
πŸ“Show notes:

What does it mean to be cybersmart?

October is Cybersecurity Awareness Month!

This year, the campaign theme is “Do your Part. #BeCyberSmart”.

Aligned with that, Michala Liavaag discusses three ways not-for-profit organisations can become more cyber smart: creating passphrases, using multi-factor authentication, and performing cybersecurity software updates (patching).

More on the Cybersecurity Awareness Month here:


⭐ Found this useful? Please rate and review, as it helps us reach more people

πŸ‘You can also subscribe and share on social media

💬 Contribute to future episodes with your cyber security concerns and questions


🤝 Connect with Michala and Cybility Savvy:

✅ LinkedIn ✅ Twitter ✅ YouTube ✅ Instagram



✍🏾 Written and produced by Michala Liavaag

🎦 Co-produced and edited by Ana Garner video

🎵 Music by CFO Garner


Episode transcript

Welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders.


Hello, I’m your host Michala Liavaag, founder of Cybility Consulting.

It's Identity Management Day, which gives me the perfect excuse to talk about identity. So identity and access management is one of the most fundamental things in security. Without it a security program will not be very effective, because it's important that we know who is working for an organization; maybe there are third parties involved as well. We need to know who they are, where they're working and what information they should have access to, so we can actually implement the controls appropriately. And this all means that we need to have a really good handle on who's actually in our organization and, if we have an HR department, some robust onboarding and off-boarding procedures, including when people move across the organization and take those access rights with them from job to job, as it happens.

So the key elements around identity, when we're looking at this from a process point of view, are identifying and confirming that the person is who we think they are. So HR will typically be doing some screening; they might look at passports, driving licences and such, and that covers that pre-bit, the identification of that individual. Before issuing them with a digital account, it's going to be down to the organization looking at that person's role as to what information they should have access to; therefore they will issue some authorizations to say yes, this person can access this content. And then when that person tries to access that content in a system, that process, whether they're putting in a username, typically a password, maybe multi-factor authentication, that's the authentication part of the process. So we've had the identification, verifying the identity; we've had the authorization about the privileges and the access to the information; we've got the authentication to the system containing the information; and the final piece is around accounting, which is where the system keeps track of all the activity that a user is performing in that system. That can be, you know, as little or as much as is configured, but that's key to make sure that we can actually investigate in the event of an incident.

So what do the industry reports have to tell us about the importance of identity and access management? So the IBM Cost of a Data Breach report, which is done in conjunction with the Economy Institute, is now in its 17th year. They found that the most common initial attack vector is compromised credentials, which was responsible for 20% of breaches, and in their pricing they've got that costing 4.37 million dollars, which, if you compare it to the UK database report, is a little bit different. I would say that, generally speaking, when you're looking at cost of data breaches I tend to go with the IBM report.

Coming on to the recently published UK Government Cyber Security Breaches Survey for 2022, they had a look, in their 10 Steps to Cyber Security, at what people are doing around identity and access management. And the good news is that organizations are now restricting those administration rights, they're looking at their password policies, making those more comprehensive and, most crucially, implementing multi-factor authentication. They found that 87% of businesses were doing this and 77% of charities, so that's a great improvement and we just need to keep up with that.

Now, probably my favorite report of the industry reports looking at incidents is the Verizon Data Breach Investigations Report. It's been going a very long time and the authors have quite a sense of humor. What they found is that 85% of data breaches involve that human element. Credentials are still the most sought after by the cyber criminals because, again, you get access to the network directly. When they look a bit deeper, what they found was that within privileged misuse, 99% of that was down to insiders. Yep, that's people that work for us, that we trust, and unfortunately, typically, perhaps if they're not being paid well or something's not going right at home, they can then be targets for bribery or blackmail. You may have seen recently in the news there have been some really high-profile hacks by a group called Lapsus$, and their technique was to find somebody and bribe them to gain access. Nice and easy, not very technical at all.


So in terms of what we're providing for you today, you've hopefully been following along the past few weeks with the Cybility Tips, where we've covered how to actually create a strong passphrase and, again, about multi-factor authentication. We are providing you with a crib sheet where you can look at 10 key questions that you can ask of your exec team or your IT department to get that assurance that identity and access management is something that's been handled well in your organization. And finally, we're also introducing the new Cybility Concepts, in which we provide some short definitions of some of the key terminology around digital identity. So head over to the website and download those, and we will see you next time.
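The identification, authorization, authentication and accounting chain the transcript walks through, together with its point about joiners, movers and leavers carrying access rights from job to job, as an added worked example in Python. This is not code from the episode or from Cybility: the roles, entitlements, users and passwords are constructed sample data, the password hashing is a plain PBKDF2 stand-in, and the "MFA code" is a shared secret standing in for a real second factor. The last function is the kind of reconciliation check a board could ask IT to run: who currently holds rights outside their present role?

```python
"""Toy IAM model: identification -> authorization -> authentication -> accounting,
plus a joiner/mover/leaver walk-through. Added example; all data is constructed."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os
import secrets

# Role -> entitlements. Constructed sample data; a real organisation would take this
# from HR and its identity provider rather than hard-coding it.
ROLE_ENTITLEMENTS = {
    "finance": {"bank-portal", "payroll"},
    "fundraising": {"donor-crm", "mailing-list"},
    "it-admin": {"admin-console", "backups"},
}

AUDIT_LOG = []  # the "accounting" piece: every decision below is recorded here


@dataclass
class User:
    username: str
    verified_identity: bool  # HR screening (passport, driving licence) completed
    role: str
    entitlements: set = field(default_factory=set)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    mfa_secret: str = ""  # stand-in for a real second factor (constructed)


def log(event, **fields):
    AUDIT_LOG.append({"event": event, **fields})


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def onboard(username, role, password, identity_verified):
    """Joiner: no account until identity is verified (identification); then grant
    only the entitlements of the role (authorization)."""
    if not identity_verified:
        log("onboard_refused", user=username, reason="identity not verified")
        raise PermissionError("identity not verified by HR")
    user = User(username, True, role, set(ROLE_ENTITLEMENTS[role]))
    user.pw_hash = hash_password(password, user.salt)
    user.mfa_secret = secrets.token_hex(8)
    log("onboard", user=username, role=role, granted=sorted(user.entitlements))
    return user


def move_role(user, new_role):
    """Mover: replace the old role's rights with the new role's, rather than letting
    them accumulate; returns the rights that were revoked."""
    revoked = user.entitlements - ROLE_ENTITLEMENTS[new_role]
    user.entitlements = set(ROLE_ENTITLEMENTS[new_role])
    user.role = new_role
    log("move", user=user.username, role=new_role, revoked=sorted(revoked))
    return revoked


def offboard(user):
    """Leaver: revoke every entitlement and disable authentication."""
    user.entitlements.clear()
    user.pw_hash = b""
    log("offboard", user=user.username)


def authenticate(user, password, mfa_code):
    """Authentication: password plus second factor, compared in constant time."""
    ok = (user.pw_hash != b""
          and hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
          and hmac.compare_digest(mfa_code, user.mfa_secret))
    log("login", user=user.username, success=ok)
    return ok


def access(user, resource):
    """Authorization check at access time; every attempt is accounted for."""
    allowed = resource in user.entitlements
    log("access", user=user.username, resource=resource, allowed=allowed)
    return allowed


def access_creep_report(users):
    """Reconciliation: users holding entitlements outside their current role."""
    report = {}
    for u in users:
        extra = u.entitlements - ROLE_ENTITLEMENTS[u.role]
        if extra:
            report[u.username] = sorted(extra)
    return report


def demo():
    """Joiner -> mover -> leaver walk-through; returns the outcomes for inspection."""
    try:
        onboard("bob", "it-admin", "pw", identity_verified=False)
        refused = False
    except PermissionError:
        refused = True
    alice = onboard("alice", "finance", "correct horse battery", identity_verified=True)
    login_ok = authenticate(alice, "correct horse battery", alice.mfa_secret)
    login_bad = authenticate(alice, "wrong password", alice.mfa_secret)
    payroll_before = access(alice, "payroll")
    revoked = move_role(alice, "fundraising")
    payroll_after = access(alice, "payroll")
    alice.entitlements.add("payroll")  # failure mode: a right handed back informally
    creep = access_creep_report([alice])
    offboard(alice)
    login_after_leaving = authenticate(alice, "correct horse battery", alice.mfa_secret)
    return {"unverified_refused": refused, "login_ok": login_ok, "login_bad": login_bad,
            "payroll_before_move": payroll_before, "revoked_on_move": sorted(revoked),
            "payroll_after_move": payroll_after, "creep": creep,
            "login_after_leaving": login_after_leaving,
            "audit_events": [e["event"] for e in AUDIT_LOG]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit log is what makes the incident investigation the transcript mentions possible: every refused onboarding, failed login, denied access and revocation is a record, not just a side effect. The access-creep report is deliberately a separate read-only query over the user store, so it can be run periodically regardless of whether every move was processed correctly.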