While technological advances have transformed the way that we work, a lack of cyber security training is putting companies on the back foot with valuable data at risk.
With constant news stories of leaks, breaches, hacks and data dumps, there is a growing crisis of trust among the public that companies can keep their private data secure. And businesses now routinely hold more intensely personal and private details on their service users than ever – perhaps it’s credit card information, purchase histories, or in the case of sectors like dating or health, even more personal information.
Leaked medical data, for example, extremely valuable to criminals. A review of the sector revealed that stolen records are often worth 20 times more on the black market than credit card details.
The sector also gives us a salutary example. When the NHS was hit with a massive, co-ordinated ransomware attack in May 2017, the dangers of inadequate cyber security training were brought sharply into focus.
A computer worm called WannaCry infected thousands of machines in hospitals, GP practices and primary care trusts across England and Wales. The damage was immediate and long-lasting. When staff arrived at work they found themselves locked out of their own systems, their normal desktops frozen with a note demanding a ransom in the Bitcoin cryptocurrency to unlock digital files.
Because patient data was encrypted, Accident and Emergency departments had to turn away ambulances and thousands of appointments and surgeries had to be abandoned or rearranged.
NHS England estimated the attack cost £73 million to restore systems, along with £19 million lost from cancelled appointments.
A February 2018 lessons learned study stressed the importance of up-skilling IT workers in the latest threats, along with making sure staff know their responsibilities and how to escalate potential threats to the right department.
What is the cost of poor cyber security?
While it may appear obvious how to tell a scam email from a customer query, or how to detect a phishing attempt, the same may not be true across all levels of your organisation.
A staggering 40% of UK companies and two in ten charities have suffered a data breach or cyber attack in the last 12 months.
According to research from the National Crime Agency, the average cost of an attack on small businesses is more than £9,200, with many costing significantly more.
The most common attacks include fraudulent phishing emails and thefts from cloud storage, usually by tempting unaware staff to open unsafe attachments containing fast-spreading malware and viruses.
77% of companies do not have a consistent cyber security plan, and only a third set realistic budgets for training.
The reality is that, no matter how comprehensive your cyber security plan, staff are always the leakiest part of any organisation.
While online IT courses won’t turn your staff into master hackers, they could help to stop the most common intrusion attempts.
How to combat cyber security problems
IT security courses can offer a solid outline of the most common threats and promote awareness of active cyber security management.
The key messages are:
- Enable two-factor authentication
This form of data management has become much more mainstream in the past five years, mainly with the rise of smartphones, which often require a fingerprint scan or even facial recognition as an extra step of security in order to access files.
Sensitive files and folders should be locked behind walls that only registered workers can access.
- Use password management programs
Studies consistently show that password use in UK business is highly insecure.
In fact, password re-use is maddeningly common, with ‘123456’ and ‘abc123’ among the most used in 2018.
Semi-random alphanumeric strings – those containing both letters and numbers – are more secure and harder to guess.
- Train staff, and train them again
The fallout from an IT security incident can include financial pain as well as long-lasting reputational damage.
Improving your cyber security always starts with your staff. At the very least, employees should be aware of company-wide strategy, who to contact in the event of an incident or suspected threat, and when to follow basic measures like encrypting outgoing emails containing personal data.
Regular training promotes target-hardening, reducing the very real risk that your organisation will fall prey to the most routine attacks.
Check out our cyber security courses here.
