
Upon arriving at the second day of festivities at Infosecurity Europe, attendees were shepherded to a reception area. Here, they proffered their registration QR codes on their phones to waiting scanning equipment, which, after a few seconds of whirring and clanking, saw those same details reproduced on A4 paper by a nearby printer. Visitors were then directed to what can only be described as a large bucket housing cardboard lanyards into which, after folding the paper, attendees could stuff their credentials for all to see.
All this was a timely reminder that, sometimes, the simplest bits of technology – if you can call a printout ‘technology’ – can turn out to be the most practical. As Bentsi Benatar, co-founder of Sepio, explained, hackers don’t shy away from the challenge of hacking pagers, printers or even computer mice with the end goal of infiltrating a target organisation. Even biometric sensors, said Benatar, were at risk of subversion.
“Instead of using silicon finger fixtures and chemicals,” he explained, “it was implanted with a BeagleBone board, which is a very simple board that carries a USB proxy payload in order to bypass the biometric measure.”
This, of course, is hacking at its most ingenious – but, as Dr Jason Nurse alluded to in his discussion of CybSafe’s latest paper on the psychology of cybersecurity in the modern workplace, cybercriminals don’t have to be geniuses to manipulate your typical employee’s attitudes toward securing their workstation. Most individuals, said Nurse, approach cyber insecurity as a minor inconvenience: “They aren’t thinking, day to day, how to be secure.”
That necessitates some measure of badgering of staff by the security operations centre (SOC) to keep their passwords complicated and, more importantly, updated. Not only is compliance with these diktats complicated by the usual prejudices of the employee (44% of those surveyed said that it was the responsibility of workplace IT, not the individual, to secure the company) but also by generational attitudes toward technology.
But some generations are more attentive than others. Younger employees feel more at risk from being targeted by cybercriminals than their older peers, while Gen Z are much more likely to be using AI. These divides are also apparent in the methods by which each cohort prefers to receive cybersecurity training, with older staff preferring written materials and younger employees embracing video tutorials.
Encouragingly, all employees surveyed appeared to appreciate the danger posed by phishing emails and insecure passwords. Interestingly, however, apathy towards forwarding each and every example of a phishing attempt to the SOC persists. Of those who don’t bother forwarding these messages, 71% said they would do it if it helped stop cybercriminals, while 60% said they would if they saw something happen as a result. These individuals, said Nurse, “don’t believe anything makes a difference — so why continue to report?”
ROI discussions at Infosecurity Europe
The obvious conclusion to draw, said Nurse, was that corporate cybersecurity should cater to attitudinal differences among different generations of employees and, additionally, be transparent in what measures are effective and which are not. Using behaviour analytics as a way to argue for increased cybersecurity spend, however, isn’t always a strategy that works, as KPMG’s director for cyber, Dr Jon Davies, explained to BBC News’ Joe Tidy on the keynote stage.
“It got shot down straight away because they saw it as being too intrusive,” recalled Davies, in reference to how his team had used statistics on staff interaction with cybersecurity software as the crux of their argument for new investment. For the board, it gave the impression that some kind of ‘Big Brother’ system had been imposed on employees. “We just put it in the wrong language.”
Close Brothers’ CISO Munawar Valiji advised that the best approach for arguing for new cybersecurity investment from the board was simply, for want of an alternative term, to simplify. “We’re seeing such an emergence of complexity in terms of the way we visualise security, how we manage risk, how we respond, how we go into, now, simulation and crisis management, that it becomes really difficult to process and articulate [all that] internally to the board,” said Valiji. “But if you break it down to its component parts, it makes it easier to digest.”
Some company boards wait until it’s too late before acting. That was the message from Mikko Hypponen, Infosecurity veteran and the chief research officer at WithSecure. In his speech about the past, present and future of ransomware, Hypponen led delegates through a tour of the malicious programs at their most basic – the medium began life as a floppy disk suffused with malware – to their most sophisticated and devastating. But, he concluded, the situation is broadly improving, with companies proving increasingly attentive toward patching the kinds of vulnerabilities and building the kinds of backups that ransomware gangs respectively prey on and detest.
“If you worry about fire as a risk, nobody’s trying to burn down your factory every day, every week, over and over again until they succeed; that’s not a thing, you don’t need to worry about that,” said Hypponen. “However, these guys are trying to break into your network every day, every week, over and over and over again and, if they succeed, they will shut down your company just as well as a fire or a flood would.”
Infosecurity Europe was held at the ExCel Centre from 3-5 June 2025