22/05/20 | Security
By: Peter Bailey, General Manager, Aura Information Security
When it comes to online security, people are the new perimeter. In the past businesses would often rely on technology and processes to protect their confidential information; firewalls and security gateways were the heart of most organisations’ security infrastructure. But with human error causing around 90% of data breaches in 2019, according to a CybSafe analysis of data from the UK Information Commissioner’s Office (ICO), it’s easy to imagine how many incidents could be avoided by empowering end users to practice good cyber habits when at work.
Training your staff, your managers and your leadership team on how to stay safe online helps build cyber resiliency from top to bottom. Being able to understand the risk cyber threats present, and how to deal with these, not only protects your company from breaches but helps your leadership team put robust response plans in place, so your business has the best chance of recovering from a hit.
Whenever you are designing a cyber security awareness programme, make sure your education programmes encompass all areas of the business, so that the different levels of your organisation are geared towards the same cyber safety goals.
Many cyber-attacks rely on people clicking on links or downloading something that gives the attacker access into a network or system. Attackers often target businesses through their staff — using phishing campaigns, for example. Training your staff to understand the kind of security risks your business faces will make them more likely to identify potential attacks and report them before any damage can be done.
While some organisations have comprehensive written policies and procedures in place, it’s unlikely that most staff will read, absorb and retain all the information they contain. A better approach is to use interactive, engaging training sessions with real-world examples that help make cyber security concepts more accessible and relatable. The ‘gamification’ of training is a great way to help people remember information and will help ensure employees adopt the learnings into their everyday work habits.
Cyber security isn’t just a matter for the CISO, or the IT department. It’s an area of risk that can potentially impact every level of the business, like health and safety, and therefore needs support from the wider business to be fully integrated into your company culture. One effective way to address this challenge is to create security champions within your organisation who can act as the voice of security in any team, project or business unit.
OWASP recommends regularly conducting workshops and information sessions for your champions, as a forum to share security best practices and educate on new threats, discuss your company’s security posture, and gain buy-in for new strategies being implemented. This is an effective way to support the culture change needed to embed security into your operations and amplify the efforts of the IT department and security leader.
Boards and directors
With data breaches and cyber-attacks posing the risk of both financial and reputational loss, cyber security awareness must be elevated to director level to be truly addressed. Boards can no longer rely on having one technology minded director at the table. All members must comprehend what digital risks their organisations face to know what they should be asking of their management teams when planning for or responding to breaches. Having a robust knowledge of cyber security concepts helps boards make better strategic decisions and gives directors the confidence to gauge the maturity of their organisation’s cyber security posture.
Aura offers comprehensive training programmes for both boards and employees via our Cyberwise training modules.