It’s not news that all business leaders, and indeed employees, have a responsibility to protect themselves and the organisation from cyber threats targeting critical data. However, what remains an issue is the level at which businesses are investing in their employees when it comes to security training.
Business leaders are faced with the ever-present threats cybercrime poses to their operations, which come with a great level of responsibility to protect the organisation and its customers. It’s important not to underestimate the level of stress and anxiety that the potential of a cyber-attack may be causing in their workforce. No business or employee is truly safe or immune, and the potential costs of this risk are very concerning; they are not just about loss of revenue or the financial costs of recovery.
There are many events which could trigger a business to invest in training. Let’s take a look at some of these:
- Direct attack on the organisation – whether this be through a phishing email or ransomware attack, there will be learnings which must be embedded with staff on an ongoing basis
- Breach as a result of human error – with 95% of security breaches starting this way, it’s a common trigger for investing in training across organisations
- New policies, processes & ways of working – this will often lead to information needing to be shared across the business and can cover specialised topics or more generic but critical aspects such as passwords, multi-factor authentication & device security
- Changes to an Incident Response Plan – whether the plan was enacted due to an attack or it was being tested, there will likely be learnings that result in changes, and these will need to be built into the ongoing plan and shared with relevant staff
- Security incident within the industry – seeing other businesses being targeted and identifying the same risks in your own organisation can often lead to a need to increase awareness within both the leadership team and wider workforce
- Outcomes of a cyber security audit – whether an audit results in systems or process changes, it is highly likely that there will be changes which must be embedded into people’s roles, and training has a greater impact than most other communication methods
- Identifying an insider threat – not all insider threats are intentional or malicious, but when something is identified there must be a response which highlights the risks and increases awareness among staff that protective measures are in place
- New leadership – whether it’s about making an impact or quickly seeing a need for training, a new senior leader will often push this topic up the agenda, which is no bad thing!
No matter the trigger, the benefits of investing in cyber security training are what should be focused on. Taking a forward-looking approach informed by experience will help foster uptake and an ongoing culture of openness. Better still, acting now, ahead of an attack or breach, will bring immediate benefits to the organisation, a few of which are:
- Creating an environment where staff and leaders can mix openly with others outside of the organisation to share & learn. Often we see secondary learning when teams mix with one another or people are trained with those from outside the business. This level of insight can be so valuable and fosters a sense of ownership of the topic
- Achieving a balance in building both technical and non-technical knowledge. Cyber security doesn’t have to be a technical discipline. In fact, focusing on people and their role in protecting the organisation can often foster a desire to grow technical knowledge
- Being pragmatic and ensuring the business still runs. Increasing awareness of risks will better enable staff to be pragmatic and realistic regarding data & information security, which feeds into ensuring that they can still do their jobs and keep the business running
Training isn’t going to eradicate the risks, but it builds competence in the workforce, which in turn increases organisational resilience. Following the increase in awareness and communication around cyber risks, behaviours will need to change, and this is more likely when staff are trained together. If people don’t change the way they do things, then no level of informing and updating is going to have any meaningful impact on the security posture of a business. Following up on training, and raising awareness on an ongoing basis through communications activity, is therefore key.
Developing a business is multi-faceted and takes a lot of time and effort, so the value of knowing that yours is operating securely and your staff are a line of defence you can rely on is not to be underestimated. Cyber criminals will always try to find a vulnerability they can exploit, and this often starts with targeting people and not systems. To not invest in your people could be argued as a conscious step towards not protecting your business. Speak with us today if you want to take the next steps in your cyber security journey.