When you read about large data breaches, companies like British Airways, Yahoo! and Uber, and fines of £100s of millions immediately spring to mind. The business leaders of these large corporations are widely criticised and held accountable for failing to protect their consumer’s data especially in the light of the vast IT and training budgets that are at their disposal.
Article written by Stephen Burke, CEO Cyber Risk Aware.
But SMEs need to be just as serious about their data: Tens of thousands of UK SMEs could collapse following a serious cyber-incident, which impacts their ability to trade, according to new research commissioned by Insurance company Gallagher. The research found that 1.4 million businesses were hit by major attacks last year, costing £8.8bn. The average cost of attacks to the affected business was around £6400, but the impact of an attack could be far more serious than being forced to pay a few thousand pounds in related cost. And a quarter of SMEs told Gallagher they’d survive for less than a month if a crisis meant they were unable to trade.
These are troubling statistics for every business leader but a far more compelling and actionable statistic is that over 90% of data breaches are caused by human error. This means that the tens and sometimes hundreds of thousands of pounds that are invested in state-of-the-art information security tools can be undone by one absent minded click on a phishing email.
Organisations can have the best security tools in place, but the human element is the last mile and it’s the one that can make or break an organisation’s defences. the great lest security asset, if given the right help through effective security awarenessWhilst companies and cyber criminals often think staff are the weakest link, they are in fact training. The CIISPsec has accredited and reinforced this real time delivery in response to specific user actions. Business leaders need to acknowledge that cyber security is not an IT issue - it is a serious business risk. One approach to mitigate against this is to make the employees the first line of defence – the human firewall. Organisations that have successfully defended against cyber attacks have seen that building a strong cyber security awareness culture is key.
This is where education becomes most important and needs to happen at every level of a business: Employees are one of the biggest cyber security vulnerabilities and considered a “soft target” by criminals, due to their lack of understanding of the risks faced. Instead of using highly technical and time-consuming hacking methods to breach a company’s systems, cyber criminals often prefer to target the employees themselves in order to get access to information and systems.
To combat this, cyber security awareness training is a cost effective and proven way of reinforcing a company’s resilience to cyber attacks. There are many types of training available, but the ideal is to combine engaging and interactive CyberSecurity awareness training content with a software solution that works hand in hand with a company’s IT infrastructure. The ideal is a real-time solution that helps assess the level of human cyber risk within the business, by running simulated phishing attacks and cyber knowledge assessments to see where the risks lie in the business.
Finally, enterprise risk and compliance reporting is also vitally important so companies can demonstrate and meet their legal and regulatory compliance requirements in protecting proprietary and personal data, systems and finances.
There are many routes to finding out the best solutions available. The Chartered Institute of Information Security (CIISec) is a non-profit independent organisation that gives accreditation to the best training and solutions available.
All organisations need to elevate the importance of cyber security awareness amongst their employees and arm employees at every level with knowledge, tools and support that help them become the best line of defence for the business.