Skip to main content

Watch on YouTube

Listen to the Podcast


Check out the show description

📝Show notes:

What can we do so our products, services and processes have security built in by design and enabled by default?

 In this episode, Michala Liavaag talks about how not-for-profit organisations can think Cybersecurity first.

This is the last week of CyberSecurity Awareness Month, but Cybersecurity isn't just for October - #BeCyberSmart throughout the year.


Found this useful? Please rate and review, as it helps reaching more people

👍You can also subscribe and share on social media

💬 Contribute to future episodes with your cyber security concerns and questions


🤝Connect with Michala and Cybility Savvy:




✍🏾Written and produced by Michala Liavaag

🎦Co-produced and edited by Ana Garner video

🎵Music by CFO Garner


Read the episode transcript

Welcome to Cybility Savvy the show that demystifies cyber security for not-for-profit boards and leaders

Welcome back I'm your host Michala Liavaag founder of Cybility Consulting

It's still October which means it's still cyber security awareness month.

Final week, we're going to be focusing on what does cyber security first mean? Now if you cast your mind back a few years when the general data protection regulation came out and everyone was scrabbling around you may recall the phrase “privacy by design and default”. Now the same thing is true of security we should really be looking at building security in, whether it's into products, services, the business processes to deliver those services. Whatever it is security should be built in by design and enabled by default.

Now that last piece is really quite important because I do unfortunately see a lot of organizations you know they've forged ahead with this digital transformation through the pandemic and what they've assumed is that when they've moved things to the cloud that it's fine, it's secure, and that things are secure by default. Now unfortunately historically this was not always the case and actually in some controls it's still not the case. So, whether it was putting information into Amazon buckets, and being misconfigured and being available to everyone on the internet. Or whether it's Microsoft releasing a security feature, but leaving it turned off instead of enabling it by default to help people. Just bear in mind as leaders that when you're involved in procurement and any of these sorts of changes get people to think about security from the outset when they have the initial concept of what they want to do. By actually thinking about security upfront if you're lucky enough to have security personnel in your organization involving them at the start will actually make life a lot easier in delivering what it is the change that you want to deliver.

So as leaders you are usually a project sponsor or project executive responsible for driving change through the organization. This means that you are in a really excellent position to put cyber security first and foremost in to the design so that means having those criteria in the business case because cyber security unfortunately does have a cost it doesn't always have to be expensive, but it is there. So, if your business case doesn't include the costs associated with securing whatever it is that that change is then it's going to be much harder to try and secure the budget, and retrofit things afterwards. So, involve your security contacts at that point. If you have them on staff, great, if you don't then work your network or engage a consultancy.

Now after the business case again in project initiation document when you've got a lot more sort of meat on the bone as it were, have you got the right stakeholders involved? Are security involved in signing off? As you actually work through the project you know what security and privacy processes are in there? How about information governance and records management control processes? All of these things if they're thought about at the start it will make everyone's life a lot easier and from your point of view if you're trustee on the board this is much better in terms of a good robust control environment that's going to help mitigate those information related risks.

Now a common error that I see is where people think that they understand the change and assume no there's no security involved in that, we don't need to consult them. When actually if you had consulted them they'd have been able to say to you: actually that fridge over there interconnected for medicine or whatever it might be, if it's connecting to our network then it's a security risk so we need to put controls in place to manage it. If you think just in your day-to-day life now how many of us have these smart interconnected devices in our homes and you know about our person with all these wearables now as well. Increasingly they're moving from the consumer space in the home into business.

Now whilst the government has introduced standards in the UK around the Internet of things to try and put the owners and the manufacturers and the developers to actually secure things again by design by default, it's still on us as consumers as business leaders to ensure that we actually check these things when we put them into operation. So that might be changing default passwords, it might be getting familiar with the security controls that are available, and determining are they on or off, you know little things like this. And again, as you just don't necessarily have to do this yourself but be asking the questions, is somebody doing this for you? And then remember in the home your friends and family are you helping them secure themselves or is somebody else helping you? Spread the word because as we do that and raise that bar across the country then we will be in a better position in terms of you know cyber security across the nation.

So, I've talked previously in an episode about how as leaders you will be making decisions around financial investment across the organization, not just in security. So, something that I've seen a fair bit is where, as leaders you've declared what the policy is and the board signed off on it, and the missing piece can be that financial investment or the communication to middle management of the financial investment available to them, for security controls. For example, you might have decided that actually because you've got lots of staff who are commuting that they're allowed to do some work on the train to make the most of that time, because it's often if they're traveling between sites counted as work time. But are you giving them the tools they need to do the job? Does the laptop they've been issued with have a built-in privacy screen? If not, does the manager know that it's safe to actually spend the money to buy one? Have they had specific training about how to secure themselves whilst on the move, both digital information and paper-based information? Just yesterday there was an amusing tweet I say amusing as a cyber security professional it probably wasn't, about a lady who was sat in an airport wishing that the lawyer sat next to her actually understood client confidentiality. Next time you're commuting have a look around, what are you seeing? And if you feel confident about it, I encourage you to challenge and help others understand what the potential impact is of you seeing their sensitive information. It’s not for everyone but we all have a part to play both in work and in our daily lives

So that brings us to the end of October already so bye bye black history month, bye bye breast cancer awareness, bye by cybersecurity, no no.  you need to continue with cyber security throughout the year, it’s not just for October. Continue to do your part and be cybersmart.