Cyber crime is growing exponentially and is a real threat for organisations. Phishing campaigns, man-in-the-middle attacks, SIM swapping and account compromises are just some of today’s attack methods that can cause significant damage to businesses and their stakeholders.
This rise in cyber attacks is made easier by poor cyber hygiene practices and outdated cybersecurity methods. For example, 100,000 of the most-used passwords, including “123456”, have reportedly been stolen by hackers, but are still in use.
Considering the increasing complexity of the threat landscape, cyber attacks and how to prevent them should be a top priority for every organisation – whether their workforce is remote, hybrid or always on-site. However, there is often a remarkable disparity between the risks of cyber attacks and businesses’ attitudes towards them.
The wider impact of data breaches
Cyber attacks can certainly cause significant financial and reputational damage to targeted organisations, but they can directly impact their employees and customers too. When their data has been compromised, it can then be sold on the dark web making it easier for other cyber criminals to target these victims again in the future.
Indeed, according to Yubico’s State of Global Enterprise Authentication survey, 48 percent of UK participants experienced a cyber attack whilst at their place of work and 73 percent experienced an attack in their personal time.
With this in mind, businesses must assess how they can not only protect their staff and infrastructure from attacks, but also help to educate their employees and customers on the risks and how to respond. For example, employees should be taught how to recognise a phishing scam and who they should report it to.
Cyber training
How strongly employees value cybersecurity at work largely depends on how seriously the issue is taken by the organisations they work for. According to Yubico’s survey findings, UK businesses consistently rank below other countries in taking business-wide cybersecurity seriously and educating their employees.
In fact, just 42 percent of UK respondents stated that they are required to participate in frequent cyber training at the company they work for. Only 33 percent of respondents claimed that their organisation’s leaders frequently share security insight regarding what is happening in the industry to its employees. And, only 36 percent said leaders regularly talk about the importance of cybersecurity and what they are using and planning on using with their employees.
This data indicates that most organisations aren’t discussing security enough with their workforce, let alone training them on what to look out for regarding the latest threats.
Poor cyber habits
Insufficient education surrounding cybersecurity is giving rise to numerous poor security habits. For example, 47 percent of UK survey respondents confessed to writing down or sharing their passwords within the previous 12 months, despite citing that having their login credentials stolen is a top cybersecurity concern.
UK respondents also admitted to using a personal device for work (58 percent), allowing someone else to use a work-issued device (33 percent), and having an account reset due to lost or forgotten credentials (58 percent).
These habits make it much harder for users to keep track of where their data has been stored, who has access to it, and how easily it could be stolen if their work or personal device was compromised. Employees may inadvertently put their organisation at risk of a cyber attack or find that much more of their personal information was stolen if their company’s data was breached.
Considering 48 percent of survey respondents claimed to have been exposed to a cyber attack, such as phishing attempts, at work during the previous 12 months, it’s vital that organisations rethink their approach to educating their workforce on security.
Best-practice training
When implementing cyber training, it’s important to ensure that staff don’t view it as merely a tick-box exercise. Organisations must have enough people who are properly trained to create and administer effective training programmes. Treating security training as a collateral duty won’t have enough of an impact on teams.
Secondly, organisations need to think beyond a one-size-fits-all approach. Certain groups of employees are targeted more often than others, or targeted in different ways, so they need to be prepared accordingly.
For example, senior executives, IT system administrators, and HR team members are the top three target populations, and they are typically targeted using different techniques. Their training should therefore reflect that. Similarly, for different employee demographics, the lessons or examples that are most impactful for one group of employees may be less effective for others.
It’s also crucial that organisations update their training regularly according to the latest threats and methodology that apply to remote and on-premises workers. Cyber criminals are constantly innovating new ways to hack systems, so organisations need to think one step ahead.
Finally, organisations should consider developing a set of training outcome metrics and use them to continually assess and improve their training programmes. If companies have certain employees or employee groups that keep ‘failing’ some aspect of the training, that could indicate that the training and security mitigations are not sufficient. Organisations won’t know this though unless they measure and monitor.
Eliminating human error
In addition to mandating regular security training and following up-to-date cybersecurity practices, UK organisations should consider implementing stronger authentication methods that don’t compromise the user experience.
Instead of relying on passwords, which leaves organisations vulnerable, strong two-factor or multi-factor authentication (2FA/MFA) can offer both security and convenience. For example, hardware-based security keys have been proven to be the most effective phishing-resistant option for business-wide cybersecurity, as well as being easy to implement and use.
By removing the reliance on passwords, these stronger methods are more user-friendly and can be used for both personal and professional data security.
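The phishing resistance of hardware security keys comes from the way a FIDO/WebAuthn credential is bound to the site it was registered with: the browser (not the web page) records the origin it is actually on, the key only answers for the relying-party ID it holds a credential for, and the signature covers both the RP ID and the server's one-time challenge. The following Python simulation is an added example, not code from the article or from Yubico; it replaces the key's real public-key signature with an HMAC over a per-site secret (an assumption made so it runs with the standard library only) and uses constructed names such as `example.com` and the lookalike `examp1e.com`.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Constructed stand-in for a hardware security key.
    Credentials are scoped to the RP ID they were registered under;
    the key never reveals a credential for any other RP ID."""

    def __init__(self):
        self._credentials = {}  # rp_id -> per-site secret (stands in for a private key)

    def register(self, rp_id):
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        # A real key returns a public key; the HMAC secret is the simplification here.
        return secret

    def sign(self, rp_id, client_data):
        secret = self._credentials.get(rp_id)
        if secret is None:
            raise LookupError("no credential registered for this RP ID")
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        return rp_id_hash, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_assert(authenticator, origin, rp_id, challenge):
    """Model of the browser's role: it refuses an RP ID that is not a
    registrable suffix of the page's own host, and it writes the true
    origin into the client data that gets signed."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId is not valid for this origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash, signature = authenticator.sign(rp_id, client_data)
    return client_data, rp_id_hash, signature


def rp_verify(expected_origin, expected_rp_id, stored_secret, issued_challenge,
              client_data, rp_id_hash, signature):
    """Relying-party checks: type, freshness, origin, RP ID, then signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != issued_challenge:
        return False  # replayed or stale assertion
    if data.get("origin") != expected_origin:
        return False  # signed on a different site
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    expected = hmac.new(stored_secret,
                        rp_id_hash + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def run_demo():
    """Returns which login attempts the relying party accepts."""
    key = Authenticator()
    rp_id, origin = "example.com", "https://example.com"
    stored = key.register(rp_id)
    results = {}

    # 1. Genuine login on the real site.
    challenge = secrets.token_urlsafe(32)
    cd, h, sig = browser_assert(key, origin, rp_id, challenge)
    results["legitimate"] = rp_verify(origin, rp_id, stored, challenge, cd, h, sig)

    # 2. Lookalike page relays the real challenge and asks for the real RP ID:
    #    the browser refuses, so no assertion is ever produced.
    try:
        browser_assert(key, "https://examp1e.com", rp_id, challenge)
        results["relay_real_rpid"] = True
    except ValueError:
        results["relay_real_rpid"] = False

    # 3. Lookalike page asks for its own RP ID: the key holds no credential for it.
    try:
        browser_assert(key, "https://examp1e.com", "examp1e.com", challenge)
        results["relay_own_rpid"] = True
    except LookupError:
        results["relay_own_rpid"] = False

    # 4. A captured assertion replayed against a fresh challenge is rejected.
    new_challenge = secrets.token_urlsafe(32)
    results["replay"] = rp_verify(origin, rp_id, stored, new_challenge, cd, h, sig)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The checks in `rp_verify` are the ones a real relying party performs on a WebAuthn assertion; what the simulation leaves out is the asymmetric signature and the signed authenticator data (counter and flags). The point it makes is that a user who is tricked onto a lookalike domain cannot produce a usable assertion, because the browser and the key enforce the binding before anything is signed.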
Ultimately, companies need to be more proactive in changing attitudes surrounding cybersecurity, as employees at all levels can be the biggest strength or weakness in cybersecurity. Regular, targeted cyber training paired with robust passwordless security will equip employees to be effective cyber defenders.