Episode #66 Cyber Psychology with Ben Jones
The world has changed in so many ways in the past year and having a digital and online presence is fundamental. Criminals are just as likely to disrupt a small business as they would a major enterprise. The threat is real, and these days for businesses to thrive and survive, it’s imperative they prioritise security.
Ben Jones has a simple mission: to secure small business. Ben started his career journey as a psychologist caring for teens with cancer, moved into pharmaceutical sales, and in recent years he has joined the cybersecurity space. Join us as Ben shares how his psychology career assisted his move into the cyber security world; we also discuss cyber dissonance and Ben's business, Jumpstart.
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today's guest is Ben Jones. Ben's mission is simple, he wants to secure small business. There's no panacea to the threat of cybercrime. But you can take a measured approach to reducing your risks. Today, criminals are just as likely to disrupt small business as they would a major enterprise. And the world has changed in so many ways in the past year and having a digital and online presence is fundamental. To thrive and survive, it's imperative that you prioritise your security. And so Ben works tirelessly to deliver what is most important to business owners, which is certainty. And he believes that it enables them to focus on running their business, not on running security. Ben, it is great to have you chatting to me on the podcast today.
BJ: Thank you, Claire. It's wonderful to be here. And yeah, very grateful to have the opportunity to speak to you, thank you.
CP: So you're actually a psychologist running a cyber security start-up, how did you get to here?
BJ: Yeah, my background in my first sort of career life was, yeah, I studied psychology and then went into the caring profession. So worked with young people in oncology. So I worked specifically in a very sort of niche of teenagers with cancer, so did a lot of end of life care, or when they were going through chemotherapy or radiotherapy. I guess the relationship was really just about helping people come to terms with sort of the end of their life or a pretty dire situation that they were in, they find themselves in. And in teenagers, cancer is quite aggressive because they're going through puberty, so cellular growth is often accelerated. And diagnosis is often late stage because presentations are quite a difficult thing for a teenager with cancer. So yeah, I did that for many, many years. And it was a real privilege to work with young people. But yeah, upon reflection, it's a million miles away from, I guess, cybersecurity. But I'm very grateful to have had the honour to work with those young vulnerable people. And I worked with some great organisations in some great hospitals. And, you know, ultimately that workstream, or that profession, got me to move to Australia as well. So I was gifted that. I've got my family here now, after 16 years. I worked for a great organisation called Canteen here, you might remember they do the bandanas every year. And that was a little bit of a departure because we could work with teenagers whose Mums and Dads had been diagnosed or died as well, or brothers and sisters. So it wasn't just the patients, it was all that sort of holistic view of everyone that's impacted by cancer diagnosis. So yeah, and then I got to sort of my early 30s and decided I want to go into business. And I joined a big drug company, AstraZeneca, which is topical at the moment. And they were great because they sort of really, being such a big business, they really invested in me and learning how to do sales.
And I worked as a GP rep, started right at the bottom, and worked my way up in, like a little Camry and little bag full of free stomach tablets for doctors and went and bought sandwiches for them. The company was very good to me. And I did very well at that company and they accelerated my growth professionally. And I was very grateful for that organisation for giving me the opportunity. And I went into some other things. But I ended up in cyber four or five years ago. And the minute I joined I really enjoyed it. It's been a really good industry. And obviously at the moment, it's going crazy. I guess then to draw the parallel how one serves the other, I would have always thought that there was nothing in common between the two. But as I lead this business sort of into the next financial year, I've never been more grateful to have had that educational background and clinical experience. Because ultimately, I really feel that cybersecurity is about behavioural change.
CP: It's a good segue into another question I want to ask you about. I've heard you speak before and particularly about cognitive dissonance in security. And I'm keen to understand it and I guess share with the listeners what, what is that? And how do you think that impacts organisations from a cyber perspective?
BJ: Well, the term of cognitive dissonance was, actually it comes from a guy called Festinger in the 1950s. He was one of the first or is a pioneer in social psychology. I mean ultimately, or to surmise into one word, and we can go over a little bit more, but it's about inconsistencies, right. We all have like a social schema, they call it, which is the way that we look at our relationships and things that are external. Then we have our internal schemas of who we are and our view of the world. When I talk about cognitive dissonance being about inconsistencies every day, we battle with what we have a belief system about, and then what we are told by the world or what we learn. Now, I'll tell you and my ex-wife will tell me, and my partner might do, but I can be a very stubborn person. Because often with my schema of the way I see the world, I find it very hard to be wrong on some stuff, but my growth as a person...and it's a really good quote and I think it was actually and I hate to bring this guy up, but I actually wrote it down for the benefit of this session. But I think it was Bezos and he says "the smartest people are consistently revising their understanding, reconsidering a problem they thought they'd already solved. They're open to new points of view, new information, new ideas, contradictions, and challenging their own way of thinking". My own person is always about, if I think I'm right about something, then I think that I'm right. So I'll give you an example, which is a pretty classic one about what dissonance really is. And I, you know, as a younger man, I did, I smoked cigarettes. Now at the time, and it didn't even have the pictures on the package at the time. But I knew that smoking was expensive, made me stink, would give me cancer. And I worked in the cancer field when I smoked as well. But I still did it right.
Now, I also know that, so I had this massive, conflicting view, so what happens when you have that contradiction, you usually do this thing called I guess, resistance to change. So even though you know that it's not the right thing to do, and it's a lifelong belief, there's empirical evidence, there's clinical evidence, there's people in your family that die of it, I would still go and spend my money to go and buy a cigarette and do it and normalise it. Now, if I look back, retrospectively, that's so crazy, you know, because my view of the world I would normalise and rationalise what was a bad behaviour. Now I can go into, you know, all of it. But ultimately, it's about that way that we have our beliefs challenged. Now, in this industry, and in my business with my wonderful colleague, Simon Khan, I realised that people always have this same thing. People know if they click on a link, or they get an email from the post office or a text message, they know they shouldn't do it. But they still have social engineering, they still do it. So I'd love to think that this was my phrase, but I reckon if I google it, probably someone else has said it. But I do think we have cyber dissonance. I think that we know there's good stuff that, we know our password shouldn't be 123 password, or whatever it is. But people still do it. The breaches are still happening, the bad hygiene in businesses is still happening, because they know they shouldn't, but they don't. So the way to package it all up is, I feel that if we can just deal with that, help people change, you know, in a better way, we can get better hygiene and better cyber outcomes. Because invariably, the big stuff happens as a result of people doing the things they know they shouldn't be doing, but they still do it.
CP: I think it comes back to the desired path and how, you know, it's a bit like town planners, how they put bike paths in certain places. And then the cyclists actually just ride over the grass because it's much quicker to get there. And I think that's the same thing in business, you know, this is the desired path, or people are just trying to get their jobs done. And phishing is a little bit different, I suppose clicking on links. But things like sharing documents with your Gmail address, or you know that people do that, because they think they're getting productivity out of that. And you know that, as you said, they know that there's risk in what they're doing. But they do it anyway because their desire to achieve that particular outcome is stronger than their desire to, I guess, toe the cyber line. So probably a whole other podcast. So tell me a little bit about Jumpstart, your company, very focused specifically on start-ups and smaller organisations with low staff numbers, but high revenue. So what's the risk to these businesses that you're solving for?
BJ: Jumpstart's core mission is to help small business owners simplify the problem of cybersecurity. And it's topical, we're speaking today, because, look Claire, there's not a day that goes by where my Google Alert doesn't go off for something in cyber. I mean, it's on the hour now. We had all this stuff with the ransomware yesterday. The advice is appalling in many ways from you know what the powers that be, because they're still trying to solve the problem. Nobody's getting it right, nobody can get it right, and nobody can stop it. Jumpstart is actually a risk reduction business. And it's just going into smaller businesses, like you say that have got lower head counts, but higher revenues to sort of protect their IP. I think 10 years ago, like the raison d'etre of a criminal was to go and try and smash into like the infrastructure reigns at Commonwealth Bank may not it's not going away. The head of ANZ I think, came out the other day and said, yeah, they're getting 8-10 million attacks on their infrastructure every day. But these guys have got a SOC. They've got great tools. They've got every endpoint, you know, thing in the world. They've got smart people protecting that perimeter. But I think the criminal, my point is always that the criminal is the one that's displaying innovation. But everyone else, we're only ever responding, right. So you're only ever playing catch up. So that's a battle, you can never really win but the criminals have pivoted over to looking at these smaller businesses because it's not even money I think that's important at the moment, it's the data, right, it's people's personal information. And I think being able to perforate an ecosystem who's got pretty poor defences because they don't know what they're doing. They've not got the knowledge internally in the business to ring fence their business effectively. Because again, I'm not about selling someone a really big new, shiny piece of software. 
Because I think if you've got a 365, you've usually inherently got those controls, but they're not optimised and you've not got good cadence in your business operations. So my business is about three things, People, Process, Technology, that's not mine, you know, that's the government's line. And the guys that have come before me, I've not pinched it. But I'm going to leverage what excellent smart people have done about how you can get good hygiene. And I've just simplified those three particular verticals, and help those businesses get across those things, or give them visibility on where they currently are today, where they should be, which is their industry and I'm the custodian to help them to get there. And that's my business, making it as simple as I can.
CP: There must be an element of what you're offering these clients around compliance, because allowing a framework or a best practice or a standard set of principles, allows you to scale and help lots of organisations at once. I'm interested to know your position on sort of compliance versus security, because compliance is only going to get you so far. How can compliance in and of itself achieve secure outcomes for businesses?
BJ: In the particular subset or the cohort of customers that I'm working with which are those guys that hold an AFSL licence, or have got somebody that mandatorily has to report to CPS234. But now people know they'd have to have something in place, right. So my position on compliance now is, that a lot of the people that are in the boards of these positions, I'm speaking to the expert, literally the person that wrote the book on it, these guys now have got a responsibility. And there'll be a test case in the next 12 months where someone is going to get whacked for getting whacked. And that drives behavioural change. My tool gives a business owner visibility on who's been compliant and watching the awareness stuff, who signed up to read the policies and procedures and what they want to go around that board room table is, How are we doing on accounts, CFO? HR, how are we doing for head count? What's our churn rate this week? Cyber, which has now got a seat at the table, finally, what's our compliance looking like? Where are we with that? I'm trying to ultimately give businesses that internal mechanism whereby they can see what their risk is with their personnel. Now, the consequence of this has been for me and the bit that's made me excited about compliance, I still can't believe I'm saying that in the same sentence, but I am! Is that people are now going out to their customers to say we are compliant. Our staff have all been trained. This is our data management policy. You're our customer, we care about you, cybersecurity is important to us. So now the tool that I've got has now become a marketing tool for those customers to say to their customers and their third parties, this is our standard. Now, what's been crazy for us and in our learning that we didn't expect, but I'm embracing, is now their customers and their third parties want to have the same standard in terms of their policies and their procedures. And so they've become our customers as well.
So it's metastasized now quickly, because by showing everyone that you've got good policies, procedures, compliance, so what the staff have got, the board member feels safe, the owner feels safer because they're doing all they can. That doesn't stop someone doing something stupid. But on the count back, they can say, as a business, we've done everything we possibly could have done to avert something going wrong.
CP: I feel like what you've just described is more and more organisations seeing this compliance level of security as a ticket to the game. So no longer can you say you don't have either compliance or, you know, additional security measures, you have to have at least that base level of assurance that you're doing, as you said, what you can to secure your organisation and obviously by saying, you know, we've got this in place, it's having a flow on effect to fourth and fifth suppliers down the chain.
BJ: It's a tough sell for a smaller business rather than the enterprise because it's a new cost centre. It's a new problem. And people have heard about it, they read about it all the time, but people don't really know what it means. And until experientially, it happens to you, trying to get a small business owner that might be running 10 cafes or something like that. It's very difficult for them to sort of become an evangelist. So half the work, and this goes back to what we're talking about at the start, it's that dissonance, right. They know they probably should do something about it, are they going to do it? My barista hasn't not to my shop this morning. I can't you know, I can't sell coffee. I mean, that's some of the mindset of some of the people that we're dealing with. It's just a new challenge.
CP: So given the growth in your business, which is fantastic that, you know, for such a young organisation, you're growing month on month. For you, what does the future look like in cyber, given this constant evolution in our industry? And given I guess, the start-up space that you're in? What do you think the future looks like?
BJ: I mean, I think the future is this dark room and no one can shine a light on it. You know, because who would have thought upon reflection about what's just happened in the last 18 months. It's, um, what's happened is unfathomable. You know, I'm obviously a pom, I have no idea if I can see my parents when I can see them, or travel for business, or take the kids away on holiday or anything. But I mean, I think in terms of what cyber I think there's just going to be more attacks. I think the methodology will probably be tweaked, but they don't really need to change the ransomware stuff, 'cause that's old hat anyway, and it's going great. You know, I mean, as an enterprise, you know, those guys are going good, the phishing stuff is still going to work. I think that the market and all of the big vendors, all of the big research companies, all of the big shop, the Big Four. You know, look at the Big Four, the Big Four have a change in their behaviour in their head count, then you know something's right, right. Accenture, at PwC, though, these guys are all expanding those teams very, very aggressively. And there are a lot of smart people who move into this space. I think there's going to be more problems, I think there's going to be more challenges. And I think that anyone thinking that there's like as you say and I use this in my bio, this word, and I always feel a little bit more intelligent when I am using it. But there's no panacea to solving this problem. I think I see many more challenges ahead. And I see there being maybe some, I thought it was interesting last week, when we all of the banks all got whacked by the Akamai piece. Again, I'm just always astounded there hasn't been something of more significance that's happened on an infrastructure level.
CP: Yeah, well, I think the space you're playing in is incredibly important. And as a small business owner, you know, I think it is a difficult investment for people to make and to understand as well. I mean, for big business, understanding your return on cyber investment is really challenging, let alone if you're a small organisation, kind of trying to find your way as a start-up in everything, let alone in cybersecurity. So, I think you're doing great things. And this is not a paid advertisement. I really wanted to share with my audience what you and your business partner are doing. So, thanks so much for joining me today, Ben. I really appreciate it.
BJ: Why thank you!