:18:26] Speaker A: To my coaching as well.
I'm a trained football coach, UEFA coach. And I think it's really important that the way you approach things, it's not don't do this, don't do that. It's more about changing that round, about rewarding behavior. That's right. So I have a group of players standing there. Three or four of them are chatting, one standing there completely quiet, standing there listening to me, wanting me to talk. I praise that individual for standing there ready and waiting, and everyone else all of a sudden is quiet. And that's not with me telling them to be quiet. I'm praising the right person. I think when you praise behavior, that's the positive behavior, rather than say, don't do this, don't do that. Because as you said, as we spoke at the beginning, you know, lawyers and solicitors in the legal world, highly intelligent, innovative, very smart people. And you're right, they don't want people telling them, don't do this, don't do that. But pilots are very intelligent people as well. And I know part of the pilot training, what I've heard that you do is there's an obstacle while they're flying the plane in a simulator. They don't say, don't fly into the obstacle. What they say is, let's concentrate on the blue sky on the other side. And it is a natural way of giving people some credit for their intelligence.

[00:19:46] Speaker C: Yeah, and that's the part that's interesting as well, because we don't know about all the ins and outs that they do to be a lawyer. Like we don't. So I think it comes across a little unfair and a little bit unbalanced sometimes. Like we're expecting them to know all these things that we know day in and day out, 15, 20 years, 30 year veterans that are doing this stuff day in, day out. But yet, just because the person who's a partner in a law firm doesn't necessarily understand things to the, you know, minutiae, I just don't believe it's their fault. But again, it does get people offside.
As you would know, Mike, when you're sort of talking down to them and you're sort of treating them like a child.

[00:20:21] Speaker A: Yeah, absolutely. You don't. I work with people at all levels. I talk to everyone and treat everyone with the same respect. Instead of talking to another firm and their managing partner, the owner of the firm, the founder of the firm, is the one who makes the IT decisions. And people just add what they think they should do and they decide, and it's decided whether he thinks it's right or not. And that's based off somebody who's a legal professional, who's top of his game legal career, that likes to do it because everyone knows something about it.

[00:20:55] Speaker C: So I'm going to slightly change tack now. And I want to talk about what do you see SMBs wasting money on in terms of security tools that perhaps overall don't meaningfully reduce risk. Talk me through that.

[00:21:12] Speaker A: It's quite common. I mean, the law firms of that size don't tend to inherently want to spend a lot of money on IT, let alone security around it. And the biggest risk of spending that money is more the complexity, people being complacent and the lack of knowledge and understanding. You have a salesperson saying, buy this, it will protect you from ransomware. But the question should be, okay, but what happens if ransomware gets past it? They don't have the knowledge and understanding in the SMB space because they don't normally have a head of IT. They normally have a senior IT official, kind of like working for the company. That's part of the reason why when I was setting up Indi-tech, part of what I wanted to do was the fractional IT leader, which people call directors and stuff like that. Because that space is so important. There isn't a space within the law firm for somebody to have ownership at the C suite level or the partner-led level and an understanding. And that can lead to external providers selling software here and there.
And the more money you pay, the more protected you are, which isn't the case.

[00:22:28] Speaker C: This is interesting because I've heard this from other people as well. So do you think sometimes, perhaps because there is a lack of understanding about certain areas, the right questions aren't asked, so therefore there's a lot of gray area on what they're buying? Perhaps like certain things I'm not an expert in buying, so I may not ask the right questions and may overlook certain areas because I'm not an expert in asking certain things. Do you think it's sort of the same here when people are procuring these sorts of products and services?

[00:23:02] Speaker A: Absolutely. I'm not a master at marketing, but could I market? Yeah. Could I waste money marketing? Absolutely. Because I won't know the intricacies of what I'm doing. The same happens within that kind of environment. And again, it's not a lack of care, a lack of want, but it is a gray space that becomes a lack of understanding. You know, some businesses think we're going to do Cyber Essentials Plus, which is the UK accreditation, government accreditation for a baseline of protection within businesses within the UK. It's optional, whether you do it or not. It's starting to become more mainstream and businesses are starting to actually take it on board. And alongside that you have cyber insurance. So a firm will take on the accreditation, pass the accreditation, which is a baseline. It doesn't mean you're super protected. It means you've got a good base to start from, but they also get as part of that cyber insurance. And the funny thing is with the cyber insurance, like all insurances, if I insure my car, then I go out and put some mods on it, put bigger tires on it, ramp the engine up, I'm no longer insured. But the cyber insurance that firms take on as well, they take it on, think we're protected.
As soon as they get hit with a breach, and maybe part of their insurance was that they hadn't got their multifactor authentication turned on for everything, then that insurance is no longer valid.

[00:24:28] Speaker C: Yeah, okay, so walk me through, is the mindset, and again, this is general, that something happens, but it's okay because I've got the insurance. Now from my understanding, there's a certain way that some of these insurance players, you've got to engage with them like instantly. If you don't do that instantly, it's like, oh, you're not covered now because you didn't listen to us, you did all these other steps, therefore we can't cover you because you didn't come to us from the get go. Therefore that's one route of them not getting covered. But then also is it like, oh, well, it doesn't really matter. I have insurance. So for example, car insurance. I'm not going to go drive recklessly because I don't want to injure myself. But maybe some people have that theory of oh, I can drive around like a maniac on the road because I have car insurance.

[00:25:10] Speaker A: Absolutely. You've got to pick your external partners regardless of the cyber or whatever tech. You got to pick them and pick them well and do your research on them. The same applies to cyber insurance. You don't want to be partnered with the insurance company that's happy to insure you but will put every obstacle in the way to pay out. You want to be with an insurance company that does cyber insurance, but they work with you to ensure you meet the levels of insurance that they're insuring you for. And I can categorically say I've seen it on more than one occasion where the insurance sits there in person being paid for, and the actual setup within the business doesn't meet their needs.

[00:25:58] Speaker C: Yeah.
Okay, so how would you sort of explain to these people in these businesses, like what are there sort of things that they should look out for when they're speaking to a vendor, when they're speaking to a service provider, they'd be like, well, that could be a red flag.

[00:26:14] Speaker A: Obviously, quick sale. A quick sale is always, you know, is definitely a red flag. I just want to sell on the sell. How much interest are they showing in your business now? Any SMB kind of side of things. If you work with an external partner, you want them to know who your business is and know something about your business and actually be paying interest in your business. Because if they're not, it's insurance for a purpose rather than insurance for a designed goal as such.

[00:26:43] Speaker C: Yeah, okay, those are good points. And so then my next sort of question would be, what about awareness fatigue? So what I mean by that is, and I've experienced this myself, which is why I'm asking the question. Historically, when things are really long, it's not short and sharp, it's long, it's a little bit banal, et cetera. People sort of just click through it just to get it done and dusted. How do we avoid that as well? Because we don't want people doing that. Again, it's counterintuitive to doing the exercise in the first place. So what are your thoughts then on this?

[00:27:16] Speaker A: It's a good question. I felt that kind of awareness fatigue sitting through anti money laundering half day sessions, which I don't think at the best of times could be made entertaining. Same with health and safety videos and things like that. But I go back to a lot around, I like to focus on the human element of cybersecurity. And for me, awareness fatigue, repetition, repetition, repetition, repetition enforces the message. Fine. It goes back to short and sharp. Make it fun. If you can make it funny and competitive, even better.
Keeping it short and relevant, making any information scenarios personable. For example, there's a YouTube video I've used a few times where there's a sign outside a coffee shop, and the coffee shop has got a message on the billboard that says, like our Facebook page, get free coffee. So people walking past, liking it, going in and getting the coffee, and as they're giving the coffee to the person, they've actually taken their data off their Facebook account. They've put their full name, they've put the date of birth, if it's sitting on there. They've put the job that they do, their best friend's name, and they've handed them the coffee and just said, there you go Mike, have a good day at your law firm as head of IT. And it's really quite impactful, that real life scenario, because how many of us would walk past the coffee shop and think, oh, if I like this, I get free coffee. Everyone loves free coffee. And praising reporting mistakes, praising making mistakes. Again, I'll go back to my coaching. Somebody makes a mistake, you praise the attempt. If they continually make the mistakes over and over and over again, you have to take a different approach. But if you praise a mistake, people try to do the right thing and you create a culture with a safe space where people are happy to speak up.

[00:29:07] Speaker C: Okay, I like this because I'm going to ask you something. I hope you can answer the last part of it. Nothing beats a.

[00:29:16] Speaker A: Nothing beats a.

[00:29:18] Speaker C: Well, okay, let me explain it. So nothing beats a Jet2 holiday. Have you seen that repertoire? Also, it's in your part of the world, so I thought you may have known it. I was taking a bit of a chance. How many times have you seen that now?

[00:29:33] Speaker A: Oh, hundreds. It's brilliant. It's great.

[00:29:35] Speaker C: And then there's people that have gone around and asked people like, hey, finish the rest of the sentence, nothing beats a.
And they're like, Jet2 holiday, they get it. So because it's repetitive. And so I think that that is case in point to what you've been saying. It's super simple, but it's competitive.

[00:29:47] Speaker A: Yeah, absolutely. And it's funny. So you remember it?

[00:29:50] Speaker C: Well, yeah, now I can't get it out of my head. And it's like when we're growing up, those radio ads or those television commercials that we'd see, and we can still remember them to this day. Unfortunately, people don't remember things like that as much anymore because it's not repetitive. But how do we get closer to becoming more like that, where it is a little bit repetitive? Like, do we just need to scale everything back and just focus on, okay, maybe if it's only one thing for the entire year, I need to sort of drum into the employees just for a year? Like we're trying to give all these things out in cybersecurity and act as if these people should understand quite intricate architecture designs and stuff like that. Whereas how do we just strip it all back so that maybe there's one thing that they do remember? I think the...

[00:30:39] Speaker A: Tax change really, because you do have this yearly kind of training kind of thing that's always been a historic thing. Yearly training, sit down, anti-money laundering training, sit down, health and safety training, sit down, this yearly kind of thing going. And sidewind I just treat as a, as a daily risk. You know, I'd be more inclined to have shorter times between it, but short content, maybe more specific content, maybe more modular content that might actually reflect better on what that person does as a role. They could even pick that modular outcome. Maybe they're an accountant and they want to understand a bit more about cybersecurity problems with accountancy rather than generic law firms. The biggest risk in law firms has been, and will continue to be for the foreseeable future, email.
Email is obviously in bet for all of us with phishing emails and stuff. But email within legal is such a heavily used tool, it's also the biggest attack vector for cyber criminals as well.

[00:31:43] Speaker C: And so I lastly want to ask about metrics. So there's a lot of people out there that are like, okay, well, 50 of the people in the company have done the training successfully. That doesn't mean that they get it. I mean, if they had to do a test on it immediately, people probably would fail it. So what are some maybe just simple, rudimentary metrics to be like, okay, generally people overall are kind of getting it now, or they're understanding it a little bit more because maybe we've made it short and sharp, haven't overcomplicated it, made it less cringe, or cringe being competitive? What does that look like in your eyes?

[00:32:17] Speaker A: A simple example of that would be phishing email testing. So one of the softwares I've rolled out before on the training side of things was for new starters. They come to the business, they have to complete cyber awareness training before they move on and start on systems. It's a 30-minute interactive Q&A video-based kind of induction, cybersecurity side of things. And then that rolls them into, you know, this is old, you know about this. Most people know about this. You get pushed into a phishing email campaign, which is a test one, which keeps you on your toes. So maybe one, two or three emails a month will come through. A couple of them will be generally quite easy to spot, and then another one might come in that you're looking at a little bit more unsure about. But the simple metric there is, if people do click on that test version link, do they report it? Do they not report it? It's a very easy metric. You can see if it's been clicked or not. If you've not heard or had any reports and a form's not been filled out to say, oops, sorry, I've done this, that's a very basic metric. You can also look at behavioral indicators as well.
The way people behave can also highlight sometimes even more than the actual specific metrics that you're measuring: the behavior of somebody and how they're working, when they work. Do they try and bypass the MFA? Do they often ask for things to be restored that they've made mistakes on and deleted? Just behavioral things as well. And I think it's just more healthy looking at human behavior as part of your risk posture as such, because all compliance metrics aren't necessarily just facts and figures.

[00:34:06] Speaker C: And lastly, Mike, what is one thing, or any final thoughts, closing comments, you'd like to leave our audience with today?

[00:34:14] Speaker A: Law firms that do cybersecurity well, they don't have to be the most technical, but they're the ones that, I always say, are calm, they invest in their people, they're prepared and they're open and honest about their risks. They don't try and hide them. And I think that's a real, very strong culture to have in place to defend against cybersecurity problems.

[00:34:44] Speaker B: This is KBCast, the voice of cyber.

[00:34:48] Speaker C: Thanks for tuning in. For more industry-leading news and thought-provoking articles, visit KBI Media to get access today.

[00:34:56] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's Executive Search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand Talent Acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out [email protected] today.