[BreachExchange] Defence at the frontline: The importance of cyber education

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 1 18:57:31 EDT 2017


Cyber-attacks are no longer out of the ordinary for businesses – we’ve seen
various high profile data breaches and hacks hit well-known brands, from
TalkTalk back in 2015, to Wonga more recently. While it’s the household
names that typically grab the media headlines, it’s important to remember
that no business is immune to cyber threat, whether it has five employees
or a workforce of 5000. In fact, 90 per cent of our cyber claims by volume
in 2016 came from businesses with less than £50m in revenue.

With this in mind, from our recent research, we found that cybercrime is
the second biggest concern for SMEs, topped only by Brexit. However,
despite this, we also found that over a quarter of small to medium sized
businesses (27 per cent) still don’t educate and train their staff on cyber

Changing crime

The world of crime is changing as organisational value shifts away from
physical property towards intangible assets, such as company data and
sensitive information. That fact that criminals know that these assets are
far more valuable, and far easier to access and exploit, is reflected in
the findings from the National Crime Agency which last year revealed
cybercrime had overtaken traditional crime rates in the UK.

Years ago, employers would educate staff on the importance of locking the
files cupboard, or office doors before leaving. Now, as crime has changed,
education and training needs to also, and surprisingly, much of it is
incredibly simple with only a small shift in company culture and
mindfulness required.

Avoiding the avoidable

Whilst it’s true that many hacking techniques are evolving to keep pace
with better cyber security defences everywhere, a lot of cyber incidents
occur as the result of fairly unsophisticated methods. Take phishing, for
example. These scams involve tricking people into trusting malicious
websites, directing them to malicious links, or unknowingly downloading an
infected file.

This tactic accounted for 38 per cent of our claims in 2016, which means
over a third of claims could potentially have been avoided if simple
education and training measures had been put in place to help staff detect
these threats. Many phishing scams have signature marks that can be easily
spotted if employees know what to watch out for, which makes it one of many
good places to start when it comes to educating staff.

Steps to education

There’s a massive human element to cyber risk and having staff understand
that this human link even exists is a good start in trying to get everyone
within an organisation on board with making their work environment more
secure. Staff awareness of the potential threats – and of what they can do
to help mitigate them – is a huge stride forward in adopting a best
practice approach to cyber security.

Currently, over a quarter of SMEs (26 per cent) say that they do not train
and educate their staff on the threat of cyber because they are “not sure
where to start”. This may well be a result of not understanding their cyber
risk profile – 20 per cent say they never assess their business exposure to
this risk. This needn’t be a time-consuming weekly or even monthly task,
but it should certainly be on the agenda for the beginning of each year.

By understanding their exposure to cyber risk, business owners can more
accurately assess where vulnerabilities lie. Once these have been
addressed, business owners would be wise to recognise the role that their
employees play as a first line of defence. Although this is not a silver
bullet when it comes to protecting an organisation from cyber threat, it is
a fundamental component.

In practical terms, this could include teaching staff how to detect a
potential phishing email and implementing a reporting procedure to ensure
that it is dealt with quickly. Or, for example, it could mean having a
process in place whereby staff follow up requests for wire transfers with a
phone call before following through. In addition to this, business owners
should be encouraging staff to be vigilant with company devices - losing
one could easily lead to a privacy breach if sensitive information is
accessible. A lot of problems start when employees use company computers
for personal use, so having rules in place to limit that trend may also be

Implementing an incident response plan

Should the worst happen, and a business does fall victim to a cyber-attack,
it is important that there is an incident response plan in place to
mitigate its impact. This should outline the roles and responsibilities in
the event of a breach so that the incident can be handled quickly and
effectively. Worryingly, over half of SMEs (56 per cent) report that they
do not currently have such a plan in place.

With limited resources, it’s by no means the expectation that SMEs should
have the cyber and IT experts in-house to handle the aftermath of an
attack. This is where a cyber insurance policy can play an important role.
Cyber insurance exists not only to cover the financial losses associated
with a hack, but a good policy will also provide access to IT specialists,
forensic investigators, specialist PR firms, legal experts and more. This
enables victims to quickly manage cyber incidents, minimising their impact.

Good cyber security is a solid foundation for a defence strategy, but
failing to educate and train staff on today’s threats leaves SMEs
vulnerable to sometimes avoidable attacks. Cyber threat is one of the most
high-profile risks that businesses of all sizes are facing at the moment,
yet SMEs are not equipping their staff effectively enough to deal with the
less sophisticated attacks. If they are to implement a 360 cyber defence
strategy, education and training must be addressed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170501/cc7e3abb/attachment.html>

More information about the BreachExchange mailing list