
How to reduce human error to build a resilient cyberculture


Cyberattacks constantly hit the headlines - but often they focus on big brands we are all likely to recognise.

This can give the impression to smaller organisations that they are rarely attacked - but that’s not the case.

Small businesses are the target of 43 per cent of all cyberattacks, according to a recent report, and collectively they face nearly 10,000 attacks every day. The Federation of Small Businesses estimates that each attack costs an average of £1,300.

Despite this, many small businesses are not doing enough to protect themselves, and they often fail to recognise how critical it is to educate employees about cybersecurity. According to cybersecurity specialists Kaspersky, human error is responsible for 90 per cent of data breaches in the cloud.

Learn the tell-tale signs

Phishing is when attackers mimic a legitimate communication so that people are duped into disclosing valuable information such as bank details or login credentials.

Alternatively, they may trick people into opening an attachment or clicking a link that installs malware or otherwise lets the attacker take control of the victim's device.

Staff should learn to treat any unsolicited communications with suspicion, especially if they come from sources they don’t recognise. Some communications may have clear tell-tale signs that signal they are not legitimate.

Signals include:

  • The email comes from a different domain to the usual one, or is in a different format. For example, your boss appears to be emailing from a @gmail.com address instead of the usual business domain. Check the actual address, not just the display name, because the name shown can say anything the sender wants. Email security solutions such as gateway security technology can alert you to these discrepancies by checking the links and sending domain.
  • The domain name is misspelt or a look-alike (an extra letter, a swapped character, a digit in place of a letter) - a clear sign something is wrong.
  • There are random spelling mistakes and grammar errors.
  • It includes unexpected attachments or pushes you to click on links.
  • It has already found its way into your spam folder.
  • The message sounds urgent - for example, someone tells you to click a link or send them a document immediately, before you have time to check.

None of these signs is proof on its own, and a well-crafted phishing email may show none of them, so a message that asks for money, credentials or sensitive data should be verified through a separate channel, such as a phone call to a known number.
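The signals in the list above can be checked mechanically, which is what a mail gateway does on a much larger scale. The following Python script is an added example and is not code from the article or from any product it mentions. It parses a raw email with the standard library, compares the real sender and reply-to addresses (not the display name) against a company domain, flags look-alike domains by edit distance, and looks for urgent language, links and risky attachment types. The company domain `example.com`, the word and extension lists, and the two sample messages are all constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed company domain and word lists for this example (not from the article).
COMPANY_DOMAIN = "example.com"
URGENCY_WORDS = ("immediately", "urgent", "right away", "asap", "within 24 hours")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".docm", ".xlsm", ".zip")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance flags look-alikes such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Domain of the real address in a header, ignoring the display name."""
    _name, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def phishing_signals(raw: bytes) -> list:
    """Return the tell-tale signs found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    signals = []

    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if from_domain and from_domain != COMPANY_DOMAIN:
        signals.append("external sender domain: " + from_domain)
    if reply_domain and reply_domain != from_domain:
        signals.append("reply-to domain differs: " + reply_domain)

    # Body text (plain preferred, HTML otherwise) and the hosts of any links in it.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    link_hosts = [h.lower() for h in re.findall(r"https?://([\w.-]+)", text)]
    if link_hosts:
        signals.append("contains link")

    # Any domain within two edits of ours that is not ours is a look-alike.
    for d in sorted({from_domain, reply_domain, *link_hosts} - {"", COMPANY_DOMAIN}):
        if edit_distance(d, COMPANY_DOMAIN) <= 2:
            signals.append("look-alike domain: " + d)

    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        signals.append("urgent language")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            signals.append("risky attachment: " + name)
    return signals


def build_sample(from_header, subject, body, reply_to=None, attachment=None) -> bytes:
    """Construct a sample message for the example (not a real email)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "staff@" + COMPANY_DOMAIN
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00 not a real binary", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: a "boss" writing from webmail with a look-alike reply-to,
# and a genuine internal message.
PHISH = build_sample("Jane Boss <jane.boss@gmail.com>", "Overdue invoice - action immediately",
                     "Hi, please pay via http://examp1e.com/pay right away.",
                     reply_to="jane@examp1e.com", attachment="invoice.exe")
LEGIT = build_sample("Jane Boss <jane.boss@example.com>", "Team lunch",
                     "Shall we go to the usual place on Thursday?")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_signals(raw))
```

Running the script prints six signals for the constructed phishing message and none for the genuine one. The thresholds are deliberately crude; a gateway product adds sender authentication (SPF, DKIM, DMARC), URL reputation and attachment sandboxing on top of heuristics like these.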

If a mistake or a security breach does occur, employees need to feel able to report it immediately and without fear of blame, so that the damage can be limited while there is still time.

A no-excuses training culture

Onboarding of new employees rarely covers security measures thoroughly or explains how staff can be proactive in protecting themselves and company data. Having a clear written policy is important so that people know their responsibilities and legal obligations, but it is not enough to rely on this alone. Likewise, measures such as anti-virus software, filtering and monitoring are only part of the solution.

The 2019 State of IT Security Survey found that email security and employee training are the top problems faced by IT security professionals. If an employee cannot recognise a phishing email and clicks a link in a message that appears to come from their boss but is full of inconsistencies, the result could be disastrous. Untrained employees are one of the top vulnerabilities for a company, but that is easily rectified.

Training should be a mandatory part of the induction process, and refreshers should be part of company culture, both to stop people becoming complacent and to update them on changes to the law. Any training given should cover phishing, because it is one of the top techniques criminals use against their victims.

A clear written policy should be given to every employee so they know what their responsibilities are. They should understand their legal obligation to protect people’s data and the consequences of failing to do so.

Embrace fake phishing

You shouldn't rely on training alone to be confident that employees can identify threats. In almost every other setting, when we are taught something we are given a test to make sure we absorbed the information, so why not do the same here? Specific cybersecurity training is available that includes a simulated phishing exercise.

This sends a fake phishing email to employees so you can measure the outcome. If five people click the link in the email, you know who needs further training.

You shouldn't do this too often, as employees can end up spending longer scrutinising emails than being productive. It should be presented as positive development for them and the company, not as a route to disciplinary action; staff who fear punishment are less likely to report the real phishing emails they fall for.

Google also offers a phishing quiz which you can ask employees and employers to take. 

Gateway to protection

You can also take advantage of software that puts security on the front line and identifies potential attacks before they land. Cloud-delivered services such as Cisco Umbrella apply threat intelligence at the DNS layer: they see which devices are requesting which domains and block connections to known malicious domains before a payload is downloaded.

Email gateway security technology can check that the sender is authorised to send mail for its domain (using the domain's SPF, DKIM and DMARC records) and scan the contents of emails in real time before they reach the user, reducing the scope for human error. Firewalls with intrusion prevention can also identify threats within traffic and stop them before they enter the network.

Protect your passwords

We all know that a secure password is imperative to staying safe online, but many of us still use weak passwords. Best practice is to use a unique password for every account, but expecting people to remember dozens of them isn't realistic. That is why it is worth using a password manager to store them.

Password generators can also suggest strong passwords, but if you'd rather come up with your own there are a few rules to follow. For starters, don't pick a dictionary word as your password: a dictionary attack will crack it in seconds. It is best to use a random combination of lower and uppercase letters, numbers and symbols. A good tip is to take the first letter of each word in a phrase you'll easily remember.
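To make the "random combination" advice concrete, the following Python script is an added example, not code from the article. It generates a password from a cryptographically secure random source, retrying until every character class is present, and puts a number on why a dictionary word falls in seconds while a random one does not. The dictionary size of 170,000 words and the offline guess rate of ten billion per second are assumptions for the comparison, not figures from the article.

```python
import math
import secrets
import string

# Character classes the password must draw from (symbol set is an assumption).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)

# Assumed attacker model for the comparison: a 170k-word dictionary and an
# offline cracking rig making 10 billion guesses per second.
DICTIONARY_WORDS = 170_000
GUESSES_PER_SECOND = 1e10


def generate_password(length: int = 16) -> str:
    """Password from the CSPRNG (secrets), with at least one char of every class."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over valid passwords.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def has_every_class(password: str) -> bool:
    """True if the password contains a character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def entropy_bits(choices: int, length: int = 1) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices`."""
    return length * math.log2(choices)


def seconds_to_crack(bits: float) -> float:
    """Expected time to find the password after searching half the keyspace."""
    return 2 ** (bits - 1) / GUESSES_PER_SECOND


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    word_bits = entropy_bits(DICTIONARY_WORDS)
    random_bits = entropy_bits(len(ALPHABET), len(pw))
    print("dictionary word: %.1f bits, cracked in %.2g s" % (word_bits, seconds_to_crack(word_bits)))
    print("random 16 chars: %.1f bits, cracked in %.2g s" % (random_bits, seconds_to_crack(random_bits)))
```

A single dictionary word carries roughly 17 bits, which the assumed rig exhausts in a fraction of a millisecond, whereas 16 random characters from this 75-symbol alphabet carry close to 100 bits. The same arithmetic is why a password manager's generator is the easy option: it produces the long random string and remembers it for you.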

Wherever it is offered, turn on two-step or multi-factor authentication, including biometrics such as face or fingerprint recognition. A password that has been phished or guessed is then not enough on its own to log in.

Make remote working secure

These days remote working is incredibly common but companies don’t always have the right measures in place to stay safe online.

A Virtual Private Network (VPN) encrypts traffic between a device and the company network, so that someone sharing a public Wi-Fi network in a cafe or hotel cannot read or tamper with it.

If staff use their own devices to access work-related information, make sure these are secure too. Staff should be taught not to ignore software updates, because they often include important security fixes. They should also be told to install apps only from official app stores or from vendors the company trusts.

Training staff doesn’t have to be time consuming or expensive.

The National Cyber Security Centre (NCSC) has recently put together a free training package for small and medium-sized organisations which is quick and easy to use.

Spending a little time on cybersecurity training now could save your business from significant financial and reputational damage later on.

Will Evans, Director, Performance Networks
