Businesses of all sizes still harbor the belief that simply having a cybersecurity strategy and implementing the right policies is the complete answer to defending against cybercrime. However, the reality is that much more is needed to achieve strong defenses in today’s heightened threat landscape. In fact, according to the recent UK government Cyber Security Breaches Survey 2020, almost half of UK businesses (46%) reported a cybersecurity breach or attack in the last 12 months.
About the author
David Emm is principal security researcher at Kaspersky.
Some data breaches are easily avoidable, yet attackers have still successfully infiltrated systems because of a lack of awareness and knowledge within a company. To achieve optimal cybersecurity, businesses must ensure that they adopt the right culture and attitude towards it.
This change must be driven from the top, with company leaders embedding a culture of cyber-awareness across an entire organisation, and ensuring staff are trained in cybersecurity and educated in defending against cyberthreats. A chain is only as strong as its weakest link, and the weakest link in a company’s cybersecurity defense is often its people. Thus, the route to achieving true cybersecurity – on top of the right policies and practices – is education.
The human firewall
Cybersecurity training is imperative to the success of any modern workplace. Whilst advancements in technology continue to drive productivity and efficiency levels within the workplace, these same advancements have also left many organisations vulnerable to more advanced forms of cyberattacks.
In fact, employees are often the primary targets for hackers looking to infiltrate critical business systems, as they hold vast amounts of data, including extensive customer data. Indeed, employees remain the weakest link in the security chain, with 52% of businesses admitting that employees are their biggest weakness in IT security.
While it’s crucial that businesses implement technical defenses such as email filtering and antivirus software, companies also need to invest in their ‘human’ firewalls to effectively protect their networks. This means introducing more education and ongoing training programs, which help to reduce the risk of a data breach. As the first line of defense, employees must be able to help keep a business safe from malicious sources.
Cybersecurity culture within businesses
As both businesses and individuals continue to embrace new workplace technologies, software and technical solutions designed to protect against cybersecurity threats have multiplied. However, the number of reported data breaches continues to rise, with nearly half (46%) of UK firms reporting that they suffered a security breach or cyberattack over the past year. This highlights that organisations cannot rely on protective technology alone; they must also maintain and adapt their cybersecurity culture according to changing business needs, and ensure everyone understands the risks of a successful breach.
Poor security practice can cause significant financial loss and reputational damage. C-suite executives should familiarize themselves with their organisation’s security measures, as this can help them better understand the scope and severity of potential cyberattacks. At the same time, all employees, up to and including executives and CEOs, must be aware of the potential threats and have a clear understanding of how to handle them.
Since the introduction of the EU General Data Protection Regulation (GDPR) in 2018, three in ten businesses (30%) say they have made changes to their cybersecurity policies or processes as a result of GDPR. The implementation of this regulation has meant that some organisations over the past 12 months have engaged formally with cybersecurity for the first time, whilst others have strengthened their existing policies and processes.
It’s important that organisations create a cybersecurity culture where everyone understands the rules for the protection of both personal and corporate data. Introducing defined cybersecurity policies and practices will help significantly reduce the threat of an attack, whilst also helping to build a strong foundation that protects an organisation’s corporate and customer data.
Whose responsibility is it to deliver a culture shift?
The need for ongoing employee awareness and education raises the question of who is ultimately responsible for enforcing this culture change, and who is responsible for delivering educational and training programs for staff members throughout UK businesses.
With the business landscape now in complete chaos, and COVID-19 forcing staff in many sectors to work remotely from home, it is more crucial than ever that education is provided across all departments and all companies. With less tech-savvy members of staff now working online on remote devices more than ever, they are more vulnerable to falling victim to a cyberattack. It is up to businesses to make sure their staff are cyber-aware and following good practices whilst at home – as well as when they return to the workplace.
The government has a role to play in setting a good example and helping businesses stay safe – its Cyber Essentials certifications are a great example of this – but the collaboration between governmental bodies and businesses must continue if the culture around cybersecurity is to change. And ultimately it comes down to the companies creating a business-wide security culture, from the top to the bottom.
CEOs and MDs have a crucial part to play in spreading awareness, changing cultures and delivering training – and every single person in a business has a role to play in keeping it safe and protected. Only when everyone joins together to embrace good cybersecurity practices and follow protocol will businesses truly have an effective cyber-culture in place.