British Airways. Equifax. The Adobe Hack. WannaCry and the NHS. That time Target lived up to its name.
High-profile attacks like these bring cyber security concerns into sharp focus for many of us. However, the headline coverage that these attacks garner belies a concerning truth: that any organisation can fall victim to cybercrime, no matter how big or how small.
In fact, one British small business gets successfully hacked every 19 seconds, according to Hiscox. These attacks don’t make the national headlines, but they are certainly “headline news” for the companies affected.
Let’s bring another statistic into the mix, this time from the Department for Digital, Culture, Media & Sport (DCMS). Of all the businesses that suffered attacks in the 12 months prior to their 2019 survey, 86% reported experiencing phishing attacks. The same research also identified phishing attacks as the “most disruptive” type of attack that organisations face.
The DCMS report corroborates our stance on cyber-awareness entirely:
“One of the consistent lessons across this series of surveys has been the importance of staff vigilance.”
It’s those two words – “staff vigilance” – that should sit at the core of any company’s cyber preparedness strategy. Yet cyber-vigilance training is often relegated to the “nice to have” back-burner. And when organisations do get around to it, many train only certain teams and not others.
But “staff vigilance” isn’t just for entry-level teams or even middle-management. Everyone – and we mean everyone – in your organisation should receive regular cyber-awareness training. Technicians, manual workers, remote personnel, C-Suite – everyone.
Any organisation’s softest cyber target: people
There’s a dangerous misconception that as long as you have a good firewall, reliable antivirus software, and other security accoutrements, you will be pretty much immune from cybercrime. This is incorrect. Though these solutions are downright essential for organisations of any size, hackers still have a shortcut into your network: your users themselves.
As security solutions become better at detecting zero-day malware and unusual network traffic patterns before a threat even reaches a human member of your team, hackers are starting to “work smarter, not harder”. Rather than spending time building potentially detectable data-stealing malware or laboriously hacking through to sensitive resources, they’re increasingly using psychology to influence users to do their bidding.
This concept is called social engineering, and it’s the core component of any phishing attack. The term “phishing” usually refers to fraudulent messages received over email, but phishing can also take place over text message, online messaging platforms, and even over the phone.
Due to fallible human psychology, it’s relatively easy to convince a potential victim to click a link they shouldn’t, download a file they shouldn’t, plug in a device they shouldn’t, or share sensitive information that they shouldn’t. Anyone who’s seen psychology-driven “mentalists” perform knows just how oddly pliable our minds can be.
Yet with the right information and repeated positive reinforcement, your team can learn to understand the psychology that these criminals use, and how to spot phishing attempts before any damage is done.
Even with the best network security setup that money can buy, a single action from an untrained, cyber-unaware worker can unwittingly bring an organisation to its knees. Your first line of defence should always be a fully cyber-aware workforce.
Cyber-awareness training: the ultimate leveller
Which brings us to our main point. EVERYONE who comes within a gnat’s whisker of your IT estate should receive regular, thorough cyber security training with no exceptions.
Just as a chain is only as strong as its weakest link, a network is only as secure as its least cyber-vigilant user. And just as everyone has a responsibility not to let suspicious individuals into your physical premises, everyone has a responsibility to keep your network safe from cyber-harm too. If you want your workforce to be as cyber secure as possible, you need to train your whole workforce: from your entry-level administrators to your C-Suite execs; from the factory floor technicians who only use networked IoT/SCADA devices to the clerical teams who only use PCs; from the totally office-bound worker bees to the off-site teams who generate buzz out on the road.
The higher they are, the harder they fall
We know all too well how difficult it can be to convince upper management to attend any kind of training sessions, be they in person or virtual. But your organisation’s most high-ranking and high-profile individuals should receive cyber-resilience training as a priority.
Why? Because their visibility and authority make them a massive target. They are likely to act as the “face” of a company on platforms like LinkedIn and at networking events, and that visibility may pique a criminal’s interest. Because they’re higher up the chain of command, it’s more likely that they’ll have access to sensitive information, hold privileged access to systems, and carry financial authorisation power. Understandably, these factors all make your upper management a really juicy target for a criminal.
Criminals might even try to interact with specific high-ranking individuals over email so that they can later spoof that person’s email address and imitate their particular email-writing style, convincing subordinates to do the criminal’s bidding.
When upper management are visibly receiving the same training as the rest of the team, there’s an important psychological knock-on effect too. If the same managers who are trying to encourage the team to attend cyber awareness training don’t attend that same training themselves, it smacks of “do as I say, not as I do”. This potentially makes the rest of the workforce apathetic – even resentful – towards the training. But when those same managers are active, visible participants, it demonstrates that the training is important, and that it’s something that everyone should take seriously.
In short: when team-wide buy-in and uptake is so important, it pays to lead from the top.
The best training comes from repetition
You’d be forgiven for thinking that a single round of cyber-awareness training is all that it takes – and if your team have never received cyber training before, it’s certainly likely to help. However, as any good teacher or trainer will tell you, in order to fully embed learning, you need repetition, repetition, repetition!
Ebbinghaus’ Forgetting Curve shows that if we’re only exposed to information a single time, we tend to forget most of it pretty rapidly. However, if we’re consistently exposed to that information on a regular basis, it embeds more firmly in our minds.
Therefore, in order to properly embed cyber-awareness training, a campaign of consistent reinforcement is needed. Personally, we recommend virtual or in-person cyber refresher training sessions every 3-6 months, further enhanced with tools like PhishAware which help to embed learning around fraudulent emails.
Cyber security training: more than just phishing awareness
Phishing is a huge issue, but it’s far from the only threat doing the rounds. Any cyber-awareness training worth its salt should also cover a number of different threat vectors, like shadow IT, safe browsing habits, password security, criminal cyber recon tactics, and staying safe on Wi-Fi.
During our own cyber training sessions, we like to round things out with a (perfectly harmless) live hacking demo. It really helps to highlight the sort of access that a criminal can gain in a short time under the right circumstances!
So if you’re new to the idea of cyber training or if you’re overdue for a refresher, then give us a call!
Our training sessions are accessible to all levels of technical expertise. From complete novices to IT boffins, we’re confident that everyone on your team will walk away with new, practical cyber knowledge that can be implemented straight away.
Take the first step towards company-wide cyber vigilance – get in touch about cyber-awareness training today!