There is every chance that your cybersecurity strategy may appear to be watertight, with the best hardware, software and other resources to protect your organisation in the event of a breach. However, there is only so much protection that technology can deliver if your employees are unaware of the potential threats posed by phishing attacks, ransomware, malware and other security threats.
Very often, businesses will invest an awful lot of money to protect themselves against external cyber attacks, but fail to act against the equally damaging internal risk and exposure to threats that are exacerbated by members of their own team.
Internal negligence is considered among the leading causes of security breaches, many of which are carried out using information that has been stolen from lax members of staff. In addition to this, the recent Cyber Security Breaches Survey reveals:
● More than four in 10 (43%) of businesses have experienced a cybersecurity breach or attack in the past 12 months
● Less than three in 10 (27%) of businesses have a formal cybersecurity policy
● Large companies reported an average of 12 attacks per year that they knew about, while six attacks per year were reported by medium-sized enterprises
A lack of awareness
One of the primary issues when it comes to protecting company data is a lack of awareness among staff. In many cases, staff have received no formal training in best practices for cybersecurity, which means they are more likely to adopt weak passwords that are duplicated across a number of accounts.
Evaris recently carried out a survey, which revealed that 65% of UK professionals working across all industries had not been given mandatory IT training that they had to take without exception during their first month of employment in their current or most recent role.
Of these individuals, 74% had never received any IT training at all in their current or most recent job role, despite 86% of all respondents working on a computer every single day.
There is a widespread assumption among businesses that new employees have at least a basic knowledge of IT - and cybersecurity best practice. However, this assumption could prove incredibly costly and cause potentially catastrophic issues.
In the modern era, businesses are highly unlikely to be able to secure themselves against the threat of cyber attacks unless they share the responsibility of securing their business data and infrastructure among members of staff. Yes, the main responsibility for network protection lies with the IT department, but all employees have a vital role to play.
This collaborative approach can derive from clear and concise company policy and strong leadership that advances the cybersecurity position in order to overcome the biggest risks. This is obviously somewhat of a departure from tradition because IT departments have historically been responsible for data and system security in the past, as opposed to the personnel who use them.
However, the old approach underestimated the complexities of modern business processes and workflows, as well as the manner in which employees manage and consume their data.
As a result, businesses across all sectors should, as standard, provide mandatory IT training - carried out by the IT department - to all new starters within their first month of employment to ensure they are able to work on the company network without exposing the business to security risks.
Existing staff should also receive formal security training that is carried out in line with the company’s wider security policy on a regular basis. It is vital that all employees treat their employer’s IT network and security with the same care and thought that they would protect their personal devices.
Written by Terry Saliba, Solutions Architect at Evaris
GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/
comments powered by Disqus