Corporate leaders should realise that investing into technology is not the only possibility for reducing cyber threats. It is at least just as important to increase the cyber risk awareness of all employees, not only IT specialists, and constantly train personnel.
When it comes to protecting cyber security in your company, two questions should be answered. First of all: what are the most valuable assets (including information assets) that require protection? Secondly, how would they likely be attacked? For instance, in the retail business, merchants have access to customers’ personal data including their purchase history – this is sensitive information. What happens if the data falls into unauthorised hands?
Once the company has answered the questions about valuable assets and potential attacks, there will be a clearer picture of what the impact of realisation of cyber risks will be, including on customer relations. After that, it is possible to plan for how to reduce the risks. One thing is clear – prevention of cyber attacks starts with constantly thinking about the cyber security topic, reviewing processes and getting your employees involved.
Companies can invest into the finest cyber security technologies but this won’t necessarily prevent problems caused by one’s employees – people are the ones who open the e-mail attachment containing the virus or download malware that later encrypts the data on their drive.
It is clear that employees must be trained on the topic of cyber risks, but how to do this effectively? Web seminars and training programmes have been produced for years but people still fall prey to cyber criminals.
One option is to use shorter training formats. No one has the attention span to watch a video that runs for an hour; thus, the training video should be kept to a maximum two minutes. Likewise, constant reminders are needed to catch the eye, such as posters on office walls and short and impactful messages on computer screens to remind people of the ABCs of cyber security. One clever method is for a company to probe for weak spots by making its own spoof phishing attempts, and arrange for additional cyber security trainings for the people who took the bait.
At Grant Thornton Baltic, it is considered elementary to train all new employees. They get an overview of the state of cyber security, our security measures etc. At the trainings, we will also certainly cite examples and talk about how they relate to the rules. Face to face contact gives us the possibility of asking questions and it is ultimately more effective than a method where the person is just asked to read an information security policy. Naturally, once a year we recap the topics covered in training, for all employees.
In addition, our IT specialist will, once a month, for 20 minutes of the company’s general information hour, talk about any recent attacks against our company. This will get people to think and understand how attacks occur and what takes place in the background. We encourage employees to contact IT specialists if they have a problem or an email seems suspicious. This is a win-win for both sides, employees will learn something and IT specialists will get information on a new type of attack.
In closing, it’s worth repeating – the question isn’t about if your company is hit by an attack, but when. That is why it is important to be able to prevent an attack – and this will require good technology and also employees who are aware of the risks to cyber security, who are able to put that knowledge to use.
