Monday, 12 November 2018

Staff Training: Your First Line of Defence in IT Security

Staff training has a key role to play in any cyber security and information management strategy and key aspects of staff training must be considered.

Staff training has a key role to play in any cyber security and information management strategy. So how do you begin to plan what needs to be done?

In any cyber security plan, there are several key aspects of staff training that must be considered:

• General threat awareness and identification for all staff
• Strategic training for senior executives and board members who can lead, shape policy and ensure compliance
• Education about incident identification, classification, and escalation for the IT and technical staff tasked with spotting and stopping attacks
• Training for incident response plan development, incident response and how incidents should be escalated to regulatory authorities

To see these changes through, it is important to identify a senior individual who will have overall responsibility for cyber security.

The First Line of Defence

The UK Government’s Cyber Security Breaches Survey 2017 has found that in 72% of companies where a breach or attack was identified, they suffered at least one breach as a result of staff receiving fraudulent emails.

It’s clear, therefore, that staff awareness and vigilance have a key role to play in business cyber security.

The same UK Government survey identifies the next most common types of breaches to be related to viruses, spyware and malware (33%), people impersonating the organisation in emails or online (27%), and ransomware (17%) – statistics which further underline the key role staff have to play in cyber security.

Your staff need to be made aware of the risks arising from:

• Email fraud, including phishing and spear phishing
• Viruses
• Malware
• Ransomware
• Social media
• Impersonation

As well as understanding the risks, training should include practical examples which help to illustrate how to identify such an attack. As risks and threats evolve, the training must be updated and reinforced regularly – don’t just leave it to a half-hour session during induction and hope that’ll do.

Boardroom-level Leadership

One part of ensuring the cyber security training is given the strategic importance it requires is through board level commitment.

This is something of a “chicken and egg” situation; senior management and board-level awareness and cyber-security training must be part of any cyber security training plan in order to build this commitment.

However, the GDPR legislation is serving to help put cyber security at the top of the boardroom agenda.

The possibility of fines of up to €20 million or 4% of global turnover – whichever is greater – is crystallising the idea that cyber security is a business-critical issue.

Tightening up policies around reporting a breach, in particular, becomes increasingly important now that the GDPR has been enforced.

Incident Identification & Escalation

Another important mechanism for driving cyber security up the boardroom agenda is to put in a formalised system in place for reporting security risks and breaches.

Because of the new GDPR requirements, it is actually mandatory to notify the Information Commissioner's Office if your company suffers a severe data breach. This kind of reporting requires a system to be put in place to monitor attacks and, ideally, to classify them both in terms of the type of attack, and in terms of system, service or user under attack.

By gathering this data, and developing an incident response plan, you will be better placed to prioritise and investigate incidents and attacks, and take decisive action.

Of course, this will require systems and training being in place to support the staff responsible for identifying, prioritising, investigating and escalating any incident or attack.

When customer data is compromised, or there is evidence of another breach covered by law or a regulator, your business needs an effective way of notifying the board and regulatory authorities quickly about the nature of the threat and your business response. Clear policies must be in place, and staff – and the board – will need training about the policies in order to ensure effective compliance.

Regular Review

These four types of training – to secure general security awareness, board-level commitment, effective incident response, and compliance and escalation best practice – need to be reconsidered on a regular basis to ensure they incorporate the latest threats, regulation and compliance.

For more information on the issues raised in this article, see our Cybersecurity Awareness Training & Testing for Staff or contact our Security Team at Grant McGregor on 0808 164 4142.