It’s not been a good year for cyber security. According to the IT Governance blog, in June 2019 alone nearly 40 million records were hacked into and leaked.
Victims of cyber attacks ranged from the EU’s embassy in Moscow, US Customs border control and the Australian Catholic University to Leicester City Football Club’s fans’ financial records.
Whether you’re a small to medium-sized London-based business or a huge multinational corporation, there’s no hiding place from the online threats. You have to prepare to protect your IT infrastructure, digital assets, enterprise, people and customers, and those preparations start with staff training.
Put your people and their training first
So, how to protect your business from cyber attacks? Start with your weakest link – your people.
In fact, no matter how good the high-tech security systems you deploy, they’ll only ever be as good as the way you train your staff to recognise and respond to cyber attacks.
So, in this blog post, we’re taking a closer look at how training your team in cyber security is now mission-critical for every London business. In this article, we’ll cover:
- Why the individual is not to blame
- Staff training must be an ongoing commitment
- Cyber security awareness has to be a priority
- It’s got to start at the top
- Password best practices
- Train your people to recognise the threats
- Make cyber security part of your induction process
- Test your cyber security protection process
Why the individual is not to blame
With today’s busy working lives and overflowing inboxes, people sometimes click on a questionable link without thinking.
So never blame any member of your team for not having the right knowledge at the right time to recognise, remove and report a threat. It’s your organisation’s responsibility to provide your people with the training and capabilities they require to keep your network and data secure.
It’s not good enough to put your cyber security rules, regulations, procedures and processes in a manual or on the staff intranet. Cyber security training has to be proactive, hands on and ideally refreshed at least quarterly.
So how can companies protect against hackers? Your aim should be to develop a data security strategy, training plan and reporting and coping infrastructure that empowers your team to make the right decisions and take the right actions.
Staff training must be an ongoing commitment
Cyber security threats are an ever-moving target. They constantly evolve so your training and your people’s know-how have to evolve with them.
You simply cannot effectively guard against the risks with a once a year training programme – it requires an ongoing commitment just as, for example, updating your software does.
Cyber security awareness has to be a priority
Don’t believe that businesses in London can just cross their fingers and hope. That’s not an effective strategy for survival.
According to the Federation of Small Businesses (FSB) here in the UK, small businesses were subject to almost 10,000 cyber-attacks a day in 2019 – that’s one in five small firms – and the annual cost of such attacks totals some £4.5 billion.
Two simple ways you can keep your team focused include distributing a regular cyber security newsletter highlighting the volume and frequency of attacks your business experiences, and appointing a cyber security ambassador for each functional team to spread the word.
It’s got to start at the top
As with any important topic in any business, change needs to be driven from the top. You need to find a senior level champion who understands the risks, what you’re doing by way of planning and prevention, and the time and cost needed (especially in the ongoing training) to protect the business.
When making the case for how to protect your business from cyber attacks, talk to your executives in a language they understand and use the many examples of security breaches you’ll find reported in the press and online.
Compare the potential costs of any security breach with the costs of preventing them. And don’t forget that under the recently introduced General Data Protection Regulation (GDPR), if your customers’ personally identifiable information (PII) is lost, stolen or leaked you can be fined up to €20 million or 4% of turnover for such losses.
Password best practices
We all complain about the number and variety of passwords we have to remember but they matter and are a fundamental building block of your security plan. Make sure your team consider these pointers when they create strong passwords:
- Is it long enough? Longer passwords are exponentially harder to crack and should contain at least eight characters.
- Does it use multiple character sets? Each character set (uppercase, lowercase, numerals, symbols) adds another layer of complexity.
- Does it use complete words? Common and complete words are easier to remember but are also easier for a hacker to crack.
- Is it changed regularly? Passwords that are used over the long-term are more likely to be compromised, so have your team set reminders to regularly change them.
- Is it shared across accounts or people? The same password used in multiple places or shared by many people is simply more vulnerable to attack.
Make it fast and easy for your people to create, remember, use and, where applicable, share strong passwords with a password manager such as LastPass or 1Password.
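The pointers above can be turned into an automated check that a help desk or onboarding script runs before a password is accepted. The script below is an added example written for this post, not code from the original article or from the IT firm behind it; the common-word list, the password history and the "at least three character sets" threshold are assumptions chosen for illustration (the post itself only says "multiple" sets), and none of the sample passwords are real credentials.

```python
import string

# Constructed sample data for the example: a tiny dictionary of common words
# and a history of previously used passwords (the page's "reuse" pointer).
COMMON_WORDS = {"password", "welcome", "london", "summer", "qwerty", "letmein"}
PREVIOUSLY_USED = {"Summer2019!", "Welcome1"}

MIN_LENGTH = 8        # the page's "at least eight characters"
MIN_CHARACTER_SETS = 3  # assumption: "multiple" taken to mean three of the four sets


def character_sets(password: str) -> int:
    """Count how many of the four sets (upper, lower, digit, symbol) the password uses."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def contains_common_word(password: str, words=COMMON_WORDS) -> bool:
    """True if a complete common word appears anywhere in the password, ignoring case."""
    lowered = password.lower()
    return any(word in lowered for word in words)


def check_password(password: str, previously_used=PREVIOUSLY_USED) -> list:
    """Return the list of pointers the password fails; an empty list means it passes.

    The 'changed regularly' pointer is a process control (a reminder or expiry
    date), so it is not something a string check can decide and is left out here.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if character_sets(password) < MIN_CHARACTER_SETS:
        failures.append("too few character sets")
    if contains_common_word(password):
        failures.append("contains a common word")
    if password in previously_used:
        failures.append("reused")
    return failures


if __name__ == "__main__":
    for candidate in ("Welcome1", "abc123", "Tr0ub&dorX"):
        print(candidate, "->", check_password(candidate) or "passes all pointers")
```

Plugging the function into a self-service password reset page gives the user the specific pointer they failed rather than a generic "weak password" message, which is the kind of explain-why feedback the post recommends in its induction section.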
Train your people to recognise the threats
Many of the most powerful and effective cyber attacks rely on human error. Attackers can spoof email addresses, domains and even something like Google’s two-factor authentication form to compromise the best-protected data.
Industry experts believe the training your team needs to protect your business from cyber attacks should include:
- Checking sender e-mail names and addresses for spoofing, especially if the sender is making an unusual or unexpected request.
- Checking an e-mail’s format and considering if there’s anything unusual about it.
- Making a phone call to the sender or the cyber security team if there’s a sudden request for key information such as login credentials.
- Hovering over any links before clicking on them, to make sure they go where they say they should.
- Scanning any attachment before opening it, and checking the file extension for anything unusual, like multiple file types.
Social engineering attacks can be difficult to defeat because they target your team’s need to help people, but common-sense rules must be applied here, too. Train your team to take a step back, think before they act and, if in doubt, check.
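Several of the checks in the list above (sender address spoofing, links that go somewhere other than where they say, attachments with more than one file extension) can also be run automatically on incoming mail so that the security team sees the same warning signs staff are trained to spot. The script below is an added example written for this post, not code from the original article or the IT firm behind it; it uses only Python's standard library, and the sample message, every address, domain and file name in it, and the small list of executable extensions are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message exhibiting the page's warning signs: a display
# name carrying a different address from the real sender, a Reply-To that
# differs from From, a link whose text and target disagree, and a
# double-extension attachment. All domains here are invented.
SAMPLE_EMAIL = """\
From: "finance@example.com" <finance@example-c0m.test>
Reply-To: payments@other.test
To: staff@example.com
Subject: Urgent: confirm your login details
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html

<p>Please confirm your details at <a href="http://login.example-c0m.test/portal">https://login.example.com/portal</a></p>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

(attachment bytes omitted in this constructed sample)
--XYZ--
"""

# Constructed clean message for comparison.
CLEAN_EMAIL = """\
From: Alice <alice@example.com>
To: staff@example.com
Subject: Lunch on Friday
Content-Type: text/plain

Shall we book the usual place?
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def double_extension(filename: str) -> bool:
    """True for names like invoice.pdf.exe that carry more than one extension."""
    return len(filename.lower().split(".")) > 2


def sender_mismatch(from_header: str) -> bool:
    """Flag a display name that contains an address whose domain differs from the real one."""
    display, addr = parseaddr(from_header)
    real_domain = addr.rsplit("@", 1)[-1].lower()
    embedded = EMBEDDED_ADDR_RE.search(display)
    return bool(embedded) and embedded.group(1).lower() != real_domain


def mismatched_links(html: str) -> list:
    """Return (visible text, href) pairs where the text is a URL on a different host."""
    found = []
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.lower().startswith(("http://", "https://")):
            if urlparse(href).hostname != urlparse(text).hostname:
                found.append((text, href))
    return found


def analyse(raw: str) -> list:
    """Run the page's checks over one raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if sender_mismatch(msg.get("From", "")):
        findings.append("sender display name does not match real address")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        findings.append("Reply-To differs from From")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and double_extension(filename):
            findings.append(f"attachment has multiple extensions: {filename}")
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for text, href in mismatched_links(body):
                findings.append(f"link text {text} points to {href}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
    print("clean message findings:", analyse(CLEAN_EMAIL))
```

None of these heuristics is conclusive on its own; a legitimate newsletter often has a Reply-To that differs from From, for instance. Their value is in feeding a report-and-check process: a message that trips two or more of them is worth the phone call to the sender that the post recommends before anyone acts on it.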
Make cyber security part of your induction process
It’s said you don’t get a second chance to make a good first impression, so make cyber security training an integral part of your new staff induction process.
Ensure people are fully up to speed with the current and potential new threats, covering bases such as password security, phishing, and social engineering attacks.
Don’t just go over the rules but explain why these best practices are so important – cyber security is everyone’s job.
Create the following:
- Clear, easy-to-use resources, such as an employee cyber security policy, that are the central point your team goes to if they have any questions or concerns.
- Fast, simple reporting processes so potential breaches can be acted upon as soon as they happen.
- An environment where honesty and sharing is encouraged so no one tries to cover up an error only to make a risky situation worse.
Test your cyber security protection process
Regularly put your process and people to the test so they can form the right prevent and protect habits, through making and learning from their mistakes.
You could use your own security team or even an outside vendor to regularly test your strengths and weaknesses with simulated ‘real world’ attacks. Think of these as a fire drill, where running regular practices embeds good habits.
We’re the go-to IT support team for London when it comes to cyber security technology and consultancy. But there’s much you can do yourself to help prepare and protect your business from the threats out there in the online world, as the above pointers show.
If you’d like to know more about the cyber security solutions available to London businesses, please just call us for a confidential, no obligation chat about your requirements.