Training is central to a Cyber Security Strategy

It would be very easy to get in to a panic and high state of fear relating to the risks of cyber-crime to your own business, or your employer, especially if you are in a position of responsibility relating to data, information or security. With the UK governments latest Cyber Security Breaches Survey reporting that “Four in ten businesses and a quarter of charities report having cyber security breaches or attacks in the last 12 months”, we should not be overlooking that to be forewarned is to be forearmed.

Any cyber security strategy, to be as strong as it can be, should involve a combination of technical, people and process elements.

Cyber criminals are always looking at ways to overcome technical solutions, which will never be 100% infallible, and they have the time to dedicate towards finding ways to bypass them. Phishing campaigns are becoming more sophisticated and harder to spot, targeting companies at times they consider peoples guard will be down the most. Add to this that we see more and more that the technology side of an organisation is people dependent, as alerts need to be responded to, updates need to be made and the right questions need to be asked if people are unsure of something.

Although not glamorous at first thought, security processes and policies are arguably the bedrock of your cyber security strategy. They outline the organisational standards for the controls you put around the confidentiality, integrity and availability of data, and can also help employees know what to do under certain situations to further minimise risk. This element of your strategy is ultimately about people and how they understand, implement, follow and respond to any security related process or policy requirements.

Now above I said “arguably” as we often hear that people are seen as a key problem when it comes to cyber security. We prefer to see people as a potential strength and central to any robust cyber security strategy. So, what is the bedrock?…Educating staff about what to look out for, why they should/shouldn’t do something, and what to do if something does happen is paramount to a company’s defence against cybercrime.

Whatever data or sensitive information your organisation handles, the importance of awareness across the organisation cannot be underestimated as this can and will ensure a more vigilant workforce. One simple error can lead to catastrophic effects for any organisation. The sooner a mistake can be identified the better the chance of the company recovering quickly and minimizing the damage. Without awareness and emotional investment from employees, security will be forever seen as that mundane or intimidating topic that people will generally avoid.

Having your cyber security strategy clearly defined and accessible will also ensure that you are able to increase customer confidence and compliance with their (and your) supply chain requirements.

So what are we really talking about here? - building a culture of security within your organisation, a key element of which is investing in cyber security training for your staff. Depending on where you are on your cyber maturity journey cyber security training will often begin as non-technical, tailored to the teams and their needs, and will always be developed to be made understandable and accessible

Mistakes made by people can lead to cyber security breaches so placing staff training at the centre will help mitigate this. Greater awareness can lead to overall improvements in defences especially against the most commonly used tactics such as phishing.

By personalising your cyber security training, making it mandatory and part of staff onboarding, keeping it updated and on repeat to ensure everyone is kept abreast of the ever-changing landscape, all goes towards keeping the topic alive within the business. As change involves asking people to do something, they need to feel supported in this.

We believe that with face-to-face training, we can provide context and that human perspective on why security not only matters at a business level, but at a personal level too. People should be at the front and centre of security, they can spot a suspicious email, report if something doesn’t seem normal about their computer, they are the first line of defence and that should never be overlooked. We can also deliver remote sessions providing the same quality and value which are more accessible for people who can’t travel or are not comfortable with in person training.

So what now? Don’t sit on what you now know, make sure you talk to the relevant people in your organisation or reach out to us if that’s you and start building your cyber security strategy.