Meet the expert: Jonathan Craven to speak at #RISK London

Taking place on October 18 and 19 at EcXel London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.

Jonathan Craven is Privacy and Compliance Lead, UK/Europe at iRhythm Technologies, a US-based healthcare tech company where he heads up privacy strategy and compliance process implementation, as well as championing the “Digital First” approach.

Jonathon appears at #RISK London on a panel debate to talk through phishing attacks, their speedy evolution, and how organisations can offset risk. Below, Jonathan takes us through his professional journey so far and introduces some of the key points of his forthcoming #RISK London session.

Could you briefly outline your career so far?

It’s been somewhat unconventional, to say the least. My academic background is in psychology, and I’ve spent most of my career to date with public sector employers – the police, local government and the NHS – working in a variety of information governance, data protection and cyber security roles. More recently I’ve moved into the commercial sector, with a healthcare tech company as their privacy and compliance lead for the UK and Europe.

While it’s not necessarily a ‘traditional’ route into cybersecurity and privacy, it’s become increasingly apparent to me that much of what we want to achieve in those areas is actually a form of applied psychology – understanding what motivates people to do (and not do) certain things; applying an understanding of normal human thinking to designing business processes and software tools to maximise appropriate behaviours; creating training that employs fundamental learning approaches and supporting tools to optimise the efficacy of that training. In that regard, I often think of myself as a “Cyber Psychologist”.

I feel that the industry is currently experiencing a boom, with far more jobs available than there are appropriately skilled people to fill them, and that’s in stark contrast to when I first started in this industry, as roles were much less commonplace then.

I also think that the profile of these types of roles has risen significantly in recent years, partly driven by circumstances, such as the pandemic and the drastic rise of cybercrime, but also by an increasing awareness that effective privacy management and cybersecurity are business-critical.

Could you describe the current phishing attack landscape – what are the latest methods being employed by threat actors to subvert organisational security?

It’s notable that nearly half of these attacks were targeted at traditional public-sector verticals – healthcare, government and education – demonstrating that threat actors are well aware that these sectors traditionally struggle with investment into cyber security when compared with other commercial sectors, and could therefore be more vulnerable to this kind of attack.

It’s also apparent that threat actors are increasingly imitating well-known brands in an attempt to confuse email recipients into parting with security information, with Microsoft, OneDrive and Binance all being commonly-observed in phishing attacks.

There is also evidence of a growing use of phishing “kits” and AI tools to create increasingly effective phishing campaigns, which are much harder for a recipient to identify and consequently avoid. Also, phishing attacks themselves are continually evolving, with vishing and smishing threats now being more common, along with increasingly complex ‘Adversary in the Middle’ (AiTM) attacks potentially capable of bypassing MFA security.

In all, the cyber threat landscape has never been more varied, or more difficult to combat, which places a significant responsibly back onto organisations to ensure that they are able to robustly deal with such threats, which may see them having to move beyond traditional technical solutions and onto more holistic responses.

What are key strategies businesses should be employing in order to mitigate phishing attack risk?

There are never going to be enough cyber security professionals to deal with the ever-expanding and mutating cyber-threat landscape, so I’m always a strong advocate of businesses empowering their whole staff group to combat threats.

This is obviously a little easier said than done, but a firm foundation can be built upon by increasingly raising awareness of and responsiveness to potential threats as a starting point.

At the very least, this should usually entail businesses moving away from relying on the traditional annual cyber security ‘knowledge check’, and towards a more “drip feed” approach – providing regular bite-sized pieces of information and awareness about how to spot phishing threats and how to deal with them safely, alongside establishing and reinforcing a robust reporting and remediation culture, to encourage staff to report things they are unsure or concerned about.

Cyber teams shouldn’t be the police to the rest of the staff group in this regard – obviously if something has gone wrong, it needs to be fixed, but in the long term it’s more beneficial to promote a supportive and collaborative working environment, where cyber professionals can assist staff in mitigating errors and helping them to learn from any mistakes that are made, rather than waste time looking for somebody to blame.

This isn’t to discourage accountability for deliberately malicious or negligent behaviour – rather the intent is to foster a reassuring environment where cyber SMEs can advise and support other staff members. That way, you are positively reinforcing good reporting and awareness behaviours, and making staff your allies, rather than them being concerned about reporting something for fear of reprisal.

In the end, the sooner you can get the whole staff group well-educated and aware about phishing threats, the sooner you will have many more allies in your battle against them.