Training employees to log themselves off the computer system when they walk away from their desks and to spot suspicious emails is key to avoiding cyber breaches, the incoming head of risk and insurance for communications regulator OfCom has warned.


Elaine Heyworth, incoming head of risk and insurance for communications regulator OfCom

In an interview with StrategicRISK, Elaine Heyworth said that in her last role as head of risk and insurance for the charity The Royal British Legion she collaborated with IT to send dummy phishing emails “just to wake people up a bit”.

The risk expert said that around 80 percent of cyber vulnerabilities are the result of behaviour by an organisation’s own employees.

If people opened a link in the message, text would appear saying: “That was a phishing attack and you should’ve been able to spot it because x, y, and z,” Heyworth says.

But rather than singling employees out for blame, Heyworth says she used it as a chance to educate staff.

The faux phishing emails would contain deliberate errors that should have set alarm bells ringing for the recipient. For example, messages that claimed to be an internal memo from a fellow staff member would spell that sender’s name wrong.

“We said: ‘If you had looked more closely you may have noticed there was an extra ‘M’ in the spelling of this guy’s name’,” says Heyworth as an example.

“It was about educating people at the same time, but you get a hell of a shock when you hit on an email and it says ‘you’ve been caught’.”

She said that some interesting data points came out of the exercise. For example, people are most likely to click on a phishing email at quarter to five in the evening “when people are thinking about going home and are getting a bit sloppy”, says Heyworth.

“They’re quickly flicking through things to make sure they haven’t missed anything important and then they click on something.”

She said processes should also be put in place to teach employees the importance of locking their computers whenever they leave their desk as well as being aware of their surroundings when they are using their laptops outside of the office.

“It’s about making sure that IT have all the defences in place, and defences start with policies and procedures,” Heyworth says.

“Good risk management is a thread that runs right through the business on everything you’re doing,” she explains.

“So when I’m thinking data protection training, I’m also thinking cyber training because data protection, the protection of your data, will often be through a cyber event.”

“So I try and tie them together so that people are getting data protection training when they’re getting cyber training, and they’re getting cyber training when they’re getting data protection training,” she continues. “So it’s that reinforcement, again, and again.”