Cybersecurity awareness is more than simply knowing about cyber threats. It’s a series of trainings, policies, and actions that lead to a higher level of security in your business or organisation.
Why do you need to be cyber security aware?
Rather than give you a lot of words, here’s the “Global Study at a Glance” from an IBM report:
The average total cost of data breach is $3.62 million
The average cost per lost or stolen record is $141
The likelihood of a recurring material data breach over the next two years is 27.7%
2017 Cost of Data Breach Report, IBM Corporation
“Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behaviour.” - ChiefExecutive
The above statement has been repeated in one way or another for years.
If 9 out of 10 cyber attacks stem from human activity, the first logical step is to start with the humans in the organisation.
There are a number of elements that your staff security awareness training needs to have:
- A clear explanation of what cyber attacks are and what to look for - This includes letting them know what a dangerous link might look like and what a computer might do after being infected.
- In-depth explanations of the dangerous activities - Be explicit that clicking links, downloading attachments, and similar actions are what cause the problems. It’s important to make it clear that it’s the action itself that does the damage.
- Discuss alternative ways of getting things done - For example, if a staff member gets an email from the bank, they should call the bank or at least go to a browser and log into the bank directly.
- Teach people what to do if there is a problem - Don’t just leave them hanging. For example, if ransomware pops up on someone’s computer, tell them to shut down their computer, shut down all of the other computers in the office, and turn off the server. Everything can be turned back on by the technicians.
- Be skeptical - Some of the most successful scams are the ones where someone calls or emails with an unusual request. One invoicing scam involves the accounting department getting an email that says, “We got hacked. Your previous payment for invoice number 56845 is being returned. Please remit to bank number 986685105.” Of course, the new bank number belongs to the scammer, so the payment goes straight to them.
This is not all that needs to be in your training, but these are important elements that are often forgotten.
The key to training is that it’s not a one-time thing. Everyone should get monthly reminders and annual follow-up trainings.
Keep security awareness top-of-mind and you’re much less likely to have a problem.
Policies will not stop cyber attacks or the behaviour that makes them possible. What policies can do is give everyone clear guidance on what to do if there is an attack and on what they can do to prevent one.
Here are a few examples of effective policies that you can implement:
Every device, even personal ones, must have active anti-virus software
Provide your staff with antivirus software on their personal devices, like mobile phones and laptops. Often, employers will complain that this will cost money. The average cyber attack is breathtakingly expensive. Look at the IBM report above; the average data breach costs $3.62 million. The ROI on proper security is very high. It’s worth the investment.
All staff members must be trained to avoid problems
Everyone, including the CEO, must be trained to stay out of trouble. There is a term for scamming the CEO online; it’s called whaling. It has a name because it happens often enough to earn one. The famous data breaches at the Democratic National Committee and high-level government officials in the US in 2016 were caused, not by a brute force attack, but by emails with malware in them. Everyone is vulnerable.
No one will get fired for making an honest mistake, once - Nobody is terminated for a first, honest mistake.
This is an important policy. If your staff is afraid they’ll get terminated, they won’t tell you there’s a problem until it’s too late.
These are just a few ideas, but they should help you to get started.
There are a number of things that you can do to stay cyber secure:
Look for next-gen anti-virus software
Most traditional antivirus software is static. It updates once a day and only scans when it’s told to. Newer antivirus software is cloud-based: it is updated constantly as the vendor publishes new definitions online, and it continuously scans your servers and workstations looking for problems.
Lock and guard your server room
One of the silliest ways that information gets stolen is when someone just goes into the server room and steals the data. Better yet, put your data in the cloud and you won’t have that worry.
Add new levels of security
Passwords are no longer enough. Add biometrics and extra layers of security to keep your network safe. This is especially important for any device that might leave the building or the possession of a staff member. Laptops stolen from cars are a notorious source of lost data. Lock them down tight.
What is cyber security awareness?
Cyber security awareness is the knowledge that your data is under threat and knowing what you can do about it. It’s not a “learn it and leave it” idea. It’s an ongoing battle to keep your data and that of your customers safe.