Cyber attacks are on the rise, with the National Cyber Security Centre recording an increase in criminal online attacks against UK businesses in 2017. These included ransom attempts, which increased by 91% between the first and third quarter of the year. However, there are many different types of cyber attack, launched against organisations of all sizes.
Although hacks of multinational conglomerates are the most widely reported on, attacks levelled at small and medium-sized businesses are also on the rise, with hackers looking to exploit the weaker cybersecurity at these organisations.
Reflecting these trends, over half of the organisations included in the 2018 CIO 100 reported that they had detected a security breach in the last year, while 82% expected an increase in the security budget to reflect greater defence against cyber attacks.
Some of the most common attacks aimed at businesses of all sizes are phishing, viruses and ransomware, with phishing emails proving the most successful. But knowledge of these forms of cyber attack at small or medium-sized businesses is often negligible. In fact, a 2017 survey found that around 25% had not heard of phishing, a third were unsure what ransomware was, and almost 50% didn't recognise the concept of point-of-sale malware. This is shocking considering that this type of malware was involved in about three quarters of cyber breaches in the hotel and restaurant industry in 2017.
While businesses might be reluctant to invest heavily in cybersecurity infrastructure, they will be relieved to hear that it's often human error that proves the weakest link. This means that many forms of attack could be avoided by increased security awareness training for employees. In fact, around 80% of cybersecurity breaches could be prevented by enforcing fairly basic security measures at organisations, such as using secure passwords, using antivirus and anti-malware software, installing software updates and educating staff.
Why should your business introduce security awareness training?
One major reason to introduce security awareness training at your organisation is that you may not be compliant with the law if you don't. Certain types of organisations such as financial or government institutions and healthcare organisations have always been required by law to ensure their workforce has thorough cybersecurity training. With the introduction of GDPR, it became necessary for a much wider array of organisations. It's now necessary to educate your staff on the concepts of cybersecurity across a range of potential attacks and how to correctly handle clients' sensitive information.
Another major reason to introduce security awareness training is that educating staff can sometimes be enough to defend against some of the most common types of attacks levelled against businesses. Take popular 'phishing' attacks, for example. These involve emails from spoofed domain names that allow the attacker to pose as someone familiar or reputable to the staff member and ask them to click on fraudulent links or to provide sensitive information.
Whaling attacks are the same as phishing attacks but target people in positions of seniority within the company, such as executive-level staff. Similarly, they use spoofed email domain names to trick the victim into believing the email comes from a trusted source. They will then attempt to solicit sensitive, confidential information from the target via email, which can then be used to compromise further secure information. An example of this taking place was when a senior employee at Snapchat was tricked into divulging employee payroll information by someone posing as the CEO in 2016.
In addition to phishing or whaling attacks, emails can also be a vehicle for ransomware, where an employee will be asked to click on an attachment that downloads malware onto the company's network.
Therefore, the risk of certain types of attacks can be hugely diminished by the simple practice of educating employees through security awareness training.
What should security awareness training cover?
The best security awareness training will cover the many different areas that give attackers a means of extracting data from employees, gathering sensitive information about them, or delivering malware.
Beginning with the most basic cases, employee training should certainly cover best practices for password strength, including how passwords can be compromised, how to reduce the chance that someone could guess their password, and using two-factor authentication and different passwords for different sites if possible.
Given that phishing and ransomware attacks can come packaged in emails, it's vital to educate employees on how to spot fraudulent emails from spoofed addresses, not to click on anything suspicious, and the potential consequences of doing so. In the most advanced cases, perpetrators will gather personal information about the employees in question from social media and other sources to appear as legitimate as possible. If impersonating reputable outside sources such as banks or the government, they will use official logos and convincing email templates in order to trick the victim more successfully.
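The spoofed sender domains described in the two phishing paragraphs above are something a mail gateway or a training exercise can check for mechanically, not just by eye. The following is an added example, not code from the article or from any organisation it quotes: it parses an email `From:` header and flags senders whose domain merely resembles a trusted one (digit-for-letter substitutions, the classic `rn` for `m`, a trusted name embedded in an unrelated domain, or a display name that claims a brand the address does not belong to). The trusted domain list, the homoglyph table and the sample headers are all constructed for the example; a real deployment would use a public-suffix list rather than the last-two-labels shortcut used here.

```python
from email.utils import parseaddr

# Constructed for this example: domains the organisation regards as its own.
TRUSTED_DOMAINS = ("example.com",)

# Characters commonly swapped for letters to build a look-alike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain):
    """Fold common look-alike substitutions so 'exarnp1e.com' reads as 'example.com'."""
    d = domain.lower().strip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Standard Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Return (display name, lower-cased domain) from a From: header; domain is '' if unparseable."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name, ""
    return name, addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) where verdict is trusted, lookalike, suspicious or external."""
    name, domain = sender_domain(from_header)
    if not domain:
        return "suspicious", "no parseable address"
    if domain in trusted:
        return "trusted", "exact match"
    # Simplified registrable domain: last two labels (no public-suffix list here).
    registrable = ".".join(domain.split(".")[-2:])
    for t in trusted:
        if domain.endswith("." + t):
            return "trusted", "subdomain of trusted domain"
        # Trusted name buried inside an unrelated domain, e.g. example.com.evil.net
        if t in domain and registrable != t:
            return "lookalike", f"trusted name '{t}' embedded in '{domain}'"
        # Homoglyph or one-character variation of the trusted domain
        if edit_distance(normalise(registrable), normalise(t)) <= 1:
            return "lookalike", f"'{registrable}' resembles trusted '{t}'"
    # Display name invokes the brand, but the address belongs to someone else.
    for t in trusted:
        brand = t.split(".")[0]
        if brand and brand in name.lower():
            return "suspicious", f"display name mentions '{brand}' but domain is '{domain}'"
    return "external", "unrelated domain"


if __name__ == "__main__":
    # Constructed sample headers covering each verdict.
    for hdr in (
        "Alice <alice@example.com>",
        "IT Helpdesk <helpdesk@mail.example.com>",
        "Alice <alice@exarnple.com>",
        "Alice <alice@examp1e.com>",
        "Alice <alice@example.com.evil.net>",
        "Example Payroll <payroll@gmail.com>",
        "Bob <bob@partner.org>",
    ):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

The edit-distance threshold of 1 is a tuning choice: raising it catches more transpositions such as `exampel.com` but also flags more legitimate short domains, so anything above "trusted" is best treated as a warning banner for the reader rather than an automatic block.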
But organisations can go a lot further than simple training days.
"Digital literacy is regularly communicated at all levels of the organisation through workshops, intranet, noticeboards or email briefings and advisories," United Living CIO Greg Morley told CIO UK. "An example has been cybersecurity and keeping staff informed via regular email and intranet advisories such as 'Anatomy of a malicious email', a cybersecurity section at our welcome day for new starters, a collection of cybersecurity do's and don'ts posters for staff noticeboards around the country, and a board workshop about cybersecurity risk and mitigation."
Employees can also be tested on what they've learned.
"Around cybersecurity we are putting good practices into IT and investing in the technology to help protect us but clearly, the weakest link is always going to be the workforce," Mark Stanton, Dudley Group NHS Foundation Trust's CIO, told CIO UK. "As part of the mandatory training there is an IT security module which staff members have to undertake annually so we have a lot of mystery shopper type activities where we have been creating and testing our own viruses. We are sending out emails to our staff with fake viruses and seeing who has clicked on those links."
Mobile security is another area on which it's vital to educate staff, given the popularity of working from mobile devices today. Staff should be told about the risks that come with using mobile devices and the most common ways their security can be compromised. Some of the same issues apply when staff are working remotely, which should also be covered.
Another growing issue is how staff can use social media safely, both at work and in their personal lives. This could cover how to avoid sharing personal details publicly on social media and how to guard against the most common forms of exploitation.
In technology-focused companies, getting staff engaged in the cybersecurity strategy can be a good approach. For example, the BMJ organises hack days where employees are asked to get creative when solving security-related business problems. BMJ's CDO Sharon Cooper said: "Security is a skill that everyone should have at varying levels, bringing diverse teams together and sharing knowledge. The hack day would bring suggestions that would fix business problems, develop new products or improve existing policies."