UK companies aren't educating staff on cyber security

A recent survey has revealed what many of us in the IT sector feared: UK companies are not sufficiently educating staff on cyber security risks, and they risk disaster if they are hit by a cyber-attack.

The research revealed a huge 68% of British companies don’t have a cyber security awareness programme of any shape or form in place. This is even more worrying when you consider the fact that almost half of businesses also don’t have a cyber security strategy, according to the Institute of Directors (IoD).

The Ultima survey revealed that over two-thirds (76%) of businesses aren’t prepared for zero-day attacks that exploit yet-unknown vulnerabilities, and a further 74% don’t have a plan in place to recover from cyber-attacks should they fall victim. Given that more than half of UK businesses have experienced a Ransomware attack – one of many varieties of cyber-attacks – and evidence that shows enterprises download a variant of malware every 4 seconds, these statistics should shock business owners into action.

The WannaCry Ransomware attack that hit household names including Telefonica, Nissan and the NHS finally brought cyber-attacks, specifically Ransomware, into the public discourse. 24 NHS trusts and around 40 hospitals were shut down or similarly impacted by this attack. Operations were cancelled, A&Es closed and GP appointments came to a screeching halt. While no official statistics have been released, it’s very possible that patients died as a result of this attack. This cyber-attack impacted thousands across the country and the world in a way that a physical disaster like a flood, which is isolated in one location, could never have.

Over a month later, many businesses are still vulnerable to a wide range of cyber-attacks. Many business leaders feel detached from the attack because they weren’t a victim. The high-profile victims might further distance small business owners from the issue. However, it’s wrong to think that only big businesses are targeted with cyber-attacks; WannaCry wasn’t targeted at all. If hackers can bring down FTSE 100 companies, they can definitely bring down your small local business. These hackers don’t discriminate; they’ll go after small businesses that they perceive to have weak defences, and larger businesses for profit.

A multi-layered cyber security strategy is essential to the continuation of a business. To truly protect your organisation from the widening cyber threat landscape, it comes down to more than a basic anti-virus; the tool is essential, but business leaders and IT directors need to look beyond that. A robust strategy includes running a patched, supported operating system, anti-virus, a backup and disaster recovery solution, and importantly, an educated workforce. You can read more about our recommendations for a cyber security strategy in our recent blog.

Time and time again, studies have shown that your people are the first line of defence against cyber-attacks, and yet they’re also the weakest link. IBM’s Cyber Security Intelligence Index indicates that 95% of all cyber security incidents are the result of human error. The government’s Department for Culture, Media and Sport carried out a study into cyber security breaches that was released in 2017, which revealed that only a fifth of businesses have had staff take part in cyber security training. Furthermore, non-specialist staff, including those in back office functions, were the least likely to be trained on cyber security.

It’s well known that email is a primary vehicle for the distribution of malware and other malicious payloads. There’s an attitude of complacency that comes with email threats, but increasingly sophisticated email spoofing tactics mean these emails are incredibly convincing and therefore harder to spot than ever. While your IT staff might be shrewd enough to spot even the most convincing malicious emails, it’s important to remember that you need a company-wide security-savvy culture. What looks like an obvious threat to one person can look like a genuine colleague email, invoice or exclusive offer to another.

At TSG we’ve both implemented Sophos’ new tool, Phish Threat, and added it to our portfolio. The product simulates a targeted, calculated phishing attack against your members of staff. You can determine what the email looks like, fire it off to your workforce and see exactly who clicks. This isn’t a sneaky trick, but a business-critical practice given the cyber security risks out there. Those colleagues who click on the link are informed about Phish Threat and given extensive training on spotting malicious threats. It allows your business to gauge the risks posed by your frontline staff and to train staff on the risks quickly and effectively. Read more about how Sophos Phish Threat can help your business.

Business data is now in the crosshairs of hackers. High profile data breaches seem to hit the headlines every other day with DocuSign, Xbox, PlayStation and Tesco just some of the household names whose data was compromised. With GDPR coming into effect in May 2018, protecting your precious business data has never been more important. With fines of £17.5m or 4% of your company’s turnover – whichever is higher – for non-compliance, this could spell the end of your business. We’re hosting a GDPR roadshow around the country to help you understand the implications to your business and prepare as soon as possible.

It doesn’t matter what sector you’re in, what services you offer, or the size of your business. Cyber threats are more sophisticated than ever, and humans are almost always the weakest link in your defence against cyber-attacks. By not educating your staff on cyber security, you’re allowing hackers to exploit the vulnerability of your first line of defence.