In the immortal words of Anne Robinson, unfortunately you are the weakest link.
Well, not you specifically, but employees in general are the weak point in an organisation’s cybersecurity set-up. If you ever managed to get hold of a cybercriminal’s hit list, ‘human beings’ would sit at the top with a big tick in red marker pen next to it. Maybe even the LOL emoji.
Of course no-one is immune from human error. It is, after all, what makes us human. Alexander Pope told us that ‘to err is human, to forgive, divine’, but does that remain valid when your servers have been cleared out and someone’s got their mucky paws on every bit of sensitive data you own?
Be Prepared (Or At Least Pretend You’re Prepared)
The Scouts are, and it’s excellent advice that every business, big and small, should heed. Sadly, security training in most businesses is either woefully inadequate or embarrassingly non-existent. Which is it in your business?
In this age of big data and daily reports of massive and eye-wateringly expensive security breaches, why is it that so many businesses have given security training a swerve?
It’s hard to say. Laziness? Unprofitable? An ‘ain’t gonna happen to us’ mentality?
It all comes down to fundamentals. Essentially, security training is about making employees more aware of the threats they’re likely to face and more sceptical of what they receive via email, messaging or social channels. Therefore they are – or should be – less likely to engage in damaging behaviour such as clicking on a malicious email link, oversharing on social media or failing to verify digital requests.
But here is the key to all this: the training given (if any) is likely to be irrelevant, infrequent box-ticking and is highly unlikely to change users’ behaviour. It may – may – make them more aware, but they still won’t care. Why should they? It’s not their business and reputation on the line, is it?
Proper security training is no longer an option. Don’t delay, organise your security training today!
It Starts At The Top
Anything that is going to positively affect the performance of a business must have the approval and full-throated support of those on high. A board that takes security seriously and gives it the priority – and funding – it deserves sets the tone for the whole company. If they are taking it seriously, everyone else had better be too.
Don’t Skirt Around The Edges
It’s not OK anymore to get your staff in a room and tell them they shouldn’t click on emails that look like they come from their bank or the IT admin.
Effective security training goes much, much deeper. Every employee needs to be aware of targeted spear phishing attempts – what they look like and what to do about them – as well as the risks of oversharing information on social channels. The more a hacker knows about someone – family information, personal details, even favourite shops or restaurants – the easier it is to craft personalised messages that trick that person into inadvertently doing or sharing something they shouldn’t.
Little And Often
Once a year isn’t enough, nor is a quick half-hour with the IT guys when employees first join. Regular, targeted sessions are key to ensuring that the information given sinks in, and that’s especially true for higher-value targets.
Senior company executives will need additional training, as they’re more likely to be on the receiving end of attacks. In addition, phishing and other awareness tests are essential to evaluate the effectiveness of the training and to identify any knowledge gaps or blind spots, but they must be genuinely random; if staff can predict when a test is coming, they learn to spot the test rather than the threat, and the results won’t give a proper indication of how effective the training has been.
A failed test means more training. These days, it’s as simple and as brutal as that. It has to be.
Again, it comes down to fundamentals. Asking people to react and respond to potential security issues is asking them to change their behaviour. You’re asking them to be more sceptical and less gullible when they come (metaphorically) face to face with a cybercriminal’s attempts to hoodwink them. That means being wary of dodgy emails and iffy attachments, bothering to verify who’s trying to contact them, and holding back on sharing that they go to the same football stadium, restaurant or massage parlour every week.
As a business, you can only do so much. You can spend a fortune on digital defences, a solid technical infrastructure and layer upon layer of firewalls, spam filters and anti-virus solutions, but if Steve in Accounts clicks on an email attachment purporting to be from Nando’s offering him free chicken forever, and it somehow lets the baddies in, you’re not going to be overly happy.
The end goal of effective security training is to stop this from happening.
As we’ve bleated on about for months, the technological landscape is ever-changing and the only way to keep your business secure is to layer your strategy. Tech plays a major role, but so does a solid security training programme. If you get both layers right, you can sleep easy. Neglect one or the other (or, heaven forbid, both) and you’ll be tossing and turning, wondering who’s trying to get in and take what you have.
One last thing to mention is the training itself. You won’t rouse a set of employees into taking action by getting them into a room and lecturing at them. Make it enjoyable, or at least engaging. Add elements of gamification if you can, but be mindful of what we said in the third paragraph at the start of this blog.
Everyone is human and humans make mistakes from time to time but if Steve in Accounts repeatedly clicks on ‘free chicken forever’ links he probably needs a bit of a talking to…
Contact us today on firstname.lastname@example.org or call 020 7078 0789 and we’ll talk cloud, training, security, cutting-edge IT solutions or who’s better, The Beatles or The Rolling Stones. Whatever you want.