
Fixing the leak

by Mark Rowe

You can train staff to secure the business, writes Tony Glass, VP of Corporate Sales and General Manager EMEA, Skillsoft, an e-learning company.

Cyber security is a global concern. Whether for small businesses or global conglomerates, IT service and solutions providers or supermarket chains, the protection of personal data and intellectual property has become the greatest priority for enterprises across the board. But are businesses really taking this on board?
A recent government study, conducted as part of the Cyber Streetwise initiative, found that 78 per cent of small businesses believed their cyber-security practices would adequately protect them from online threats, and 83 per cent indicated that they had put serious thought into attack contingency plans. However, upon closer inspection the data also showed that only half of the organisations surveyed actually took the necessary steps to increase security, including regular security protocol reviews, secure password setting, monitoring for system-wide breaches and restricted USB device usage.

It’s well documented that, due to advancements in technology, cyber-attacks have become considerably more sophisticated over recent years, but few businesses – especially SMBs – have allocated an executive to take responsibility for security within their organisations. This goes some way to indicating the confidence that many organisations still have in their ability to defend against attacks. However, an emerging trend – which few have recognised – identifies the fastest-growing threat to businesses as their own employees.

The weakest link

Data collected by PwC shows that businesses across the UK have seen significant increases in security breaches related to staff negligence and inexperience in recent years. This is not limited to SMBs: three quarters of large organisations reported such incidents between 2014 and 2015, in addition to nearly a third of small businesses. Research has suggested that nearly 90 per cent of all malware requires human interaction before becoming an active threat, further highlighting the need to improve security awareness and practices at every level of the business hierarchy. The considerable vulnerability that employees pose to their organisations has even broader implications, which are just as detrimental to the worker as they are to the business as a whole. A core example comes from a recent enterprise IT survey conducted by Dell, which reveals that many companies show apprehension around adopting new technologies such as cloud storage and networking as a direct result of growing fears around securing data. For businesses this means a barrier to the potential productivity gains and savings on infrastructure maintenance that cloud technology provides. For the worker it means reduced mobility – a step back in terms of bringing employee benefits in line with the expectations of the modern worker.

Whilst all indicators seem to point towards employees being unaware of the best practices in IT security, it’s important to note that PwC’s data also identified the continued importance of security training for UK businesses. Over two thirds of businesses on average are providing ongoing training programmes to increase awareness amongst staff. So what exactly is going wrong?

Wilful ignorance

Far from being clueless about cyber security, many employees simply fail to establish a meaningful link between their security training and practical usage. Recent research from Ping Identity revealed that whilst nearly two thirds (63 per cent) of respondents identified the risks of public Wi-Fi, 42 per cent were still likely to connect. Also concerning: over half (54 per cent) confirmed that it was risky to share passwords with colleagues and family members, but just under half of them (24 per cent) were still likely to do so. Worst of all, 30 per cent of all respondents indicated that they would use an unsecured personal device to connect to company networks despite the inherent risks to their business. The message is clear. Traditional training programmes are not achieving the desired effect, and there’s a pressing need to re-evaluate how L&D promotes safer IT practices in the workplace. By relying only on the tried and trusted methods, employees are completing mandatory training without a real appreciation of what threats actually look like in the wild, or of the consequences should they fall victim to an attack.

Protection through practice

The outlook may be dark, but the solution is actually at hand. It involves taking advantage of technology to enhance learning and create resilient, long-lasting knowledge for practical use in the workplace. Learners who simply read about the mechanics of a phishing attack and then pass a short multiple-choice assessment are likely to fall for the next email scam that is sent their way. Why? Because habits don’t change without the reinforcement provided by experience; it is necessary to train individuals to recognise actual threats in the environment in which they occur. Companies should be looking at learning platforms with the capability to deliver simulations and interactive testing to reinforce a comprehensive understanding of the threats in the online environment. With more practical tools it’s possible to clearly establish the characteristics of legitimate and suspicious traffic in a sandbox environment, where no damage can be done to the company’s infrastructure. They also make it possible for employees to experience a simulated hack, to understand both how to respond to a threat and how to keep a cool head in a situation which would often instil widespread panic.

Gamification is also an effective technique for advancing security training. Using mini-games to make content more engaging, and rankings to show how employees match up against colleagues, promotes a deeper connection with the information whilst motivating workers to keep pace with the top performers within the organisation.

Securing enterprise with future-enabled learning

With the cost of data breaches higher than ever before, training employees in security and best practice for data handling is imperative for modern businesses. To reduce the vulnerabilities commonly associated with the workforce, L&D professionals will need to work closely with the C-suite and IT departments to ensure that training doesn’t simply comply with regulations but engenders a greater awareness of modern cyber-threats and demonstrates how to avoid taking risks with company data. Where traditional approaches have failed to deliver, it’s time to bring in more advanced learning tools. By promoting the use of innovative learning approaches, including game-based mechanics and simulations, it’s possible to foster deeper learning for employees, ultimately changing behaviours across the workforce and establishing a more secure online environment for UK enterprises.
