6 Ways to Promote Effective IT Security in the Workplace

One of the biggest challenges facing Chief Information Security Officers and IT Directors is getting their workforce behind the idea of working in a cyber secure culture. This quick guide will help you drive the key points home and protect your organisation from cyber threats.

IT security is often thought of as a boring subject. That perception causes staff to switch off when essential cyber security practices come up, and leaves your organisation exposed to risks that are easily preventable.

Much of your workforce may fall into the trap of thinking that cyber security doesn’t affect them, when in reality they couldn’t be more wrong. Cyber criminals see staff as the weakest part of an organisation’s defence precisely because people make mistakes. The “Take Five To Stop Fraud” campaign found that only 9% of Britons can spot something fraudulent.

Why should I be promoting a secure work culture?

The answer may seem obvious to anyone working in IT or cyber security, but it is a question we hear a lot when speaking to organisations. Many organisations and individuals still believe they will never fall victim to a cyber attack.

People with this mindset should ask themselves: “What would the consequences be if our organisation suffered a major security breach?”

At surface level, a breach could mean money or sensitive data being stolen from the organisation. You can put a value on stolen money, but sensitive or client information can be priceless. Cyber criminals target data such as financial information, client contracts and employee usernames and passwords, either to ransom it back to the organisation or to leak it to competitors.

Those are just the financial implications of being unprepared for a cyber attack. Other repercussions include severe reputational damage, which erodes customer trust and buying confidence and ultimately hits profits.

In mid-June 2018 Dixons Carphone, one of Europe’s largest consumer electronics retailers and the operator of Currys, PC World and KNOWHOW, admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records.

Although no fraudulent activity had been reported, the breach badly undermined the reputation of Dixons Carphone, and the company reported that profits had plunged 24%.

Organisations, no matter how big or small, are not immune to outside threats and the consequences of not being prepared for them.

What’s the best way to engage employees with cyber security?

So the next question is: what steps can you take to start promoting IT security in the workplace? Here are 6 things you can do to create a cyber secure workplace:

  1. Implement staff training that covers the whole spectrum of cyber security, with a focus on engaging end users
  2. Encourage a culture change by getting employees to talk about cyber security regularly, using bite-sized training courses
  3. Establish a clear process for employees to follow when reporting security incidents and suspected breaches, and reinforce it by integrating your policies into the training
  4. Run your training initiative over an extended period, so that information security stays at the forefront of your workforce’s minds and people feel comfortable reporting incidents rather than distancing themselves from them
  5. Use additional materials around the office to support the campaign, for example posters or desk calendars featuring security tips from the campaign you are running
  6. Include your workforce in discussions about cyber security; they may know somebody who has been affected by cyber crime, which helps hammer home the message that the same vigilance applies in the workplace

If you are looking for cyber security training that integrates with your internal policies, find out more about our Cyber Security Awareness Training eLearning course.

Why Employees Should Have Cyber Security Awareness Training

Times are changing. Gone are the days when our only security concern was making sure that the doors and windows were locked. The rise of technology and the growth of online activity have redefined the way we work, putting not only our personal data at risk but business data too.

We often cling to the belief that a cyber attack would never happen to us, assuming that we won’t be targeted and that, if we were, we would be too tech-savvy to be caught out. Twenty years ago the likelihood of falling victim to a cyber attack was indeed low, yet today barely a day goes by without a cyber-related incident hitting the news headlines.

Cyber security has gone mainstream, but the problem we face is keeping it in the minds of our workforce on a daily basis. Make sure your organisation isn’t featured on the next double-page spread of a newspaper, for the wrong reasons!

Let’s look at some Cyber Security trends:

  • Cyber crime damage costs are forecast to hit £4.35 trillion annually by 2021.
  • The majority of businesses (67%) have spent money on cyber security; the proportion is higher among medium firms (87%) and large firms (91%).
  • £4,590 is the average annual spend on cyber security.
  • More than 4,000 ransomware attacks have occurred every day since the beginning of 2016.
  • 7 out of 10 organisations say their security risk increased significantly in 2017.

What are the purpose and goals of Cyber Security Training?

There is a common misconception that if the right technology is in place, the people using it shouldn’t be an issue. It’s all well and good having the latest antivirus software installed, but one wrong click from an employee can be all it takes to bring the organisation down. The importance of information security awareness training cannot be emphasised enough.

With 46% of businesses having experienced a cyber breach in the last 12 months, it is no surprise that cyber security training is not only in ever greater demand but increasingly necessary.

It is estimated that almost 90% of data breaches involve human error, and social engineering attacks are only set to grow. With more and more employees connected to the internet and relying on IT to do their jobs, cyber criminals have near-limitless opportunities to exploit the unwary, particularly those with little understanding or awareness of the issue.

The goal of a training programme should not simply be to make employees aware of security threats. Training goals should address the bigger picture: building an information security culture within your organisation, and ensuring employees can be trusted as the frontline defence against incoming attacks.

Training helps break down the growing communication barrier between IT/compliance and end users, protects business-critical information, and reduces the downtime a cyber attack can cause.

Moreover, when organisations seek ISO 27001 certification from an accredited certification body, staff awareness training is one of the things the Information Security Management standard requires: clause 7.3 of ISO/IEC 27001:2013 covers awareness, and control A.7.2.2 covers information security awareness, education and training.

What are the most common cyber security myths?

“Training is costly and eats into my employees’ time.” This is often true of traditional classroom training days, but eLearning is a cost-effective, flexible alternative that minimises staff downtime and lets users complete their training when it suits them.

“I won’t be targeted.” This is simply not true. Anybody can be a target, from an individual to a large organisation to a charity! Attackers have a range of motives, some less obvious than others: a criminal who isn’t interested in money won’t necessarily go after a cash-rich corporation. Other motives include theft of data, reputational damage, or simply causing disruption.

“Technology’s got it covered.” As noted already, having the latest protection software installed on your devices is no guarantee against a cyber attack. One wrong click from an end user is all it takes to leave your information security in the lurch, putting both you and your organisation at risk.

Who’s responsible for cybersecurity?

By reading this blog you have shown an interest in cyber security, and you may feel that the responsibility rests on your shoulders. But who is responsible for it all?

In a recent study, only 29% of businesses had board members with responsibility for cyber security. This simply isn’t good enough. By not educating or training your workforce on cyber security and the issues it raises, you are throwing your employees under the bus; it is only a matter of time before they fall victim to an attack, and the consequences come back to bite YOU.

It’s easy to play the blame game: it was employee X from the sales department who opened the dodgy email that lost all our data, so he’s the one in the firing line. But this shouldn’t be the case!

There is a difference between responsibility and accountability: responsibility can be shared, whereas being accountable means being answerable for the outcome. This applies to cyber security. It is everyone’s responsibility to handle information securely, but not everybody is accountable. Whether it’s the CEO, the Managing Director or the Data Officer, it is critical that somebody within your organisation is accountable for information security.

eLearning is engaged learning

We get it: cyber security is seen as a dry and dull topic that everyone wishes could be swept under the carpet! So how do we engage a workforce on a topic it has no interest in?

The way we learn and absorb information has evolved. Continued advances in technology mean that learning in front of a screen is increasingly popular, as it gives learners greater interactivity, accessibility and convenience.

Why is eLearning effective?

  • Engaging animations

Delivering training through animated modules makes key behaviours and learning points memorable. Scenarios that users can relate to improve retention, supported by jargon-free, easy-to-understand content and bite-sized modules.

  • Accessible and flexible

eLearning is available 24/7, so users can complete modules whenever and wherever it is convenient, in an environment they are comfortable in. If an employee is ill, in a meeting or simply busy, they do not miss out on the training.

  • Consistency

eLearning gives each and every user exactly the same training, delivered through consistent messaging, so the whole organisation is aligned around a shared understanding and awareness of information security in its working environment.

  • Cost and time efficient

According to a recent study, eLearning requires 40-60% less time than classroom training. Delivering training at the user’s desk saves them from travelling halfway across the country to receive it, which saves not only employee work time but also expenses such as accommodation and travel.

  • Improves engagement

We have all sat in a classroom and found ourselves daydreaming at a blank wall. eLearning is a breath of fresh air compared with mundane traditional learning; our modules in particular achieve engagement figures upwards of 80%.

  • Visible results, instant compliance

With eLearning, users can be tested on their understanding as soon as they complete their training, and feedback is immediate, so nobody waits weeks or months to find out whether they need to redo a module or undergo further training.

How we can help

At Bob’s Business, we focus on giving organisations the means to create secure workplace cultures. Through our eLearning modules we aim to provide users with a fun and engaging learning path, without the stress and apathy that traditional learning can bring.

With all this in mind, get in touch today to find out more about how our services and solutions can help your organisation.

Why You Should Be Phishing Your Own Employees

By understanding how users behave, and approaching training exercises from an employee’s perspective rather than an organisational one, you will transform your security strategy.

Today, email is the number one delivery method for ransomware and other malware. A 2015 study by Intel Security revealed that 97% of people around the world were unable to identify a sophisticated phishing email.

What is Phishing?

Phishing is the act of sending emails that pretend to come from reputable companies in order to coax individuals into giving out sensitive information, such as passwords and bank details. The practice dates back to 1996, when attackers broke into America Online (AOL) accounts by scamming passwords from unsuspecting users.

Cyber criminals view people as the weakest link in an organisation’s defence because they are prone to simple mistakes that compromise security. To prevent breaches, you need effective techniques to strengthen the human element of your defences against both internal and external threats.

Internal threats can be accidental, such as unintentionally sending confidential information to the wrong colleague, or deliberate, such as a disgruntled employee intent on stealing confidential data.

External threats include the delivery of malware, such as trojans, viruses and ransomware, through phishing emails sent to the organisation, as well as accidents caused by events beyond the organisation’s control.

At Bob’s Business, we deliver a comprehensive phishing simulation service to help you combat the ever-increasing threat of phishing emails. Education is at the heart of a phishing simulation: the aim is to give employees a well-rounded knowledge of the topic and to introduce simple but practical changes to their daily routines, both in and outside work.

What’s the best way to train employees against phishing threats?

It’s important to understand what makes employees tick when it comes to training and how you can avoid the common pitfalls when rolling out training.

These include tedious course content, organisations considering learning too time-consuming, or employees simply having no desire to learn.

All of this can make it difficult to implement training that develops employee capabilities and understanding. It is also important to set out clear objectives for each training campaign and to ensure that everyone involved understands the process and its benefits.

Some training providers simply send mock phishing emails to the workforce without telling them that a campaign is under way. Employees can take this the wrong way, creating an “us vs them” attitude in which they misread the motivation for the training and believe they are being tested and scrutinised behind their backs.

This misconception can create a long-term division between employees and the organisation, resulting in trust and communication problems.

Our CEO, Melanie Oldham, advises that simulated phishing campaigns should be run transparently, so that management and employees are on the same wavelength. Before the training, employees should be walked through the process and shown how the approach benefits everyone involved. Communication creates trust: making clear to employees that the campaign is designed to educate them about the dangers of phishing, rather than to punish them, builds a trust relationship with each and every employee.

As well as clear communication, Melanie encourages using gamification in a simulated phishing campaign so that employees can earn rewards, giving them a greater incentive to apply themselves to the training.

The initial simulated phishing emails let you identify the weak points in your human firewall: those who fall for them are redirected to a phishing eLearning module. The training helps users understand how phishing emails are sent, what their senders are trying to achieve, and how best to avoid being caught out.

Our OSPA award-winning phishing simulation service, ‘Think Before You Click’, uses the same process. After using the service, some organisations saw their click rates on phishing emails fall by over 75%, considerably reducing the exposure of sensitive data within those organisations.
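To make the process behind those figures concrete, here is an added example (not code from Bob’s Business or the ‘Think Before You Click’ service) showing the bookkeeping of a simulated phishing round: an unguessable per-recipient tracking link, attribution of clicks from a click log back to recipients, the click rate for a round, the percentage reduction between a baseline round and a follow-up, and the list of clickers to enrol in the training module. The host name, the secret, the log line format and the staff list are all assumptions constructed for the example.

```python
"""Phishing-simulation bookkeeping: tracking links, click attribution,
click-rate comparison across rounds, and who to enrol in training.
Added example; host, secret, log format and staff list are assumptions."""
import hmac
import hashlib
from dataclasses import dataclass, field

# Assumed values for the example: rotate the secret per deployment and keep it
# out of source control; the host is a placeholder, not a real training site.
TRACKING_SECRET = b"change-me-per-deployment"
TRACKING_HOST = "https://training.example.invalid"


def tracking_token(campaign_id: str, recipient: str, secret: bytes = TRACKING_SECRET) -> str:
    """Per-campaign, per-recipient token for the tracking link.

    An HMAC over the campaign id and address means the link carries no e-mail
    address, a token cannot be forged without the secret, and the same person
    receives a different token in every round.
    """
    msg = f"{campaign_id}:{recipient.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def tracking_url(campaign_id: str, recipient: str) -> str:
    """Link embedded in the simulated phishing e-mail for this recipient."""
    return f"{TRACKING_HOST}/c/{tracking_token(campaign_id, recipient)}"


@dataclass
class Campaign:
    campaign_id: str
    recipients: list
    tokens: dict = field(init=False)  # token -> recipient, built on creation

    def __post_init__(self) -> None:
        self.tokens = {tracking_token(self.campaign_id, r): r for r in self.recipients}


def attribute_clicks(campaign: Campaign, log_lines: list) -> tuple:
    """Return (recipients who clicked, number of rejected log lines).

    Assumed log format: '<timestamp> /c/<token>'. Lines whose token was never
    issued for this campaign (scanners, typos, forged or last round's links)
    are rejected, so the click rate only reflects real recipients of this round.
    Repeat clicks by one person count once.
    """
    clicked = set()
    rejected = 0
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("/c/"):
            rejected += 1
            continue
        recipient = campaign.tokens.get(parts[1][len("/c/"):])
        if recipient is None:
            rejected += 1
            continue
        clicked.add(recipient)
    return clicked, rejected


def click_rate(campaign: Campaign, clicked: set) -> float:
    """Fraction of the round's recipients who clicked."""
    return len(clicked) / len(campaign.recipients) if campaign.recipients else 0.0


def click_rate_reduction(baseline: float, follow_up: float) -> float:
    """Fractional fall in click rate between rounds (0.75 means 75% lower)."""
    return 0.0 if baseline == 0 else 1.0 - follow_up / baseline


def run_demo() -> dict:
    """Two rounds over a constructed staff list with a constructed click log."""
    staff = [f"user{i}@example.invalid" for i in range(1, 9)]  # constructed
    baseline = Campaign("2018-q2-invoice", staff)
    follow_up = Campaign("2018-q3-parcel", staff)

    def hit(campaign: Campaign, recipient: str, ts: str) -> str:
        return f"{ts} /c/{tracking_token(campaign.campaign_id, recipient)}"

    baseline_log = [  # constructed click-log lines
        hit(baseline, staff[0], "2018-04-02T09:01:10Z"),
        hit(baseline, staff[1], "2018-04-02T09:03:44Z"),
        hit(baseline, staff[1], "2018-04-02T09:03:50Z"),   # repeat click, counted once
        hit(baseline, staff[4], "2018-04-02T10:12:07Z"),
        hit(baseline, staff[6], "2018-04-02T11:40:31Z"),
        "2018-04-02T12:00:00Z /c/deadbeefdeadbeefdeadbeefdeadbeef",  # forged token
        hit(follow_up, staff[2], "2018-04-02T12:05:00Z"),   # token from the wrong round
    ]
    follow_up_log = [hit(follow_up, staff[4], "2018-07-09T08:55:02Z")]

    b_clicked, b_rejected = attribute_clicks(baseline, baseline_log)
    f_clicked, _ = attribute_clicks(follow_up, follow_up_log)
    b_rate = click_rate(baseline, b_clicked)
    f_rate = click_rate(follow_up, f_clicked)
    return {
        "baseline_rate": b_rate,                  # 4 of 8 clicked
        "follow_up_rate": f_rate,                 # 1 of 8 clicked
        "reduction": click_rate_reduction(b_rate, f_rate),
        "rejected": b_rejected,
        "enrol_in_training": sorted(b_clicked),   # who gets the phishing module
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points matter in practice. The token is an HMAC rather than the address or a sequential id, so the link reveals nothing about the recipient, cannot be enumerated to inflate someone else’s click count, and changes between rounds; tokens that were never issued for the round (forged, mistyped, or left over from a previous round) are discarded rather than counted, so the rate reflects only the people who actually received that email. Eight recipients is fine for a demonstration, but percentage changes like the 75% above are only meaningful on groups large enough that one or two clicks do not swing the figure.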

‘Think Before You Click’ has received positive feedback from both organisations and their end users. For one client, 22,370 staff completed the animated learning module, which received an approval rate of 80% (with 52% of staff giving an approval score of 100%) despite not being mandatory. This shows that the approach is beneficial, educational and positive for both the organisation and the employee.

Phishing employees in a controlled environment carries a multitude of benefits. The campaigns reveal vulnerabilities, show where training resources should be directed, and ensure that employees are equipped to deal with internal and external threats.

Your workforce is the human firewall protecting your organisation. Testing it for weaknesses and helping to build strong, secure foundations is an essential part of keeping security tight.

Ask yourself: would you rather an employee be caught out by a controlled training exercise, or fall hook, line and sinker for a real phishing scam?

Click here to find out more about our award-winning phishing simulation service and how it can help you improve the human firewall in your organisation.

The Bob’s Business Infosecurity Europe Review

Infosecurity Europe is one of the biggest cyber security conferences in the world, and every year it comes to London to celebrate the best that the cyber security and technology sector has to offer. Bob’s Business made its 7th appearance at the event, which is hosted at Olympia London over 3 days.

The event brought many established industry leaders and decision-makers to the capital, and we were privileged to meet old and new friends while hosting our stand, conducting live demonstrations and providing in-depth advice about our cyber security and GDPR training modules.

Bob’s Business at Infosec 2018

Ross Black, Business Development Manager at Bob’s Business, said: “This was my first time attending Infosecurity Europe and I was extremely impressed with what the show had to offer”.

“Having started in January this was my first experience of Infosec. It was great to meet lots of cyber security and IT professionals and discuss how we can help them build a more security-conscious workforce through our engaging and vibrant cyber security and GDPR eLearning courses.”

This year, Bob’s Business gave visitors the opportunity to win a range of prizes using their intellect and skill. The booth ran a ‘Crack the Safe’ competition, giving visitors the chance to crack the safe’s combination and win prizes worth over £1000, including Amazon Echo Dots, Virtoba virtual reality headsets and Lego London sets. Across the 3 days, over 30 visitors cracked the safe and won prizes.

The Bob’s Business Rebrand

We also launched the Bob’s Business rebrand at Infosecurity 2018, revealing our new look to the industry. It received fantastic praise, with many commenting on the modern look that appeals to clients old and new. The rebrand is intended to help the business be both professional and quirky, a combination it values as helping it stand out in today’s market.

Infosecurity Strategy Workshops

On day 2 of the exhibition Bob’s Business took centre stage, as our CEO, Melanie Oldham, gave a presentation in the Strategy Talks section on positive ways for Chief Security Officers and senior technical staff to train employees to be more aware of phishing emails and attacks, using the Bob’s Business ‘Think Before You Click’ phishing simulations.

Melanie took the audience through examples of successful phishing simulations and training that Bob’s Business has delivered and the positive impact they have had on organisations, with some campaigns seeing up to a 75% reduction in click rates on phishing emails.

Lowering click rates substantially reduces the chance that an attacker gets in through a high-risk individual, as people learn from their own mistakes quickly and come to understand the consequences of engaging with phishing emails. If you’re interested in finding out more about our phishing simulations and training, you can find out more about the Bob’s Business ‘Think Before You Click’ programme here.

How to Run Successful Phishing Awareness Training

After the presentation, Melanie commented: “It’s great to have had the opportunity to speak at such a great event. Being able to share my knowledge, experience and passion for cyber security with so many people is a real pleasure.”

“This year’s Infosecurity Europe has been a massive success for Bob’s Business. We had lots of people visit our stand who were very interested in our cyber security and GDPR courses.”

“It was also really exciting to unveil our new look to visitors, many of whom really liked our refreshed modern branding.”

Melanie’s presentation offered 5 key takeaways on how to run a phishing awareness campaign that helps your organisation learn and respond appropriately to suspected phishing:

  • Keep the training simple
  • Human issues need to be addressed with humanity
  • Don’t underestimate the significance of compassion
  • Encourage open, honest and transparent communications
  • Break down barriers to build trust

After the success of this year’s Infosecurity Europe we’re already looking forward to next year’s event, and we hope to see you there too!