Dr Emma Philpott MBE, CEO of IASME speaks exclusively with Security Journal UK.
There are few security sectors which have experienced significant growth over the past decade like that of cyber. Where many of the traditional concerns relating to cybersecurity were once looked at from a wider, more reactive perspective, those prone to attacks are not just financial institutions and critical national infrastructure sites – in 2022, at the heart of the cyber-victim pool remain small businesses and organisations.
Throughout the past two years – particularly as a result of home and flexi-working following the implementation of nationwide COVID-19 restrictions in March 2020 – the landscape has changed drastically and the fundamentals of good cyber practice are becoming more valued than ever before. With statistics published by the National Federation of Self Employed & Small Businesses suggesting that SMEs account for three fifths of the employment and around half of turnover in the UK private sector, the need to safeguard this population from hostile online activity is critical to both economy and social stability.
One of the individuals spearheading the growth of the UK cybersecurity sector through her work with businesses and organisations is Dr Emma Philpott MBE, CEO of IASME. Reflecting the need to offer straightforward certifications which secure businesses of many sizes, the consortium is founded on the principle that ‘basic cybersecurity is an essential requirement for the supply chains of all organisations’. In this exclusive interview with Security Journal UK, Philpott shared her advice on how businesses can improve their cybersecurity, what the threat landscape looks like in 2022 and why diversity and inclusion is so important to IASME.
From emerging tech to cybersecurity
A material scientist by trade, Philpott completed a BA and MA in Natural Sciences at the University of Cambridge, St Catharines College and worked in this industry for much of her career; during this time, she worked with a host of small businesses who were commercialising the nano technology sector. “Sadly, when the financial crisis arrived, not many people were investing in this technology,” explains Philpott.
“However, everyone I met in Malvern was investing in cybersecurity which, in itself, is an emerging technology. If you are a small company such as a shop or a plumbing business, typically, you want to advertise and sell locally. On the other hand, if you work in nano tech, you have to look across the whole country and across the globe. It is a very different business and I found, during this time, that my expertise in nano technology was very valuable to the cyber world.
“After helping to establish the Malvern Cyber Security Cluster, an organisation where people meet to speak about ideas, more of these were established across the UK. It was really about supporting small companies working in the UK cybersecurity sector; during a period which was heavily dominated by the defence primes, this was a significant challenge. It was all about building one, resolute voice that had its own status in comparison to the major players within the industry.”
Philpott admits that when she was first starting out on this path, there were far less people who had a strong interest in cybersecurity. In many ways, the sector was seen as “high end” and somewhat irrelevant to most smaller associations and businesses. “It all changed when Cyber Essentials was launched by the UK government; a stronger market was established and our sector has experienced significant growth ever since.
“When I first started the clusters, you could only join if you worked in cybersecurity. Once Cyber Essentials got going and the market changed however, I noticed that many companies and organisations had a strong, professional interest in cybersecurity as part of their core offering. For example, whilst your job may be in accountancy, the reliance we have on digital technology for finance these days means that you have an interest in cyber.”
Making cybersecurity understandable and affordable
In the world of cyber and information security, when the pandemic hit, it was frightening. As the mentality of hostile actors switched, so did the technology that enabled transactions, meetings and personal business to be conducted. With many people working on everything from old iPads to gaming computers, the landscape changed significantly and, in turn, this impacted the way in which Philpott and IASME conducted assessments. Philpott elaborates: “One of the first questions we used to ask was: ‘Do you have any staff working from home?’
“Now, with the rise in home working, it has become the norm for a lot of businesses, even in 2022. Where it is relatively easy to secure a large office network, when everyone is using a host of random VPNs, devices and routers, the problem is deepened. We have to think about cybersecurity in a completely different way – we have to ask questions and think differently.
“At IASME, we try and make things understandable. I had very kind people who explained cybersecurity to me in simple terms when I was starting out and that is what we try and do for businesses and organisations. IASME are still a relatively small company and we can relate to those that need certification and support without breaking the bank. There should be free, understandable guidance which helps keep smaller companies secure. Whilst our certificates are, at the end of the day, a product, we need to also ensure that we are simplifying cybersecurity.
In 2021, IASME launched a readiness tool that takes you through a host of questions written by a technical team member and re-written by a non-technical individual. In doing so, those who are not as equipped with cyber vernacular can understand the fundamentals far more easily. “Nowadays, as many of us are working from home we have to take the cloud into account,” Philpott continues.
“Cybersecurity has become more complicated than ever before. Not long ago I asked my technical team: ‘How would I know if I was using a cloud service or if what I am using is on my computer?’ These are the questions that need to be answered. This is how we can help people understand security. What IASME brings is affordable, understandable guidance. Until Cyber Essentials came along, the first thing you had to do was do a risk assessment – but, how can you do a risk assessment if you do not understand risk? Asking organisations and businesses to do this can be complicated and we want to simplify the process.”
Supporting businesses, organisations and individuals
Whilst IASME does not specifically conduct the assessment process for the Cyber Essentials scheme, the consortium does conduct all the training and auditing for approximately 270 UK certification bodies. When auditing the major schemes in place, Philpott and her team work with them and offer advise along the way. Having formed strong relationships with most key certification bodies, IASME also offers businesses and organisations a range of non-government associated certification schemes including: IASME Governance; IASME IoT Security Assured; IASME Counter Fraud Fundamentals Scheme and Civil Aviation Authority Assure Scheme.
Looking at the current landscape, Philpott remarks: “For organisations, ransomware is continuing to rise. A lot of it, however, can be stopped by the available schemes. Putting in the basic preventative methods is vital and IASME is here to help those who need it. Ultimately, it is about the journey, not the destination.
“As we look ahead, we are continuing to investigate the best ways in which we can help protect vulnerable people within our communities from cyber-enabled fraud. By balancing affordability and effectiveness, we hope that this will reduce the amount these attacks happen. It is becoming a pandemic of its own and people are losing their life savings, not to mention their confidence and sense of trust online. There are serious repercussions beyond that of just financial loss.”
Whilst cybersecurity and the support of organisations and businesses is naturally at the top of IASME’s agenda, so is diversity and inclusion. Philpott told us that when her daughter was diagnosed with autism, she further recognised how important it was to encourage career opportunity and inclusivity in a variety of industries and across society in general. “Through her, we met a charity called ASPIE which was a meeting place for neurodiverse adults,” adds Philpott.
“Many of those who attended ASPIE were extremely clever and gifted individuals, yet the majority of them did not have careers as a result of severe depression and anxiety. The more I learned from these experiences, the more I realised that many of these individuals’ skillsets would be extremely suited to the world of cybersecurity. So, we started some training courses at IASME and the UK Cyber Security Forum whereby we train up unemployed, neurodiverse adults and support them as they develop skills and careers in the world of cyber.
“Whilst we stopped this as a result of the pandemic, it is starting up again now in 2022. The first cohort of those who learned on this course, 14 people, were employed by IASME. It is extremely challenging being such a diverse company, however by putting in the effort to remain cohesive, you create an amazing organisation that can overcome any challenge. By chatting about even the most trivial of issues, we come up with creative ideas and solutions.”
To find out more information about the work of IASME and how they are helping businesses and organisations to become more cybersecure, visit: https://iasme.co.uk/
This article was originally published in the March edition of Security Journal UK. To read your FREE digital edition, click here.