Calls for cyber training to be part of staff inductions

According to the broker, cyber training is as important to new starters – if not more so - as other instructions they might receive on their first day, such as how to set the burglar alarm or lock window grilles.

Ascend Broking believes British businesses have still not grasped the full cost of cyber theft, as opposed to physical theft and that this is due to the intangible nature of cyber crime. For this reason, only around 60% of businesses offer any form of cyber training to staff.

On this basis, Ascend suggests that only a tiny proportion probably offer any form of cyber training within an initial staff induction, yet most would be happy for an employee to take to a networked computer or device, almost immediately, despite the ever-present threat of e-mailed malware links and phishing attempts.  

In the 12 months to March 2021, 65% of medium-sized businesses, and 64% of large ones, suffered cyber attacks, suffering significant financial losses and down-time, or even worse. A report by insurer Hiscox into cyber crime in 2020 showed one-in-six of those targeted felt the attack had threatened their business’s viability. With attacks come associated issues such as operational disruption, damaged reputation, possible GDPR fines, low morale, lost orders and loss of staff confidence.

In addition, Hiscox found that 28% of businesses that suffered attacks were targeted more than five times during the year, so the misery can be repeated again and again.

“Nine out of ten thefts are now cyber related, but still the majority of businesses do not have adequate cyber insurance coverage,” said Ascend’s Managing Director, Matthew Collins (pictured). “A UK Government survey estimated that in 2020, 61% of large corporations and 31% of small businesses suffered a cyber breach. The average cost of a cyber security breach is £22,700 for large businesses and £3,650 for smaller ones, so there is a significant penalty to pay, if you do not have cyber protection in your armoury.” 

With many cyber attacks relying on human error, be that through downloading a virus by clicking on a malware link, believing an instruction to divert funds came from a manager rather than a cyber criminal posing as one, or installing software that is malevolent, staff training is the key to better cyber protection. That training, in Ascend’s view, has to start on day one.  Cyber criminals play games with naïve staff and lay bait for anyone low in cyber awareness.

“There is no time to delay when it comes to cyber training”, added Collins. “Cyber criminals are seeking to breach companies’ systems every single day, round the clock. Many dark web hackers are paid significant sums to do so and cyber criminals like to prey on smaller businesses, as they open up doors, through their systems, to larger ones. It is not fair to expose any employee to what, at best, would be a situation in which they feel very uncomfortable at work, if they were found to have caused a damaging cyber security issue.  

“Training, on day one, makes sense and putting that priority on cyber protection should send a signal to all other staff that being cyber aware is vital.  It shows that complacency has no place in the fight against cyber crime and that it is a top priority within the business, rather than something that never gets discussed or implemented.”

Backing this induction training should be ongoing reminders to employees to be alert, accompanied by regular refresher training for all employees, on the changing nature of cyber risks and tactics. The cyber threat is constantly changing. Staff training needs to mirror that.”

Unfortunately, Government surveys show some businesses fail to see the link between cyber attacks and business continuity. Until they do, Ascend’s suggestions are not likely to be implemented and many businesses will continue to suffer the consequences of cyber inertia.  

Matthew Collins added: “Well-run businesses not only build cyber training into staff inductions, but undertake full cyber risk assessments and cyber security vulnerability audits.  They build cyber security considerations into business continuity planning. They also test their staff’s resilience, by undertaking mock phishing exercises of their own.  These actions all form part of the defence shield against an attack.  

“Whilst we naturally advise clients on the cyber insurance protection they can put in place as a safety net, we always make it clear to them that this can only help after a breach has occurred. Prevention is better than cure and it comes through training, cyber risk assessments, information dissemination and a full stamping out of cyber inertia.”