October is Cyber Security Awareness Month, an annual initiative that started in 2004 to remind businesses and individuals of cyber security risks. Security agencies around the world are promoting awareness with information and events. The EU agency ENISA is highlighting the challenge of combating phishing with its #ThinkB4UClick campaign. The UK Cyber Security Council has links to recent articles on Cyber Security Awareness, and the US National Cybersecurity Alliance is using the #BeCyberSmart tag for everyone to post and access safety tips and reminders via social media.
Whilst it is important to put the spotlight on cyber security challenges and awareness annually, we do need to be vigilant all year round. Over the last year we have seen the number of phishing attacks grow and become increasingly sophisticated and personalised to users based on their roles in companies and organisations. This is making it even harder for users to identify potentially malicious emails, SMS and social media messages.
Phishing is not the only aspect of cyber security that needs to be addressed as part of a cyber security awareness programme, but with employees being at the forefront of any phishing attempt, it is the most crucial aspect to address. Employees are still the last line of defence and, with more and more time spent outside of the office, employees are also in a precarious position without colleagues by their side to check and validate whether an email is authentic or not.
Businesses are now placing cyber security as one of their highest risks and challenges, and leaders are looking to encourage good security behaviour throughout their organisations from the top down. What many companies are realising is that they need to establish a cultural change and proactive approach to addressing cyber security throughout the workforce via effective education and awareness. Such programmes are fundamental to company risk management.
It has often fallen to IT managers and IT departments to roll out awareness training. Whilst IT has security covered from a technical perspective, and can provide technical support, they don’t always have the time or skillset required to plan and deliver effective employee training over the long term. Keeping up to date with security threats and intelligence is also a challenge when you are an IT manager running IT in a small or medium-sized company. Providing a successful cyber security awareness training programme requires time and commitment from all parts of the organisation. Recent academic research [1] has shown that the most successful approach to protecting against phishing is preventative technical countermeasures running alongside well-designed, continuous cyber security training and education, which needs to be fully embedded in the organisation for the most positive results.
So, what do you need to do to build a successful cyber security education and awareness programme, and how can you ensure that everyone is on board and it becomes part of the everyday company culture? Here are some recommendations from our experience: