Portrait of a Young Female Professor Explaining Big Data and Artificial Intelligence Research Project in a Dark Room with a Screen Showing a Neural Network Model
Workplace war-games: simulating common cyber security threats can be a good way to increase employee awareness and responsiveness © Getty Images

Cyber attacks are increasing both in number and complexity, yet many businesses are still failing to provide adequate cyber security training for their employees.

Although British companies experienced 2.39mn cyber attacks over the past year, only 18 per cent of them provided cyber security training to their staff, according to the UK government’s 2023 Cyber Security Breaches Survey.

Such a lack of security training often means staff are unequipped to deal with existing — and emerging — cyber threats. A study by the UK’s Chartered Management Institute found that just one in 10 managers understood security basics, such as setting strong passwords and spotting malicious emails.

This knowledge gap persists despite humans playing a role in 74 per cent of cyber security breaches — according to the Verizon 2023 Data Breach Investigations Report — for example, by clicking on malicious hyperlinks or opening documents in phishing emails.

Businesses must therefore view cyber security hygiene as a “top priority” and develop a “cyber-conscious company culture”, says Tris Morgan, managing director of security at UK telecoms group BT.

He says companies should provide their staff with regular online safety training and empower them to make better decisions regarding cyber security risks.

As part of the process, they should promote transparency, so that staff “openly discuss safety concerns and report these”, while not “apportioning blame to employees if they fall foul, and celebrating when they do spot a cyberthreat”. He says companies can complement their cyber security training programmes with additional protections such as password discipline, secure corporate WiFi, antivirus and anti-malware software, and virtual private networks.

“Well over half of businesses (61 per cent) in the UK find it challenging to keep up with cyber security measures,” Morgan adds.

“However, by establishing a cyber-focused company culture and a solid foundation of security protocols for staff, businesses can boost cyber resilience for the year ahead.”

An effective cyber security hygiene strategy includes “leadership commitment”, where executives practise good security habits and “encourage employees to do the same”, according to Bharat Mistry, technical director at IT security company Trend Micro.

It is a good idea to “consider restricting access to data and systems, based on roles and responsibilities — to minimise the impact if one account is compromised”, as well as performing “regular access reviews” in an attempt to “ensure privileges remain appropriate”, he advises.

Mistry adds that simulating common cyber security threats, such as phishing emails, through an interactive training programme can be a good way to increase employee awareness and responsiveness.

But threats are not always obvious. While it may be easier for staff to spot phishing emails if they contain spelling mistakes or improper formatting, they will probably struggle to identify targeted attacks, according to James Watts, managing director at Databarracks, a business continuity specialist.

“Attackers will research your customers, your suppliers and your staff, and include this detail to make the emails more convincing,” he explains. “They may purchase domains to send emails that look like they are from your organisation.”

Watts says “generic cyber security training” is not enough to counter these risks, and urges employers to “be clear about what kinds of communications employees can expect from the organisation” and “what should stick out as suspicious”.

He also recommends that companies nominate and signpost a specific person or group who can cross-check and verify suspicious digital activity.

“Employees don’t tend to circumvent cyber security policies through laziness or incompetence, they are often just trying to find the fastest way to do their work,” he says. “Make it easy to have potential phishing emails checked and validated.”

Neil Thacker, Emea chief information security officer at cloud security company Netskope, warns against developing a yearly cyber security training programme, because it is unlikely to change employee behaviour or mitigate cyber attacks.

“At a human level, annual training can often be seen as a tedious chore and an obstacle between the employee and their daily workload,” he says. “At a corporate level, these training programmes achieve little more than the ticking of compliance boxes.”

Instead, businesses should offer real-time coaching that will “instantly flag a high-risk behaviour” and “propose alternative actions for the employee”. This will help staff “make safer decisions” and ensure businesses can “prevent cyber incidents the moment the threat occurs”.

As new technologies emerge, the cyber security threat landscape will also evolve.

Catherine Mulligan, a visiting lecturer at Imperial College Business School, uses the example of generative artificial intelligence potentially exposing trade secrets.

These new threats require employees “to be adaptable in how they think about security”, and to consider the “cyber resilience implications of their actions in all parts of their everyday activities”.

She says companies must ensure that everyone within the organisation develops “the right mindset” for responding to “entirely new and unknown threats” — rather than just “known threats” — while ensuring that cyber resilience is “embedded in every part of a person’s job”.

“Quite simply, even the best-trained cyber security team will be unable to keep pace with emerging threats — it will require cross-organisational collaboration and trust,” she concludes.

Copyright The Financial Times Limited 2024. All rights reserved.
Reuse this content (opens in new window) CommentsJump to comments section

Follow the topics in this article