When Stuart Johnson visits a client to discuss their cyber security, he does something you wouldn’t expect of someone who has worked in ICT all his life: he keeps his laptop well away, doing so to listen closely to the person he is meeting.
And one of the reasons he does this is because he has been in that person’s shoes as an ICT leader – which, for the organisations Stuart works with, is often the founder or owner. As such, he knows that growing a company is much more than a job, and that a thorough understanding of that company and its plans is the first step to improving its cyber security.
“As Covid restrictions are easing, many employees are returning to workplaces having been through almost two years of radically different working practices. So it’s a good time to refresh their knowledge of cyber security.
“But it can be an intimidating subject – and one that’s attracted a lot more media attention over the past few years,” says Stuart, who works at our Doncaster office. “With that, the headlines often go one of two ways: they either make the problem sound insurmountable, or they only cover the biggest cyber attacks, giving people the impression that smaller businesses aren’t at risk.
“In both cases, they don’t tell the full story. And so, when I meet clients, the first thing I do is listen. Then typically, my initial response is ‘don’t panic – there’s so much we can do to minimise the threats and protect your organisation’.”
Invariably, when Stuart is having this conversation, he is beginning the process of auditing an organisation’s cyber security. And having in the past led ICT for charities, food production companies and even a local wildlife park, he has a lot of varied experience to draw on, including some eye-opening lessons.
“I’ve worked in this field from when the internet was just taking off in the 90s, so I’ve seen a lot,” says Stuart. “One thing I’ve concluded is that I’m not a fan of the term ‘cyber security’. Even though you see it everywhere, it suggests this work is tied only to the internet or technology – and that good cyber security is simply a case of, say, getting a better firewall.
“As a result, I prefer the term ‘information security’. Because when I conduct an audit, I look at everything that could be a threat to an organisation’s data and information. For example, I’ll look at the storage of paper records in terms of the GDPR, or staff access to server rooms. I’ll even look at employee lanyards and the associated security risks they pose to the premises.”
For Stuart – and indeed for us at AdEPT – this approach differs from many ICT providers that largely focus on the ‘cyber’ part of ‘cyber security’. It also means clients get an audit in the truest sense: with Stuart, no stone is left unturned. It’s an approach that gives clients real peace of mind.
“I’ll also look at policies and procedures,” adds Stuart. “And I take a lot from my experience of working in the charity sector, where governance and safeguarding were everything. So with the clients I help now, I’ll explain there is no point in, say, identifying risky passwords if you can’t also help the client improve its policies and educate its staff.
“There is certainly some truth that security risks often stem from human error – but it’s not about chastising staff about this. Instead, it’s about explaining why something that seems so minor can have enormous repercussions – and about reassuring them with real-life examples of how cunning cyber criminals can be.”
For instance, Stuart once helped a company that had fallen victim to an attack. He found an employee had taken a phone call from someone claiming to have met a colleague at a professional event the colleague had genuinely attended. The caller asked for the name of the colleague’s wife, saying they’d forgotten it but wanted to follow up on a discussion from the event. As the caller’s story was so credible, the employee taking the call confirmed the name of their colleague’s wife, which, unfortunately, that colleague also used as their email password. From there, the criminal was able to access the colleague’s email account – and in turn, the company’s systems.
“We have to recognise that in the age of social media, there is so much information online about a person – and cyber criminals exploit this to ‘get a foot in the door’,” explains Stuart. “Anyone can fall victim to these techniques – so my approach is about looking at the little details as well as the bigger picture, always keeping these devious ploys in mind.”
This points to another important aspect of Stuart’s work: cyber crime is like a game of ‘whack-a-mole’, with a new tactic appearing as soon as another tactic is exposed and countered. It means Stuart must keep on his toes with the latest news and knowledge.
“Anyone who knows me knows I love my work – and regular training is a big part of that,” says Stuart. “I’m currently studying for a CISSP qualification, which is the gold standard of information security. On top of that, I should soon have an ISO27001 qualification as a lead auditor, putting AdEPT on the map for our unique approach to cyber security audits.”
Such accreditations aren’t limited to ICT specialists – there are government-backed programmes that can help companies get ‘qualified’ in cyber security, too. One that Stuart recommends is the Cyber Essentials scheme from the National Cyber Security Centre (NCSC), which can also lead to discounts on business insurance.
“Cyber insurance isn’t mandatory, but in my experience, insurers are increasingly closely looking at their policyholders’ cyber risks,” explains Stuart. “So my feeling is it should be part of a company’s overall risk management.
“Of course, this does sound onerous, but on the plus side, not only does reducing these risks minimise your chances of business interruption or losses, but it can send a great message to your customers and your suppliers, too. You could say that by protecting your organisation, you’re protecting them and their data, too.”
With these observations in mind, Stuart is inviting business owners to get in touch to find out how a cyber security audit is the first step to better information security, reduced risk of costly business interruption, and greater confidence in your ICT systems.
“With the audits, I look to speak to employees across the whole organisation,” says Stuart. “And in many ways, it’s more important to understand the ICT usage by people for whom ICT isn’t the day job. And for that reason, it might be pleasantly surprising to know I don’t talk technobabble!
“Another pleasant surprise is the time an audit takes. Of course, every client is different, but I’d say in most cases, I’ll visit for three to four hours to assess the organisation before spending half a day writing up my findings. I’ll then send over my report with a quick explanation, allow the client a week to digest it, then follow up with a more detailed discussion, which answers all the client’s questions.”
Most of all, Stuart says, he wants to stress one point: though cyber crime is a part of life, there’s a wealth of effective ways to reduce the risks. So don’t panic – and get in touch today at enquiries@adept.co.uk.
