Parliament’s procurement team is seeking a partner to help it change the wicked ways of MPs and staff when it comes to cybersecurity — saying it’s looking for an expert in “behavioural and cultural change” to maintain Parliament’s cyber-capability.

The Parliamentary Procurement & Commercial Service says it plans to roll out a “cyber capability change programme” over the next 24 months, and is initially putting out feelers with a soft market-testing questionnaire (deadline: October 14, 2019).

It’s seeking workforce capacity support, as well as cultural change…

The ideal partner will support it with the following:

  • Ensuring “behavioural and cultural change to maintain Parliaments Cyber Capability”,
  • Creating a “target operating model review and validation for delivery of Cyber Capability”, and
  • Developing a “workforce management strategy for maintenance, development and retention of Cyber Capable personnel”

The team hasn’t put a budget to the contract at this stage, saying the questionnaire will provide “a greater awareness of consultancy solutions that currently exist in the market place and to enable Parliament to see if their ambitions to deliver broader Cyber Capability & Cultural Change can be supported by an external provider.”

Like any enterprise workspace, Parliament is no doubt struggling with the perennial issue of staff clicking phishing/whaling links, one of the most enduring behavioural challenges for businesses and a key vector for broader cybersecurity attacks.

It will find no shortage of businesses dedicated to user awareness of malicious URLs, elegantly spoofed emails purporting to be from ministers, and other such campaigns.

As the NCSC notes, however, relying on users to change their behaviour/spot malicious campaigns will only have limited success.

“Instead, you should widen your defences to include more technical measures.”

The NCSC also notes that various resources exist to help users spot the common features of phishing messages, such as urgency or authority cues that pressure the user to act. CPNI’s Don’t Take the Bait! campaign provides a range of materials to support this.