Security Awareness - Return on Investment
Small and Medium Business Training in 2021
In 2021, the reality is that any organisation has the potential to fall victim to an information security attack. Though there are many technical measures that can be taken to help mitigate this risk, it is invariably the practices and behaviours of employees which serve as an organisation’s ‘weak link’.
With attackers and malicious actors utilizing a variety of tactics to target weak spots in your organisation’s networks and systems, your staff’s security awareness plays an enormous role in defending information assets.
Key Information and Cyber Security Statistics
- In 2021, 4 in 10 businesses (39%) and a quarter of charities (26%) report experiencing cyber breaches or attacks within the previous twelve months.
- The number of insider-caused cyber security incidents has risen by 47% since 2018, with the average annual cost of insider threats increasing to £8.32 million.
- Organisations spend around £2.9 million recovering from security incidents, with malware recovery costing a shocking £3.4 million.
- According to UK government research, in 2020, 83% of businesses experienced phishing attacks against their organisation.
- 77% of all UK workers have never received any form of information security training from their employer.
Why Invest in Information Security Awareness Training?
With employees and teams now working increasingly remotely, as well as mounting threats such as phishing attacks and intellectual property theft, one thing that remains a constant in this shifting landscape is the value of having an educated and informed staff.
From issues such as compliance (e.g., UK General Data Protection Regulation), to defending against information security attacks, awareness training should be considered an essential for any SME operating in 2021.
One fact that should stand out to any organisation, SME or otherwise, is that 91% of all cyber attacks begin with a simple phishing email: an easily detectable and avoidable threat vector that relies entirely on employees not having the skills to mitigate such a basic risk.
By investing in a security awareness training program, your entire organisation will not only be better equipped to defend against information security threats and attacks but will also be demonstrating to clients and potential customers a dedication and commitment to ensuring robust information security.
Essential Information Security Topics for Employees
There are many topics which a comprehensive and effective security awareness training program should include, from encryption, out-of-office security, and the dangers of Wi-Fi, to backing-up, incident response and physical security.
With that in mind, below are just some of the most important training topics to educate employees that are essential to helping your organisation mitigate threats to information security.
Phishing Training
Given that the vast majority of cyber attacks begin with a phishing email, the importance of providing your employees with effective anti-phishing training cannot be overstated.
Though it may appear to be a threat vector that is easily mitigated, understand that to be truly successful at defending against phishing attacks, you and your organisation need to be accurate 100% of the time, whereas an attacker only needs one successful phishing email to break through and launch an attack.
From identifying the traits and signs of a malicious email, to understanding the need to take the time to inspect links, defending against phishing attacks is fundamental to ensuring strong information security within your organisation.
Password Security Training
The integrity and security of our networks, systems and accounts all rely upon passwords. Since 2020, a significant portion of organisations have established a password policy; better late than never.
With access to key accounts, such as an email account, there is little an attacker cannot do once they have captured your passwords.
From setting out a clear and security-focused password policy, to basic password management techniques and tools, the foundations of password security are far from complex, meaning password security as a security awareness training topic is not only essential for all SMEs, but also simple and easy to understand.
Social Engineering Training
There are many ways in which people can be exploited, from phishing attacks which pique curiosity with promises of discounted consumer products, to more complex schemes such as manipulating a disgruntled employee into providing network access. Attackers, though, typically rely on a small number of tactics to get what they are after.
For example, ‘baiting’. Several years ago, a group of Google researchers conducted a social experiment, scattering 300 USB drives across a university campus. Designed to understand how people react to this curious, but highly insecure ‘bait’, the experiment found that over 45% of drives were plugged in and had their contents examined.
Though in this case the devices were harmless, it serves as a prime example of how employees may be socially engineered into making decisions and carrying out actions which can compromise the security of information.
Other methods, such as ‘pretexting’, ‘tailgating’ and ‘quid pro quo’, are all techniques that your employees are equipped to defend against when you invest in information security awareness training.
Mobile Device Training
Personal devices such as smartphones, tablets and laptops typically contain an extraordinary amount of valuable company information, presenting a significant security risk. Therefore, to ensure information security, it is crucial for your employees to receive proper training in keeping personal devices secure.
From understanding security settings, to the importance of setting up biometric security protocols, training staff in the topic of mobile device security is ever more essential in our increasingly remote work environments.
Although many elements of mobile device security will be handled primarily by an IT/security team (e.g., remote wiping), if employees are dealing with sensitive information, having staff appreciate and understand the information security risk that mobile devices present is a foundational element of any robust cyber security awareness training program.
Secure Culture Training
As previously mentioned, there are many information security topics that are absent from this short list, but perhaps one of the most overlooked elements is the topic of creating a secure culture.
There is no ‘fix-all’ solution to the issue of information security, but helping to foster and maintain a culture in which information security is a consistent consideration and concern, and in which secure behaviour is second nature, will have an immeasurable effect on your organisation’s ability to mitigate risk and maintain effective information security.
By investing in cyber security awareness training, your organisation, or any SME, will not only be protecting itself and others against a wide range of potential threats, but additionally demonstrating to clients, partners, and the public a commitment to security.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.