Most organisations can describe at least some of their security controls. They know whether they use multifactor authentication, whether they have antivirus software or whether they conduct awareness training. If asked, they can usually point to policies, procedures and technical safeguards that demonstrate a commitment to security. What many organisations find more difficult is explaining
For many years, organisations have invested heavily in security awareness training. Yet despite this investment, many organisations still struggle with understanding information risk. Employees watch videos about phishing emails, complete online courses and answer multiple-choice questions designed to help them recognise suspicious behaviour. The assumption is that if people can recognise threats, they will make
A few years ago I sat down with the owners of a small business that had grown steadily over the previous decade. They had good staff, loyal customers and healthy revenue. Like many business owners, they worried about cybersecurity because they had heard the stories about ransomware, online fraud, privacy breaches and so on. They
One of the more interesting projects we worked on recently involved a small professional services organisation rolling out a new client intake and workflow platform across several offices. The project itself looked fairly ordinary at first glance. Online forms, document uploads, automated notifications, reporting dashboards — the sort of thing organisations implement every day. The
