Installing the right tools and monitoring cybersecurity performance doesn’t guarantee security. In fact, it’s barely half the story.
88% of data breaches in the UK are attributed to human error. If your cybersecurity tools and processes aren’t backed up by a culture of cyberawareness, you could still be vulnerable. 93% of cybersecurity professionals agree that humans and technology need to work together to detect and respond to attacks.
But where people can be a problem, they can also be the solution…as long as you embed behaviours which support cybersecurity and encourage staff to take responsibility for keeping the business secure.
General cyberawareness training
What are the most common forms of cyber attacks? How can you tell if an attack or a breach has occurred? What should you do if you think this has happened?
Different businesses require different cybersecurity policies. Some industries – financial services, insurance, healthcare – are more regulated than others. But all staff, irrespective of the industry they work in, should know the answers to these questions.
For most people outside of IT, the language of cybersecurity is dense and unfamiliar. Employees hear about cyber attacks in the news, but they’re often unsure as to how attacks happen or what they involve.
This is why training is so important. It helps to demystify the problem and turn it into something which can be understood and prevented. In fact, research has shown that changing user behaviour through training can reduce the risk of a breach by 70%.
Cybersecurity is a technical field which requires deep expertise. Most employees can’t be expected to understand it in great detail. But a baseline knowledge of the most common threats and how to avoid them is a great place to start.
Another key area to focus on is the software that the business is using to protect itself. Whether you’re using Avast, Microsoft Security Essentials, McAfee or complementary monitoring tools like ThreatAware, it’s useful for staff to know what they are, how they work and why they’re important.
By understanding what the threats are and how the business protects itself, employees can clearly see their own role in keeping the business secure. Education and awareness means empowerment, allowing staff to take greater responsibility for their own cybersecurity decisions. And that means everyone, from top to bottom.
Every employee is at risk, whether they’re an intern, a freelancer or the CEO. In recent years board-level execs have been singled out, both as targets and as the people impersonated, in a number of so-called ‘whaling’ attacks. Snapchat and Mattel have both been impacted, with Mattel losing over $3 million in one phishing attack in which the CEO was impersonated. The message? Education isn’t for the ‘staff’, it’s for the whole business.
Who are your cybersecurity champions?
Education, through computer-based training (CBT) courses or communicated via the CISO or CIO, can be effective, but having certified ‘cybersecurity champions’ can help communicate risks at all levels of the business.
Elect, upskill and qualify people who can champion cybersecurity internally. This means that if others are having issues, they have a peer they can ask for help. The champion can then report back to management with an informed view on their processes and any problem areas.
If you’d like to offer cybersecurity training and certification to your employees, the National Cyber Security Centre lists NCSC Certified Training courses (the scheme originally ran as GCHQ Certified Training) on its website.
Having multiple people within the business driving cybersecurity forward is not just an employee benefit, it’s a great step towards a culture of ‘cyber-first’ thinking.
Creating the right culture
Cyberawareness is about vigilance. After all, it’s much easier to prevent a threat from happening than to deal with the repercussions.
Training and empowering key people within your business to champion cybersecurity is a great start, as is establishing a solid baseline of understanding across the entire organisation. But to be truly secure, cybersecurity needs to be front of mind for everyone in your business at all times. Training can introduce new behaviours, but a strong cybersecurity culture ensures ongoing vigilance.
There are a number of ways to do this:
- Create a ‘best practice’ guide, drilling down into the different roles and departments and making sure that every employee has a hard or soft copy.
- Make sure people lock their PCs when not at their desks.
- Make cybersecurity a regular topic of discussion in team meetings and invite feedback from employees.
- Build cybersecurity into the on-boarding process for new staff.
- Set a password policy that favours long passphrases (the NCSC’s ‘three random words’) over complex short passwords, screens new passwords against lists of commonly used and breached ones, and backs them with multi-factor authentication. Don’t force routine password changes: both the NCSC and NIST SP 800-63B advise against scheduled expiry, because it pushes people towards predictable variations. Require a change only when compromise is suspected.
- Offer rewards for examples of cyberawareness and positively reinforce secure behaviours.
Repetition is crucial to learning, and the more ingrained your cybersecurity messages are in your team, the more likely they are to act on them when confronted with ‘urgent’ emails or pop-ups. If you want cybersecurity to be important, the people at the top of the business need to constantly stress its importance, whether that’s as simple as posters on the wall, or more codified like monthly ‘cyber’ meetings.
What kind of culture do you want?
Culture forms, whether you shape it deliberately or not. Small behaviours, such as locking your PC when not at your desk, create a mindset that prioritises cybersecurity: it becomes a matter of habit. On the other hand, if people leave their PCs unlocked and set their passwords to ‘p4ssw0rd’, then that will be the culture.
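The password point above (passphrases over ‘p4ssw0rd’-style passwords, and screening against commonly used ones rather than forcing periodic changes) can be enforced at the point of password creation rather than left to goodwill. The following is an added example written for this article, not ThreatAware’s own code or a product feature: a small screening routine in the spirit of NIST SP 800-63B and NCSC guidance. It undoes common leetspeak substitutions before comparing against a deny list, so ‘P@ssw0rd2024!’ is recognised as ‘password’. The minimum length of 12 and the short deny list are assumptions for illustration; a real deployment would screen against a large breached-password corpus.

```python
import re
from typing import Optional

# Constructed deny list for this example only. In production, screen against a
# large corpus of breached passwords (e.g. the Have I Been Pwned range API).
DENY_LIST = {
    "password", "passw0rd", "p4ssw0rd", "qwerty",
    "letmein", "welcome", "123456",
}

# Common leetspeak substitutions, reversed so variants collapse to the base word.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Assumed minimum length for the example. Guidance favours length over
# character-class rules; a three-random-word passphrase easily exceeds this.
MIN_LENGTH = 12


def normalise(candidate: str) -> str:
    """Collapse a candidate to its base word: lower-case, drop trailing
    digits/punctuation ('Password1!' -> 'password'), then undo leetspeak
    ('p4ssw0rd' -> 'password')."""
    s = candidate.lower()
    s = re.sub(r"[\d\W_]+$", "", s)   # strip the '2024!' style suffix
    return s.translate(LEET_MAP)


def check_password(candidate: str, username: str = "") -> Optional[str]:
    """Return a rejection reason, or None if the candidate is acceptable.

    Deliberately absent: any expiry rule. Per NCSC and NIST SP 800-63B a
    password is changed on suspected compromise, not on a schedule."""
    norm = normalise(candidate)

    # Deny-list check runs first so a long-but-weak password is reported as
    # weak rather than merely short. Substring match on deny words of six or
    # more characters catches 'mypassword' and 'password' + 'password'.
    if norm in DENY_LIST or any(w in norm for w in DENY_LIST if len(w) >= 6):
        return "matches a commonly used password (after undoing leetspeak)"

    if len(candidate) < MIN_LENGTH:
        return f"too short: {len(candidate)} < {MIN_LENGTH} characters"

    if username and username.lower() in norm:
        return "contains the username"

    if len(set(candidate)) < 4:
        return "too few distinct characters"

    return None


if __name__ == "__main__":
    # Constructed sample candidates: each line is a password someone might
    # actually pick, followed by the policy's verdict.
    for pw in ["p4ssw0rd", "P@ssw0rd2024!", "P4ssw0rd!P4ssw0rd!",
               "Tr0ub4dor&3", "correct horse battery staple"]:
        verdict = check_password(pw, username="jsmith")
        print(f"{pw!r:35} -> {verdict or 'accepted'}")
```

The ordering matters: ‘P4ssw0rd!P4ssw0rd!’ is 18 characters and would pass a naive length rule, but the deny-list check still rejects it because it normalises to ‘passwordipassword’, which contains ‘password’. A passphrase of ordinary words passes with no complexity rules at all.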
There’s a reason why phishing is the most common way attackers get in. It is usually easier to trick a person than to find an exploitable flaw in well-maintained software, so don’t let your staff leave you exposed.
The answer is to deliberately foster a culture of cybersecurity, not through scaremongering, but through awareness, training, certification and positive reinforcement.
Keeping businesses cyber secure is at the heart of everything we do here at ThreatAware.