Cyber security awareness: the first and most important line of protection
When we talk about cyber security, we almost always focus on the newest technology available to combat cyber security risks and threats. Companies focus so much on protecting hardware and software against cyber threats that they forget about securing processes and, most importantly, providing adequate training for the people involved in cyber security.
While a good cyber security awareness training programme and campaign alone will not ensure adequate protection against cyber security threats, it is possibly the most important part of any cyber security prevention approach. Research from the 2014 US State of Cybercrime Survey by PricewaterhouseCoopers has shown that companies with an awareness training strategy have significantly lower losses when a cyber-related event happens than those who do not train their staff.
Cyber security is not just an IT problem, but a business problem. Awareness training is not just for IT personnel but for all employees who have access to a computer and the Internet. The focus and specialty of awareness training need to be tailored to each employee's function and their role within an organisation. To be effective, cyber security needs to be part of an organisation's culture. If it is just a checkbox approach, where employees don't understand what it is about and why it matters, it will surely be ineffective.
Both the recent Equifax breach (145 million US consumers' records) and the SA Master Deeds Leak (30 million South Africans' ID numbers at the time of writing) were caused by human error: Equifax did not patch a vulnerability relating to their Apache servers for two months, while in the case of the SA Master Deeds Leak, the back-up was published on a public-facing server (see here for the whole process). Cyber awareness might not have stopped both these incidents, but they do show that the biggest vulnerability is the human aspect.
The combined cost of hardware, software, and policies for cyber security can easily be over a million rand per annum for a medium-sized company, but this can be meaningless expenditure if the end users in your organisation are not properly trained to enforce and apply cyber security principles and good practices. Awareness training will provide your organisation with the best value-for-money solution in the fight against cyber threats.
The benefits of cyber security awareness training are immense; the following list highlights some of the more important ones:
* Less exposure to cyber security related risks;
* Lower costs due to both the lower frequency of cyber-related loss-incidents and the severity of those incidents;
* Lower costs associated with cyber security insurance premiums;
* Saving time, as a lot of time is wasted after cyber security incidents, both in finding out what happened and in possibly having to redo the affected work;
* Market edge over your business competition, as public knowledge of cyber incidents will negatively affect your business reputation; and
* Positive staff culture regarding cyber and information security.
Not all cyber security awareness training is equal. You should ensure that the training you select for your organisation is suited to your specific needs, your business environment and your level of cyber security maturity.
An effective cyber security awareness programme should have the following attributes:
* It should be focussed on real-life examples, covering both the most common causes and the effects these examples might have;
* The training programme should be based on your own organisation's culture, policies, procedures and perceived threats;
* Each individual needs to understand their role in securing the business's information, the importance of that role and the consequences of their actions;
* The training should cover both the prevention of and the responses to cyber incidents;
* The programme should be easy to understand, not too technical, and should be measurable; and
* The training needs to be updated as new threats emerge and as the business culture and operations change.
Cyber security awareness should be an important part of any organisation's cyber security management strategy. Not only does it address the human weakness factor in your strategy, it also provides immediate protection at an affordable price. To be effective, cyber security awareness training needs to be designed around your organisation, not in isolation. If you or your organisation would like to know more about cyber security awareness training and programmes, you can do so at https://cybersecurityinstitute.co.za/. The Cyber Security Institute delivers South African focused cyber security training, services and solutions.