Cyber Security: The Importance of Culture and Training

To understand the concept of cyber security, we must first understand what is meant by the word ‘cyber’. A buzzword in today’s workplace, but what exactly does it mean? The dictionary definition is as follows: “relating to or characteristic of the culture of computers, information technology, and virtual reality”. We are very much living in a cyber-age. So what defines cyber security? Well, it’s all about protecting your computer-based equipment and information from unintended or unauthorised access, change, theft or destruction.

Why is Cyber Security important?
Undoubtedly, your business uses a range of IT equipment and requires access to the internet, both for everyday operations and for marketing purposes. IT and the internet present us all with incredible opportunities and benefits, both for business and socially. Let’s focus on the business side of things today. In hand with the great benefits we are reaping, there is also a huge amount of risk.
Every single day there are cyber-attacks all over the world, attempting to commit fraud, steal your information and money, and disrupt your business. In 2014 alone, almost two thirds of businesses in the UK experienced a cyber-breach – the average cost of which was £65,000-£115,000! One example of a recent attack which was all over the headlines is the one affecting Talk-Talk’s website. Over four million customer records holding sensitive information were breached by hackers in a DDoS attack (Distributed Denial of Service), where a system is hit by such intense waves of traffic that it can no longer cope and shuts down. This is only one of several possible ways that vulnerabilities in cyber security can be exploited. In this example, Talk-Talk’s share price dropped by 10% overnight, not to mention the trust it may never reclaim from its customers.
Clearly, as the use of IT increases exponentially over time, it is increasingly vital to recognise and manage these risks to protect your business.

What Can I Do?
You can never be completely safe, but what you need to ensure is that you have the minimum covered. This will protect you enough to begin with. First and foremost, you must GET THE BASICS RIGHT. It’s astounding how many companies still have no idea about the basics and get the simple stuff wrong, leaving them vulnerable to anyone who wants to take a shot at attacking their information.
So what are the basics?

  • Download software updates
  • Use strong passwords
  • Delete suspicious emails
  • Use anti-virus software

Of course none of these are any good unless they are implemented across the whole business, not just by you. Therefore, one of the most important things to ensure is done is:

  • Train your staff!

In fact, this is such an important part that we should expand on it.
Protecting the organisation’s information is not usually highly prioritised by managers. They are usually more concerned with immediate pressures like targets and meetings. One suspects things would be quite different if they had considered just how reliant their business is on their information systems in order to achieve business objectives, and the detrimental impact of having these systems breached or corrupted.

Culture
The culture of your organisation is the most important aspect to think about when it comes to promoting awareness and staff training regarding information security. Information security has always been perceived as the area of business that is a nuisance, an unnecessary cost, and the responsibility of the IT department. It is of utmost importance that this outlook starts to shift, and that security is viewed as a holistic, business-wide matter; this begins at the very top of the organisation and then continues throughout. You can either be proactive and take the initiative, or reactive and be too late.

Purpose of Security Training
All staff and third parties accessing your information must comply with your information assurance policies and procedures to reduce the likelihood of mishandled data. Security training is a relatively low-cost assurance control that can create positive and lasting changes in user behaviour.
Not only is the purpose of training to ensure that staff know what they need to do and how to do it, but before all that it is also a case of simply promoting awareness within your organisation. Too many security issues come about as a result of staff having no idea whatsoever of their company policies regarding security, be it due to them being stated in documents no one ever looks at, or no policies existing at all.
Your provision of training must be tailored to the person or group of people in question. Ask yourself:

  • What does this group need to know?
  • Why do they need to know it?
  • What is their current understanding?
  • What should they do after this message has been delivered?

It is vital that security training is viewed as a continuous process rather than as a once-only exercise. Refresher courses are a must, as well as tackling new challenges that developments in technology have brought about.

How do I do it?
You have a variety of choices depending on your budget, the size and culture of your organisation. A few, but not all, of these methods are:

  • Face-to-face presentations – have the benefit of direct interaction, but can be resource-intensive. External trainers or training courses are also an option.
  • Training videos and DVDs – deliver a consistent message throughout the organisation and are easily transportable, but less personal.
  • Computer-based training (CBT) – similar to training videos but can be more interactive and delivered directly to individuals, though only relevant to those who work with a computer.
  • Visual aids – posters, leaflets, booklets, etc. Low-cost and spread the message consistently; however, they can easily be overlooked or disregarded. Most impactful when used WITH another form of training.