When we think of cyber security threats, many of us conjure up images of shadowy figures conducting attacks from the privacy of their bedrooms. As hard as it might be to believe, though, an organisation’s biggest security risk is actually its own employees.
75% of large organisations suffered staff-related security breaches in 2015, with 50% of the worst breaches caused by human error, according to a report published by Axelos.
More often than not, employees compromise security unwittingly. The Cyber security breaches survey 2017 reveals that 72% of reported cases of cyber security breaches occur after a staff member receives a fraudulent email. Shockingly, only 20% of staff surveyed had attended any form of cyber security training.
Education is prevention
Ensuring that every employee is aware of the potential threats they could face, whether it’s a phishing email or using an insecure network, could be the difference between getting hacked, and avoiding the risk altogether.
Organisations wishing to mitigate such risks must go beyond traditional methods of cyber security awareness, such as computer-based education, emails and posters, whose messages are often easy to ignore.
Instead, the aim should be to create a cyber security culture through staff awareness training. Here are our top five tips for getting started.
1. Clearly communicate the potential impact of cyber incidents
Most employees may not even realise how they are potentially undermining your business through poor cyber hygiene. That’s why it’s important to clearly communicate the potential impact of a cyber incident on your business – from financial losses or fines to damaged customer trust.
2. Make cyber security everyone’s responsibility
Start from the top – nobody should be immune from your organisation’s education programme, so be sure to include management and IT in any company training. Remember that your company’s infrastructure is only as secure as its weakest link.
3. Tailor training to your organisation
When it comes to staff awareness training, one size does not fit all. Training needs to be specific to your organisation – this can range from confidential waste destruction through to encrypting data in emails and attachments. If employees are able to apply their knowledge to their day-to-day role, they are more likely to take it in, thereby reducing the risk of future breaches.
4. Teach effective password management
Passwords can make or break a company’s cyber security system, so organisations should implement a strong password policy by issuing guidelines on password requirements, emphasising the need to create strong and unique passwords, and by warning employees against sharing their passwords with others.
5. Train employees to recognise and respond to an attack
Organisations should not wait for a cyber attack: training needs to happen before there’s a problem. It is essential to have a documented remediation plan in place, and training should include specific rules – such as unplugging a machine from the network in the event of attack. You should also give your staff a clear channel, such as an emergency number, to alert your administrator to any suspicious emails or unusual activity.
Failure to act now could spell trouble for organisations in the coming months, thanks to the incoming General Data Protection Regulation (GDPR). The new legislation will take effect from May 2018 and will see fines of up to 4% of annual global turnover or €20 million (whichever is greater) for companies found to be in breach of the Regulation.
Concerned that the lack of security awareness among your staff could result in hefty fines?
Don’t let your staff be your point of failure.