For many employees, cyber security awareness starts and ends with an annual or six-monthly brief about best practice. Seen as a necessary evil, this routine approach often fails to drive home the important role that people play in your defence against cyber-related crime. To get the message across more effectively, consider some of the ways you could embed a cyber security culture that your employees will truly live by.
Time to make a change…
In 2018, the UK enforced the General Data Protection Regulation (GDPR) to take over from the existing Data Protection Act (DPA). With tougher guidelines and penalties, the GDPR is designed to give individuals in the EU greater control over the way their data is used and kept by companies across the world.
Under GDPR, any incident that leads to the compromise of such data (e.g. a cyber-attack) must be reported to the Information Commissioner’s Office (ICO) within 72 hours. Individuals affected must then be notified without undue delay. This exposes businesses to negative publicity and loss of custom, along with the wider burden of dealing with whatever caused the breach in the first place, not to mention putting it right. So there has never been a better time to overhaul your company’s approach to cyber security.
The problem at hand…
A strong cyber security culture can be your most effective tool against cyber threats, and by far the cheapest. Yet despite this, only 1 in 5 businesses in the UK have had staff receive or attend cyber security training or seminars (Cyber Security Breaches Survey 2017). Consider this: it is rare to find a cyber-attack that relies entirely on technology alone to break into a computer or system. Most cyber threats are designed to take advantage of the weakest link in any system: the user. Tricking a careless or ill-informed user is typically the easiest way around any security system. In 2017, the most common types of breach experienced by UK businesses were:
- Staff receiving fraudulent emails (72%)
- Viruses, spyware and malware (33%)
- People impersonating the organisation in emails or online (27%)
- Ransomware (17%)
With many of these attacks arriving by email, and the findings above showing a clear lack of awareness in many businesses, it’s easy to see how mistakes are made.
People and culture – the cure?
Culture is a funny thing: it develops over time in response to a thousand different behaviours, some of which you probably aren’t even aware of. Cyber security culture, however, should not be left to chance, so you must encourage it, engage with it and maintain it. One meeting every six months tells your staff that’s how much they should think about cyber security: a couple of times a year. Likewise, bumping IT security issues and questions straight down to the IT team tells your staff that cyber security is IT’s job, not theirs. Engagement is key to turning your staff into your first line of defence against cyber-attacks. The ideas below cost very little and take minimal time and effort to implement. Do them right and you could attain that rarest and most valuable of things: a cyber security culture of staff actively working to protect your company against cyber-attacks from the inside.
1. Bring everybody to the table
From the CEO to the office and shop floor, inclusion is key to creating an effective cyber security culture. Cyber security affects everybody, so everybody needs to be engaged. It doesn’t matter how good your systems are if one person keeps leaving the door unlocked.
2. Education, education, education
In a study carried out by PhD researcher Jan-Willem Bullee, 162 employees were called by telephone and asked to download software. Forty percent proceeded to install the software. When interviewed before the study, each of the participants had said that they would never do this. Many cyber-attacks and phishing scams rely on these techniques, known as social engineering. Reflecting on the study, Bullee noted that the only true preventative measure against such scams is user education and awareness.
3. Reward and recognise good practice
Consider a small bonus relating to cyber security best practice. It’s a great way to let staff know that you view cyber security as being as important as their day-to-day work targets. Carrying out spot checks is one of the ways you could do this fairly and effectively. You may wish to include checks on basic security measures such as locking screens when not in use. Flagging up suspicious emails and running penetration tests might be additional measures you could try. You may wish to reward staff who pass successfully with a small bonus or other reward. However, these systems should not be used to encourage a culture of blame. The idea is to incentivise staff to help protect your systems. Active participation is proven to be one of the best ways to learn, so keep it up and before long you’ll have a team of experts protecting your systems from potential threats.
4. Break it down
Ditch the general meeting: the idea of online security seems big and scary to some people. To cater for everyone, try holding shorter and more regular meetings in smaller groups. You may find that the once stony silence of the meeting turns into a more open Q&A. You may also wish to explore alternative forums such as webinars. These are a great way to bring larger groups of people together in a controlled and effective manner. Participants can choose to ask questions or remain silent. Those who do probe and ask questions will also help the more passive employees to learn something new. If it goes well, you could make a recording and roll it out as a refresher course as and when required. This can help you fill gaps where you may have had absent employees, and it gets new starters on board from day one!
5. Reinforce, upkeep and encourage
It takes time for change to take hold; you won’t fix it all in a month and you certainly can’t expect it to stick straight away. To decide what you’re going to do, talk to staff and see what they think will benefit them most. In other words, gain their buy-in from the off. You will then need to give them time to adapt, and ensure managers and team leaders are actively encouraging and upholding your new regime. Once agreed and established, you may wish to include a section on cyber security in your staff handbook and make it available on your staff intranet. It’s a good idea to cover this in your induction plan for new employees too. Most important of all, keep learning as a business. Prevention is better than cure when it comes to online security, and education aids prevention.
Whether you consider yourself high risk, tech savvy or well equipped, the reality is that UK businesses are low-hanging fruit. With 1 in 5 companies reporting a cyber-attack in 2017, remember: new legislation is on its way. Doing nothing is not enough to protect your business, and it makes sense to educate your staff. After all, every day’s a school day!