QA | 15 May 2017
Cyber criminals and robots could be hacking into your organisation right now - to steal yours or customers’ data. Although criminals can attack anyone, QA’s latest research shows that organisations are focussing on educating in cyber security - to reduce their vulnerability. Employees rarely have the most up-to-date information on the current methods that cyber criminals use to attack because hackers are continually improving their methods. This, therefore, is causing organisations to be extremely vulnerable to an attack. The results of QA’s research show that 25% of organisations have employee awareness and training in their top priorities, as well as up skilling their cyber teams (22%) and cross-skilling their IT teams (18%).
Organising specialist technical training will, most often, sit within the CIO’s teams, but general employee awareness and training needs to be a joint effort of the HR function and the technical teams. Given that the majority of organisations see the threat of a cyber attack as being ‘much worse’ in recent years, this is something that should be readdressed within HR and management’s priorities, if it is not already part of their agenda.
It is highly likely that anyone in your organisation could receive a ‘phishing email’ today; the most common type of cyber criminal activity. Research shows that alarmingly, 1 in 3 employees are duped into giving up their credentials when targeted with a phishing email. HR professionals can play a part in assisting with this to ensure that they are working collaboratively with IT and cyber security teams to prevent employees being tricked into passing over private information, or data getting intercepted through cloud based file storage and sharing.
So, as a HR, IT, cyber security professional or manager of people - what can you do about it?
Here are some practical tips to help the fight against highly advanced cyber security hacking devices.
- What impact do cyber-attacks have?
- Is it my responsibility to help?
- How can I make a difference?
Many cyber attackers can take customers’ data from organisation and sell it. IT or the cyber security teams may not pick up on this for many months afterwards as attackers rarely leave an obvious trace that they have entered the systems. Cyber attacks are becoming much more difficult to recognise through ‘phishing’ emails which are sent mimicking a known and trusted brand, are personalised to the recipient and therefore, look entirely trustworthy
The cyber security industry are concerned about this trend, where hackers and their robots can collate that much information about a person through their ‘digital footprint’ such as their social media use, through ‘social engineering’. They can easily pose as a brand or personal contact known and trusted and this regularly results in people being fooled into providing their personal details voluntarily. People are not stupid if they fall for this trick. Hackers and robots are highly advanced so it is often difficult to tell if an email is legitimate or not - so awareness is key for staff; and more so for those handling confidential company data, insight, or banking information.
Our research shows that staff training is the key investment area over the next 12 months to help prevent attacks and 56% top tech and cyber decisions makers within large organisations view the cyber threat as “much worse” in recent years. This is not surprising – the digital world is a complex one and people are working on many devices and in many locations sharing data and using Wi-Fi hotspots in different locations. Commonly, training in cyber security for the IT and Security teams is top priority for organisations however, it is shown in the findings that general employee awareness and training is highest on the agenda for cyber crime prevention. This is because most employees will not be aware of how cyber attacks happen, and are, therefore, the easiest targets for criminals. Hackers know who the easy targets are.
Below are 10 actions we suggest can be put in place and get the ball rolling:
- Benchmark your vulnerability. Does the IT team have phishing emails testing facilities? If yes, what are the results? Once you know how vulnerable you are – put some measures in place to make your employees aware of methods that criminals use to attack your business. You can re-run the test after each piece of employee awareness, and repeat this until you are happy with the results and you are seeing an improvement. See video.
- Start at the beginning. Ensure that cyber security training forms part of employee induction at the beginning of their journey with your organisation. You wouldn’t let a new driver get in a car without driving lessons, because it is dangerous. And, likewise with letting your employees loose on a company laptop and your internal systems and storage drives. It is dangerous for your company to not provide easy to digest and practical training on cyber security, at the earliest possible opportunity. But ensure to keep cyber security training and awareness an ongoing piece of work, because cyber attackers are constantly improving their methods, which means they are more and more difficult to detect. Your staff need you to help them to give them the most up-to-date tips, to ensure that company or personal information does not get into the wrong hands. Your security or IT teams should work together with you on this, to provide you with the information that you need to make it relevant to your workforce, then you can make it accessible to your workforce. See video.
- Get insight on digital sharing. Survey your staff to see what file sharing systems they use. You could do a survey to your entire workforce to see if they are passing data to one another using third party sites such as wetransfer.com, and Dropbox. Although these are credible sites to use for cloud storage and file sharing – sending work related and confidential information is not always appropriate to do unless the IT department have cleared that it is ok to use them. Ask your IT team or cyber team to put alternatives in place if necessary. See video.
- Professional Social Networks. Did you know that when someone who you have never heard of tries to add you on LinkedIn – that it could be a phishing robot?! Nope. Most employees are not aware of this. If your employee accepts this invite, they can use the email address on your profile and send a phishing email to them with relevant and personal information on it from their profile, to try and convince you to login to a system or enter bank details to what you think is a trustworthy and known brand. See video.
- Get creative. Try and make your cyber training memorable – because it is easy to forget. I was recently at a cyber security conference at the Department of Culture Media and Sport at Westminster and the cyber expert from Channel Four said that for a recent piece of staff comms about the use of Dropbox – he dressed up in a large box and filmed his message – to ensure that his employees remembered and talked together about the presentation. Cyber is serious but engaging with your staff can be tough when you are trying to cut through their daily tasks and they are not focussed on cyber security. See video.
- Wi-Fi hazards. ‘Digital Nomads’ are the new generation of workers. They have a laptop and work from anywhere at any time. Sound familiar? So – they will be connecting using Wi-Fi spots in cafes at airports or chain coffee bars. Any file that they share through these networks could be seen by someone who has hacked into the network. This is not uncommon – and staff should be aware of this. See video.
- Build a cyber security community. Get your employees thinking about cyber security and sharing stories from the news. Perhaps you could start a page on your intranet and ask different teams and individuals to contribute to it each week, so that you focus people’s time on cyber, and ensure that every team contributes. A new ‘cyber ambassador’ could be allocated each week to collate relevant news and share it at a meeting or add to a central drive or intranet page. See video.
- Regular bite sized chunks. When your staff are trying to take in all this information about cyber from the HR team, or from their manager or cyber team, the delivery of the messages needs to be short and hard hitting – so you can use different means and media to deliver the messages. Look at how they react to other message that are sent, and how they work. Should it come from the CEO? How about posters around the office? Email is always a great way to get a message through but try other ways too, and test them to see which is the most effective method, by potentially testing their awareness using an ethical phishing email tool to test their awareness before and after the messages are sent. See video.
- Eat your own food. Any training and awareness that you are asking your employees to do, ensure that you are completing it too. It sounds so obvious but unless you experience it yourself you won’t understand their reactions and behaviours, so that you can keep improving your approach. See video.
- Practice Practice Practice. Ensure that your staff have practical cyber security experience. There are dedicated training programmes for non-technical staff, or those outside of the IT and cyber teams, available and definitely worth the investment to accompany your ongoing awareness plan, driven by the HR team (supported by the cyber or IT team, or vice-versa). With the new data laws looming (GDPR) – if a company is deemed to have put their customers' data at risk – they risk paying a 4% fine (of their entire global turnover). So, moving towards a culture of formal training for all employees handing sensitive data is definitely something to seriously consider, and a worthwhile investment of resources. See video.
QA offers hands-on cyber security awareness training for all employees and can be completed as eLearning or in the classroom.
Protecting a business is a team effort. Responsibility lies within every employee to ensure that data is not compromised and insights and customer contacts are not reaching the wrong hands.