Employees are an organisation’s greatest asset, but in cyber security terms, they also represent the biggest risk. Inadvertent insider actions were responsible for more than two-thirds of all records compromised in 2017.
In this blog, we highlight why cyber security awareness for employees is so important and offer some tips to implement a successful education strategy.
What is cyber security?
Cyber security is the technologies, processes and controls that are designed to protect systems, networks, programs, devices and data from attacks.
Most businesses now operate online and need to make some of their key assets available in the public domain in some form. Users within the organisation, customers and sub-contractors all need varying levels of access to an organisation’s assets, and that comes with inherent risk.
Why is cyber security important?
Allowing users to access your assets comes with a level of risk, and that risk can always be exploited by people who understand how systems, processes and people work.
The impacts of such risks include the direct economic costs such as theft of information, a disruption to trading and operations, and the costs of repair to an infected system. The average annual cost of a security breach in the UK is estimated to be £857,000. But cyber attacks can also bring reputational damage and potential legal consequences.
There are many ways to identify and protect your organisation from security threats, but too many organisations make the mistake of focusing on the technical controls, at the expense of the human side. Making sure your users understand the risks and how to avoid them is just as important as firewalls or antivirus. In this blog, we will focus solely on the importance of educating employees to foster the behaviour required to help minimise the risk.
Why is it important to educate your employees about cyber security?
Most cyber attacks attempt to exploit humans and not technology. Tactics and tools such as ransomware, spear phishing, malware and social engineering are used as people are easier to exploit at scale, as opposed to finding a single vulnerability in enterprise software for example.
Cyber security awareness is therefore an incredibly important part of your cyber strategy, as the human element remains the weakest link in cyber security. No matter how good your technology is and how much you’ve invested in it, attackers can find a way around it.
42% of respondents of a cybercrime survey stated that cyber security awareness training of new employees helped to deter attacks, and the same report highlighted that organisations without the training suffered a 322% higher financial loss.
Often attackers capitalise on people’s helpful nature. For example, attackers have been known to pose as a distressed mother, playing a recording of a crying baby in the background, to persuade a customer service agent over the phone to change account details. These types of cases highlight that although employees might not be following the procedures, they are only trying to be naturally helpful to a person they perceive to be under stress.
Spear phishing is a more specific and targeted type of attack which usually involves a detailed knowledge of internal processes, such as billing runs, approval processes, and so forth, on the part of the attackers. This allows them to time and target their phishing emails when people are at their most vulnerable and inclined to respond quickly, without subjecting it to the same level of scrutiny as they normally would.
Despite all these threats and vulnerabilities, it would be wrong to see employees in a negative light, and just view them as a problem. Employees are also the first line of defence against cyber attacks, and if properly educated about the risk, potential exposures and correct procedures they can be a massive asset in the fight against cybercrime, stopping attacks before they even get started.
Often social engineering techniques are used in the early stages of an advanced attack, with more technically sophisticated measures being used at a later stage once a foothold has been gained within the organisation. A well-trained and vigilant workforce can help ensure that the attackers never gain such a foothold and the attack never happens. Their awareness and subsequent actions can help protect an organisation from an escalating attack.
8 tips to help educate employees on cyber security
To uphold the organisation’s security, employees need to possess the right information to make the best decisions. This comes from strategic and proactive direction given to them by the organisation.
Below are some tips on how to best approach educating the employees in your organisation.
Create a clear cyber security policy
Make sure you have a cyber security policy which is clear and easy to understand. Avoid bamboozling your employees with too much complex information or technical jargon. Try to think about the key things that they need to know and communicate that in a concise way.
It’s also important to make it clear to employees what the internal procedure is for reporting an incident if one was to occur. Who are the internal security team? How do they contact them? Who’s responsible for what? What specific actions do they need to take if they spot anything untoward?
Give your employees the right insights
If employees know what the key threats are and the common ways in which attackers will try to get them to surrender information, then they will be empowered to take the right actions to avoid being duped if such threats occur. Keep your employees informed of the latest techniques cyber criminals are using and they can stay one step ahead.
Make employees aware of the risks
The risks can be significant. As discussed above, a breach can cost a business financially, legally and reputationally. Letting your employees know the magnitude of the consequences will allow them to contextualise the importance of being aware and adopting the right behaviour.
Engage the leadership team
Just as important, if not more so, is making the leadership and executive team aware of the impact of a potential breach or attack. They should be prepared to lead and set an example from above.
Moreover, a good cyber security awareness training strategy inevitably requires some budget, so getting the C-suite on board is a must.
Start cyber security training at the beginning
Training and education should start the first time an employee walks through the door. This highlights to the new starter that cyber security is an area the business takes seriously right from the outset.
The new employee is also likely to be more attentive to training initiatives during the onboarding period and less distracted by day-to-day work, so it is a great time to start the education process.
Cyber security advocates
Appointing an advocate in every department is a great idea as they can act as an extension to the core team or individual responsible for cyber security to help keep employees motivated and educated.
Cyber security skills should be developed by everyone, not just a select few, and advocates can help facilitate this. It’s also a good way of using the resources you already have in the organisation beyond the IT team.
Avoid blame and give rewards
It’s important to remember that fostering a blame culture within the organisation will bring little benefit. If things go wrong, it’s a chance to analyse how that happened and close any weak links, not a chance to shame an individual or team. Leaders should empathise with those who make mistakes.
Likewise, when you reward employees that find malicious emails or help thwart security issues, this encourages further desirable behaviour. Even simple recognition and thanks can go a long way.
Breaches are common, not rare, so a zero-tolerance approach is unrealistic. It’s important that your company culture allows visibility of the mistakes people make and the frequency with which they are making them. Otherwise, how do you fix a problem you can’t see?
Make education an on-going process
Don’t see cyber security education as a one-off process. Educating employees needs to be an on-going exercise. The landscape is always changing, and people are always coming in and out of the organisation, so there needs to be a constant process of educating and re-educating.
Formulating a cyber security strategy and finding the right cyber security solutions can be a daunting prospect if you don’t have the right knowledge and skills in-house.
At Capita, we offer basic maturity assessments to help establish whether you have appropriate processes in place, and can also assist with more in-depth exercises to implement a security framework in an organisation, which could be a first step in the direction of formal certification. Or there’s the certification itself.
Whatever your needs in the cyber security arena, Capita’s expert advisory capability can help fill the gaps and improve your compliance and overall security posture. Contact us to see how we can help.