Cybersecurity Insights

Kirsty Trainer

Why Cybersecurity Training Is Important As An SME.

27/11/18 10:25

You can’t load up a tech news source at the moment without seeing the word ‘breached’ somewhere, and for good reason. Attackers are constantly targeting businesses, searching for vulnerabilities they can exploit to siphon away sensitive data. If you think that as an SME you’re exempt from being hacked, you’re wrong.

Why would they focus on you instead of a juicy target like a bank or big business?

The answer is simple: because it’s easier.

Big businesses, corporations and banks have the money and infrastructure available to put together a dedicated cybersecurity team. Whilst some hackers are dedicated enough to find a way past their defences, most will move on to easy prey. It’s far simpler to attack a plethora of smaller businesses deploying out of date or weak security measures.

According to the 2014 Cyber Security Intelligence Index, 95% of data breaches involve human error. Employees across the entire business need to have cybersecurity training. Protecting data isn’t just down to the IT department; it needs to be in the minds of every person in the organisation. Anyone with access to the building is responsible in some way for security.

Hackers utilise sophisticated social engineering techniques to trick people into clicking links, downloading files and giving up details. You can have the best security defences in the world, but if your employees don’t know how to spot a threat, the whole thing can crumble. Training is key to keeping your network secure.

Cybersecurity education needn’t be an arduous task. There are a few easy methods to raise cybersecurity awareness:

  • Hold regular security meetings: Put together an engaging and informative presentation to showcase emerging cybersecurity threats and how to handle them. Holding a quarterly meeting to discuss cybersecurity will keep it fresh in their minds.
  • Start with security basics: The most important threat for the majority of staff to be aware of is phishing. Phishing attacks have evolved from poorly scripted emails to expertly crafted imitations of legitimate communications from businesses. Phishing attacks reportedly make up 73% of all malware delivered to organisations. Some awareness training on how to spot them can dramatically reduce the chances of a breach.
  • Make training relevant to your business: Password security, confidential waste destruction and data encryption are all important and easy to cover. If employees can relate the training to their day-to-day roles, then they can take it in and reduce the risk of breaches.
  • Set up a security policy: Set out a security policy in plain English that avoids the use of jargon. Introducing your security policy as a part of staff induction can help to create a culture of awareness.

That said, investing in professional training always has and likely always will hold the best results for educating people. Companies such as PopcornTraining offer creative, informative and engaging ways to show employees how to identify and deal with various cybersecurity threats.

Cybercriminals commonly exploit human nature in their attempts to gain access to sensitive data. Verizon’s 2016 Data Breach Investigations Report highlights the themes that play off human nature:

  • 89% of all attacks involve financial or espionage motivations
  • Most attacks exploit vulnerabilities that have never been patched. Keeping your applications updated is critical to remaining secure, yet some online retailers go months without updating. The top 10 known vulnerabilities accounted for 85% of successful exploits.
  • 63% of data breaches involve using weak, default or stolen passwords.

The same report showed that phishing attacks had become a major concern. 30% of phishing emails had been opened, with a startling 13% of those leading to the click of a malicious link or attachment download. Whilst awareness training won’t completely solve the problem, it will certainly help to reduce the risk. If you can spot a phishing email, you’ll know what to avoid.

Quick tips to identify a phishing email:

  • The message contains a URL that doesn’t link to the legitimate website. For example, if you receive an email claiming to be your bank, but the link leads to somewhere else, it’s probably a phishing attack.
  • The message contains poor spelling or grammar. If a company sends out mass communications to customers, it’s likely they will be reviewed for spelling and grammar. If you receive an email that’s full of mistakes, then it may have come from an illegitimate source.
  • They ask for personal information. A reputable company should never send you an email asking for your password, credit card number or the answer to a security question. No matter how official it looks, alarm bells should be ringing if they’re asking you for your personal data.
  • The offer seems too good to be true. If something seems too good to be true, it probably is. Phishing scams will sometimes make bold claims to try and entice you to click a link. If it’s from an unknown source, or you didn’t initiate the action, you should be wary.
  • The message makes unrealistic threats. Some phishing attacks try to play on fear and use intimidation to get people to click their links. For example, you receive an email seemingly from your bank informing you that your account has been compromised and that, if you don’t submit a form containing your account information, it will be closed. No bank is going to close your account for not replying to an email. If in doubt, telephone the company.

You may think these tips are obvious, but the phishing stats speak for themselves. Simple awareness training is all it takes to stop a potentially crippling attack.

The punishments dished out by the ICO for breaching data protection, alongside fines from card schemes for losing customer cardholder data, are soon to be joined by sanctions from GDPR legislation. Online threats are increasing in frequency, and if you can’t keep your environment safe, you and your customers are going to suffer.
