Making employees your strongest defence against cyber-attacks

Nick Wilding

Cyber Security Specialist

Once upon a crime…

Here’s a quick story. My eldest son is a pretty typical 17-year-old. He has his own bank account, with a card, and loves finding great deals online, mostly via the family’s tablet. Recently, an advert for a well-known retailer grabbed his attention. It was selling a favoured brand of trainers at an incredible price. He clicked on the link, was taken to a site he recognised, registered the usual information – including bank details – and placed an order. The trainers should have arrived within two days, but a week later nothing had appeared. It was around then that I noticed a ‘Thank You’ pop-up related to the order, which also promised more great deals on the website. It looked suspicious so I closed it down, asked my son about it and heard about the deal. I then checked the website of the retailer directly, only to find there was no such offer. We contacted the bank, cancelled the card, performed an antivirus scan on the device and changed the passwords for all its apps and accounts. Suffice to say, the trainers never arrived. We’d been defrauded.

The reason for recounting this tale is a belief that personal stories can play a really valuable role within training, giving people the confidence to talk about and share experiences with colleagues and managers – and that matters, because now more than ever employees have a vital role to play in businesses’ resilience against the ever-growing threat of cyber-attacks and data breaches.

The scale of cyber-attacks

To give you an idea of the size of the current problem, 88% of all UK companies have suffered reported cyber-attacks or data breaches within the last 12 months. The average cost of a data breach for UK businesses is £2.9m and 33% of UK businesses have lost customers as a result of one. Despite all this, 22% of UK organisations do not provide regular employees with cyber awareness training, while most of the rest only provide annual, tick-box training. Oh, and another UK SME has been hacked in the time that it took you to read this paragraph (every 19 seconds, to be precise).

Another figure worth knowing is that over 90% of all cyber-attacks and data breaches occur due to human error and unwitting mistakes, the kind that we can all make during our busy work and home lives. In fact, cyber-criminals probably understand how to impact and influence the behaviours of our employees better than we do. They play on our curiosity, our desire to help and our fears, all of which have been particularly exploited during the lockdown of the last year, with a vast array of Covid-19 related phishing and social engineering attacks coming to light. It’s important to understand that the target is people, not technology. After all, at the end of every system, piece of technology or process is a person – and everyone is vulnerable, from CEOs to those on the front line.

Fighting back effectively

Thankfully, there are various ways that firms can help prevent cyber-attacks and data breaches. For example: creative communications and messaging for all staff; the executive sponsorship of strong information security across the firm; ensuring your brand values and culture support strong information security; phishing tests; and the analysis and diagnostics of wider training needs.

There’s more good news to be had from the fact that while we’re all at risk from forms of digital hostility, people can be our strongest defence against cyber-attacks and data breaches if we give them the right awareness, know-how, confidence and insights. Effective awareness training is therefore vital for supporting the technologies, processes and security policies that should be the mainstay of firms’ cyber security strategies. So too is ensuring that workforces understand the role they must play in keeping organisations’ valuable information safe.

Regarding the risks that we all face on a daily basis, here are some questions that all of us can ask ourselves:

  • How much personal information do you put on social media that could be used against you? (Cyber-criminals are expert at using your personal info against you.)
  • Is your password strong? (They’re typically relatively weak, but it’s easy to create strong ones.)
  • When was the last time you sent some information to the wrong person? (We all do it occasionally and it remains the biggest reason for data breaches.)
  • Do you know how secure your suppliers are? (Cyber-criminals will look for other ways to get into your systems if they find your defences are strong, such as investigating your supply chain.)
  • Are you working securely in your home-working environment? (Working at home, often with more distractions, can make us less secure.)

Further steps for greater security

So, organisations clearly need to consider the effectiveness of the security awareness training they’re providing. Here are some further pointers to take on board in order to help change employee behaviours:

  • Don’t rely on tedious ‘tick-box’ annual training sessions. Behaviours can be tweaked through creative repetition and providing the confidence and know-how to do the right thing.
  • Do make your training personal. Any guidance, stories and actions relevant to our personal lives will go a long way towards engaging our people and encouraging them to discuss and share their own experiences.
  • Don’t assume that employees’ knowledge of your security policies will impact behaviours. Knowledge is only potential power – we need to find creative ways to encourage and prompt action.
  • Do make training short with simple, easy-to-use advice. Bite-sized learning communicates simple key points and can be repeated and updated to reinforce messages over time.
  • Don’t rely on tired, overused training content. Aim to continually develop new content and comms techniques, to keep up-to-date with the latest scams and keep engaging your employees.
  • Do listen to your employees. Security training and policies need to fit around your people and their work, not the other way around, so adapt training in response to the day-to-day challenges they face.

The benefits of behavioural change

As my Access colleague Emma Parnell explains, helping people to learn in a way that actually alters their actions is a real focus for us. “Behavioural change is something that we look at very closely and we do that by providing short, engaging and relevant learning. This is not training that is just at an organisational level, this is training for you and how you can protect yourself as well. From animations to audio stories, we use various techniques to engage the learner, including case studies, because we feel that case studies add so much value. If you can hear about real stories, some of which you might already be able to relate to, we know that relatable training really, really helps to engage.”

Again, the power of storytelling is something we seek to take advantage of. So too is training that’s multi-format, that allows learners to choose their preferred learning style and lets organisations form creative, targeted awareness campaigns that relate to their specific risks.

This approach to security awareness training, engaging employees and developing new behaviours provides a number of invaluable benefits:

  • Reduces human error, cyber-attacks and data breaches
  • Enhances organisational resilience against cyber threats
  • Creates a shift in employee mindsets and behavioural change
  • Generates buy-in and commitment towards cybersecurity initiatives
  • Demonstrates regulatory compliance
  • Enhances boardroom understanding of critical cyber risks

So, with the right cyber security strategies, tailored Access training and a bit of relevant storytelling, you can ensure that your employees are empowered to make effective changes for themselves and your business. Find out more about our Cyber Awareness and Resilience training.