
The importance of cyber awareness training

Published: 25 Feb 2021

Chris Hannett, Director of Cymplify, explains the real-world impact where such awareness is lacking, and why employees must maintain constant vigilance to prevent cyber attacks.

In the modern world of connected business – especially in the current reality of remote working and distributed services – each and every employee of a business needs to be aware of cyber risks. When the simple act of clicking a link can bring a business to its knees, it is no longer a question of whether or not cyber awareness is useful. It’s a necessity. Good training can help employees to be aware of the risks, understand the potential impacts, recognise the common tactics of attackers and maintain constant vigilance.

Anatomy of an attack

“The human element in cyber security is the most important element but is often forgotten,” says the Head of IT at BHP LLP Accountants. “Ensuring our staff have robust training, together with relevant testing and support, gives us the strongest chance of defending ourselves against cyber attacks.”

While cyber awareness training has been a staple of good security practices for a long time, it is often something that gets sidelined or forgotten when employees are busy or budgets are tight. This is a false economy, though, as the sobering truth is that 96% of successful cyber incidents now involve some form of human intervention, according to Verizon’s 2020 Data Breach Investigations Report.

Consider the following steps from a real-life UK business example in the past 12 months.

  1. An employee had (quite legitimately) signed up for an industry newsletter to keep up to date with their sector.
  2. The service that owned and operated the database of subscribers to that newsletter was breached during a cyber attack.
  3. All credentials (including passwords) from the database were offered for sale on the dark web.
  4. Those breached credentials files were bought by an attacker to carry out phishing attacks.
  5. A phishing email went out to every contact in that list, including the employee, who clicked on the link.
  6. The link was to a fake webpage that seemed legitimate but actually downloaded malware to the employee’s machine. The attacker had gained access to that machine.
  7. The attacker monitored emails for several weeks – identifying a significant upcoming purchase.
  8. Once the quote had been signed off, the attacker inserted themselves into the email chain, posing as the Managing Director (MD) of the employee’s business.
  9. The MD instructed the employee to pay an attached invoice for the purchase.
  10. As far as the employee was concerned, this was a legitimate instruction from their MD, and they made the payment.
  11. Weeks later, when the supplier followed up to determine if they wished to proceed with the real purchase, the attack was uncovered.
  12. The resulting loss of funds, the need to spend the money again on the real purchase and the increase in premiums due to claims on insurance ran close to a million pounds.
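The impersonation at step 8 is the point where a mailbox-level control can back up employee vigilance. The check below is an added example, not the article's or Cymplify's code: it assumes the attacker sent from an external or lookalike address while using the MD's display name, and the internal domain, executive list and sample messages are constructed for illustration.

```python
"""Added example: flag emails that borrow an executive's name but arrive from
outside the business, or that redirect replies elsewhere.  Domain names,
executive names and message headers are constructed, not from the article."""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed internal domain
EXECUTIVES = {"jane smith": "jane.smith@example.com"}  # constructed MD entry


def _norm(name: str) -> str:
    # Collapse case and punctuation so "Jane  SMITH" and "jane smith" match
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def check_message(headers: dict) -> list:
    """Return the reasons a message looks like executive impersonation
    (empty list means no flags)."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if _norm(name) in EXECUTIVES and domain != INTERNAL_DOMAIN:
        reasons.append(f"display name matches executive '{name}' "
                       f"but sender is external ({addr})")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To ({reply_addr}) differs from From ({addr})")
    subject = headers.get("Subject", "").lower()
    if reasons and ("invoice" in subject or "payment" in subject):
        reasons.append("payment request from a sender already flagged")
    return reasons


# Constructed sample messages: a genuine internal reply and a lookalike-domain
# impersonation of the MD asking for an invoice to be paid (cf. steps 8 and 9)
GENUINE = {"From": "Jane Smith <jane.smith@example.com>",
           "Subject": "Re: Quote for new equipment"}
IMPERSONATION = {"From": "Jane Smith <jane.smith@examp1e.com>",
                 "Reply-To": "accounts@mail.example.net",
                 "Subject": "Re: Quote - please pay the attached invoice today"}

if __name__ == "__main__":
    for label, msg in [("genuine", GENUINE), ("impersonation", IMPERSONATION)]:
        print(label, check_message(msg) or ["no flags"])
```

A real deployment would load the executive list from the directory and add the flagged reasons as a banner or quarantine rule, rather than relying on the employee to notice the lookalike domain.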

This example highlights two points in time (steps 5 and 10) when an employee was duped by an attacker and greater cyber awareness would have made a difference.

Keeping up with good practice

Cyber awareness training educates team members to spot the ‘red flags’ that signify malicious activity, and provides that vital level of awareness and vigilance.

Traditionally, approaches to cyber awareness have been classroom-based or presentation style. But these training methods are often no longer good enough because the threat is constantly evolving and increasing. Relying on employees taking an annual course, for example, means that employees will quickly be out of date in terms of the latest threats. As a result, good practice increasingly uses dynamic and continuous training to keep pace.

This has been enabled by new technology. For example, there are now software-as-a-service platforms that automate the delivery, monitoring and improvement of cyber awareness training. These can be an effective and affordable way to reduce risk. Such programmes can deliver varied and engaging training content, stepping each employee through a personalised programme they complete online at their own pace and at a convenient time. The goal is to provide continuous training for all employees, and the analytics to evidence the reduction in risk across the business.

In conclusion, improving cyber awareness training should be a key priority of all organisations, especially in the light of continuing homeworking. In order to maximise the benefits, this should be considered in a continuous way so that employees keep up to date with the latest threats and tactics from attackers.

About the author

Chris Hannett, Director, Cymplify
