Uninformed people are a risk to your business. Are you prepared to pay the price for their mistakes?
If businesses are to stand any chance of fighting cyber crime, they have to equip their people with the skills to spot when something isn’t right. That’s why cyber security training shouldn’t be seen as a luxury, but rather a defensive strategy that’s as vital as firewalls and anti-virus applications.
Businesses are increasingly becoming the priority for cyber criminals, possibly due to improved consumer security that makes individuals less of a soft target than they used to be. According to the National Office of Statistics, the overall rate of fraud and computer misuse dropped last year, but attacks on UK businesses leapt up 63%. From the criminals’ point of view, that makes sense: businesses and other large organisations are likely to have a lot more money to steal than consumers do. It’s no wonder a large number of CEOs now regard cyber attacks as inevitable.
In one significant way, it’s also easier to attack a business than an individual. Sure, they might have state-of-the-art firewalls and backups that make certain types of cyber crime more tricky, but they have one potential weakness that all businesses can have, and they bigger they are, the worse it gets.
The problem is people. Human error accounts for a vast number of successful cyber breaches, so the more employees a business has, the more points of weakness that can exist. Scammers can easily send millions of fraudulent emails to your business, and it only takes one to get through your spam filter for every single staff member to receive it. Then if just one person opens it and clicks the wrong thing or gives out the wrong information, your whole organisation can be left at the mercy of criminals. Malware can quickly spread through your network, possibly destroying or locking important data; a phishing email could lead to money being stolen from company accounts; passwords and usernames could be compromised.
Of course, there are no perfect solutions, but cyber security training can make a real difference. If people know what to look out for, they’re much less likely to fall for scams. They still need to be backed by strong technological systems as well, but if they’re properly educated, employees can become one of the most effective lines of defence you have – a human firewall, if you will.
But cyber security training can’t be treated as an occasional hassle you need to get out of the way with a company-wide memo a couple of times a year or a one-off training course that tries to cram everything into a day or two. Humans, unfortunately, tend to forget things too readily for that to be viable. A period of increased vigilance following training may be welcome, but we all too easily let our guard down and fall back into old habits.
The answer to this problem lies in a programme of sustained, regular cyber security training. Instead of occasionally educating your workforce and hoping they’ll remember what they’re told, you should be looking to make cyber security second nature to them, through repetition and assessment.
Webroot’s Security Awareness Training provides a practical approach to this. Instead of simply telling people how fraudulent emails work, it actively demonstrates it, via the firm's custom-built phishing simulator. Businesses who sign up to the service are sent pretend phishing emails, which mimic the real thing, right down to the spelling mistakes. These are sent at a random time each month, and they take various forms, including fake Amazon gift vouchers, password reset requests and pretend payslip logins.
If employees fall for the trick, they’re directed to a website with training material that explains what they’ve just done wrong and how they can avoid it in future. They’re also tested on what they’ve learned, so you know they’ve taken it in. Alternatively, if the business wants to keep the cat in the bag until everyone has got the email, they can be directed to a different location, including a fake error page.
Now you might be thinking, “What’s the point in doing this every month? Surely after a while everyone is going to be expecting these phishing emails?” In that case, you’d be entirely correct. But because the fakes look so much like real phishing emails, your users will naturally learn to identify and be on the lookout for those too.
And that, of course, is exactly the effect you’re after.
Cyber security training is just one layer of many that businesses need for a successful IT strategy. Read 'Technology and Trust' to find out why a multi-layered approach works best.