Breaches are an ongoing issue that organisations face on a day-to-day basis. For as long as risk carries a level of uncertainty, preventing breaches is hard. But there is a difference between accepting this fact and doing nothing about it, and accepting this fact and using all reasonable efforts to stop breaches from taking place. One measure observed in practice that organisations are failing to take is training staff in cybersecurity. Here are just some of the reasons why the effort of training staff requires more attention.
Cybersecurity goes beyond the IT team, as staff play a significant part too. Because staff are the drivers of an organisation, hackers commonly use them as attack vectors. This is especially evident in the first stage of the cyber kill chain, which requires gathering information about the target. This is where attackers exploit weak spots to obtain the information they need to carry out their intended attacks. Social engineering is just one of the tactics hackers use, but it is the most common because it is easy to deploy. They know about the general lack of training amongst staff, and it sometimes takes targeting only one person.
It is important for staff to be aware of social engineering because, together, they outnumber the Board and the IT team. Examples of areas organisations should alert staff to include social media content and being manipulated into allowing unauthorised visitors onto the work site. In addition, phishing emails are still on the rise, advancing each time and showing no signs of slowing down anytime soon. Staff need training on how to avoid becoming targets of these attacks.
Human error leading to breaches
Recent articles have referred to significant flaws within organisations. As Kaspersky Lab’s recent article reveals, human error still stands as one of the highest causes of breaches, yet it is dealt with so poorly. Organisations are not learning from other organisations’ publicly reported failures. One example is Gloucestershire Police, whose employee accidentally emailed personal data belonging to victims of child abuse to unintended recipients. This is the most crucial reason why training is so important. Errors can occur not only from sending emails to the wrong recipients, but also from using compromised removable media, losing mobile devices containing business data, and poor security management around these devices.
Staff training should be part of an organisation’s cyber hygiene to help maintain security. Implementing training brings the following benefits:
- Staff will know what information is vital to share, and with whom.
The more knowledge staff have, the more they understand, and the more they can adopt security into their everyday operations. Cybersecurity requires a team effort as well as staff individually taking responsibility for their actions when dealing with data. An example is software and applications. Departments tend to download and use tools that aid with daily tasks without IT being aware of them. This is known as shadow IT. If the IT team does not know the software exists, it is hard for the team to maintain security within the organisation. If staff are made aware of the need for security and of the dangers around potential extensions and applications, they will know when to liaise with the IT team and other relevant employees.
3 Important factors to consider when implementing training programmes
- Provide training for staff from the induction stage and maintain it throughout their employment life cycle.
- Have an online communal area that allows staff to continue to engage with the topic and share knowledge and best practice. It is crucial to have someone lead this to keep the momentum of discussion going. An organisation can additionally carry out workshops where necessary, if possible and where there are resources to do so.
- IT, or the in-house person responsible for IT, must receive adequate training themselves to lead in maintaining security and to be the point of contact for staff queries. IT staff should also be aware of common threats and their developments, to provide the organisation with appropriate technical and network security.