Recent high profile cases have highlighted how the cost of cyber security breaches is rising dramatically. Too often technology is seen as the solution, yet it is regularly reported that upwards of 90% of successful breaches involve human error. Mark Jones, Commercial Director at Unicorn Training, looks at how effective and engaging training can help firms better manage their ever changing cyber risks.
Following the recent high profile TalkTalk cyber attack, Dido Harding, TalkTalk's CEO, described cybercrime as “the crime of our generation.”
Ms Harding's observation explains why cyber resilience has become such a complex, ongoing effort: businesses have to manage the risks and impacts not only of malicious external attackers but also of poor information handling by their own people.
The TalkTalk security breach in late October 2015 hammered the message home. The news in December that VTech, the children's tech toy maker, had had the personal details of 11.2 million of its customers stolen, including over a million in the UK, showed that even the biggest companies, and our kids, are not safe from those intent on targeting and stealing the information that is most precious to us.
However, more often than not, the issue is not the technology but the human factor. No matter how much you do to improve cyber resilience and raise the awareness, skills and insight of all your staff, you can never do enough.
What’s the financial impact?
Published in June, PWC's 2015 ‘Information Security Breaches Survey’, commissioned by the Department for Business, Innovation and Skills (BIS), surveyed known cyber incidents across UK companies. It revealed some alarming findings.
Nine out of ten large companies (those with over 500 people), up 9% on 2014, and three quarters of small businesses, up 14% on the previous year, suffered a security breach in 2015.
The survey also calculated the average cost of these breaches as between £1.46m and £3.14m for large companies (up from £600k to £1.15m in 2014) and between £75k and £311k for small businesses (an increase from £65k to £115k the previous year). ‘Cost’ can include anything from business disruption, lost sales and recovery of assets to fines and compensation payments.
Most importantly for the training industry, the report found that despite an increase in staff awareness training, people are as likely to cause a security breach as viruses and other types of malicious software.
When asked about the single worst breach suffered in the year, half of all organisations attributed the cause to inadvertent human error.
This all highlights how cyber attacks are now part of ‘business as usual’ for everyone.
No longer an IT problem
Just a week after the TalkTalk breach hit the headlines, Nick Wilding, Head of Cyber Resilience, AXELOS Global Best Practice, addressed delegates at our annual Unicorn client day. To say his observations made a few ears prick up is an understatement.
Earlier this year we partnered with AXELOS – a joint venture between the UK Government and Capita plc – to help raise awareness of the critical importance of engaging all your people, following the launch of AXELOS’s RESILIA Cyber Resilience Best Practice portfolio.
The RESILIA portfolio is aimed at putting employees at the heart of an organisation’s cyber resilience strategy and providing companies with the confidence they need to recognise, respond to and recover from cyber-attacks effectively. As part of this, Unicorn joined forces with AXELOS to host a comprehensive suite of cyber resilience learning modules on Unicorn’s learning and development platform SkillsServe.
At the client day Nick detailed how cyber resilience is no longer something that IT alone can solve, although many of the companies he meets still believe it is. A significant breach like TalkTalk's, he said, can radically undermine the fundamental trust between a business and its customers and damage a hard fought competitive advantage, not to mention being felt in the pocket through regulatory fines or a reduction in market value.
As Nick put it “48hrs can be a very long time for a board and their business in managing a cyber crisis”.
Nick outlined how ‘industrialised’ cyber-attacks are changing how any organisation should manage its risks. All organisations are at risk, and it is no longer effective to spend all your time and money on protecting against and detecting attacks. Instead, organisations must assume they will be successfully attacked, if they have not been already, and treat planning and testing how they will respond to and recover from an attack as just as important as prevention.
Every individual within an organisation can be a target, from top to bottom, so everyone has a role to play in enhancing cyber resilience. Engaging employees is critical to this, as staff have to sit at the heart of an effective resilience strategy.
Because of the human factor, Nick insisted firms could no longer take a ‘compliance-based approach’. Typically, if a firm carries out any information security awareness learning at all, it puts all of its people through annual, unengaging eLearning. All too often this learning has little or no impact on driving new cyber resilient behaviours.
He also highlighted the importance of inextricably linking your cyber resilience strategy to business strategy: the business and IT have to collaborate to build the resilient culture required amongst everyone.
Addressing the human imbalance
So if our people are our biggest vulnerability to attack, how can firms most effectively influence and enable positive change in their staff's behaviour? The reality is that most people take more care over their own cyber security at home than they do at work. Getting them to think about their work responsibilities in the same way requires a training approach that promotes effective learning and suits them.
Learning needs to be ongoing and regular: short, concise modules with supporting updates and refreshers. It should be adaptive and personalised, with the same learning developed in different formats to suit different learning styles. It must be engaging, competitive and fun, with the option to learn inside and outside work time. The learning also has to be measurable, so that changes in behaviour can be tracked over time to demonstrate the value of the investment in people.
As well as the RESILIA Awareness learning hosted through SkillsServe, Unicorn offers an LCMS option for firms with an existing LMS. Whichever route is used to access the learning, users can adopt a method that suits them, with the cyber resilience modules including games, simulations, animations, videos, eLearning and posters, as well as refresher learning and ‘up-front’ tests for anyone who believes they already know what they need to know.
The learning design has been carefully considered to suit all individuals regardless of their preferred learning style or when and how they like to learn, with SkillsServe supporting 24/7 mobile just-in-time (JIT) learning at the point of need.
This new approach gets to the heart of cyber resilience: engaging learning for all staff, enabling them to take personal responsibility for better protecting their employer's most valuable and precious information. As the PWC survey highlighted, the alarming escalation of attacks and breaches in the last year means the only guarantee is that cyber criminals will continue in their mission to target and steal commercially sensitive information from those who are easiest to target.
Making your staff aware of how they can be all too easily targeted, and providing pragmatic guidance to better manage this risk is now more critical than ever.
The impact of not engaging all your people is too great a risk to take for most – are you ready to make a change?