
Call for better training and collaboration after O2 Academy Brixton incident

Stuart O'Brien

London’s Metropolitan Police have submitted an application to Lambeth Council for a review of the O2 Academy Brixton’s licence and will be seeking its revocation following the crowd surge at the venue in December last year, in which two people lost their lives and others were left in a critical condition.

Speaking to Total Security Briefing, Kieran Mackie (pictured), Managing Director at security specialist Amulet, said that closing the iconic venue would be a shame, and that the real issue lies in inadequate funding and training of security staff to handle such situations.

He called for the police and the venue operators to work together to restore the Academy to the great, fun venue it has always had a reputation for being.

“This announcement from the MET Police is sad to hear as O2 Academy Brixton is an iconic venue,” said Mackie. “In my opinion, this is an example of why we need tighter legislation and better training of security personnel to reduce the risk of incidents like this.

“The outcome of the incident in December shouldn’t be the closing of venues through the withdrawal of licences, it should be the Police and the venue working together with the security company to provide better training, guidance, and service provision to ensure that the venue is safe rather than shutting it down altogether. I am sure if correctly staffed and managed by a responsible, well-trained security team, the venue could be operated safely for many more years to come.

“The issue is that margins are tight in the security industry and people look to provide the minimum they can to make venues safe and keep costs low. Having the correct number of staff and ensuring that all security employees are trained correctly and briefed fully on the venue and the event should be the bare-minimum requirement, not an aspiration.”

Keeping cybersecurity initiatives on track

Guest Blog

West Midlands Trains has come under fire after workers discovered that an email promising them a bonus payment for running trains during the pandemic was actually a phishing simulation test.

Around 2,500 employees received a message which appeared to come from Julian Edwards, Managing Director of West Midlands Trains, thanking them for their hard work over the past year under COVID-19, and that they would get a one-off payment as a thank you.

However, those who clicked through on the link were then emailed back with a message telling them it was a company-designed ‘phishing simulation test’ and there was to be no bonus. The email warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”

Since the test was revealed, the train operator has faced a media backlash for promising a fake financial reward to deserving teams. However, the modern threat landscape is constantly evolving, and it’s vital that businesses prepare their workforces against any type of threat. So was this a good test of resilience? Andrea Babbs, UK General Manager, VIPRE, explains...

Fight Fire with Fire

In order to be successful in the fight against cybercrime and protect the network, businesses should not be afraid to fight fire with fire and sometimes stoop as low as the phishers themselves – who have no morals. By using a powerful message and incentive such as the suggestion of a bonus provided by West Midlands Train Service, businesses can gain valuable insight into how their employees could be tricked into clicking on a phishing link, and why they need to ensure their staff are trained for any type of attack.

However, the test has clearly upset West Midlands Trains’ employees, and could have been done in a less dramatic way so that it wasn’t ethically or morally questionable, particularly during a pandemic in which frontline workers, like those in the transport industry, have continued to put themselves at risk over the last year. The idea of a bonus in the current challenging environment seems a deserved act of recognition for their above-and-beyond service – but for this to be a test, rather than the promised reward, is particularly hard-hitting for those involved.

Finding the Balance

It is vital that organisations take the time to train and educate their staff so that they become an additional line of defence in the organisation’s cybersecurity strategy. However, IT teams also need to rely on users’ goodwill to encourage them along the cybersecurity journey. This test by West Midlands Trains may have damaged that goodwill, and could disillusion some members of staff.

Rather than mentioning a bonus, the train service could have mentioned a change to pay, or date of payroll. Both of these statements would have had the same instinctual reaction in employees, without having heightened emotions surrounding the letdown of a non-existent bonus.

Importance of Education 

Regardless of the incentive behind the West Midlands phishing test, the fact that employees clicked on the link highlights the need for businesses to perform these types of tests in the first place.

Cybercriminals will stop at nothing to get users to click on a phishing link, download a malicious attachment or fill in their details on a forged website, and will use personal or professional information to lure them into doing this.

Therefore, employees need continuous training to identify and avoid these attacks. Going forward, businesses that are looking to deploy such phishing tests should use less emotive topics to test their users, in order to avoid any ill will or backlash from their employees and the media.

One way to achieve this is to implement Security Awareness Training programmes that incorporate real-life situations, including phishing simulations that are less emotive. This educational material helps organisations reinforce crucial threat-prevention messaging and educates workforces on how to protect both the business and themselves.

NCSC roleplay exercise educates home workers on cyber risks

Stuart O'Brien

Business owners are being urged to help keep their home working staff safe from cyber attacks by testing their defences in a roleplay exercise devised by the NCSC.

The ‘Home and Remote Working’ exercise is the latest addition to the National Cyber Security Centre’s Exercise in a Box toolkit, which helps small and medium sized businesses carry out drills in preparation for actual cyber attacks.

Launched last year, the toolkit sets a range of realistic scenarios which organisations could face, allowing them to practise and refine their response to each.

The latest exercise – the tenth in the series – is focused on home and remote working, reflecting the fact that for many organisations this remains a hugely important part of their business.

Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, said: “We know that businesses want to do all they can to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that.

“While cyber security can feel daunting, it doesn’t have to be, and the feedback we have had from our exercises is that they’re fun as well as informative.

“I would urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks.”

The exercise follows a range of products developed by the NCSC – which is a part of GCHQ – to support remote working during the coronavirus pandemic, including advice on working from home and securely setting up video conferencing.

The new ‘Home and Remote Working’ exercise is aimed at helping SMEs to reduce the risk of data compromise while employees are working remotely.

The exercise focuses on three key areas: how staff members can safely access networks, what services might be needed for secure employee collaboration, and what processes are in place to manage a cyber incident remotely.

Some of the most popular exercises include scenarios based around ransomware attacks, losing devices and a cyber attack simulator which safely imitates a threat actor targeting operations to test an organisation’s cyber resilience.

As part of the exercises, staff members are given prompts for discussion about the processes and technical knowledge needed to enhance their cyber security practices. At the end an evaluative summary is created, outlining next steps and pointing to NCSC guidance.

Exercise in a Box is an evolving tool and since it was launched the NCSC has continued to work on the platform. It has recently been given a new refreshed look to make it even more intuitive for users and soon micro-exercises – ‘bite-sized’ exercises that focus on a specific topic – will be added.

Jonathan Miles, Head of Strategic Intelligence and Security Research at Mimecast, said: “This new NCSC tool is a fantastic measure and will be welcomed universally as the threat of cyber attack continues to rise. In fact, our State of Email Security shows that 91% of UK organisations believe their organisation’s volume of web and email spoofing will increase in the coming year, while 59% of UK organisations have observed an increase in phishing attacks over the last year. It’s important that organisations prioritise cyber security, especially at a time where remote working has become the norm and connecting corporate devices via the home router becomes commonplace. This provides greater opportunity for malicious actors to infiltrate and obtain sensitive corporate data through unsecured home devices, so it’s important that businesses educate their staff on the tell-tale signs of compromise and the benefits of good cyber hygiene practices.

“Regular cybersecurity awareness education is also key. Our State of Email Security report found 56% of organisations don’t provide awareness training on a frequent basis, leaving organisations incredibly vulnerable. This is supported by further research which found that enterprises that didn’t utilise Mimecast awareness training were 5x more likely to click on malicious links than those companies that did. Often such training and education exercises may be viewed as burdensome or tedious, but it’s crucial that organisations work to change this perception, and using tools such as these provided by the NCSC and others can significantly help. Our research has identified that awareness training which is fun, interactive, and done in intervals can significantly help with retention, in addition to bolstering cyber defence in depth.”

You can sign up for Exercise in a Box or find out more about it on the NCSC’s website.

Coronavirus: Guaranteed funding needed for security training providers

Stuart O'Brien

Calls have been made for the government to protect funding for independent training providers during the ongoing COVID-19 outbreak.

The call, from Skills for Security, apprentice trainers to the fire and security sector, follows guidance released by the Department for Education (DfE) which states that policy “does not allow payment for services in advance of delivery”, meaning that funding for apprenticeships cannot be paid until the training has taken place.

Skills for Security, which operates under the British Security Industry Association, believes the omission of support from the DfE for apprenticeships and other skills training is a ‘complete turnaround’ after the Secretary of State guaranteed funding support for mainstream further education provision. The latest guidance excludes any independent training providers who deliver adult education, apprenticeships and other forms of training, although colleges will continue to receive guaranteed funding even though they are technically independent providers.

Skills for Security says there is concern that anyone providing this type of education is in danger of going out of business, given the likelihood of a dramatic fall in attendance, or of apprentices being unable to attend online training because their firm is providing key worker services and the demand on the apprentices’ time means they are unable to participate in the new online model.

Skills for Security are therefore calling for the Government to consider:

• All independent training provider contracts should be paid on profile whatever the current performance, and levy apprenticeships paid based on the prior six months’ delivery.

• If funding is maintained, providers will commit to not furloughing staff relating to delivery, thus saving the Treasury a significant amount of money.

• Guarantee the next month’s funding to allow time to sort through the details and how the model might work.

David Scott, Managing Director, Skills for Security, said: “We are incredibly concerned that this omission of financial support will have a dramatic effect on our business as a leading provider of fire and security apprenticeships in our sector. Although we have had a 90% remote access participation for this week’s training, the following week at present is less than 50% and, based on the Government’s statement, this will have a serious effect on our finances.

“If providers cease trading or furlough substantial numbers of staff then apprentices, learners and employers who want to continue training will lose their provider and many of these learners will be left with no support. If we are unable to guarantee funding there is every chance the industry will lose capacity and increase levels of unemployment, with a low possibility of upskilling those in the workplace.

“The lack of support from the DfE is not only going to affect our current financial and operational performance, but the long-term effects may mean we will not be able to reach our full potential in ensuring the fire and security industry has an appropriate number of apprentices trained. Before this impact of the Coronavirus (COVID-19) the security industry reported a skills shortage of 30,000 engineers needed to service customer requirements. Skills for Security’s significant expansion in its training resources and provision ensured we can meet the increase in demand for apprenticeship training nationally.”

Industry Spotlight – EOS Risk Group: Employment training – a necessary expense?

Jack Wynn

There are a number of qualifications employers require individuals to gain before they are considered for numerous positions in the sector, including close protection operative, maritime security officer, security manager or risk advisor. This is no secret and is widely viewed as the ‘status quo’, but does the need for training stop there?

Some would argue the requirement is in place to ensure those recruited are completely suitable and have previous experience, and are therefore fully qualified to fulfil the job duties without the need for additional training. Of course, security professionals investing financially in appropriate qualifications is vital to securing a sought-after position, but even more crucial is post-recruitment training provided by the employer.

How many contractors will go out of their way and pay for additional training when a dreaded document renewal isn’t required? It’s safe to assume the majority will not pay for a renewal they are not required to evidence. Therefore, employers may look to provide training to their contractors. This isn’t to replace the need for third-party accredited training, but simply to provide the opportunity to upgrade skills. If training courses aren’t completed when off rotation, where are new skills learnt and existing skills refreshed?

Employer training also allows the employer direct interaction with their workforce. It makes sense to ensure the personnel delivering such products are completely up to speed and can call on their training whenever required. A generalised guess would be that very few contractors have received training on the ground from their employer. The reasons why are complex, but the main explanation is cost. Inevitably, it is vital to keep costs in mind to ensure profitability, but the benefits of employer training offset this cost in both money and time.

Contractors may have only seen a company representative during the recruitment process, therefore this face-to-face interaction with the employer is extremely valuable and morale boosting. This also provides a way for employees to voice issues. By being proactive and delivering training, companies open a dialogue with contractors which may give them ‘on the ground’ insight they would not have access to otherwise. The main benefit of training remains that in highly volatile environments, security professionals need to call on skills at a moment’s notice. If the skills in question are regularly practised and refreshed through training, this will make a crucial difference in a hostile situation.

Therefore, is it not part of the duty of care by the employer to provide training to personnel on the ground, to better improve their operational capabilities? Training also allows employers to assess the ongoing competency of their contractors and identify training needs.

Security contract budgets can be constraining, and the value of offering continuous training is not recognised by many organisations. However, in a competitive market, a focus on training and continuous development makes the difference from one provider to the next. A company can recruit contractors who are experienced and may not be seen as needing additional training, but through lack of regular training, even the most capable security professional can make mistakes. We have seen all too recently certain industries failing to comply, and the cost of that failure. Companies fail to invest in training their contractors in order to reduce expenditure, but the potential consequences of a lack of training come at a much greater cost.

Words by Richard Baskeyfield, senior co-ordinator, Training & Recruitment at EOS Risk Group

Industry Spotlight: How can we address the cyber security skills shortage?

Jack Wynn

Various industry research studies suggest that many businesses of all sizes are ill-equipped to address cyber security threats, leaving them vulnerable to hackers.

According to NTT Security’s Risk:Value 2016 report, while most decision makers admit they will be breached at some point, just half agree information security is ‘good practice’. This raises the question as to why businesses are holding back from minimising the effects of an impending breach. Some argue there is a lack of internal resource to keep up with the growing threats, indicating that it is no longer possible for many organisations to tackle all aspects of security in-house.

Organisations are left under-skilled and under-resourced in security terms, and this is evidenced by a recent cyber security talent report, which estimates there are 1m unfilled security jobs worldwide. This is unlikely to change in the near future and could get worse – with Frost & Sullivan predicting there will be 1.5m unfilled jobs by 2020.

According to the firm, security analyst tops the list of positions that are in most demand, with 46 per cent reporting a staffing deficiency at that position, followed by security auditor (32 per cent), forensic analyst (30 per cent) and incident handler (28 per cent).

Information security needs to be seen as a career choice, with greater awareness in schools and colleges globally in order to attract more people into the profession. Until then, companies need to think carefully about a future that relies on getting by with existing resources or outsourcing some or all of their security operations.

An organisation’s IT team will be grounded in IT fundamentals and daily business operations, so would be well placed to take on roles in cybersecurity. Security experts need a great mix of technical and soft skills, which are usually honed over many years. They need to know how to communicate effectively with non-IT colleagues and understand business processes, compliance and analytics. They also need to have a genuine interest in cybersecurity.

Training staff is a long-term investment, but technology products change faster than an organisation can train its team. A commitment to training and professional development is a strategic decision needing budget. There’s the cost of training, as well as the length of time it takes to train each person while keeping skills and certifications up-to-date. Plus, when people leave, you have to start the process over again.

Investing in internal resources therefore isn’t an option for a large number of organisations. Almost half of companies worldwide lacked in-house security skills, according to Frost & Sullivan’s 2015 (ISC)2 Global Information Security Workforce Study, while a third plan to use managed and professional services to address these skills shortages.

Outsourcing some or all of an organisation’s security operations to a Managed Services Provider can alleviate the problem. A trusted provider will know how and where to find the right experts, invest in training and improving professional qualifications, and continuously monitor an organisation’s network round the clock. If companies find they don’t need to fully outsource their security operations, they can use an MSSP to fill specific gaps, such as incident response.

There’s no silver bullet in terms of training internal resources or hiring new resources, but there’s never been a more important time to address the skills gap.

Words by Stuart Reed, senior director at NTT Security