It’s not been a good year for cybersecurity. The UK government’s Cyber Security Breaches Survey 2023 estimates that there were 2.39 million instances of cybercrime across UK businesses in the previous 12 months. Alongside this, the financial cost of an attack rises year on year: the single most disruptive breach cost the average UK business £1,100, rising to approximately £4,960 for medium and large businesses.
So there has never been a better time to make sure you have robust cybersecurity measures in place to protect your company from cyberattacks.
Whether you’re a small to medium sized London-based business or a huge multinational corporation, there’s no hiding place from the online threats. You must prepare to protect your IT infrastructure, digital assets, enterprise, people and customers. These preparations start with spreading awareness and educating your staff through training.
Put your people and their training first
So, how do you protect your business from cyberattacks? Start with your weakest link – your people.
It won’t matter how good the high-tech security systems at your disposal are: they can only ever be as effective as your staff’s ability to recognise and respond to an attack, and that ability comes from training.
A lack of training leads many employees to make mistakes which can significantly affect the cybersecurity of your business. A study from QBE found that 31% of employees had made mistakes which could damage the security of their workplace. These actions, although made unknowingly and in error, can undermine your business’ protection of sensitive data.
So, in this blog post we’re taking a closer look at how training your team in cybersecurity is now mission critical for every London business. In this article, we’ll cover:
- Why the individual is not to blame
- Staff training must be an ongoing commitment
- Cybersecurity awareness must be a priority
- It’s got to start at the top
- Password best practices
- Train your people to recognise the threats
- Make cybersecurity part of your induction process
- Test your cybersecurity protection process
Why the individual is not to blame
With today’s busy working lives and overflowing inboxes, people sometimes click on a questionable link without thinking. So, it is never fair to blame any member of your team for not having the knowledge. Without rigorous and up to date training, it is difficult to recognise, remove, and report a threat.
However, it is your organisation’s responsibility to provide your people with the training and capabilities they require to keep your network and data secure.
It’s not good enough to put your cybersecurity rules, regulations, procedures and processes in a manual or on the staff intranet. Cybersecurity training has to be proactive, hands on and ideally, refreshed at least quarterly.
So how can companies protect against hackers? Your aim should be to develop a data security strategy, a training plan, and a clear reporting and response process, so that people know what to do and who to tell when something looks wrong. This approach tackles cybersecurity holistically and empowers your team to make the right decisions and take the right actions.
Staff training must be an ongoing commitment
Cybersecurity threats are an ever-moving target. Cybercriminal tactics and their threats are constantly evolving, so you must ensure your organisation is evolving with them. This means revisiting and updating your staff’s training is key to forming more effective cybersecurity.
You won’t be able to guard against new and sophisticated threats with a once-a-year training programme. Your people need regular access to updated training, and your organisation needs to act on what that training asks of it. Training is an ongoing commitment in the same way that, for example, updating your software is.
Cybersecurity awareness must be a priority
Don’t believe that businesses in London can just cross their fingers and hope. That’s not an effective strategy for survival. You must be prioritising cybersecurity awareness in your organisation to ensure the risk of a cyberattack is minimised.
The UK government’s current data suggests that small businesses are giving preventative measures less priority than in recent years. Meanwhile, according to the Federation of Small Businesses (FSB), 80% of UK businesses experienced cyberattacks in 2022, an increase of almost 10% on the year before. This is troubling: too many businesses wait to act until after the damage has been done, without appreciating the consequences of a successful breach.
There are two simple ways you can keep your team focused on cybersecurity. First, distribute a regular cybersecurity newsletter highlighting the volume and frequency of attacks your business or industry experiences. Second, appoint a cybersecurity ambassador in each functional team to spread the word and act as a first point of contact.
It’s got to start at the top
As with any important topic in any business, change needs to be driven from the top. You need to find a senior level champion who can lead the discussion to help protect your company from cyberattacks. They must understand the risks, what you’re doing by way of planning and prevention, and the time and cost needed (especially in the ongoing training) to strengthen cybersecurity.
When making the case for how to protect your business, talk to your executives in a language they understand. It may be helpful to use examples of security breaches you’ll find reported in the press and online.
Compare the potential costs of a security breach with the costs of preventing it. And don’t forget that under the UK GDPR, failing to protect your customers’ personally identifiable information (PII) when it is lost, stolen or leaked can attract a fine of up to £17.5 million or 4% of annual global turnover, whichever is higher (€20 million or 4% under the EU GDPR).
Password best practices
We all complain about the various passwords we have to remember, but a strong password is still the first barrier between an attacker and your accounts. Passwords are a good place to start securing your devices and a fundamental building block of your security plan. Make sure your team consider these pointers when they create passwords, and turn on multi-factor authentication wherever an account supports it, so that a stolen password is not enough on its own:
- Is it long enough? Length matters far more than character mix: every extra character multiplies the work a brute-force attack needs. Treat eight characters as the absolute minimum and aim for 12 or more; the NCSC’s ‘three random words’ approach gives a long passphrase that is still memorable.
- Does it avoid predictable patterns? Mixing uppercase, lowercase, numerals and symbols only helps when the result is unpredictable. Password1! satisfies every ‘complexity’ rule and is among the first guesses any cracking tool makes.
- Is it a single dictionary word or a personal detail? A common word on its own, a name, a pet, a football team or a date of birth is easy to remember but is also the first thing a hacker tries.
- Is it changed when it needs to be? Forcing routine expiry mainly produces predictable increments (Summer2024! becomes Summer2025!), which is why current NCSC and NIST guidance advises against it. Instead, change a password promptly whenever there is reason to think it has been exposed, for example if it appears in a breach or was typed into a suspicious site.
- Is it shared across accounts or people? A password used in multiple places, or shared by many people, is only as safe as the weakest place it is stored, and one breach then unlocks everything. A password manager makes a unique password for every account practical.
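To make these pointers concrete, here is an added Python example, not code from the original post, of the kind of check a login system can run when a user picks a new password. It enforces a length minimum, rejects passwords built on a common word with digits and symbols bolted on, and uses edit distance to catch the ‘Summer2024! to Summer2025!’ increment that forced expiry encourages. The common-password list and the 12-character minimum are constructed values for the demonstration; a real deployment would screen against a full breached-password list.

```python
import re
from typing import List, Optional

# Constructed sample of weak base words for the demo. Assumption: a real deployment
# would screen against a full breached-password list (for example the NCSC's).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "summer", "london", "123456"}

MIN_LENGTH = 12          # assumed policy value; length matters more than character mix
MAX_SIMILAR_EDITS = 2    # reject a new password within this many edits of the old one


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or substitutions
    needed to turn a into b. Catches 'Summer2024!' -> 'Summer2025!' (distance 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def base_word(password: str) -> str:
    """Strip the digits and symbols people bolt onto a weak word ('Summer2024!' -> 'summer')."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy failures for a proposed password (empty list = accepted)."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short ({len(candidate)} < {MIN_LENGTH})")
    if candidate.lower() in COMMON_PASSWORDS or base_word(candidate) in COMMON_PASSWORDS:
        problems.append("built on a common password")
    if previous is not None:
        if candidate.lower() == previous.lower():
            problems.append("same as the previous password")
        elif edit_distance(candidate.lower(), previous.lower()) <= MAX_SIMILAR_EDITS:
            problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    for cand, prev in [("Summer2024!", None),
                       ("Summer2025!", "Summer2024!"),
                       ("correct-horse-battery-staple", "Summer2024!")]:
        print(f"{cand!r}: {check_password(cand, prev) or 'accepted'}")
```

Run stand-alone, the script rejects Summer2024! for being short and built on a common word, rejects Summer2025! additionally for being one edit away from the previous password, and accepts the long passphrase. Note that the similarity check needs the previous password in plaintext at the moment of change, which is exactly when the user has just typed it; it is never stored that way.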
Train your people to recognise the threats
Many of the most effective cyberattacks rely on human error rather than on technical weakness. Attackers can spoof sender names and email addresses, register lookalike domains and clone login pages, right down to a convincing copy of Google’s two-factor authentication prompt, to harvest the credentials that protect otherwise well-defended data.
Industry experts believe the training your team needs to protect your company from cyberattacks should include:
- Checking the sender’s display name and actual e-mail address for spoofing or lookalike domains, especially if the sender is making an unusual or unexpected request.
- Checking an e-mail’s format, tone and timing, and considering whether anything about it is unusual.
- Making a phone call to the sender or to the cybersecurity team, using a number you already have rather than one given in the message, if there is a sudden request for key information such as login credentials or a change of payment details.
- Hovering over any link before clicking it, to check that the address shown by the mail client matches where the link claims to go.
- Scanning any attachment before opening it, and checking the file extension for anything unusual, such as a double extension like invoice.pdf.exe.
Social engineering attacks can be difficult to defeat because they target your team’s need to help people, but common-sense rules must be applied here too. Train your team to take a step back, think before they act and, if in doubt, check.
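The checklist above is what a trained person does by eye. As an added example, not from the original post, the following Python script applies the same checks mechanically to a constructed phishing-style message: it compares the sender’s display name, address and Reply-To, extracts each link’s visible text and real destination (what hovering would reveal), and inspects attachment names for double or executable extensions. The trusted domain, sender addresses, link targets and attachment are all made up for the demonstration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

TRUSTED_DOMAIN = "yourcompany.example"  # assumed: the organisation's own mail domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}


def build_sample_message() -> EmailMessage:
    """Constructed phishing-style message for this demo; not a real email."""
    msg = EmailMessage()
    msg["From"] = "Finance Director <finance.director@yourcompany-login.example>"
    msg["Reply-To"] = "payments@mail-drop.example"
    msg["Subject"] = "URGENT: confirm your login to release a payment"
    msg.set_content("Confirm your login at https://portal.yourcompany.example/login")
    msg.add_alternative(
        '<p>Confirm your login at '
        '<a href="http://203.0.113.7/login">https://portal.yourcompany.example/login</a> '
        'and review the attached invoice.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    return msg


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def sender_flags(msg: EmailMessage) -> List[str]:
    """Who really sent this, and where would a reply go?"""
    flags = []
    name, addr = parseaddr(str(msg["From"]))
    from_domain = domain_of(addr)
    # Crude lookalike test: carries our brand name but is not our domain or a subdomain of it.
    brand = TRUSTED_DOMAIN.split(".")[0]
    if brand in from_domain and from_domain != TRUSTED_DOMAIN \
            and not from_domain.endswith("." + TRUSTED_DOMAIN):
        flags.append(f"lookalike sender domain: {from_domain}")
    # A display name that is itself an address from a different domain.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if shown and shown.group(1).lower() != from_domain:
        flags.append(f"display name claims {shown.group(1)} but address is {from_domain}")
    if msg["Reply-To"]:
        reply_domain = domain_of(parseaddr(str(msg["Reply-To"]))[1])
        if reply_domain != from_domain:
            flags.append(f"replies go to {reply_domain}, not {from_domain}")
    return flags


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: what hovering over a link reveals."""
    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_flags(html: str) -> List[str]:
    """Flag links whose visible text names one host while the href goes elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    flags = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != real_host:
            flags.append(f"text shows {shown.group(1)} but link goes to {real_host}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", real_host):
            flags.append(f"link points at a bare IP address: {real_host}")
    return flags


def attachment_flags(msg: EmailMessage) -> List[str]:
    """Flag double extensions (invoice.pdf.exe) and directly executable file types."""
    flags = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) > 2:
            flags.append(f"double extension: {name}")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            flags.append(f"executable attachment type: {name}")
    return flags


def triage(msg: EmailMessage) -> List[str]:
    """Run all three sets of checks; an empty list means nothing looked wrong."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return sender_flags(msg) + link_flags(html) + attachment_flags(msg)
```

Calling triage(build_sample_message()) returns six warnings for the sample: a lookalike sender domain, a Reply-To pointing somewhere else, link text that names the real portal while the href goes to a bare IP address, and an attachment with both a double extension and an executable type. None of these checks is conclusive on its own, which is the same reason the advice to staff is ‘if in doubt, check’ rather than ‘if it fails a rule, delete’.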
Make cybersecurity part of your induction process
It’s said you don’t get a second chance to make a good first impression, so make cybersecurity training an integral part of your new staff induction process.
Ensure people are fully up to speed with current and potential new threats, covering bases such as password security, phishing, and social engineering attacks. Don’t just go over the rules but explain why these best practices are so important – cybersecurity is everyone’s job.
Create the following:
- Clear and easy to use resources, such as an employee cybersecurity policy. This will be the central point your team goes to if they have any questions or concerns.
- Fast, simple reporting processes so potential breaches can be acted upon as soon as they happen.
- An environment where honesty and sharing are encouraged, so no one tries to cover up an error only to make a risky situation worse.
Test your cybersecurity protection process
Regularly put your processes and people to the test so that taking the right preventative action becomes reflex. Testing lets people make and learn from mistakes in a safe setting, turning accumulated training and awareness into habit.
You could use your own security team or an outside vendor to test your strengths and weaknesses regularly with simulated ‘real world’ attacks such as phishing campaigns. Think of these as fire drills: running them regularly embeds good practice, and the results tell you where the next round of training should focus.
We’re the go to IT support team for London when it comes to cybersecurity technology and consultancy. Choosing our managed IT service allows your business to streamline technology, ensuring reliable performance, proactive issue resolution, and enhanced security. But as we’ve shown there’s much more you can do yourself to help prepare and protect your company from cyberattacks.
If you’d like to know more about the cybersecurity solutions available to your London business, please reach out to our team for a confidential, no obligation chat about your requirements.