Staff education can help strengthen cyber defences

Leaving cyber security to the IT department and believing an organisation is secure because it has the most up-to-date protection is no longer viable. Recent research has found three-quarters of cyber breaches involve a human element, demonstrating that education awareness programmes are an important part of protection.

The most recent data from Verizon’s 2023 Data Breach Investigations Report highlighted that 74 per cent of breaches involve a human element. The report found social engineering attacks – cyber breaches which involve manipulating people into taking action that compromises systems such as sharing sensitive information – have doubled. Business Email Compromise, a form of phishing where people might be tricked into transferring funds, revealing sensitive information, or clicking on an attachment containing a virus, were found to make up more than 50 per cent of the social engineering incidents highlighted in the report.

While technology can filter out many potential threats and is becoming ever-more sophisticated, so too are the hackers’ routes and means of attack. The unfortunate reality is that security breaches could still reach your employees, which is why engagement and training are included in the 10 Steps to Cyber Security by the National Cyber Security Centre (NCSC).

The Cyber Centre of Excellence (CCoE) – an initiative which aims to make the UK the safest place in the digital world to live, work and play online – is now helping organisations access NCSC-assured training at subsidised rates through its collative purchasing power. The training is provided by OSP Cyber Academy and various options are available, from its Cyber Risk & Resilience Board & Executive Awareness Course for senior management teams, through to a range of online courses aimed at all staff. These include a Cyber Security Staff Awareness Course, GDPR Staff Awareness Course, OT Cyber Security Awareness Course, Ransomware & Malware Course, Phishing and Social Engineering Course, Mobile Device Security Course and Supply Chain Cyber Awareness Course. All of these and more can be purchased directly for multiple users via the CCoE online learning portal. There are also some Total Protect Package options for various groups, such as councillors and sole traders, where a selection of the most appropriate courses have already been included in the package.

Irene Coyle, Chief Operating Officer at OSP Cyber Academy, said awareness of the human element involved in cyber security needs to be greater at senior management level first and then filtered down through the organisation. “Senior management might think cyber security is about firewalls and detection and software tools handled by IT but, in fact, most data breaches are caused by humans. The staff are the people operating the software, securing the networks, accessing and sending data in and out of the organisation and those staff should be constantly aware of the latest methods of cyber- attacks and the risks they pose. Education awareness training is key to assist raising awareness and changing behaviour towards potential cyber risks and to fully understand the business issue at the highest levels within an organisation,” she said.

The risks are now greater than ever with the increase in homeworking and hybrid working. Employees are now more likely to connect into their organisation’s systems from unsecured networks such as a coffee shops or home internet connections and using a range of personal devices, including phones, laptops, and tablets. Knowing the risks these elements pose and how to protect themselves and their organisation is vital.

While having an accreditation such as Cyber Essentials, Cyber Essentials Plus or ISO 27001 all help a an organisation to meet a certain benchmark for cyber security, Coyle warns these are mainly about network security rather than demonstrating that your staff have been tested on their knowledge of cyber security risks. Utilising access to the courses offered through the CCOE will enable organisations to reduce risk, improve cyber resilience and demonstrate compliance with legal requirements.

The Information Commissioner’s Office (ICO), the UK’s data protection authority, spells out that staff must be trained regularly. The ICO states: ‘The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice. You should provide appropriate initial and refresher training’.

OSP Cyber Security has already delivered a board level course for parish councils for the CCoE and is currently onboarding a group of participants to their online courses as part of the CCoE offer. The NCSC-assured training is written by subject matter experts, regularly updated to address new threats and developments, and is designed to be engaging and memorable. Coyle advises organisations to offer several of the short training courses throughout the year to keep cyber security front of mind and to keep refreshing employees’ knowledge. Once an employee has access to a course through OSP Cyber Academy they can revisit it again as many times as they want within a year to keep the awareness level current and active.

“We are constantly looking at the threats and making sure we update our courses but also if a new route to target people and organisations is identified we develop a course, so people know about the threat rather than being a victim and then finding out about it later. We are abreast of the current threats and trends and make sure our training material is going to enable employees to recognise cyber threats and equip them with the right information,” Coyle added.
Making cyber security a regular point of discussion and offering an ongoing education programme can help generate a culture where employees are aware of and reacting to possible threats as a matter of course: “We are all online now most of the time and so cyber security needs to be a responsibility for everyone, it is no longer something that can be left solely to the IT department,” she said.

If training sounds like something that might benefit your senior management team and wider employee base, but you aren’t sure which courses are most appropriate, the CCoE is on hand to assist with this and your other cyber security concerns, please just get in touch.

To find out more about the CCoE and the OSP Cyber Academy education awareness programme or to see the different Total Protect Packages which include training click on the buttons below.

Subscribe to Our Cyber Comms

Get content like this delivered directly to your mailbox.

By subscribing to our cyber-communications, we can keep you up to date on the latest in cyber-protection. Click on the button below to subscribe.