The Importance of Cyber Security Training For Employees
Why is cyber security in the workplace important?
Alongside the increase in working from home, developments in modern technology, such as mobile devices and the Internet of Things (IoT), have contributed to today’s cyber security threats. The more data stored on mobile devices, and the more they are able to access company networks, the greater the risk they pose.
Cyber criminals are using automated attacks far more, enabling them to target multiple computers and networks at the same time. Whilst larger corporations are more aware of the importance of cyber security and protecting their business, small businesses have yet to catch up.
With the introduction of GDPR in 2018, every business, no matter the size, now has the legal responsibility of protecting the data they hold on their customers, suppliers and other stakeholders. This makes cyber security critical for protecting confidential and sensitive information.
A recent Cyber Security Skills report by the Department for Digital, Culture, Media & Sport showed that just 1 in 9 businesses (11%) have provided cyber security training or conducted a security awareness programme in the workplace. Although some companies make promoting awareness of cyber issues mandatory, for 30% of companies in the private sector it isn’t.
7 reasons why cyber security training for employees is important:
- To prevent data breaches and phishing email attacks.
- To make technological defences, like firewalls and software updates, more robust against cyber threats.
- To create a cyber security culture incorporating security values as a key element of the business, across any location of work, through security awareness programmes.
- To comply with GDPR and security requirements and regulations.
- To boost customer confidence – a 2020 survey by Arcserve found that 70% of consumers don’t think businesses are doing enough to protect against cyber attacks.
- To promote and improve the wellbeing of employees by keeping staff safe at work from phishing emails, social engineering and other cyber threats.
- To promote the business as socially responsible and cyber-aware, benefiting customers, suppliers and other stakeholders.
Who is responsible for cyber security in a company?
Whilst the main responsibility is usually on the shoulders of a senior manager, like the Chief Information Officer or CEO, in reality everyone is responsible in some way for ensuring a business remains protected.
A cyber attack can target anyone in the business. When you consider that more than 90% of attacks arrive via email, whether as information phishing, compromised attachments or malicious links, the responsibility sits with each individual employee. Involving everyone in adopting cyber security best practices, and ensuring all employees take part in cyber security training, is one of the best ways to keep your business secure.
Most common cyber threats in the workplace
Any data security breach is a serious issue but there are some cyber threats that are particularly common, and dangerous.
Phishing emails
Phishing emails have become increasingly sophisticated in recent years, imitating genuine businesses and charities with a worryingly high degree of accuracy. These scam emails can either be looking for information or encouraging recipients to click on a link or open/download an attachment. Phishing emails are the entry point for hackers to launch more damaging attacks, such as ransomware.
The problem with phishing emails is they have become so sophisticated that many automated threat intelligence-based security solutions can’t detect them. This means it is down to the individual to spot these emails before they can cause damage.
Ransomware
A recent trend that has emerged is hackers using Ransomware as a Service (RaaS) to carry out attacks on businesses. Successful ransomware attacks lock businesses out of accessing their data unless a ransom is paid.
The costly and damaging nature of a business being locked out of its own data means leaders are often forced to pay the ransom. One noteworthy example is the 2021 JBS attack, where the largest meat producer in the US was forced to pay an $11 million ransom after hackers disrupted operations.
Remote working
The pandemic meant that businesses had to rapidly adapt to a remote work environment. Home networks are not as secure as corporate infrastructures and are therefore an easy target for cyber criminals. While many of the initial issues have since been resolved, cyber security training for employees is critical when working remotely: there is less security on home networks, so staff must be vigilant for online threats.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
These types of attacks use ‘zombie’ computers, sending thousands of requests to overwhelm a business’s network resources, rendering them unable to process legitimate traffic. With advanced malware able to compromise hundreds or thousands of computers at the same time, these attacks can force businesses to go completely offline while they deal with the issue.
Man-in-the-middle (MITM) attacks
Cyber criminals target two-way transactions, intercepting the traffic between the two parties and stealing the data. With the increase in mobile and remote working, particularly over unsecured Wi-Fi networks, MITM attacks are on the rise.
Social engineering attacks
Cyber criminals set traps to gain access, usually by tricking a user into providing sensitive information or installing malware on their device. Types of social engineering attack include smishing (text messages), vishing (voice phishing), piggybacking and baiting.
SQL injection attacks
Hackers exploit vulnerabilities in web applications and other software that build database queries from user input, inserting malicious SQL code into those queries to read or alter the data behind the application.
Cyber security best practices for employees
The best way to implement cyber security training for employees can often be a dilemma for companies. There are cyber security training courses that can get your employees started, but there are also a number of ways to ensure that cyber security best practices are maintained. This is particularly important if there are employees that are remote workers.
Cyber security best practices include:
Clearly define the company’s cyber security message
Make sure it is clear and understandable, so avoid jargon. Employees have to be able to relate to cyber security protocols. Focusing on personal cyber protection, such as keeping their home networks safe and the danger of clicking on links in emails from people or businesses they don’t know, helps them understand the dangers.
Teach employees how to identify suspicious activity
The first step to cyber security is prevention. Teaching employees how to spot suspicious emails or activity gives cyber security teams more opportunity to prevent a data breach. Warning signs include unauthorised access, new apps, programs or extensions appearing on mobile devices and in browsers, unusual pop-ups, or even a device suddenly slowing down.
Training on how to look after mobile devices could significantly reduce the potential for a data breach. For example:
- Explain the difference between corporate and personal device usage.
- Implement mandatory monitoring and management of work accounts, such as restricting installations or downloads.
- Ensure operating system updates and security patches are enforced, which can be carried out remotely.
- Teach how to prevent theft and loss of devices.
Encourage cyber security awareness
Keep up regular cyber security awareness messages in a variety of ways, such as top tips on intranets, informative infographics and periodic awareness training.
Cyber security tips to protect employees at work
When creating a robust programme of cyber security training for employees, one aspect that must be addressed is human error. These tips should form part of the business’s cyber security procedures and policies.
Regular cyber security training
Educating your employees is the first step to prevention. Set up and implement a cyber security induction programme for new starters, along with regular cyber security refresher training for existing staff. Quarterly courses that take up no more than a couple of hours will keep everyone up to date on cyber security best practices.
Physical cyber security precautions
Encourage employees not to leave USB devices, laptops or smartphones in full view, particularly if they move away from their desks.
Strong password practices
It’s very easy to use the same password for all devices and logins, but a hacker who works that password out can then access all of your devices and systems. Educate employees on the importance of creating long passwords, i.e. 12 characters or more, that incorporate a mix of character types. Implement a system that automatically generates a new password every three months.
Implement and enforce mobile security measures
With the continued increase in the use of mobile devices, many of which are personal devices being used to access corporate systems, it’s important to protect endpoint devices. Educate employees in using PINs or passcodes, initiate geofencing capabilities and incorporate remote locate tools to ensure devices used for work are secure.
Educate on safe website browsing
Encourage employees to only access websites that are well-known and reputable. Manage online downloads by implementing a permission-based process. Educate employees on how to access and use social media safely.
Cyber security training for employees is one of the best ways to protect your business
Knowledge is power; ensuring the right cyber security protocols are implemented and maintained is the first step in protecting your business from data breaches. With ongoing cyber security training for employees, businesses are in a better position to protect their most valuable assets and maintain customer trust and reputation.