There are many ways to protect a business, but one method stands head and shoulders above the rest: training people. According to the UK Government's Cyber Security Breaches Report 2024, 90% of cyber attacks on UK businesses are phishing attacks. These rely entirely on exploiting people. That’s why having cyber-aware staff is the single most effective way you can protect your business online in 2024.
Cyberattacks are a serious risk in today's online world. They can damage businesses and hurt personal lives. Businesses need to do everything they reasonably can to protect themselves, and their staff, from such exploitation.
If staff don’t have sufficient regular training they might click on a phishing link by accident and that is where it can all go wrong.
But there's hope. You can lower your risks by creating a strong cyber awareness culture.
Think of your organisation's cybersecurity as a chain. It's only as strong as its weakest link. Employees are the links in this chain. By creating a cyber awareness culture, you make each employee a strong link. This makes your whole organisation more secure.
If cyber awareness isn’t embedded in the culture and driven from the top, it’s often overlooked by staff or seen as a low priority. It becomes viewed as an inconvenience, something that’s not important, when really the very existence of the business could hinge on it.
In great companies, staff don’t even think about security. It is so deeply rooted in the culture that no one would dream of working insecurely. There’d be no shadow IT, no sensitive details would ever be sent as unencrypted attachments to emails, and everyone would have long, unique passwords.
Creating a cyber awareness culture doesn't need complicated plans or costly training programs. Here are some simple steps you can take to make a big difference.
Getting leadership on board is the first step to getting the rest of the business on board.
Gaining an understanding of the risks, and how powerful mitigation can be, can help drive management buy-in for raising the profile of cyber awareness. Once they understand the benefits, and realise that the cost is almost non-existent, it becomes an easy decision to get behind the initiative.
When executives support cyber awareness, it sends a strong message to the organisation.
Leadership can show their support by:
Cyber security training doesn't have to be dull. Platforms like uSecure deliver engaging videos and quizzes that are great for captivating your audience. You can also find gamified quizzes and role-playing of real-life scenarios that all help raise understanding among your staff. Keeping it fun keeps employees interested and learning.
We provide uSecure courses to all our support customers and it’s amazing how many people casually drop their cyber evil-doer mascot Cyberto into conversation. It really does work!
Cyber security terminology can be confusing. It uses acronyms and technical phrases, but most people don’t need to worry about these to understand how to stay safe.
Ensuring that all cyber awareness messaging uses simple language means that people will understand what they’re being taught and as a result, they’ll be more willing to stay engaged. Complex abstract concepts and technical language are surefire ways to turn people off. Focus on practical advice employees can use in their everyday work.
Don't overload people with lengthy training sessions. We have all sat in training rooms for hours on end during training days and it simply doesn’t work. After a while we all switch off and the training becomes far less impactful.
Opt for regular bite-sized training modules that are easy to digest and remember. Use brief videos and games delivered on a regular cadence, ideally weekly or monthly. These are a great way to keep employees engaged and reinforce key security concepts.
Repeating the message is key as people forget their training after 6 months.
We send regular phishing simulations to all of our supported customers. These help raise awareness and ‘keep people on their toes’. Simulated phishing emails track who clicks the links in them. The various platforms mentioned above then use this information to target those who click the links with more phishing training to help them get used to spotting phishing emails.
As phishing scams get harder to spot based purely on spelling mistakes and language (thanks to services like ChatGPT writing in perfect English), it becomes even more important for people to know what else to look for. Slightly off sender domains, or a tone of manufactured urgency, are red flags that people get used to spotting.
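The two red flags above, a slightly off sender domain and a pushy, urgent tone, are exactly the kind of thing a small triage script can surface for a helpdesk or security champion before a message is forwarded to staff. The following is an added example written for this page, not code from the original post or from any of the platforms it mentions. It assumes a constructed allow-list of trusted domains (`TRUSTED_DOMAINS`), a hand-picked table of look-alike character substitutions, and a short list of urgency phrases; all three are illustrative and would need tuning for a real organisation.

```python
"""Flag look-alike sender domains and urgency cues in inbound mail headers (added example)."""
from difflib import SequenceMatcher
from email.utils import parseaddr
import unicodedata

# Constructed allow-list: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "example.co.uk", "microsoft.com"}

# Substitutions commonly used in look-alike domains, mapped back to the letters they imitate.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed phrases that try to rush the reader into acting without checking.
URGENCY_CUES = ("urgent", "immediately", "within 24 hours",
                "account will be suspended", "act now", "final notice")


def normalise(domain: str) -> str:
    """Lower-case, strip accents (e.g. 'é' -> 'e') and fold confusable characters to plain ASCII."""
    decomposed = unicodedata.normalize("NFKD", domain.strip().lower())
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def registrable(domain: str) -> str:
    """Reduce a host name to its registrable part; handles two-label suffixes such as co.uk."""
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Finance <finance@examp1e.com>'."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    trusted_regs = {registrable(t) for t in TRUSTED_DOMAINS}
    # Genuine subdomains of a trusted domain (mail.example.com) are trusted.
    if domain in TRUSTED_DOMAINS or registrable(domain) in trusted_regs:
        return "trusted"
    norm_reg = registrable(normalise(domain))
    for trusted in trusted_regs:
        trusted_norm = registrable(normalise(trusted))
        # Homoglyph or digit substitution: identical once confusables are folded (examp1e.com).
        if norm_reg == trusted_norm:
            return "lookalike"
        # Trusted name buried as a prefix inside an attacker-controlled domain (example.com.evil.net).
        if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
            return "lookalike"
        # Trusted brand embedded in a longer second-level label (microsoft-support.com); heuristic.
        brand = trusted_norm.split(".")[0]
        if len(brand) >= 5 and brand in norm_reg.split(".")[0]:
            return "lookalike"
        # Near miss: a transposition or an extra/missing character (exmaple.com).
        if SequenceMatcher(None, norm_reg, trusted_norm).ratio() >= 0.85:
            return "lookalike"
    return "unknown"


def urgency_flags(subject: str, body: str) -> list[str]:
    """List the urgency phrases present in the subject or body."""
    text = f"{subject}\n{body}".lower()
    return [cue for cue in URGENCY_CUES if cue in text]


def triage(from_header: str, subject: str, body: str) -> dict:
    """Combine the domain verdict and urgency cues into a simple risk rating for a reviewer."""
    domain = sender_domain(from_header)
    verdict = classify_domain(domain)
    cues = urgency_flags(subject, body)
    if verdict == "lookalike":
        risk = "high"
    elif verdict == "unknown" and cues:
        risk = "medium"
    else:
        risk = "low"
    return {"domain": domain, "verdict": verdict, "urgency_cues": cues, "risk": risk}


# Constructed sample messages for a stand-alone run.
SAMPLE_MESSAGES = [
    ("Finance <finance@examp1e.com>", "Final notice: your account will be suspended", "Pay the attached invoice now."),
    ("IT Helpdesk <help@rnicrosoft.com>", "Password reset", "Reset immediately via the link."),
    ("Alice <alice@mail.example.com>", "Lunch on Friday?", "Usual place at 12:30."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLE_MESSAGES:
        print(triage(sender, subject, body))
```

The heuristics are deliberately simple and err towards flagging: a domain that merely embeds a trusted brand name will be marked as a look-alike, which is the right bias for a tool whose output is reviewed by a person rather than acted on automatically.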
It’s really important that the culture you create in your business actively encourages employees to report suspicious activity without fear of blame. It’s always better to report something that might be suspicious.
If someone does click a link when they’re busy and flustered, they need to feel comfortable in raising their hand and seeking assistance. If staff are fearful to admit a mistake, then the damage from a clicked link can escalate very quickly.
Create a safe reporting system and acknowledge reports promptly. You can do this through:
Recognise staff achievements in cyber awareness. Praise people if they report a suspicious email. Reward a team if they achieve a low click-through rate on a phishing drill.
Publicly acknowledging contributions helps keep motivation high. Recognition can be a powerful tool. It helps reinforce positive behaviour and encourages continued vigilance.
A security champion in your staff can help drive engagement with their peers. Someone in your staff who is evangelical about security can deliver your message for you, spreading the word in a manner that differs from an instruction from above.
Identify enthusiastic employees who would like to receive additional training on the subject. Ideally you want someone who is excellent at communication and relationship building. They don’t need to be the most technically minded person, so long as they can grasp the fundamentals. They can then answer questions from peers as well as promote best practices through internal communication channels. This keeps security awareness top of mind.
Cyber security isn't just something that applies at work. Good cyber awareness training helps staff consider their own personal security and helps to protect them at home. Staff learn the importance of changing default passwords, not re-using passwords, and all sorts of other useful tips to help them in their private lives.
Staff who practice good security habits at home are more likely to do so in the workplace.
Creating a culture of cyber awareness is an ongoing process and a shared responsibility. If you equip everyone in your business with the knowledge and tools to stay safe online then you convert your staff into your strongest defence against cyber threats.
Repetition is key! Keep the conversation going and make security awareness a natural part of your organisation's culture.
We’re cyber security experts based in Edinburgh, but helping customers all across Scotland. If you’d like to discuss how our IT support can help you secure your business then get in touch.