You could be forgiven for thinking cyber security is solely the job of the IT department; after all, they are the experts. The companies with the strongest cyber security realise, however, that every employee has a role to play in protecting the business, its customers and its data. That may seem obvious: any of us could click a phishing link that tricks us into entering our credentials on a fake login page, or into opening an attachment that silently installs malware on our machine. Yet a certain naivety keeps us thinking that these attacks only happen to other people.
Companies often have the policies and induction processes in place to make sure staff know how they are expected to use the technology the company gives them, but these generally focus on what is and is not permitted. The missing element is arming employees with the skills and knowledge to protect themselves and the business against attacks designed to trick them into handing criminals access to IT systems, whether the result is disruption, a data breach, or a ransomware attack that encrypts the company's systems and paralyses the business.
The ever-changing threats
The workplace has of course changed immensely over the last year, with more of us than ever before working from home. Most of us will be returning to the office in some form, but remote working will continue to be more common than before. This creates an opportune environment for cyber criminals: the attacks themselves are no different, but employees tend to be less careful at home, and a home network sits behind fewer of the company's technical controls than the office does.
Phishing emails, for example, continue to be a big threat for remote workers, and criminals keep adapting their lures to the news cycle, for instance offering government tax rebates and support services, or soliciting for fake charities, to steal employee credentials and credit card details.
The use of cloud software is another area of risk, though many assume it is safe. Using the cloud isn't necessarily a risk in itself, but a misconfigured service, or a personal account used instead of a company account to share or store files, can give outsiders access to sensitive data. A personal account is also outside the company's access controls, logging and leaver processes, so nobody can see what was shared or revoke it. If sensitive data is exposed this way, the incident may have to be reported to the local data protection authority.
Bridging the strategy gap
There is a lot the IT department can do to protect the business, but the team cannot do it on their own. What is often missing is the part of the cyber strategy that brings IT, HR and employees together in a framework designed to keep everyone one step ahead.
Active staff training is a key way HR can contribute: teaching staff how to identify suspicious emails and other security threats, and changing the behaviour that previously put the company at risk. It is unrealistic (if not impossible), however, to expect every employee to regularly attend training sessions on each new threat they might face, and how would you measure success?
A traditional 'tick box' approach does not work for cyber security, because a company has to be able to measure adherence to its IT policies and identify where additional training is needed. Coming to that realisation in the middle of a cyber attack is like shutting the stable door after the horse has bolted.
A different way to train
Employees need to be safely exposed to new threats and quickly learn how to deal with them. Security awareness training (SAT) is a good way to do this and, with the right software solution, can bridge the gap between employees, HR and IT. For example, HR and IT teams can work together to schedule simulated phishing campaigns in the SAT solution. The emails go to employees, and what each person does with the message (ignores it, opens it, clicks the link, enters credentials, or reports it) shows where training is needed. Click rates and report rates measured across campaigns give the organisation the success metric that classroom training lacks, and the simulations can evolve with each new approach attackers employ.
Security awareness training solutions can be integrated with a company's existing IT systems, giving both IT and HR the information needed to assess and improve the security posture of the organisation through real-time training and monitoring of employee behaviour.
For employees, one of the biggest challenges is getting support at the exact moment of need: when they take a risk or breach policy without even realising it. The best security awareness training systems monitor employee behaviour and offer real-time intervention training as staff use applications, transfer files or plug in USB drives. When a user exhibits risky behaviour, the system delivers a short, bite-sized 'nudge' designed to correct that behaviour for the future. The event is logged for HR and IT at the same time, so that repeat offenders can be identified for more detailed training, and so that trends across teams or departments reveal gaps that call for more general training.
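The scoring logic behind the phishing simulations and the repeat-offender and department-trend reporting described above can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any SAT product; the event log is constructed, and the outcome names, the repeat-offender threshold and the department click-rate threshold are assumptions chosen for illustration.

```python
"""Phishing-simulation scoring: turn per-recipient campaign events into
campaign metrics, individual training actions and department-level trends.

Added example for this page, not vendor code. Event log, field names,
outcome names and thresholds are all constructed assumptions.
"""
from dataclasses import dataclass

# Outcomes ordered by severity. A recipient's result for one campaign is the
# worst thing they did with the message; reporting is tracked separately
# because someone can click first and still report the email afterwards.
SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}

REPEAT_THRESHOLD = 3     # failures (including this one) that trigger escalation (assumed)
DEPT_CLICK_ALERT = 0.4   # department click rate that triggers group training (assumed)

# Constructed campaign log: one row per user action, in the order it happened.
CAMPAIGN_EVENTS = [
    {"user": "alice", "department": "finance", "action": "delivered"},
    {"user": "alice", "department": "finance", "action": "opened"},
    {"user": "alice", "department": "finance", "action": "reported"},
    {"user": "bob",   "department": "finance", "action": "delivered"},
    {"user": "bob",   "department": "finance", "action": "clicked"},
    {"user": "bob",   "department": "finance", "action": "submitted"},
    {"user": "carol", "department": "sales",   "action": "delivered"},
    {"user": "carol", "department": "sales",   "action": "clicked"},
    {"user": "carol", "department": "sales",   "action": "reported"},
    {"user": "dave",  "department": "sales",   "action": "delivered"},
    {"user": "erin",  "department": "sales",   "action": "delivered"},
    {"user": "erin",  "department": "sales",   "action": "opened"},
]

# Constructed history: how many earlier campaigns each user clicked or submitted in.
PRIOR_FAILURES = {"carol": 2}


@dataclass
class Result:
    user: str
    department: str
    worst: str = "delivered"
    reported: bool = False

    def failed(self) -> bool:
        return SEVERITY[self.worst] >= SEVERITY["clicked"]


def summarise_campaign(events):
    """Collapse raw events into one Result per user (worst action wins)."""
    results = {}
    for ev in events:
        r = results.setdefault(ev["user"], Result(ev["user"], ev["department"]))
        if ev["action"] == "reported":
            r.reported = True
        elif SEVERITY[ev["action"]] > SEVERITY[r.worst]:
            r.worst = ev["action"]
    return results


def campaign_metrics(results):
    """Click, submit and report rates: the measurable success criteria."""
    n = len(results)
    clicked = sum(1 for r in results.values() if r.failed())
    submitted = sum(1 for r in results.values() if r.worst == "submitted")
    reported = sum(1 for r in results.values() if r.reported)
    return {
        "recipients": n,
        "click_rate": round(clicked / n, 3),
        "submit_rate": round(submitted / n, 3),
        "report_rate": round(reported / n, 3),
    }


def training_action(result, prior_failures):
    """Map one campaign outcome plus history to an intervention."""
    if result.worst == "submitted":
        # Credentials were typed into a fake page: treat as a real exposure.
        return "reset_credentials_and_assign_module"
    if result.failed() and prior_failures + 1 >= REPEAT_THRESHOLD:
        return "escalate_repeat_offender"
    if result.failed():
        return "just_in_time_nudge"
    if result.reported:
        return "positive_feedback"   # reward the behaviour we want repeated
    return "no_action"


def plan_training(results, history):
    return {u: training_action(r, history.get(u, 0)) for u, r in results.items()}


def department_trends(results):
    """Per-department click rate; flags departments needing group training."""
    per_dept = {}
    for r in results.values():
        d = per_dept.setdefault(r.department, {"recipients": 0, "clicked": 0})
        d["recipients"] += 1
        d["clicked"] += int(r.failed())
    for d in per_dept.values():
        d["click_rate"] = round(d["clicked"] / d["recipients"], 3)
        d["needs_group_training"] = d["click_rate"] >= DEPT_CLICK_ALERT
    return per_dept


if __name__ == "__main__":
    results = summarise_campaign(CAMPAIGN_EVENTS)
    print(campaign_metrics(results))
    print(plan_training(results, PRIOR_FAILURES))
    print(department_trends(results))
```

Two design points matter here. A user who clicks and then reports (carol above) still counts as a click, because the attacker already has what they need by then; the report is tracked separately so the positive behaviour is not lost. Submitting credentials is handled as an incident (password reset) rather than only as a training event, since a real campaign with the same outcome would require exactly that response.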
Human firewalls: the most important weapon
Remote working is here to stay: most employees whose job allows it are likely to spend two or more days a week working outside the office. New candidates are likely to demand it, and companies need to develop cyber strategies that embrace this expectation.
Creating 'human firewalls' is the most important line of defence in any organisation, whether staff work remotely or in the office. Cyber threats are evolving all the time, and security awareness training, implemented correctly, can be a key component of the cyber security strategy: it lets companies measure and assess training needs against that changing threat environment, and deliver consistent, effective training to every employee at their moment of need.