When you’re putting together a cyber security policy, everyone will tell you that there are three elements you need to look at: people, processes and technology. But treating them as three entirely separate concerns is misleading.
This is particularly true of the people aspect. You know your staff need to be taught to follow good cyber security habits, but how does this fit into your overall cyber security strategy? We have a couple of examples to show you how it should be done.
Integrating staff awareness training
Let’s begin with phishing emails. Staff awareness is generally considered the most important factor in preventing these attacks because your employees are your last line of defence.
But that’s not to say that staff are the only line of defence. Email filtering systems are effective in mitigating the risk of phishing – but they’re not as effective as some organisations think. According to Mimecast’s third quarterly Email Security Risk Assessment, 24% of emails that pass through spam filters contain malicious attachments, links or social engineering tactics.
Technology is similarly relied upon to protect organisations’ physical premises – such as a key code to access a building. However, these measures will be useless if a cyber criminal can persuade an employee to let them in.
This is where staff awareness fits in. Training your staff on the risks they face and their security obligations fills the security gaps that technology leaves. Staff should be thoroughly educated during their induction and those lessons should be reinforced at least annually or whenever you experience staff-related security incidents.
Then there’s the third part of cyber security: processes. To return to the example of phishing, organisations should put measures in place to mitigate the damage of attacks or prevent them altogether. But for these policies to be effective, organisations need to make sure their employees are aware of them.
Password policies instructing staff to create unique passwords for their work accounts will protect the organisation if someone’s personal account is breached, because a credential stolen from one service cannot be reused to log in to another. Access rights that stop employees from viewing parts of the organisation’s internal systems they do not need have a similar effect: cyber criminals who hack into someone’s account will face the same restrictions as that employee.
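To make the access-rights point concrete, here is an added example (not code from the original post or its author) of a least-privilege check: each account gets only the permissions of its roles, every decision is logged, and repeated denials are flagged so a compromised account that starts reaching beyond its normal role becomes visible. The role names, permission strings and the "alice" account are constructed for illustration.

```python
"""Least-privilege access check with a simple denial signal.

Added example; role and permission names are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed role-to-permission mapping: each role sees only its own area.
ROLE_PERMISSIONS = {
    "finance": {"invoices:read", "invoices:approve"},
    "hr": {"personnel:read"},
    "helpdesk": {"tickets:read", "tickets:write"},
}


@dataclass(frozen=True)
class Account:
    username: str
    roles: frozenset


@dataclass
class AccessLog:
    # (username, permission, "allow" | "deny") tuples, in request order.
    entries: list = field(default_factory=list)


def permissions_for(account: Account) -> set:
    """Union of the permissions granted by the account's roles."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorise(account: Account, permission: str, log: AccessLog) -> bool:
    """Allow only what the account's roles grant; record every decision."""
    allowed = permission in permissions_for(account)
    log.entries.append((account.username, permission, "allow" if allowed else "deny"))
    return allowed


def denied_attempts(log: AccessLog, threshold: int = 2) -> set:
    """Usernames with at least `threshold` denied requests.

    Repeated denials are a cheap detection signal: a legitimate user rarely
    keeps asking for areas outside their role, whereas an attacker using a
    stolen account typically does.
    """
    counts = {}
    for user, _, outcome in log.entries:
        if outcome == "deny":
            counts[user] = counts.get(user, 0) + 1
    return {user for user, n in counts.items() if n >= threshold}


def simulate_compromised_account() -> dict:
    """Constructed scenario: a helpdesk account is used to probe HR and finance.

    The account still only reaches ticket data; the other requests are denied
    and the repeated denials get the account flagged.
    """
    log = AccessLog()
    alice = Account("alice", frozenset({"helpdesk"}))
    requests = ["tickets:read", "personnel:read", "invoices:approve"]
    outcomes = {p: authorise(alice, p, log) for p in requests}
    return {"outcomes": outcomes, "flagged": denied_attempts(log), "log": log.entries}


if __name__ == "__main__":
    result = simulate_compromised_account()
    for entry in result["log"]:
        print(entry)
    print("flagged accounts:", result["flagged"])
```

The design choice worth noting is that the log is written on both allow and deny: the denials are what reveal misuse of a compromised account, and they only exist because the access rights were enforced in the first place.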
Our staff awareness solutions
Staff awareness programmes and training courses are the building blocks of a culture of cyber security, but there are many other things organisations can do – both big and small.
We recommend that you begin with e-learning courses, because they provide a cost-effective, flexible and efficient way of educating large numbers of people. Our courses cover ISO 27001, the Payment Card Industry Data Security Standard, the EU General Data Protection Regulation, information security, phishing and ransomware.