CEO Interview: Risk, Tech, Regulation, And Education

This week, we interviewed CEO Paul about risk, regulation, and tech in cyber security.

Paul shared his insights on the impact of COVID-19 on remote communication, the evolving landscape of risk tech, and the need for simplicity in security.

📹 Watch the video on YouTube

Key Takeaways

• Discover the importance of securing email communications and the prevalent misuse of email.
• Get practical advice on deploying effective cybersecurity tools and training within an organisation.
• Hear expert views on balancing cybersecurity with regulatory demands and customer communication preferences.

Interview Summary

Q: How important are training, regulation, and tech in cyber security today?

A: We are predominantly working in highly regulated sectors, such as professional services and financial services in general.

Whether you're a lawyer, an accountant, a financial adviser, or a product provider in that same market, it's a highly regulated arena.

And that's quite problematic for business as usual because, ultimately, we're also a people business and a communications business.

Everything to do with all of those professions requires good communications and ideally removing any barriers to that.

Covid changed the dynamic of that market, or those markets, and players, as there was a greater need for people to deal electronically and remotely. Following COVID, that trend has continued.

People, while supporting people businesses, are now having to face the reality of interacting with their customers in, if not wholly, a partially remote way. That has driven all sorts of new habits and technologies.

The idea of doing a WebEx was something that very few of us really considered and used on a daily basis until we were forced to.

Email has been a prolific part of everyone's lives. For as long as I can remember, email has been prevalent in businesses, and most consumers retain their email addresses for probably longer than their physical addresses. As a consequence, it's become part of our everyday activity.

Therefore, people have to consider the lines drawn from a regulatory perspective regarding that medium. The requirements that the ICO and other regulations place upon us, including Consumer Duty, if we're going to use email as a medium and our customers want us to, are significant.

Surveys from many global institutions in the financial services market show that 85% of customers prefer to be communicated with by email.

So there's that dynamic set against the requirement to make sure that when you're using that medium, you are respectful of the fact that the data you are transmitting, in most cases because of that arena, will be sensitive.

You're compelled to encrypt it and ensure it doesn't fall into the wrong hands, even potentially by way of misdirection, cited by the ICO as one of the primary causes of data leakage and issues.

Practically, people are beginning to understand more and more that if they're going to use technology of whichever description, they have to be mindful of the implications of the regulations and the guidance principles of the regulators.

Q: Has there been a lack of training or understanding on the key risks?

A: I think there has been a general lack of training and understanding regarding the threats that exist around communication mediums, especially email.

Larger enterprises with the luxury of individuals and departments solely focused on those risks will be more aware and likely to have the relevant measures to protect against someone inadvertently clicking a link they shouldn't. Smaller businesses may not have that same resource profile.

It's something we've had to be very mindful of when designing our product.

Can we level the playing field a little by cleverly engineering tools that help address some of those problems for businesses that may not have the same tech resources, even if they're interacting with a tech supplier?

Training is becoming more prevalent, and people are beginning to understand some of those threats. But that's an endless task because the landscape is continually evolving.

Employing technology can help filter out some of that noise because we're all trying to do our day-to-day jobs at the same time.

There are software packages that look at that particular dynamic, known as the threat vector in tech terms.

Q: How does a business prioritise which threats to focus on right now?

A: Every business is different, and there's never a catch-all in terms of what priority you place on one area of your business or another from a risk perspective.

Like most things, you've got to look at the biggest bang for your buck—what problems can you solve with a piece of tech that are multi-dimensional? We provide tools that enable people to secure sensitive information in their everyday activities.

It's rare when dealing with customers in the sectors we work in that you won't have an interaction carrying information that is sensitive and could be damaging in the wrong hands.

But of course, we often get that question raised as to whether clients will be happy to do this. Your customers are very receptive to using tech when their interests are at heart, and that's been proven by survey after survey.

If you can create some economies by using a piece of tech and increase your efficiency and the speed at which you exchange information, all of those things start to stack up to something that might lift the topic in your priorities list.

At the same time, it doesn't detract from the fact there are other threats and other issues you need to deal with, which is why you need advice.

Many firms these days will talk to a technology supplier and ask them to give a view on that prioritisation.

In fact, many of them will conduct a brief overview of your business to give you a starting point on that stuff. I'd highly encourage people to take advice about ticking the right things off the list in the right order.

Unfortunately, it's multi-dimensional, and there are so many things to consider.

Q: Why should email be a top priority in cyber protection?

A: When you're using something like your telephone every day or your email every day, it's quite easy to assume that's okay.

And in most cases, it probably is, except you get into bad habits. Using email is not a bad habit, but it works, and people prevalently use it—many hundreds of billions of emails are sent or received every day.

If you're a one-person business, it's sometimes more difficult to carve out enough time to consider these things. In our solution architecture, we tried to think about this in the context of securing email communication.

The technology is great unless it's a pain to deal with, not just for you, as the sender, but for your customers. I can reassure people that's simply not the case. It's the heritage and legacy we inherited.

When people look at the subject, because it's not been an area where people have focused on the simplicity of use without going against the grain from a security perspective, they will be pleasantly surprised at the return they get by considering the topic.

User experience and technology don't have to act against each other. That's a common misconception we often confront. “I've looked at secure email solutions before. They're really hard.

My customers don't like them.” I'd highly recommend people to briefly review that. They absolutely are not hard to use for the sender or the recipient, and they are well received because people view their identity and data as sacrosanct.

It's part of the consideration that every adviser in whichever sector takes into account, and the customers will appreciate the fact that they bothered to do it.

Q: Has regulation become more nuanced and less prescriptive?

A: I'm not sure I necessarily agree with the idea that we've shifted our culture from guidance to rules. The legal system in the UK is a principles-based legal system; it always has been and probably always will be.

Now, I have a perhaps cynical view on that because, particularly in financial services, it has had a habit of looking back on the guidance or principles and therefore allowing the regulator to interpret that in different ways as they become more knowledgeable about the risks they're trying to eliminate from processes.

It's not a surprise - what I guess I'm trying to say, which might sound bad for a regulator to retrospectively change their mind, is that the law enables them to do that.

The law enables anyone to do that because we gradually gain more knowledge, and therefore there has to be a degree of sensibility in terms of how you consider regulation and the obligations placed upon us within all these different acts that we're all trying to comply with.

The one founding principle is doing what appears to be the right thing to protect consumers. The very words Consumer Duty emphasise that.

I don't think it's a big leap to say, well, if you're doing something that could potentially lead your customers into a position of risk in communicating with them or whatever your actions might be, then they are suggesting that that would be a bad thing, which means that you need to solve the problem fundamentally, and it's not a new problem.

Email has been in its current state for many years. If you've got a Hotmail account, I'm trying to think how many years ago it was established—maybe 18 years or so ago.

But what’s quite surprising is that that's a relatively short space of time. And yet consumers maintain their email addresses for well over ten years these days.

That's not going to change, and despite the evolution of all these new messaging apps, there's also been a lot of publicity around how businesses are falling foul of using messaging apps, etc., and the legislation seeking to similarly suggest that that's not a good way forward.

What's persisted is that now there's 320-330 billion email exchanges a day, and that's not going to change overnight. I think, therefore, there's no compulsion for anyone to do anything. But it would be highly sensible for people to consider what they're doing in that arena.

Q: What are your go-to resources for the best cybersecurity tech or practices?

A: It’s really hard these days to have a go-to resource where you can look up an unbiased view of the right suppliers. When you do a Google search, even the first couple of pages will often be ads, and that can be quite misleading. It's hard to consider the right suppliers for these things.

It's quite human to look to others who are already working in this space and try to take some guidance from those that can give you some certainty or at least some security and make you feel comfortable that they've made a decision and they're using something daily, and it’s sort of working.

It’s the very reason that lots of companies like we do will often try and make sure we publish user cases, testimonials, and Trustpilot-esque pieces. There's nothing better than getting a voice from a user base.

And similarly, you know, I've got to mention it, look at the support levels that companies provide. We are really proud of our support team and the stats that we continually get.

People ring our support team in the UK, and they get to speak to an actual real person, and they do an amazing job. People love them because they just sort stuff out, you know, it’s great.

Personally, I think that's invaluable. We probably don't bang that drum nearly hard enough because that's the test in my opinion.

Q: How does Mailock help to prevent the threats we’ve talked about?

A: The key features within the system that warrant an initial note are many, but fundamentally the system very simply enables an operator, a sender, to elect to secure a particular communication.

In fact, it'll nudge that user if it sees some content that it suspects should be secured or, indeed, if you want to be slightly more strict, you can deploy the system, and it forces people to encrypt certain types of outbound communications based on rules, etc. All of that is available.

But I think the other pieces that are often forgotten are that when you send something securely, it enables you to choose from a range of different ways of verifying that the person ultimately at the end of that email communication is the intended party.

There are all sorts of ways of checking that, and they're evolving around us now, to a greater degree of fidelity and certainty. Then all the controls come off the back of the process.

So not just the fact that the customer can open the email when they authenticate themselves to you, but they can also reply.

There's no cost for any of that. And they don't have to register to access their email. It's about reducing barriers to entry, barriers to access information, not increasing them like everybody else does in our arena.

But then on the sender's part, apart from being able to exchange information, I can ask you for, send me that sensitive document because I know it's protected. And again, the ICO has got an eye on that.

Encouraging your customers to do something like that without security... well, if that goes wrong, that decision could fall back on you.

But it's also the audit trails that the sender gets. You can set the system up to tell you when your customers authenticate and then access the documents and open them.

That's a great sales value, not just an information delivery. It's a great process to pick up the phone and say, "Oh, I've seen you've seen that document, can I help?" You know, that can increase sales cycles.

And probably the big one - revocation, withdrawing access. I'm sure people have used (and this is not meant in any way a bad way) Microsoft.

Such an incredible toolkit. But the idea that if I send something to someone inadvertently or wrongly, I can't stop them from accessing it, that's a big deal. And that's something that we've always had in our system. You can revoke access to a document, and it's gone. It's a big deal. 

So, you know, there are a lot of features in there, but they're all designed to be very simple to use. And I think that's the key.

It's got to be simple. It's got to be easy. It's got to be quick.

And it's got to be something that people want to use, not something that they're forced to use. That's the key.

Reviewed By:

Sam Kendall, 07.06.24

Sabrina McClune, 07.06.24