One message of recent years that continues to be aimed at the entire business community is ‘do more to ensure your IT systems are protected and your business is cyber secure’.
While the message is loud and clear, where to find good, easy-to-follow, effective advice is not. Which is why we have teamed up with Cheltenham experts ReformIT in a new series aimed at providing that guidance for businesses big and small from across the county and beyond.
Neil Smith is the founder and managing director of ReformIT, a nationwide IT support specialist, headquartered in Cheltenham. Its skilled technicians can advise on all IT matters, from security, software and cloud solutions to IT support and managed services, such as VoIP telephone services and website hosting.
ReformIT is a small business specialist, Microsoft Silver partner and Microsoft Office 365 consultant, as well as an expert in Apple technologies, that also provides a customised range of managed IT services for business. From a full outsourced IT department to third-line support and project management, the firm can customise its service to suit a range of requirements.
For more information, visit reformit.co.uk.
You could say the human element is the weakest link. Many organisations are not supporting their staff with the appropriate training. Just 29 per cent of staff received cyber security training in 2019, compared to an incredible 81 per cent of directors, trustees, or senior management.
Cyber criminals know this and will target email accounts with phishing attacks in the hope that someone will click on a link or process a payment to a false bank account.
Refresh your cyber security training for yourself and your team, and invest in cyber training. Lots of MSPs (managed service providers) offer ‘phish threat’ campaigns to test staff to see if they would succumb to an attack, with tailored online training courses to help them understand what to look out for. The cost is relatively low in comparison to what it might cost the business if an attack were successful.
A phishing threat is any attempt to fraudulently solicit personal information from an individual or business in order to deliver malicious software (malware).
Work with your IT team or outsourced IT company to review monitoring systems to identify and understand how the threat entered. Document your process from identification to containment and recovery. This provides valuable learning information for future events and can be used to improve your business continuity plan.
Finally, it’s important to invest in continuous ongoing training to address the evolving phishing threats and keep up to date with the latest trends.
Raise employee awareness with tailored phish threat campaigns targeting your staff to identify individuals who could potentially put your security at risk. Regular reports can be provided to senior management teams to help them enforce a robust cyber policy.
Provide online training material covering all areas of cyber security, so employees know what to look out for in the future.
Keep your employees vigilant with real-life targeted attacks tailored towards your organisation, with reports available to senior managers as to who went on and completed the online training course. These can be run monthly or quarterly, but the investment is worth it to avoid your business falling victim to an attack.
Repeat the above steps to keep on top of emerging threats and build a foundation of security awareness to help protect users at work and at home.
It is only human that at some point we will forget the training, as we are very busy at work and sometimes we switch off. No training at all increases your risk.
I haven’t had a car accident in 20 years, but I still get fully comprehensive insurance for my car. You are also protecting your staff, giving them that peace of mind that they know not to click on that phoney Amazon delivery email.
Working with your IT team, or outsourced IT company, you should run regular campaigns with reports available so you can see who went on to complete the training and identify who is the weakest link and keeps clicking on the phishing emails.
Hopefully, over time, you will notice staff becoming more vigilant, carrying out checks before clicking on emails, and if you have cyber insurance, your premiums may be reduced as you are investing in educating your staff.
Everyone is a target, from the CEO and FD (financial director) through to the people who keep the business running. We all have a part to play in keeping our business online secure and compliant. Aim to build a culture that supports learning, and not one that punishes mistakes.
Speak to your IT department or outsourced MSP. At ReformIT, we offer tailored phish threat campaigns to all our clients. The cost is relatively low, but the impact is huge.
© SoGlos
Monday 09 May 2022