It’s a normal morning at work and your accounts department is following up on overdue invoices. You get feedback that some clients say they’ve already paid, yet you haven’t received any payments. After a little investigation, you find out they received an invoice that appeared to come from your accounts department, but with different bank details.
Earlier that week, Linda from administration received an email from a client containing a link to a confidential document. When she clicked on the link, what looked like a login page came up, asking her to sign in to view the file. After entering her username and password she was still unable to access the file. Frustrated, Linda forwarded the email to her colleagues asking whether they could open it. Multiple staff members then tried to sign in and view the document. The page was a fake, and every password typed into it went to the attacker. Linda has now unknowingly compromised half of the company.
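A trained employee, or a mail gateway acting on her behalf, catches Linda’s email by asking two questions before clicking: does the link go where its text says it goes, and is a sign-in prompt appearing on a domain that belongs to neither the sender nor the company? The following script is an added example, not code from the original post; the sender domain, the company domain (`ourcompany.example`), the `LOGIN_HINTS` list and the sample email are all constructed for illustration, and the `registrable_domain` helper is a deliberately crude "last two labels" approximation with no public-suffix handling.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation's own domains, the only
# places a legitimate internal sign-in prompt should ever appear.
TRUSTED_DOMAINS = {"ourcompany.example"}

# Host/path fragments that suggest a credential prompt (constructed list).
LOGIN_HINTS = ("login", "signin", "sign-in", "auth", "verify", "account")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; no public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_links(html_body, sender_domain, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    sender_dom = registrable_domain(sender_domain)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        dest_dom = registrable_domain(host)
        reasons = []

        # 1. The visible text shows a URL, but the href goes somewhere else.
        shown = re.match(r"(?:https?://|www\.)([a-z0-9-]+(?:\.[a-z0-9-]+)+)",
                         text.lower())
        if shown and registrable_domain(shown.group(1)) != dest_dom:
            reasons.append("link text names %s but goes to %s"
                           % (shown.group(1), host))

        # 2. A sign-in prompt on a domain that is neither the sender's nor ours.
        haystack = (host + url.path + url.query).lower()
        if (any(hint in haystack for hint in LOGIN_HINTS)
                and dest_dom not in trusted and dest_dom != sender_dom):
            reasons.append("login page on unrelated domain %s" % host)

        # 3. Plain http: credentials would travel unencrypted.
        if url.scheme == "http":
            reasons.append("unencrypted http link")

        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample resembling the email in the scenario above.
SAMPLE_EMAIL = """
<p>Hi Linda, please review the attached confidential document.</p>
<p><a href="http://docs-secure-share.example.net/login?doc=invoice-2231">
https://acme-client.example/share/invoice-2231.pdf</a></p>
<p><a href="https://acme-client.example/unsubscribe">Unsubscribe</a></p>
"""


def check_sample():
    """Run the analysis over the constructed email from acme-client.example."""
    return analyse_links(SAMPLE_EMAIL, "acme-client.example")


if __name__ == "__main__":
    for href, reasons in check_sample():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample, only the "document" link is flagged, with all three reasons; the genuine unsubscribe link on the client's own domain passes. The same three questions are what awareness training teaches people to ask by eye: hover over the link, compare the destination with the text, and be suspicious of any login page that is not on a domain you recognise.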
Unfortunately, the scenario above is not uncommon. According to the latest Notifiable Data Breaches statistics, phishing remains the leading source of malicious attacks, up 7% over the previous six months.
And it’s easy to understand why. Businesses invest thousands of dollars in firewalls, anti-virus products and all sorts of technology controls in the hope that these will protect them, but they rarely invest in their staff or their processes. A firewall does not stop an employee from typing a password into a convincing fake login page.
Cyber Security Awareness Training aims to plug this gap by educating your staff on common cyber security concepts such as phishing, malware and social engineering. Armed with this knowledge, your staff are better equipped to protect themselves and the business against future attacks. However, it’s not just your employees’ responsibility. Cyber security needs to come from the top down.
Creating a culture focused on cyber security empowers staff to stop and think before clicking on links in emails, and to report a suspicious message rather than forward it to colleagues, as Linda did. Rewarding employees who report threats is just one way a business can promote a positive cyber security culture.
Business processes and policies should be regularly reviewed to ensure that they are still relevant. For most businesses, the principle of least privilege, where each person and system has only the access its role requires, is the safest starting point; it also limits how much an attacker gains from one stolen password. An example of an outdated policy is a personal mobile phone policy that bars staff from using their own phones at work and so prevents the business from rolling out Multi-Factor Authentication to everyone, because the authenticator app would need to live on those phones.
Most importantly, cyber security is never ‘set and forget’. It requires continual review and adjustment to ensure the controls you have in place remain the most effective ones for your business as it grows.