The construction industry has faced a number of major challenges over the last few years, from site closures in lockdown to material supply shortages, increased materials costs and even labour shortages due to Brexit immigration changes.

While the construction industry is getting back to business, there is another battle to overcome.

Specifically, cyberattacks are a constant concern for businesses across all industries and with the construction industry becoming more digitalised, the risks are increasing.

Digital technologies are driving many efficiencies and benefits to the construction industry, from software to collaborate on projects online to using smart equipment, even digital contract approval and payment services. These benefits are helping construction companies to reduce costs and increase productivity, but the cybersecurity risks cannot be ignored.

A Forrester survey revealed that over 75% of respondents in the construction, engineering and infrastructure industries were victims of a cyber incident in the last year. It’s a staggering statistic, and the consequences of such an attack can be significant also. Cyber incidents can vary from minor inconvenience to significant financial, not to mention reputational damage.

Construction companies can be fined and sued if they are found to be non-compliant with data security regulations, as well as risking a PR disaster if the incident is publicised.

Therefore, it is crucial for construction companies to prioritise their cybersecurity strategy to keep their company, clients and suppliers protected from the growing list of cyber risks.

But what are the main vulnerabilities that the construction industry face? How can they reduce their risk? Join us as we share everything you need to know.

What vulnerabilities exist in the construction sector?

Ransomware

Companies have become reliant on the data they collect and store, and where there’s data there’s value for cybercriminals. As such, ransomware attacks are becoming increasingly frequent in the sector, and pose a real threat to continuity for construction companies.

Put simply, ransomware attacks lock data and systems behind strong encryption and demand payment in turn for returning control of the data. Often, these attacks begin with a simple phishing email and a compromised file download.

Social engineering

Social engineering attacks are another high-risk form of a cyberattack; this usually involves hackers impersonating a person, such as a company executive, in order to trick the targeted person into sharing data. These types of attacks prey on well-meaning employees, exposing the vulnerabilities inherent in organisations.

The hacker might send a very realistic looking email with an email address that looks legitimate. In the employee’s eagerness to provide the executive with the requested information, the employee may not follow the data security policies that they would usually follow.

Malware and viruses

Viruses and malware attacks are an all-too-common risk to construction companies, despite the adoption of antivirus software.

Viruses and malware come in many different forms. Check out our complete guide to malware and viruses here.

Reducing cyber risks in the construction industry

Reducing risk requires a multifaceted and holistic approach. A comprehensive cybersecurity strategy must be developed to give your company as much protection as possible. Of course, this should include hardware and software protection solutions.

However, these alone won’t protect you from attack, especially with 90% of breaches occurring as a result of human error.

That’s why employee cybersecurity training is so crucial, and why developing a culture of awareness and accountability is required for organisations of all sizes, and in all sectors.

At Bob’s Business, we build brilliantly effective training programmes for all employees, reducing your risk of breach. Your employees will develop the tools they need to protect themselves and your business.

Click here to learn more about our products, or click here for a demo with a member of our team.

There’s no denying that, in virtually every sector, digital technologies and transformation have enabled companies to be more connected, reliable and sustainable.

Technology provides efficiency-driving benefits such as artificial intelligence and big data, helping companies improve processes, reduce costs and boost the quality of services provided to customers. Indeed, digital technologies have provided automation opportunities alongside significant performance improvements across the industry.

However, due to the digitalisation of energy systems, the risk of cyberattacks has increased significantly; as a result, the energy sector today is a prime target for cybercriminals. Research from Hornet Security revealed that 16% of all worldwide cyberattacks in 2019 targeted the energy sector, making it the top targeted industry.

Recent examples of cybersecurity incidents aren’t hard to find. Take the 2021 attack on the Colonial Pipeline fuel supply network, for example.

The Colonial Pipeline attack saw critical data held to ransom, causing a state of emergency to be called across numerous states. Hackers gathered a single password purchased from the dark web. The vulnerability was attributed to employees being able to remotely access the company’s computer network, and ultimately cost the company millions of dollars.

Energy is one of the most vital systems that households and businesses rely on; this means any risk to energy companies is a risk to human health & safety, in addition to the economy. The disruption caused by past cyberattacks has been severe; however, the frequency and scale of incidents are increasing, with hackers exploiting not only system vulnerabilities but human errors too.

Therefore, it is highly important that energy companies have adequate cybersecurity measures in place, which protect their company and continue to provide essential services to the customers who rely on the energy they provide.

How can energy companies mitigate their risk of cyberattacks

There are several solutions that can reduce the risk of cyberattacks, including:

• Strengthen cybersecurity systems by investing in improved technology solutions.
• Establish a strong cyber incident response policy with collaboration across the industry.
• Restrict remote access to critical company systems.
• Employ cybersecurity experts to develop a highly effective cybersecurity strategy.
• Provide high-quality cybersecurity training to all employees.
• Make a dedicated Information Security Officer a member of the board.

Training your team to reduce your risk

There are many different types of cybersecurity awareness training solutions available for companies who are looking to reduce the risk of successful cyberattacks.

While there’s an increasing acknowledgement towards the importance of cybersecurity awareness training in the energy sector, the quality of that training can vary significantly.

Specifically, the many tick-box compliance training solutions offer broad course catalogues, but do little to positively change behaviours. The problem is twofold: dry, dull content and training that doesn’t address the weaknesses within your organisation.

At Bob’s Business, we provide online training solutions that develop cultures of cybersecurity aware employees who demonstrate behaviours to keep their company protected. From award-winning phishing simulations to NCSC-certified courses that utilise relatable characters and narratives, cybersecurity training courses from Bob’s Business are more effective than the alternative options.

Find out more about how cybersecurity awareness training from Bob’s Business can protect your energy company from cyberattacks.

It might not be stealing the headlines in the evening news, but the truth is that the UK’s public sector is at high risk of data breaches and cyberattacks.

The reason is simple, the public sector stores extensive amounts of sensitive information that cybercriminals can use for financial and political gains. Research shows that around 11% of cybersecurity incidents involve the public sector, and a fifth of UK public sector organisations reported over 1,000 cyberattacks in 2019.

While other sectors generally invest more heavily in new technology and updating systems, this is an area where the public sector has lagged traditionally.

Put bluntly, IT infrastructure in the public sector is renowned for being outdated, with organisations facing significant challenges in digital transformation due to the large cost and potential disruption. However, there are far greater threats facing the public sector. Join us as we share five key threats 👇

Five key cybersecurity threats faced by the public sector

1. Lack of investment in new technology leaves outdated systems more vulnerable to cyber threats. Older technology usually has more weaknesses that bad actors can take advantage of.
2. The increasing risk of ransomware is a big problem for public sector organisations. The WannaCry ransomware attack in 2017 cost the NHS £92 million, with over 19,000 appointments getting cancelled. Hackers target critical systems such as healthcare, as they know they are more likely to receive a payment.
3. More sophisticated phishing attacks are another major issue affecting the public sector. Typically arriving in the form of an email, text or phone call, these scams have increased since the pandemic, with many attacks utilising urgency and fear to encourage thoughtless clicks. Just one click can give access to the entire network, from there, stealing crucial data is a simple task.
4. Homeworking has also presented cyber criminals with opportunities to penetrate organisations’ systems due to inadequate cybersecurity. Using home internet connections is less secure than office systems, and there are other security weaknesses using home equipment.
5. Human error is one of the top reasons for organisations experiencing a data breach. Criminals exploit employees’ human nature in several ways from phishing, as mentioned earlier, to attacks which rely on your team trusting an individual entering your premises is meant to be there.

How to protect your public sector organisation from cyberattacks

One of the obvious solutions is investing more money in updating legacy systems and installing improved cybersecurity technology. However, this is not always a possible option with limited budgets to work to.

Ensuring that there is an adequate security framework for homeworking should be a top priority, if employees are working from their home office and other remote locations.

Access management should be restricted to ensure that only the necessary employees are given access to the systems they need and have the appropriate access levels.

Perhaps most importantly, to protect your public sector organisation you must have adequate training programmes to empower employees to protect your organisation. Not all compliance training will help prevent cyber attacks successfully, however, because generic tick-box training does little to actually alter behaviours.

Bob’s Business provides a unique and effective approach to cybersecurity training by making truly engaging training content. With our storytelling-first approach, we help to develop a culture of employees who demonstrate high levels of cybersecurity awareness.

Click here to learn more about our training solutions.

Digital banking has seen meteoric growth since its introduction in 2007, growing year on year to reach its current peak – where 80% of bank account holders access their accounts at least partially online.

Indeed, it’s predicted that living with the COVID-19 pandemic will have further accelerated online banking adoption for many consumers.

The reasons for its widespread adoption are clear – digital banking has always offered convenience when it comes to checking balances, making transfers and managing accounts whilst on the go.

However, a large proportion of consumers have previously been reluctant to use digital banking, for reasons such as lacking the appropriate technology, skills, or simply preferring to stick with what they know and trust.

The pandemic not only increased the urgency to use digital banking on the consumer end, but also forced banks to look closely at their investment levels in those digital solutions in order to provide consumers with amazing experiences.

Where there are financial transactions, however, there are criminals looking to profit, and that’s certainly true when it comes to digital banking.

What are the cybersecurity risks in digital banking?

Although there are so many benefits to digital banking, for both the bank and the consumer, there is one major negative: the increased cybersecurity risks. The finance industry is a top target for cyberattacks due to the information they process, not to mention financial systems that can be illegitimately accessed to steal money.

As account holders are using mobile devices, websites, apps and public internet connections to access their online bank account, these entrypoints provide weaknesses for hackers to exploit.

Which? recently analysed 15 banks and building societies’ online banking and mobile app banking platforms, and found “worrying security flaws”. These included insufficient password policies and the lack of two-factor authentication for critical actions. Some of the banks also lacked adequate software that was able to block dangerous emails.

The financial sector has been investing heavily in cybersecurity, with developments for enhanced cybersecurity tools being introduced on a regular basis to protect systems from hackers.

As well as making changes to improve their online security processes and tools, another important aspect of protecting the digital banking sector from cyberattacks is to implement a stronger cybersecurity training programme.

Many companies in the financial sector roll out “off-the-shelf” compliance training courses. Unfortunately, these courses fail to deliver the key outcomes that are required to develop a culture of cyber awareness among employees

Traditional compliance training is typically dull and disengaging, with employees not developing the required behaviours that will help protect the bank from attacks such as phishing emails in the future.

Bob’s Business provides a unique approach to online training by providing engaging courses and interactive phishing simulations. Our training helps to change employee behaviour, rather than simply providing generic information and tick-box questions. Our courses can also be tailored to suit the specific organisation, in order to target any weaknesses that the organisation has.

Find out more about Bob’s Business cybersecurity awareness training and boost your digital banking cybersecurity today.

It isn’t news to CISOs, but the frequency at which cyberattacks are happening is alarming, to say the least. It’s a situation that has led to an arms race of sorts, with both sides continually ramping up their capabilities in a bid to either breach or protect an organisation.

Despite a growing understanding in businesses towards the importance of educating and informing employees about cybersecurity, the solutions businesses often implement are rarely the most effective options.

Rather than forcing employees to complete formal, often monotonous training courses, it is far more effective for businesses to focus on developing a culture of cybersecurity. As a CISO, the responsibility for developing the strategies required to develop and sustain a culture of cybersecurity starts with you.

These are some of the key considerations and steps required when developing the framework:

Ensure that strategic objectives are clear

Before you start planning your culture change strategy, the first step is to ensure that the strategic objectives are clear. You need to define precisely what your company wants to achieve by developing a cybersecurity culture, and what value you expect to gain from the work involved.

Creating a mission statement will help to communicate the objective across your company, while at the same time building a greater understanding of what you are looking to achieve.

Analyse the existing culture

Once you have defined your strategic objectives, the next step is to analyse the existing state of culture to see which areas need to be addressed.

This process should identify the biggest cybersecurity risks using human risk analysis. You will probably have 5 or 6 risks that you will need to improve upon through methods such as training, workshops, and focus groups.

At Bob’s Business, we analyse your existing culture through our Human Vulnerability Assessment, which uses a Phishing Baseline and Awareness Questionnaire to determine your organisation’s blind spots; from here, we create your tailored course and optimal implementation strategy.

Design a culture change strategy

Using the data you have collated, you can now design a strategy that targets the areas of weakness and drive improvements in each area.

The action plans should include defining key stakeholders to provide support, in addition to outlining the training solutions necessary to deliver the required outcomes. You also need to incorporate ways of measuring the progress and success of each action.

Implement the culture change strategy

Implementing the culture change strategy will involve rolling out the strategy across the full organisation, using stakeholders and focus groups for support and developing communications to update the rest of the business.

Delivery of the required training programme is a vital element of implementing the culture change strategy, alongside implementing the other actions that target the areas of weakness.

Continually review and improve the culture

Once the culture change strategy has been implemented, regular reviews should take place. New vulnerabilities are always emerging, these must be identified in order to ensure that progress continues to be made towards improving the cybersecurity culture.

Where necessary, new actions should be planned to ensure that the right areas are being addressed, in order to keep the business as well protected as possible from cyberattacks.

If you are a CISO looking for the right cybersecurity training solutions to enable you to execute your culture change strategy, learn more about Bob’s Culture and the unique approach that delivers incredible training outcomes for organisations just like yours.

Hands up if you’ve ever suffered through workplace training that feels like it was designed for somebody else. I’m willing to bet there’s more than a few of you out there.

Traditional training approaches for topics such as cybersecurity tend to be of a ‘one-size-fits-all’ variety, with little to no consideration towards the requirements of the organisation they’re deployed within. While one set of courses might be required for employees at one company, that same training may be totally unnecessary at another company.

It’s a situation made worse by the importance of cybersecurity training for organisations of all sizes. Weaknesses in their training programme can cause significant problems for businesses. With cyberattacks happening on an increasingly regular basis (up 50% in 2021!), having the most effective cybersecurity training approach can be the deciding factor in whether a major cyberattack is successful or not.

Your organisation is unique, it has different weak spots and vulnerabilities depending on industry and infrastructure. You may have legacy systems that are more likely to have security weaknesses or a high turnover of employees – and newer employees lack experience and training in cybersecurity. In fact, many organisations simply have overly complacent staff, placing them at higher risk of breach.

Other weaknesses include the types of technology solutions that an organisation uses, which can increase the likelihood of being targeted by a cyberattack. For example, companies with e-commerce websites offering online card payments have a higher risk of being targeted as they handle financial data.

As you would imagine, these organisations benefit greatly from our comprehensive PCI-DSS compliance training while people working for the government need more training in areas such as email etiquette.

How Bob’s Business tailors training to your organisation

At Bob’s Business, we believe that training is more than just a box to tick. We believe that a good training programme should build a positive cybersecurity culture that actively protects your organisation from the 90% of breaches that occur as a result of human error.

WIth Bob’s Culture, we deploy our proprietary Human Vulnerability Assessment to make our training as tailored and relevant to your organisation as possible. It’s why Bob’s Culture revolutionises cybersecurity training and, along with our uniquely engaging and entertaining content, why we have industry-high engagement rates.

The Human Vulnerability Assessment uses a Phishing Baseline and Awareness Questionnaire to determine where the weaknesses are within your organisation; your training programme is then tailored around these insights. An organisational analysis call is also arranged, with the relevant personnel, to ensure an in-depth understanding of your organisation and its unique requirements.

This information is then used to develop a more effective training approach that is bespoke to your organisation and will boost cybersecurity protection, through empowered employees who have learnt how they can become the tip of the spear in your organisation’s defence against cyberattacks.

Find out more about how Bob’s Culture can help your organisation to strengthen the specific areas of weakness that cyberattackers will be looking to expose, and turn your employees into the first line of defence.

While it’s true that businesses are more aware than ever that they need to train their teams on cybersecurity awareness, getting teams on board with the idea is often where the challenges begin.

Quite simply, many employees are not motivated to do mandatory compliance training. Completing standard training courses on topics that are traditionally considered to be boring, such as data protection and security, can feel like a chore. As a result, employees will often try to avoid doing the training as long as possible.

When they do finally complete the training, usually after getting reminders and warnings, they complete it as quickly as possible; this means the information is not fully retained because the employee is so disengaged.

In these training scenarios, the business is merely ticking a box to say that the employee has completed the necessary training, which will satisfy the regulators, but the benefits to the business are lost.

For example, this approach to training does not help to develop a culture of employees who are security-aware and behave in ways that protect the business. With cyberattacks being a continued threat to many organisations, no matter the size or industry, an effective cybersecurity training strategy is essential.

But how do you boost employee engagement in your security awareness programme? Read on to find out.

How to boost engagement in security awareness

To make cybersecurity training more engaging, there are a number of best practices you should implement:

Use interactive training

At the core of most training programme failures, is the content you serve up to your team. Put bluntly, the world of cybersecurity training is littered with dull, dry and dreary training courses.

If you want your teams to actively engage in their training, then you should choose a provider who places their emphasis on creating entertaining content that your teams actually want to take. Storytelling, animations and interactive elements all boost engagement in security awareness training, which help embed lessons and positive behaviours in your team.

Keep your training short and actionable

There’s no requirement for cybersecurity training to last an hour at a time, and yet, much of the available training does. Your teams are busy and will typically prioritise their workloads overtraining, especially if the latter is going to take up too much of their time.

So, when delivering your training, prioritise finding a training partner that utilises short-form content with a focus on simple, actionable advice. Using a mix of content, such as a short bit of video and some interactive slides, is far more engaging than a long set of slides without any animation.

Use humour

Cybersecurity can often feel like an overly dry and serious topic, this means traditional training content often contains formal language and a serious tone. However, using humour within training content helps to boost engagement and keep employees coming back for more.

Use incentives and gamification

Incorporating games and puzzles into training courses, known as gamification, is a highly successful way of creating more engaging training content. Employees have more fun and enjoy working towards incentives, such as collecting points, in the same way, video games are enjoyed due to the accomplishment of getting to a new level or high score.

Bob’s Compliance and Bob’s Culture training packages incorporate fully gamified learning experiences that are built around the principles of experiential learning. Our new ‘Hook, Line and Sinker: The Game’ course helps employees to develop behaviours that will prevent phishing, smishing and vishing attacks, through engaging games and activities.

If you are looking for a way to increase employee engagement with your security awareness programme, get to know our products now.

It goes without saying but, if your business is targeted with a cyberattack, it could cause catastrophic damage. A glance at the morning news will tell you as much.

There are severe consequences for those who fall victim, from financial losses, disruption in productivity, and reputational damage to investigations from regulators. Unfortunately, cyberattacks have become a common occurrence for businesses of all sizes – with two in five UK firms experiencing cybersecurity breaches in the last 12 months.

Some sectors, however, are at greater risk than others. Today, we’re going to share with you the critical statistics around retail’s cybersecurity threat.

Why is retail at risk?

The eCommerce sector has experienced significant growth in recent years, with global eCommerce growth reaching 25.7% in 2020, mainly attributed to the pandemic. Due to the increase in people using eCommerce websites to make online purchases, there is more data, more businesses, and more people for hackers to target than ever before.

Retail is one of the most vulnerable industries due to the high volume of private financial information transferred when customers purchase products. Even retailers’ customers are at risk because of the card payment details and other sensitive information saved to their accounts. It makes it quicker and easier to pay when you shop online, but don’t be surprised if those details end up in the wrong hands.

In many cases, hackers have been able to access this data and sell it on the dark web or use it for credential stuffing, which involves using the same login details across numerous different sites at once.

What are the most common retail cyberattack methods?

As with any sector, cybercriminals use various attack methods to prise data from retail organisations. However, there are some which are particularly common for retail sector institutions, including:

POS (Point-of-Sale) attacks

These attacks involve using malicious malware that steals card payment details when a customer enters them onto a website or uses a till in a store. Typically occurring due to human error or weak security systems, these attacks can scrape the card data of millions of individuals.

Ransomware attacks

Ransomware attacks have become an all-too-common occurrence for retail sector organisations, with just this week seeing KP Snacks fall victim to an attack that has crippled their manufacturing.

These attacks usually begin with social engineering techniques or phishing emails, which encourage unsuspecting members of your team to install malware. From there, hackers can lock down data and systems until a ransom has been paid to remove the block. This often happens to retailers at times of the year when they are particularly busy, to cause as much damage and pressure to pay as possible.

Phishing attacks

Did you know that 90% of breaches start with a phishing email? With 3.4 billion phishing emails sent per day globally, it’s little wonder that it’s such an effective method of attack.

Phishing attacks work by sending seemingly realistic emails, SMS messages or phone calls which are designed to expose private information, like passwords or banking details.

Oftentimes, it only takes one member of a team to fall victim to such an attack to compromise an entire system, highlighting the need for phishing awareness training within every organisation.

Website application attacks

Retail has changed, and so have the methods by which scammers and criminals attempt to steal from you. Website application attacks are where hackers exploit security vulnerabilities on a retailer’s website. Typically, these occur when access is granted by unsecure passwords or your website is running on outdated software.

What should retailers do to prevent cyberattacks?

As high-value targets for cybercriminals, it’s crucial that retailers approach their cybersecurity protections in a holistic manner.

Both hardware and software solutions have a role to play, from investing in high-quality security software like remote back-up and restoration tools, encryption software, alongside firewalls and other automated malware prevention tools.

However, with 90% of breaches occurring due to human error, the most effective way to protect a business from cyberattacks is to provide high-quality cybersecurity training to employees to help develop an internal culture of security-focused people.

How Bob’s Business helps retail sector organisations

Bob’s Business is a leading cybersecurity awareness training provider that uses innovative e-learning strategies, engaging animations and storytelling to industry-leading engagement rates of over 95%.

Our training solutions help retailers, and a wide range of businesses from other industries, to protect their business by empowering employees with the skills and knowledge to prevent cyberattacks. Find out more about our cybersecurity courses today, and you will receive 50% off your first year with Bob’s Culture.

When it comes to data breaches, the fact of the matter is that it’s a matter of ‘when’, not ‘if’ it happens to your organisation. According to Hiscox, every 19 seconds a business in the UK is hacked, highlighting the seriousness of the threat posed by breaches.

Whilst there are steps you can take to reduce your risk of a breach, like cybersecurity awareness training for your team, the fact remains that no business is immune to human error.

That’s why, when this type of breach occurs, it’s vital that you understand not only how to react, but the steps you can take to further reduce your risk and maintain a positive culture around cybersecurity.

Oftentimes, businesses will react to breaches by investigating and tracing the faults their employees have made that compromised security. It is not uncommon for employees to receive punishment for their actions, even though they may be completely unaware that they have put the business at risk. Punishments can vary from a meeting with a manager to discuss the incident, to receiving a formal warning or even dismissal.

However, this type of reaction is not only ineffective at preventing future incidents, it can be actively harmful to the cyber health of your organisation.

The most effective way to combat future cyberattacks? Utilise positive reinforcement to educate every employee in your team. Don’t believe us? Join us as we share everything you need to know about positive reinforcement.

What is the positive reinforcement theory?

The positive reinforcement theory was introduced by psychologist B.F. Skinner in 1938, involving the use of a reinforcing stimulus following a behaviour, in order to increase the likelihood of that behaviour happening again.

It’s an inherently intuitive theory, one that suggests praising positive behaviours helps to lock them in as standard behaviours in the future.

However, the theory also suggests that taking a non-punitive approach to mistakes is the most effective way of reducing them – especially in cases when correcting a simple mistake, rather than intentionally harmful actions.

How can the positive reinforcement theory be used to prevent cyberattacks?

At the core of your cybersecurity protections should always be your staff. They’re the most important defence your organisation has, and so it’s imperative that you create a culture where making mistakes isn’t the end of the world.

Fear of repercussions is the leading reason why teams don’t report breaches or suspicious activity. When breaches don’t get reported, they don’t get spotted until it’s too late and the opportunity to correct mistakes passes by.

A positive reinforcement culture within a business means that when a mistake inevitably does occur, that person feels empowered to come forward and discuss it. The case can be shared with the team and even turned into a positive learning experience for everyone. After all, the best lessons are the ones we learn from real life.

How does Bob’s Business incorporate positive reinforcement?

Positive reinforcement is key to Bob’s Business’ training methods. Don’t believe us? Look no further than Bob’s Phishing.

As part of our phishing simulations (included in Bob’s Culture and Bob’s Phishing) employees are sent simulated phishing emails. For those that click the link, they are redirected to one of our Think Before You Click courses. With the only repercussion for their mistake being positive, engaging training, this helps remove the fear and stigma associated with phishing attacks and effectively reduces their risk of clicking in the future.

Our award-winning phishing simulations are a highly effective way to introduce all of the different types of phishing scams that are being used, in order to educate employees on what to look out for. By regularly completing these phishing simulations, your employees think about the legitimacy of the emails they receive and understand what actions they need to take to protect your business.

Ready to learn more? Find out more about how our phishing simulations can reduce your risk of breaches.

It goes without saying, but there are many reasons why companies should try to avoid a high turnover of staff.

From the costs of recruiting and training new staff, to replacing leavers and the disruption caused by loss of expertise: the issues caused by high staff turnover are numerous.

Nevertheless, some industries and job types have a naturally high turnover of staff, and other businesses have internal issues that may cause a higher turnover – such as a disengaged culture or lower pay than competitors.

A high turnover of staff is predominantly seen as an issue for the HR department to deal with. Still, the impact that it has on the overall business is often underestimated. One such area is the loss of knowledge around business processes and cybersecurity.

How high turnover impacts cybersecurity

Every business should be aware of the risk that cybersecurity breaches and, in turn, so should every member of your team.

Cybersecurity awareness training is increasingly commonplace in businesses as they look to limit their vulnerability to security breaches. This training, however, is a defence that is critically weakened by high staff turnover.

More experienced staff will usually have undertaken regular cybersecurity and data protection training. As such, when they go, they take that knowledge with them while new staff entering the business often do so without any cybersecurity awareness training in place.

Without the experience of dealing with attacks like phishing scams, and no chance to read internal communications related to cybersecurity, new starters are a serious gap in your cybersecurity defences, albeit through no fault of their own.

How to mitigate the cyber risk of high staff turnover

Your first goal should always be to, where possible, try to keep your experienced team members from leaving your organisation. In this case, your starting point should be to understand why so many employees want to leave. You can find out this information through staff surveys or interviews when people leave the business.

Should your efforts to reduce staff turnover fail, or you’re in an industry where high turnover of staff is unavoidable, then it’s important that you ensure that staff receive comprehensive, high-quality training from their first day on the job.

Ideally, their training should begin before they join as part of their induction training programme, and they should continue to receive regular security training.

Bob’s Business provides comprehensive cyber awareness training that helps to protect businesses from cyberattacks. We ensure all of your staff, including you, have the required knowledge and skills to handle cyberattacks in a safe, controlled manner.