This week, I interviewed CEO Paul about risk, regulation, and tech in cyber security.
Paul shared his insights on the impact of COVID-19 on remote communication, the evolving landscape of risk tech, and the need for simplicity in security.
His thoughts on the intersection of risk, technology, and regulation provide a valuable perspective for anyone evaluating solutions to protect against today's biggest cyber risks.
How important are training, regulation, and tech in cyber security today?
We are predominantly working in highly regulated sectors, such as the professional services sector and financial services in general. Whether you're a lawyer, an accountant, a financial adviser, or a product provider in that same market, it's a highly regulated arena.
And that's quite problematic for business as usual because, ultimately, we're also a people business and a communications business. Everything to do with all of those professions requires good communications and ideally removing any barriers to that. COVID changed the dynamic of that market, or those markets and those players, insofar as there was a greater propensity for people to have to deal electronically and remotely. Following COVID, that trait has continued.
People, while supporting people businesses, are now having to face the reality of interacting with their customers in, if not wholly, a partially remote way. That has driven all sorts of new habits and new technologies. The idea of doing a WebEx was something that very few of us really considered and used on a daily basis until we were forced to.
Email has been a prolific part of everyone's lives. For as long as I can remember, email has been prevalent in businesses, and most consumers retain their email addresses for probably longer than their physical addresses. As a consequence, it's become part of our everyday activity.
Therefore, people have to consider the lines that are drawn from a regulatory perspective in relation to that medium. And the compulsions that the ICO and other regulations place upon us, Consumer Duty included, if we're going to use email as a medium and our customers want us to, are significant. There are all sorts of surveys - we've been privy to the output from many global institutions in the financial services market in particular where that theme resonates. Numbers like 85% of customers say they want to be communicated with by email.
So there's that dynamic set against the requirement to ensure that when you're using that medium, you are respectful of the fact that the data you are transmitting, in most cases because of that arena, will be sensitive. You're compelled to encrypt it and make sure that it doesn't fall into the wrong hands, even potentially by way of misdirection, as cited by the ICO as one of the predominant areas of data leakage and issues.
Practically, people are beginning to understand more and more that if they're going to use technology of whichever description, they have to be mindful of the implications of the regulations and the regulators' guidance principles.
Has there been a lack of training or understanding on the key risks?
I think there has been a general lack of training and understanding regarding the threats that exist around communication mediums that are used prolifically, email included.
Larger enterprises who have the luxury of individuals and departments that are solely focused on those risks will be more cognizant and therefore more likely to have in place the relevant measures to protect against someone inadvertently clicking a link they shouldn't. Smaller businesses may not have that same resource profile. It's something we've had to be very cognizant of when designing our product. Can we level the playing field a little by cleverly engineering tools that help address some of those problems for businesses that are perhaps not carrying the same luxury of a tech department, even if they're interacting with a tech supplier?
Training is becoming more prevalent, and people are beginning to understand some of those threats. But that's an endless task because the landscape is continually evolving. Employing technology can help you ideally filter out some of that noise because we're all trying to do our day-to-day jobs at the same time. There are software packages that look at that particular dynamic, that threat vector as they call it in techie speak.
How does a business prioritise what threats to focus on right now?
Every business is different, and there's never a catch-all in terms of what priority you place upon one area of your business or another from a risk perspective. Like most things, you've got to look at the biggest bang for buck: what problems can you solve with a piece of tech that are multi-dimensional? We are providing tools that enable people to secure sensitive information in their everyday activity. It's rare when you're dealing with customers in the sectors we work in that you won't have an interaction during the day with somebody which is carrying information that is sensitive and could be damaging in the wrong hands.
But of course, you know, we quite often get that question raised as to whether clients will be happy to do this. Your customers are very receptive to using tech when their interests are at heart, and that's been proven by survey upon survey. If you can create some economies by using a piece of tech and increase your efficiency and the speed at which you exchange information, all of those things start to stack up to something that might therefore lift the topic in your priorities list.
At the same time, it doesn't detract from the fact there are other threats and other issues you need to deal with, which is why you need advice. Many firms these days will talk to a technology supplier and ask them to give a view on that prioritisation. In fact, many of them will conduct a brief overview of your business to give you a starting point on that stuff. I'd highly encourage people to take advice about ticking the right things off the list in the right order. Unfortunately, it's multidimensional, and there are so many things to consider.
Why should email be a top priority in cyber protection?
So I have a suspicion that when you're using something like your telephone every day or your email every day, it's quite easy to inadvertently just assume that's okay. And in most cases, it probably is, except you get into bad habits. Using email is not a bad habit, but it works, and people prevalently use it - many hundreds of billions of emails sent or received every day.
If you're a one-man band, it's sometimes more difficult to carve out enough time to consider these things. In our solution architecture, we tried to think about this in the context of securing that email communication. The technology is great unless it's a pain to deal with, not just for you, as the sender, but for your customers. I can reassure people that's simply not the case. It's the heritage and the legacy we inherited. When people look at the subject, because I'm afraid it's not been an area where people have focused on that simplicity of use without going against the grain from a security perspective. We have, and I think people will be pleasantly surprised at the return they get by considering the topic.
User experience and technology don't have to act against each other. That's a common misconception we're often confronted with. “I've looked at secure email solutions before. They're really hard. My customers don't like them.” I'd highly recommend people just to briefly give themselves a chance to review that. They absolutely are not hard to use for the sender or the recipient, and they are well received because people are viewing their identity and their data as sacrosanct. It's part of the consideration that every adviser in whichever sector takes into account, and the customers will appreciate the fact that they bothered to do it.
Has regulation become more nuanced and less prescriptive?
I'm not sure I necessarily subscribe to the idea that we've shifted our culture from guidance to rules. The legal system in the UK is a principles-based legal system; it always has been and probably always will be. Now, I have a perhaps cynical view on that, because my view, particularly on financial services, is that it's had a habit of looking back in on the guidance or the principles and therefore allowing the regulator to interpret that in a different way as they become more knowledgeable about the risks that they're trying to legitimate out of processes.
It's not a surprise - what I guess I'm trying to say, which might sound bad for a regulator to retrospectively change their mind, is that the law enables them to do that. The law enables anyone to do that because we gradually gain more knowledge, and therefore there has to be a degree of sensibleness in terms of how you consider regulation and the obligations placed upon us within all these different acts that we're all trying to comply with.
The one founding principle is doing what appears to be the right thing to protect consumers, consumer duty, and the very words consumer duty emphasise. I don't think it's therefore a big leap to say, well, if you're doing something that could potentially lead your customers into a position of risk in communicating with them or whatever your actions might be, then they are suggesting that that would be a bad thing, which means that you need to solve the problem fundamentally, and it's not a new problem.
Email has been in its current state for many years. So I say that, you know, if you've got a Hotmail account, I'm trying to think how many years ago it was established, maybe 18 years or so ago, but what’s quite surprising is that that's a relatively short space of time. And yet consumers have their email addresses and are maintaining them for well over ten years these days. That's not going to change, you know, and despite the evolution of all these new messaging apps and things, which there's also been a lot of publicity around how businesses are falling foul of usage of message apps, etc., and the legislation seeking to similarly suggest that that's not a good way forward.
What's persisted is that now there are 320-330 billion exchanges a day, you know, and that's not going to change overnight. I think therefore there's no compulsion for anyone to do anything. But it would be highly sensible for people to consider what they're doing in that arena.
What are your go-to resources for the best cybersecurity tech or practices?
It’s really hard these days to have a go-to resource where you can look up an unbiased view of the right suppliers. When you do a Google search these days, even the first couple of pages will often be ads, and that can be quite misleading. It's actually hard to consider the right suppliers for these things. It's quite human to look to others that are already working in this space and try and take some guidance from those that can give you some certainty or at least some security and make you feel comfortable that they've made a decision and they're using something daily, and it’s sort of working.
It’s the very reason that lots of companies like we do will often try and make sure we publish user cases and testimonials and Trustpilot-esque pieces. There's nothing better than getting a voice from a user base. And similarly, you know, I've got to mention it, look at the support levels that companies will supply. We are really proud of our support team and the stats that we continually get. People ring our support team in the UK, an actual real person, and they do an amazing job. People love them because they just sort stuff, you know, it’s great. Personally, I think that's invaluable. We probably don't bang that drum nearly hard enough because that's the test in my opinion.
How does Mailock help to prevent the threats we’ve talked about?
The key features within the system that warrant an initial note are many, but fundamentally the system very simply enables an operator, a sender, to elect to secure a particular communication. In fact, it'll nudge that user if it sees some content that it suspects should be secured, or indeed, if you're wanting to be slightly more draconian, you know, you can deploy the system so that it forces people to encrypt certain types of outbound communications based against rules, etc. All of that is available.
But I think the other pieces that are often forgotten are that when you send something securely, it'll enable you to choose from a range of different ways of verifying that the person that's ultimately at the end of that email communication is the intended party. There are all sorts of ways of checking that, and they're evolving around us now, you know, to a greater degree of fidelity and certainty, and then all the controls that come off the back of the process.
So not just the fact that the customer can open the email when they authenticate themselves to you; they can also reply. There's no cost for any of that stuff. And they don't have to register to access their email. It's about reducing barriers to entry, barriers to access information, not increasing them like everybody else does in our arena.
But then on the sender's part, apart from, you know, I can suddenly exchange information: I can ask you, "send me that sensitive document", because I know it's protected. And again, the ICO has got an eye on that. Encouraging your customers to do something like that without security... well, if that goes wrong, that decision could fall back on you.
But it's also the audit trails that the sender gets. So, you know, you can set the system up to tell you when your customers authenticate and then access the documents and open them. You know, that's a great sales value, not just an information delivery. It's a great process that you pick up the phone and go "oh, I've seen you've seen that document, you know, can I help?" You know that that can increase sales cycles.
And probably the big one - revocation, withdrawing access. I'm sure people have used (and this is not meant in any bad way) Microsoft. Such an incredible toolkit. But the idea that if I send something to someone inadvertently or wrongly, that I can't stop them from accessing it, that's a big deal. And that's something that we've always had in our system. You can revoke access to a document, and it's gone. It's a big deal.
So, you know, there's a lot of features in there, but they're all designed to be very simple to use. And I think that's the key. It's got to be simple. It's got to be easy. It's got to be quick. And it's got to be something that people want to use, not something that they're forced to use. That's the key.
Originally posted on 03 08 23
Last updated on September 5, 2023
Posted by: Sam Kendall
Sam Kendall is an expert researcher, editor, and marketing specialist. He has worked with B2B brands for almost a decade helping them to refine their digital strategy and streamline ground-level implementation. Sam is passionate about new developments in user experience, demand generation marketing, and customer communications.