Today, companies spend tens of billions of pounds on cyber security protection against external threats, despite a majority of risks actually coming internally and from employees themselves.
A survey from Willis Towers Watson shows that 58% of cyber claims are down to employee behaviours: negligence, disclosure and lost devices. This makes clear that technology to prevent cyber security incidents is not the only preventive measure needed to protect your organisation.
Since most of the UK’s financial, IT and technology companies are based in London, the survey makes it evident that the main risk for the City of London’s companies lies with employee negligence.
The biggest security vulnerabilities are not immediately obvious but are in fact staring you in the face. Although technology is continuously advancing, the heart of any organisation is its people, which is why technology can only help to a certain degree. According to the survey, 86% of respondents stated that employees’ understanding of cyber risks is, at least to some extent, a barrier preventing their organisation from managing its cyber risks. It’s clear that the key to effective cyber security management lies with the people.
Below are five considerations to make in regard to your organisation and its cyber security.
Bring about awareness
There is an evident lack of awareness among employees of the basic principles of cyber security. The survey states that 44% of employees think it’s safe to open any email on their work computer. Although technological protections are in place, these can’t stop every threat, and social engineering is difficult to prevent at a purely technical level. More training is needed, both on basic technical matters and on non-technical behaviour.
Delivering targeted and tailored training
As stated in the previous section, social engineering attacks can’t always be prevented by technology such as firewalls. The best way to combat this issue is effective training for all employees on how to recognise these kinds of attacks and avoid falling for them. Beyond social engineering, security awareness training is a key factor in improving workplace security. However, many employees will not feel any urge or willingness to learn about these issues if they do not think the issues directly affect them, so training should be tailored and targeted. One way to increase employees’ investment in the training is gamification (point systems, competition with other employees, etc.).
Employees need to understand which actions, in and out of the workplace, lead to these risks. Through feedback mechanisms, employers can gain a better understanding of how employees think and why their way of thinking may actually create cyber risks. This understanding allows the employer to make the relevant changes and deploy effective training that addresses those ways of thinking.
Lead by example
It’s all very well to say that employees need to be fully aware of security risks, actively learn about them and take measures to prevent threats, but it’s equally important to make sure that all executive staff set a good example. The chances are that if an employee is told to follow and be aware of certain practices but does not see anyone in a more senior position doing so, they will believe they do not have to either. On the other hand, if they see management being conscious of their own security and working to minimise these risks, that behaviour may pass down to the employee.
The hiring process
A lot of these issues can be prevented from the outset by including cyber security assessments in the interview and hiring process. Looking to hire someone who has the relevant knowledge to carry out the job, and who also has a good awareness of cyber security, could save a lot of time and effort down the line.
For more information please visit: https://www.fnlondon.com/articles/the-biggest-cyber-security-threat-is-your-staff-20180501