Most organisations can describe at least some of their security controls. They know whether they use multifactor authentication, whether they have antivirus software or whether they conduct awareness training. If asked, they can usually point to policies, procedures and technical safeguards that demonstrate a commitment to security. What many organisations find more difficult is explaining
For many years, organisations have invested heavily in security awareness training. Yet despite this investment, many organisations still struggle with understanding information risk. Employees watch videos about phishing emails, complete online courses and answer multiple-choice questions designed to help them recognise suspicious behaviour. The assumption is that if people can recognise threats, they will make
One of the more interesting projects we worked on recently involved a small professional services organisation rolling out a new client intake and workflow platform across several offices. The project itself looked fairly ordinary at first glance. Online forms, document uploads, automated notifications, reporting dashboards — the sort of thing organisations implement every day. The
I wanted to talk about this because it is incredibly common and people don’t question it enough. The truth is that, collecting sensitive data or private information in email attachments, seems convenient. But it raises important concerns. Also, if the only tool you have to collect information is the tool you use to write letters,
