Cyber Awareness Training and its Worth to the Business
I’m going to cover off a couple of subjects today, starting with an excerpt from a Data Breach Investigation Report by Verizon, from which I am openly cribbing. The bit that initially grabbed my attention was the number of recorded business email compromises (BEC), which have apparently doubled over the past year, with this threat comprising nearly 60% of the social engineering incidents studied.
The report was based on an analysis of 16,312 incidents and 5,199 breaches over the past year, and it suggests that BEC is now more common than phishing in social engineering incidents, although phishing is still more prevalent in breaches.
Social engineering, that is to say the gathering of information on, and profiling of, a target company, is a very real reason why most breaches involve a high proportion of human interaction. It is especially prevalent amongst senior management, who are often exposed to such attacks. In fact, I reported last week that AI is now being used to spoof emails and even phone calls, purporting to come from senior management, instructing staff to carry out an action that will involve some form of financial penalty.
This means that the protections in use against this type of attack can’t simply rely on technical solutions, but that staff must be made aware of, and kept up to date with, the latest techniques, as they will be the ones who will be targeted in the first instance. Training must also involve senior management; they are most certainly not immune.
As I go around the SME community, it never ceases to amaze me that many SME owners don’t see the value of cyber awareness training for their staff, and I can’t help wondering why not. After all, we would argue that it is one of the single biggest wins against cyber-crime that an SME can take, at a minimal cost in terms of time and money. So why do I think this is?
Statistics reveal that around 60-70% of UK SMEs have suffered a cyber-attack, and amongst those, only 11% had cyber cover. While we are slowly beginning to see a rise in the number of businesses seeking insurance cover, having become more aware of the risks of cyber-attacks since the pandemic, we still have a long way to go. Now, cyber insurance is another very thorny issue which really deserves a blog of its own. Briefly, however, let’s say that most, if not all, policies contain many clauses requiring named precautions to have been taken before any pay out can be considered, and those pay outs are not common, shall we say.
Returning to the subject of cyber awareness training, this is a favourite hobby horse of ours, particularly as it affects non-technical staff, where it is vitally important to make both managers and employees aware of what they could be facing. If you don’t know what threats exist, then how can you look out for the signs, and how can you effectively target your security spend? Likewise, staff must know what to look out for, how attacks are formulated and how they are carried out. A good motivator for staff is that, to put it bluntly, their jobs are on the line if the business is hit badly and loses money. Most SMEs are involved in businesses where cash flow is king, and they simply can’t afford the kind of hits that are being experienced almost daily now.
It cannot be stressed enough that whilst your staff are your greatest asset, they can also be the biggest threat regarding cyber security. Most data leaks are caused not by personnel doing anything deliberately wrong, but by doing things they didn’t know they shouldn’t, and by not fully understanding the processes in place to fight off such attacks.
Moving on, and unashamedly cribbing from another article, this time from Forbes, which was all about the need to prioritise cyber security and the culture needed to promote it continuously throughout the organisation. This, of course, continues to reinforce the need for adequate cyber security awareness training throughout the year, and not just as a tick-in-the-box, point-in-time exercise. A very real perspective, not just at the SME level but at all sizes of business, is that “cybersecurity is a cost centre”: a cost to the business that doesn’t help drive revenue and is therefore an expense line item; expensive employees, expensive tools and processes that can hinder operations. With the explosion of internet-connected everything constantly collecting data, security is a SALES DRIVER. Being secure, and having the ability to prove it (via audits/certs), builds TRUST and makes for a stronger brand. For most SMEs it is already well known that if they want Government contracts, or want to be in the supply chain for bigger companies servicing Government contracts, then Cyber Essentials and Cyber Essentials Plus are a must, so it is time to shift the old mentality and start focusing on how security can help drive sales and revenue. We are seeing a shift in that direction, albeit slowly, but even so, many in SME management are reluctant to embrace this reality. It often takes a customer, or potential customer, carrying out due diligence before placing an order to convince an SME to take this seriously.