In this episode, Michala Liavaag talks with Maureen Chaffe about the challenges of keeping data protected in the local government and charity sectors.
Maureen is the founder of Processmatters2, a Data Protection expert, and a 'former trustee'. She has over 20 years of experience unpicking poor data practices and improving the efficiency of systems in local government, non-profit organisations, and the private sector.
https://bit.ly/Cybility2ProcessMatters2
👉 Cited in this episode:
Podcast Desert Island Discs: https://bbc.in/3y2B5Cr
Podcast Change Makers: https://bit.ly/Cybility2ChangeMakers
BBC's The Archers: https://bbc.in/3Zq2FoK
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
Hello and welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders. I'm your host, Michala Liavaag, and today we're going to be talking with Maureen Chaffe about their journey to becoming a cyber savvy executive. We'll explore the ins and outs of cyber security in the local government sector from the perspective of both employee and trustee. Cybility Savvy: the quickest way to go from cyber confused to cyber savvy. Hi Maureen, thank you so much for coming today. Would you like to introduce yourself?
Yeah, hi, thanks for the invite. So I'm Maureen Chaffe, I'm the director of Process Matters 2, which is a company I set up about 15 years ago. My early years were spent in the aircraft industry; that's just when computers were coming in, actually, dealing in bonded warehouses and things. I then joined a local government when I got married and started off as a clerk, worked my way up to running the planning administration, more on the techie side than just on the admin side, so starting to automate the processes. We did get involved in building the first national planning system, and then eventually, when the government gave local authorities the target of everybody being online by the year 2000 (joke), I got the job, which was a massive step up for me. I got involved in all sorts of things to do with moving the local authority to using online systems, putting in customer relationship management, all sorts of automation, and at the same time running a team of programme and project managers, which is where I met Michala. Michala came and joined us. I'm working sort of cross-partnership across lots of local authorities. So that's kind of my background before I left and retired, in inverted commas, but I'm easily bored, so that's why I find myself where I am today.
Yeah, that is absolutely something we do have in common. I always say better busy than bored. One of the things that I first experienced with you was your sort of passion around data protection, the way you sort of put that across in a different way to how I'd heard it before. How did you kind of sort of flow into that?
When I got the job for the year 2000, I got all the jobs that nobody else knew what to do with. So the Freedom of Information Act was new then, and it was lumped in with everything else I was doing. I'm told: year 2000, get everybody compliant, get everybody online, but also you're in charge of data protection, Freedom of Information, managing the website, IT security, you name it, I got it. I had to try to find ways of introducing the two compliance subjects in a way that people would listen to, because, as I say, I'm easily bored. I knew that if I didn't deliver it in a way that people found interesting, they weren't going to get it. So I've always, and I mean data protection is my core business now, my view is if I can make people understand why data protection is important to them personally, they'll get why it's important to their business, their company, their charity. So that's really how I got into it. I'm not an expert by any means, but I do have 25 years' worth of experience of handling frontline GDPR, data protection, FOI-type queries.
Just for the people who perhaps aren't aware of how government is structured, they might just sort of think, oh well, central government, local government. Could you perhaps just explain for them a little bit about those differences, and therefore the kind of range of services that you would have been engaged with managing data protection across?
Government really basically sets out into your ministerial-type things, for people that you generally see at a more local level. When you get beyond your MP, you get a county council, and the county council is usually responsible for the big issues, so things like roads and transport, education, social services, that type of stuff. The next level down is the district council, and the district councils are responsible for delivering things like housing services, revenues and benefits, planning, environmental health, the kind of more generalist stuff that goes on in a district. And then below that you have another tier, which are your town and parish councils. They're at a local level delivering small-scale services, mostly; some of the bigger town councils deliver a lot of crossover with the district council, so there are some town councils who've got a staff of maybe 15 or 20.
Parish councils tend to range in size from four hours a week to somebody who may be three or four days a week. Very few of them are full-time, so they have a lot of work and, generally speaking, very little time to do it in. In the local authority scenario, when I was working there, I was working across the range of people asking for housing inquiries, so they want to know... everybody thinks that local government has got a secret file on them, it's just kind of it. So they would make requests: I want to see everything the housing department know about me, or environmental health, somebody's got a problem with a complaint, a noise complaint, I want to know what you know about this person. The types of inquiries you get there have to be handled in a central way, because if somebody makes a request for information, they're requesting it from the whole business, not just from a sector. So my job was to bring together what everybody knew about a client and then to go through and redact it, to remove the names and identifiers of other people. It's a tedious job, actually; it's quite important that it's done right, because the Information Commissioner has quite a lot of teeth and can fine you quite heavily for getting it wrong. That's kind of how it worked across those sort of different sectors, and these days I'm working mainly at the town and parish council level, but I still work up into the district council level on some of the work I do, because there's a crossover.
What sort of different, I suppose, challenges do you see in parish councils versus what you see in district councils?
Oh, they are polar opposites, but I should probably sort of frame it by the fact that I do work across a number of sectors now. So I do a lot of work in local authorities, sort of parish councils; I do a huge amount in charities, and I also do some in education and some in businesses, so it's kind of a range. The theme that runs across all the people I work with is that none of them have got any money, so anything that you're doing is always going to be a challenge. So a district authority, generally speaking, has got a reasonably large budget for tech and has usually got an IT team. Parish and town councils just haven't. When I first started working with the parish councils, I didn't find any that weren't using their home email addresses for business. Most of them were using their home phones for business. They had no computer systems at all; some of them were using their home PCs to keep the council business on. A complete mess, really. I've been working to try to move them to a different way of working, but the challenge is always the fact that if they've got any money, their councillors don't want to spend it on IT, because that's not visible to the public. Also a huge lack of knowledge, total lack of understanding of what these things are about. That, I think, is the biggest difference between them. Generally speaking, until I got involved around here, none of them had any backup or support of any IT professional.
So it's scary.
It is scary, and it's also a GDPR nightmare. If I've learned one thing from all of this, it's been that everywhere I've been to try to do GDPR, my first problem has been technology. I spent the whole of lockdown trying to get mainly elderly parish councillors online so that they could continue to have meetings, using computers that didn't have cameras, microphones that they'd never used, some kit that wasn't capable of taking the technology anyway, it was so old. We ended up having to put telephone conferencing in so that people could join meetings, because democracy had to continue but they weren't allowed to meet. But it really shows the difference in the business sector and these kind of smaller organizations when it comes to their ability to deal with technology.
Just thinking about that, of course, just because they are smaller and don't have the budgets doesn't mean that they don't have really sensitive data. Is it an issue that they kind of recognize, or is it just kind of accepted that, yeah, that's the risk?
Mostly they don't recognize it, because they would say that they don't have personal data, that all they get is an inquiry from the customer and they'll say, yeah, your bin's going to be emptied, or whatever. My argument is that they always have stuff, information about the clerk, which they're swapping, so if they're talking about her pay review, they'll be doing it on their home computers. Well, that's not acceptable. GDPR says, basically, if I paraphrase it, it basically says you need to know if you've had a data breach. Now I'm at a loss to know how I would know if you've had a data breach if you're all working on your own email accounts on your own laptops, and that's the only way that I've managed to sell the move away from the way they were working to the way I want them to work. And if I then translate that to my charities, the issue is far more serious, because some of them are dealing with the most sensitive data and they are doing it on bits of paper. Now they've gone home to work and they've put a plug on a paper process, so now they're working on the kitchen table but they're talking on Zoom, so what happens to all that paperwork when you finish the meeting? So there's all that going on in the mix, and I don't think, well, I know, because I've moaned to the Information Commissioner about it, they don't get what it's like down here at the coalface, you know, for people who are... they're willing to do their best, but they haven't got the money. Quite often, from a GDPR point of view, I have to take a pragmatic view and say we've got that as good as we can get it with the resources we've got.
Would you say that one of the big shifts around the old Data Protection Act to GDPR and the DPA 2018 is that it used to be quite prescriptive and now it is risk-based? So there is that acknowledgement in the law that, you know, different size organizations will have different abilities to manage the risk in terms of putting those controls in. I'm just sort of thinking how you sort of reconcile knowing that there's really sensitive stuff here, the law says yes, you should protect it, but again, being pragmatic, there's a risk to be accepted. How does that sort of play through?
So in the case of the parish councils, generally speaking, if I produce a report which explains what the risk is and that they are liable for that risk, usually they will step up and say, OK, we've got to find the money. It's not always the case, but usually they will do that. If they don't, and they haven't got the money to do it, then I will look at what is the risk, what could they lose, if I stop them doing this, this and this, would that reduce the risk? And if I can do that, what we do is we do a full audit trail of what we've done, and my view on that is that they can show that they're on the journey to compliance but they're not there yet. Yeah, because actually I don't think anybody's there yet. With all of my groups we always talk about the journey to compliance. We can't get there in one go, not only because of money but because if you only work four hours a week, yeah, you haven't got the time to give to it. And certainly with my charity customers, where, you know, their core business is not tech and it's not sorting out IT, it's talking to clients who've got immediate problems, you know, I've got to recognize that's their day job. So that's why I say I think you sometimes just have to step back and say, are we doing the best we can? And sometimes it will be, well, there'll be some more money next year, and if we can wait till next year we'll add a bit more on to what we've done.
It's exactly the same thing from a cyber security perspective as well. It's about that: what can you do now, what's good enough, and then iterate and improve as you can. And the thing that I always say is that, you know, cyber security, it's a marathon, it's not a sprint, so you've just got to sort of keep building on that.
Yeah, I joke with my customers that I like to rule by fear, and I like them to think, when they're about to press a button, what did Maureen say? I'd love to just give you a little example of the challenge that I think we have. I've over the last week been sending out emails from one of my email accounts, it's a known email account of mine, a Gmail one, to some of my customers. Randomly, it says I need your help, start with a K. The first line says, hello, I'd like you to check this document for me, and it's all in italics. It's not signed by Maureen, it's got no other credential on it, and it's got a click on a PowerPoint, and when you click on the PowerPoint a great big picture comes up of a red skull and crossbones and things saying this is a ransomware attack. So far everybody I've sent it to has opened it. Every one of them has opened the attachment. None of them have contacted myself or their IT support to tell them that they've made a mistake. When challenged, most of them have come to me and said, well, I thought there was something wrong with it, but it was from you, so we thought it'd be all right. And I just think that just, to me, says what an uphill struggle it is. All the time you've got to keep on and on and on, and I've had a meeting this morning with one of those groups saying, OK, come on, fess up, who opened it? And there were a lot of red faces and we all had a good laugh about it, and then we had a really serious talk about the level of cyber threat there is at the moment and how disastrous that could have been. Cyber professionals, data professionals, whatever we call, whatever line we're in, we've got to keep this message up high all the time, because they're not getting it, they really are.
They really are.
It's a really difficult one as well, because, you know, on the one hand, you know, we still say stay vigilant, and I think there's generally been that acceptance in the industry that it's no longer training once a year, it is about ongoing campaigns and, you know, showing examples and recognizing people who do report and saying thank you for protecting the organization. But equally, the challenge is it only takes one. When you've got people who are really overworked and stressed and they're trying to do lots, inevitably, you know, something's going to give, people make mistakes. So I agree, it's a really uphill challenge.
Yeah, and I think all we can do is just to keep on and on about it and try to make it fun. If you keep on at people, they just blank it out anyway, but it just makes that point to me that lots of people have got no idea how high the risk is. You know, I talk all the time about, you know, the big companies that have been hacked and how much it's cost them, and try to give those kind of examples as well as giving the small examples of the data breaches we have every week. Friday afternoon in my world is data breach afternoon, and it's because somebody's in a rush on a Friday afternoon and they don't engage their brain and they send something and they've sent it to the wrong place. So it's that constant kind of trying to say to people that these things are happening and you've got to be aware of them. This one this week has been real fun. I couldn't believe that everybody would open it, I really couldn't.
Yeah, I think the concerning thing for me there is not just the fact that they opened it, but the fact that they didn't report it. That's the thing for me, because I have a little bit of a rant quite frequently about phishing simulations and the way they are misused. It's not that I don't think they can be an effective tool, yeah, in the awareness sort of tool chest, I think they can be, but what I often see is organizations who just look at the click rate and they just focus on reducing that, when actually what I want to see is, of the people who did click through or did put their credentials in, who reported it, and how did they report it? Was it through the agreed, official channels, or was it kind of back channels that they kind of went through? And I find that always to be most enlightening about the readiness of an organization to deal with an incident.
There's that, but I think there's also, we're almost victims of our own success, because what I hear from people is, we don't know why this got through, because we're paying for security, so we don't have to worry about this, because you've secured our systems. But what I try to say to people is that our cyber security is only generally one or two steps ahead of the latest hacker. Every now and then they get lucky and they get ahead of us; our virus-checking software may not pick it up, so we still need you to be the front-line people and to understand that you've got to report it.
It's not new. We've been doing this for decades and we still are struggling with it, which just shows how difficult sort of human risk management is. Just thinking about the work you've been doing across these different sectors, and the fact that it is challenging and sometimes you feel like you're not sort of getting anywhere, what would you say are the most important traits for a leader who is working to improve data protection and cyber security in these organisations?
You've got to take the people with you. When you're on your own in business, you've got to work hard to take people with you, to make sure you explain things properly and that you're constantly patient with them. Although we talk about cyber security as being really important, I think everybody underestimates the appalling lack of skills that there are in people in terms of tech. I mean, I have people who say to me, oh, you know, I'm too old to work this out, and I'm older than them; people who don't know how to file; people who ring me up regularly of an evening to say that they've filed something and the computer's taken it. There are all those sorts of challenges, and I have to be endlessly patient going back to people and saying, do you remember we talked last week, and do you remember I showed you how to do this? I've got my own YouTube channel now, and I actually create YouTube clips and send them to them so they can practise and rehearse it and make sure that they get it. You know, and again, if you only work four hours a week in a particular job and I've shown you how to do something on a Monday morning, by the time you come back in the next week, quite often they've forgotten what I told them. It's constantly making sure that you're referencing, that you're giving them tools, you're helping them to find what they need to get where they're going. And we're trying at the moment to make life as easy as we can for a lot of the charities. We've just developed an app that works off of mobile phones so that charities can let their key workers have conferences and such like, and they'll fill in their notes of the meeting on their mobile phone, they'll take a photograph of their notes, and it will convert their text into a document and file it for them in the file that they're working in, and nothing stays on the phone. So we're trying to move people away from the problems of (a) not having decent kit, (b) having kit they don't know how to use, like scanners and things, which are expensive to maintain; printers are difficult to maintain, and when they use them they don't know where they filed it. That, combined with the fact that we've got so many people who were working from home and keeping the paper at home, and I just can't have that kind of working now, to develop some new ways of letting people work. And I've actually done two demos this morning of our new product, and they're blown away by it, which is really gratifying. So I'm quite excited about that, because it's meeting a need that I'd identified and I didn't know how to fix.
Yeah, anything I think that helps people do things in a better and more secure way I think is positive.
So I've learned that there's no point: if you don't take people with you, you're wasting your time.
As you say, you know, that's a lot of really sensitive information that they're dealing with. How do you find, you know, that the trustees themselves actually, you know, do they recognize and acknowledge this, do they even become aware of it? What's your sort of experience there? Because I know that you've also previously been a trustee as well.
The problem with being a trustee is that people don't realize that it has a huge legal basis behind it. I tend to try to meet with trustees at the beginning of my relationship with the charity, to talk to them and make them understand that GDPR is their personal legal liability, and I think you have to say it that way. You know, you are liable for the data that's being collected in this organization, so how are we together going to work to make sure that we secure that? If you can get the trustees on board, and if you can have some authority... I can generally handle trustees; I don't expect their managers to handle them, because the managers tend to have a different role. So I will meet with them, I'll talk to them about what the legal liability is, what the responsibilities are, and then talk to them about a road map for helping them to get to where I think they need to be. It's rare that I don't get them on board. There have been a couple where I haven't; they have a report from me, which I insist that they minute at their board meeting, that they're refusing to accept the recommendations. That's all I can do. If they then have a data breach, the Information Commissioner, I suspect, would take a pretty dim view, so you do have a little bit of clout. The sort of trustees I'm working with, they're nice people, they're good people, they have a heart for the charity they're working for, they understand why it's important to look after clients' data. They often haven't got the money to do it; that's a different issue. My training sessions, I tend to do, if I can, one with the trustees on their own first, and then when we do the next training session on GDPR we do trustees, staff and volunteers all at the same time if I can, because I think that that cross-fertilization of ideas and understandings is good for everybody to hear. But it's also always exciting, because nearly always the volunteers tell the managers that the managers don't actually know what the volunteers are doing, and it transpires the volunteers are doing things a completely different way to what the managers were expecting. So that's always quite exciting as well. But it's keeping all of them on board and developing that relationship so that they feel they can pick up the phone or ping me on Teams if they are not sure or they think they've done something silly. And I will not be a Data Protection Officer for an organization unless I have a relationship with them.
Yeah, absolutely. I just wanted to pick up on something you said both now and earlier around the digital skills of trustees and the systems that they're using. So do you find that once you've sort of got them on board, they're quite happy, for example, to not use personal email accounts and not use personal devices, or do you still find some resistance around that for other reasons?
No, in fact the charity sector has been easier to move than the parish councils have. Moving parish councils away from using the home email address is quite exciting, and I've got them all there now. No, I think that when you explain to trustees that email is one of their weakest links... the reason most people don't want to use a charity-owned email address is because they say, oh, I don't want to go somewhere else to look for my emails. When you say to them, well, actually, did you know you can have them all on the same screen as separate accounts? You're not allowed to put them all together, but I mean, I've got like 25 email accounts on my screen now. You can see your mail coming into them one at a time and you can decide whether to open it, because you're not working for that charity today, and they go, oh, I didn't know I could do that. As soon as you get over that hurdle and you get their phone set up so that they can see their mail coming in, everything else seems to fade away. It's a really interesting point, and I kind of get it, because why would you want to go to more than one device to look for your emails? I mean, you're just not going to do it, are you?
Do you think that when people are actually recruiting trustees, digital skills and knowledge around data protection and cyber security should actually be part of the criteria when interviewing, or is that perhaps going a step too far, do you think?
I would love to be able to do all sorts of things like that, but the reality is, in the world I'm working in, it's becoming harder and harder and harder to get trustees. In fact, it's getting harder and harder to get volunteers of any kind. Certainly one of the charities I used to work for, they introduced that we had to do a big training regime every year, and it worked out that I would be doing more training days with them than I was doing for my professional career, and I said, well, it's just not going to happen, I'm a volunteer. And so I think, yeah, I'd love to have that, and there are some trustees who go through, there's lots of trustee training courses, and they do it and they do it very well, but for the vast majority that's just not going to happen. But I do think that, you know, whatever of the spheres I'm working in, whatever we do, we've got to keep this message going all the time, about, you know, it doesn't matter who you are or what you are, you're not bigger than the organization. The organization should set down standards and rules about how you're going to work, the first one being that you don't get access to company systems or charity systems until you've signed the data protection policy, signed the IT security policy and had some GDPR training, and that shouldn't happen after they've been in the organization six months. So I think that setting those standards and getting trustees, governors, etc. to endorse that as the way the organization is going to structure itself is a good starting point, because it says we take this subject seriously, we understand that if we give these people access to the systems before they've been trained, that's like giving a burglar a key to your house. And I think that some of that is kind of instilling into any of these groups, at whatever level they are, that that's the starting point: we're going to be an organization that takes this stuff seriously. We're still going to get it wrong, no doubt about it, we will get it wrong, but hopefully not so badly that it causes a lot of pain for people.
In my experience, certainly, there's very few organizations where the top leadership are willing to go that far about saying, you know, no, you will not have access to these systems until you've done all these things, because that would be great. I agree with you, but there's very few.
That's crazy, really. If we don't as an industry drive the standards, we're not helping those people lower down, not in the industry, to drive the standards, if you see what I mean. You know, if I say to my parish clerks, well, I don't care if you don't get it signed, I'll log them in anyway, well, I'm complicit in getting it wrong.
I think that's a really interesting point. I both agree and disagree on that. The part of me that agrees is the sort of security purist in me that's like, people just absolutely should not have access until you've verified their identity, they've done, as you say, the security training, the privacy and data protection training, and also the training around the specific application that they're going to be using, if there's any particular rules around that from a security point of view, which quite often there are. But then the kind of pragmatic, risk-based person in me is like, well, I can give you my recommendation, and this is it, but as an organization the leadership still have that flexibility to accept that or not, and the risk that goes with it. If they don't accept the recommendation, I don't personally view myself as complicit, as long as I've made it clear what my recommendation is. It's still their decision, I feel.
Yeah, I guess complicity is the wrong word, but I kind of feel, because I've got a number of different hats on, so, you know, I'm actually the external Data Protection Officer for a lot of these organizations, so my role is to actually guide and make sure they're on the right track, so that says to me I don't want people in systems till I know that they're not a burglar. Then I've got me sitting here doing Office 365 accounts on a daily basis, trying to get people set up, a kind of semi-tech role, so I'm kind of like the IT person but I'm not fully. And then I've also got that kind of bit of me that says, as a manager of people, and when I was a manager in the local authority my teams had an induction programme, they had a day one, a week one, a month one induction programme, and I think day one there are some really important essentials that you've got to check out. Because if you look at the statistics, there are some fairly alarming statistics about the number of data breaches which occur within the first two months of an employee joining an organization, and there are even more terrifying ones about the numbers of breaches after a person's left the organization, because people didn't have an exit strategy which included locking them out of the systems. To me, as a data protection professional, it's basically saying those things have got to happen, because if they don't, and you haven't got those good processes in place, you leave the organization open to risk. As I say, I like to rule by fear.
Yeah, I guess we all have different approaches, don't we? We're all trying to achieve the same thing at the end of the day. When was your moment where it clicked about information security and the importance of that? What was it that kind of just went, oh yeah, I get that?
When I was in the local authority I kind of got it, but it wasn't really my problem, if you know what I mean. Although I was a Data Protection Officer, there was a whole team of tech people in the background. Since I've started on my own and started to get involved in trying to help people to set up their systems, I think it has clicked more, because it's brought together the practical applications of GDPR with the nuts and bolts of how you can actually secure it. Understanding how you can share documents, for example, from SharePoint and not attach them to emails: I didn't know how to do that until I looked at SharePoint, probably couldn't have done it till I've got SharePoint. But from a GDPR point of view, one of the things that I've always been banging on about is being careful what you attach to an email, because that's a big risk, because you'll be amazed what people attach to emails in my world. So saying, now, actually, I've now got the tools to be able to show you a different way of doing it, that was a real kind of, I can do this, you know, I can actually give you a solution that meets my needs as your DPO, but it also meets the needs of your clients, because it's an easy way of sharing things that they can accept and that you can be fairly certain is secure. So I think that's probably one of those light bulb moments. It's probably just that little bit of a crossover to being much more of a hands-on techie than I was previously, because you can't do data protection without good IT security; it just doesn't work.
Yeah, that's great. As we sort of bring things to a close, one of the things that I like to invite people to do is to give me sort of three things that our audience can take away. What are your three things?
I would say the best way to get people on board is by relationship. There's no point beating with the stick; it's got to be a relationship. Take people with you, that's so important. Understand your audience, understand their circumstances, it's not one-size-fits-all. Understand the people that you're working with and understand their baseline, where they're coming from, because you can't, well, it's not fair to try to push people into something that they either can't understand or can't afford. So I think that's really important. I think the final thing, really, is, I don't know whether it's just me, but I couldn't get out of bed in the morning and do something I didn't enjoy, and I always say to young people when I'm talking to them, if you get a job and you're not enjoying it, change it. Life's too short, you know, have a bit of fun.
Yeah, no, excellent, thank you for that. And do you have any sort of book recommendations or anything like that?
I like to listen to podcasts of things like Desert Island Discs, because you listen to really inspirational business people on there. And The Archers, I can't live without The Archers, sorry. To me, listening to people who've done it and learned from it, often the hard way, actually, they're the people that inspire me, and you can always pick out something from them about the way that they handle people, the way they handle situations, which can inform the way you deal with people going forward.
Okay, So final question, people who would like to chat to you more, where can they find you online?
If anybody would like to talk to me, my website is processmatters2.go.uk, or you can email me at firstname.lastname@example.org. I'd love to chat to anybody. If anybody out there is, go to a charity or something and they'd like some help, we help charities wherever they are in the country, and if you'd like to learn more about our new app, we'd be very happy to talk to you about that as well.
Well, thank you so much for coming, Maureen. It's been really interesting sort of taking this little journey through local government and through the aspects as well with you. So thank you so much for sharing your experiences.
Thanks for the opportunity, nice chatting to you.