Why you need to train your staff to be cyber safe
One of the challenges facing businesses in the post-pandemic era is how to ensure remote workers can safely access the corporate network without creating a cybersecurity risk. Allowing employees to use personal devices or insecure home wi-fi connections to access sensitive company data creates potential weak spots for unscrupulous cyber criminals to target. In fact, according to Europol, cyberattacks have been trending upward since the beginning of the pandemic, as criminals exploited Covid-19 to target vulnerable businesses.
Given the significant costs and reputational damage that can result from a successful cyber theft or ransomware attack, cybersecurity must become a top business priority.
Thankfully, cybersecurity is a bright spot in the UK economy. A recent government report found that the sector is worth £8.9bn, employs nearly 50,000 people, and attracted record investment of £800m in 2020 despite the pandemic. Globally, the cybersecurity market is valued at $167bn and is predicted to grow by 10% a year.
Today, cybersecurity is not only crucial to protecting UK businesses, but it is also a source of economic growth at a time when the economy is struggling to recover from the pandemic. Given this important role, ensuring the sector has access to a sufficient supply of skilled labour is essential to maintain this growth. But what skills are needed to enter the UK cybersecurity industry? As well as technical skills, professionals need to understand the human element of security, explains Craig Hill, head of business technology at Avado.
“Cybersecurity is so much more than it used to be. Gone are the days of being able to identify someone from the way they look or the fact they have exceptional computer skills,” he tells City A.M. “In the modern world, we no longer have a single attack point, system or threat we can defend. I think it is invaluable to have someone open to the full picture; someone who can recognise that a threat is not just about whizzy technology, but that humans are both the strength and the weakness in many systems.”
Unfortunately, there have been a few mis-steps in attracting people to the sector. For instance, the UK government scrapped a campaign encouraging people to retrain last year after one of the adverts – which suggested a ballet dancer’s next career could be “in cyber” – was heavily criticised.
So what is being done to ensure there is a sufficient talent pipeline to create the skilled cybersecurity professionals the industry needs?
The next generation
One organisation that recognises the importance of addressing this challenge is the National Cyber Security Centre (NCSC).
“The UK cybersecurity sector is a strong and growing industry, and the sector plays a key role in developing the capabilities that keep UK individuals and organisations safe online,” says Chris Ensor, Deputy Director for Cyber Skills and Growth, NCSC. “More broadly, maintaining and improving the UK’s cyber resilience is key to limiting the harm cyber attacks inflict on the UK economy.”
As well as giving cybersecurity support and guidance to the private and public sector, the NCSC is attempting to inspire the next generation of cyber professionals to ensure the industry is served by a large talent pool. It offers bursaries to students and organises training courses and boot camps across the country to teach cybersecurity skills and encourage young people to join the industry — and it is seeing positive results. For instance, the NCSC saw record numbers of teenagers attending its summer boot camp this year, with over 1,850 teenagers joining in its popular CyberFirst courses. This is the second year in a row that saw record participation, with courses moving online for the first time in 2020.
The NCSC’s CyberFirst programme aims to identify and nurture talented young people for jobs in cybersecurity. It also wants to tackle the lack of gender diversity within the sector and in technology in general, so many of its CyberFirst activities are focused on encouraging girls to consider a cybersecurity career: so far, more than 55,000 teenagers have participated in its CyberFirst Girls Competition.
As well as these training courses, the NCSC has created a school certification programme: the CyberFirst Schools initiative recognises schools whose approach to cybersecurity education is excellent with Gold, Silver and Bronze awards. In September, the NCSC announced that a further 16 schools and colleges had achieved recognition for excellence in cyber education.
“These awards signal to businesses and our industry partners that these are good schools for cyber education, and that if you’re looking for cyber talent or you want to work with schools, these are great places to get involved with,” explains Ensor.
These interventions into the school system are essential to ensure that enough people are coming out of education and are ready to join the industry, without businesses having to do additional training on top.
“This is our immediate solution to fixing the talent pipeline,” Ensor adds. “It’s getting those students through and out into industry, and of those who have graduated over the last four years, about 82% had jobs lined up before leaving, thanks to a lot of industry partners who are taking them on.”
Human error
However, while creating trained cybersecurity professionals is a priority, there is also the need to train everyday workers in digital literacy skills so they can recognise cyber threats. In fact, the government has set an objective to raise the standards of cybersecurity awareness and skills across the population. Making sure ordinary people have the digital skills necessary to keep themselves safe while online is important not just for their own wellbeing, but also so that workers do not expose their employer’s sensitive data to cybercriminals.
“This should be a priority, because the great majority of cyber breaches are down not to a failure of technology but to human error,” says Simon Hepburn, CEO of the UK Cyber Security Council.
“For instance, ordinary people doing something very avoidable, often as basic as not checking an external email address, opening a link in an email that they shouldn’t have, writing their password down, using the same password for multiple logins, not locking their screen when they’re away from their desk, or being rushed by someone to do something without thinking it through.”
It is therefore important for businesses to invest in training their staff to be safe online and aware of potential threats, as the range of potential attack vectors in today’s digital world is staggering.
“A common mistake is separating work from life,” says Avado’s Craig Hill. “When it comes to living in a digital world we have to understand the two are linked. A password used for both home and work is a disaster waiting to happen: you break one and you get access to the other. It is essential to understand the principle that all computing devices exist in a hostile environment. We should absolutely not be afraid – the digital world offers so much – but we do need to understand that we are a part of that world, even if you think you aren’t.
“We also need to remove the idea that security and digital literacy is only for professionals and digital experts. Unintuitively, being digitally literate is about being human.”
According to Hepburn, the key skills that employees should be taught are to follow the company’s security policies and procedures, and to take a few seconds to stop and think before clicking on a suspicious link.
“The bare minimum training and upskilling that businesses need to do is to invest in educating all staff of the most common pitfalls, and to do regular checks and refreshers, because the nature of threats changes,” he adds.
“You’d hope that such investment was happening uniformly – but the evidence is that investment in cyber skills can still be very patchy, perhaps because it’s still wrongly seen as a cost and not an investment.”
Another reason to invest in equipping staff with cyber awareness skills and improving digital literacy is that the potential costs of not doing so are steep. For instance, the consequences of failing to comply with the UK General Data Protection Regulation include a maximum fine of £17.5 million or 4% of annual global turnover (whichever is greater). Meanwhile, the costs related to a successful ransomware attack, including downtime, lost opportunity and damage to devices and networks, amount to more than $700,000 on average, according to the security provider Sophos.
Given these risks, how should companies train their staff to be safer online?
“The first is to do it little and often in digestible chunks, and preferably via a variety of means such as online training, in-person training, email reminders, and so on,” advises Hepburn.
“The second element is to make training materials relevant: use stories of attacks that have happened to your own organisation, or thefts of laptops from your company vans. It tends to really clarify the threat. And don’t forget to run simulated attacks, to measure how much has sunk in.”
While governments around the world are acting to counter cyber threats, businesses will need help from the cybersecurity industry to plug the gaps in their defences. As well as investing in the right technology, a crucial element of that defence will be to train their workers to act safely online and avoid the common human errors that can cause a cyber breach. After a year spent dealing with the novel coronavirus, no one wants to deal with its digital equivalent.