Why training your employees is the best cyber-security defence
by Prasanna Kulkarni
For most small businesses, dealing with cyber-security is new territory. But they don't have to reinvent the wheel. They can gain insights from the trials and tribulations of large organisations who've long been dealing with cyber-threats.
In 2017, cyber-attacks cost the overall UK economy about £10 billion. And the numbers are going up. According to the UK government, last year nearly seven in ten companies in the UK had a cyber-breach or attack.
From the financial to the political, cyber-crimes are touching every facet of our lives. In the past, only large enterprises were at risk. But today small and midsized businesses are targeted as much as their enterprise counterparts.
Whenever a breach happens, businesses invest in infrastructure updates and security measures. Yet cyber-attacks are carried out using social engineering principles. A lot of the problems and vulnerabilities can only be solved through education. Employees need to be trained properly to prevent successful hacks.
Small and midsized businesses are at risk
In the past, cyber-criminals paid less attention to small and midsized businesses. But as more companies move online and the financial stakes grow bigger, the nature of attacks is changing. The WannaCry ransomware did not discriminate by business size.
Today companies, both small and large, understand the importance of cyber-security. According to the Willis Towers Watson 2017 Cyber Risk Survey Report, 72 percent of UK companies see cyber-security as a top priority for their organisation. Another key finding was that even though companies were chiefly concentrating on technology in the past, the emphasis is shifting towards employee behaviour and operating procedures. Businesses are realising the benefits of comprehensive training programmes for their employees. Around 63 percent of the surveyed companies are planning to complete their comprehensive employee training programme in the next two years. (Source: Cyber Security Breaches Survey, 2017 - Department for Culture, Media and Sport)
Who else is using employee training to reduce cyber-attacks?
For most small businesses, dealing with cyber-security is new territory. They are having a hard time with their cyber-security strategies. But enterprises and large organisations have been dealing with cyber-threats for a long time and they have a more solid understanding of how to train their employees. So small businesses don't have to reinvent the wheel. They can gain insights from the trials and tribulations of these large companies.
1. Pentagon's centrally managed training
The Pentagon is the headquarters of the United States Department of Defence. Naturally, it's one of the biggest targets for cyber-attacks in the world. According to a Harvard Business Review report, between September 2014 and June 2015, the Pentagon prevented 30 million malicious attacks. Fewer than 0.1 percent of systems were compromised. The department deals with more than 41 million scans, probes and attacks every month. Given the scope of the operation, these numbers are very impressive.
A big Pentagon initiative is to create uniform standards across the board. It allows them to centrally manage employee training. They are moving towards a programme that has been developed by the navy group that deals with nuclear armaments. It includes classroom instructions, self-study, and a graded examination. All personnel get educated about cyber-security. This quality employee training programme is one of the reasons for the Pentagon's success in maintaining a high-reliability organisation.
2. IBM's initiative to train more cyber-security experts
IBM is trying to deal with employee training on a large scale. According to a Frost & Sullivan and (ISC)2 study, there will be more than 1.5 million unfilled cyber-security positions by 2020. The workforce shortage can be attributed to current market expectations. Most companies look for traditional computer science majors to fill these jobs. But cyber-security is not only a system-level problem; it's a problem that encompasses every aspect of a business. So IBM is trying to train cyber-security experts from every walk of life.
IBM's Hacker Highschool and Pathways in Technology Early College High School (P-TECH) will help teens and young adults become proficient in cyber-security. IBM will also participate in coding camps, professional certification, and vocational training programmes. This will give future employees the necessary expertise for cyber-security jobs.
Lessons from WannaCry
The WannaCry ransomware was one of the biggest attacks of its kind in cyber history. It brought a lot of issues to the forefront. It showed us that education and backup are crucial. Also, employees were not keeping their systems up-to-date. The lack of understanding of cyber-security risks made a bad situation worse.
Another important part of the WannaCry story is that a lot of small and midsized businesses were also affected by this ransomware. It became a wake-up call for this sector to reconsider its approach to employee training. A workforce's lack of awareness can bring the whole organisation down. So more small and midsized companies are investing in cyber-security training due to the WannaCry ransomware.
The effectiveness of cyber-security training
Businesses need to have a comprehensive strategy and IT asset management tools to get the full benefit of educating employees. There are elements such as patch management, firewall settings and usage monitoring which can form the first line of defence. Here are a few ways businesses can promote cyber-security to their employees:
⦁ Simulated training: Businesses can engage their employees through “live fire” or simulated training. For example, the IT team can try to use phishing techniques on employees to teach them about possible attacks.
⦁ Start from the beginning: Companies should emphasise cyber-security from the on-boarding process. It will create a culture of paying attention to cyber-risks.
⦁ Continuous updates: Cyber-threats change regularly. Businesses need a method like a newsletter or a wiki to keep employees updated about regular threats.
⦁ Continuous training: Businesses have to invest money in training programmes that can sharpen their employees' security skills.
⦁ Regular evaluation: Companies need some form of metrics to evaluate how their employees are performing, so they can objectively compare the effectiveness of the training programme.
⦁ Rewards for good behaviour: You will have to keep your employees motivated and alert about future threats. Rewarding employees who take steps to find problems and solve them can lead to a more proactive workforce.
The internet has opened new possibilities for small businesses. Today a small business can serve a worldwide audience. But the same technology has brought the criminals to their doorsteps. It's not possible to ward off these threats through technology alone. The best method for the business is to train their employees. Well-trained employees can help organisations secure their infrastructure and prevent cyber-breaches.
Contributed by Prasanna Kulkarni, Founder and Product Architect of Comparesoft.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.