Employee Awareness is Key to Cyber Security

By Professor Alexeis Garcia-Perez, Centre for Business in Society
As seen in Business Insider

Professor Alexeis Garcia-Perez, Professor of Management Information Systems at Coventry University’s Centre for Business in Society, considers the role that the people within a business can play in protecting it from cyber-attacks.

In its annual review, the National Cyber Security Centre (NCSC) reveals that cyberattacks in the UK are at record levels.

The statistics in the NCSC’s report are backed up by the Department of Culture, Media and Sports, whose Cyber Security Breaches Survey showed that 39 per cent of all UK businesses — that’s 2.3 million — reported a cyber breach or attack in 2020/21.

In addition to that, the Crime Survey of England and Wales reports that in the year to June there were 6.8m incidents of fraud and computer misuse — 43 per cent more than two years earlier and 40 per cent more than every other crime.

Are businesses doing enough to combat cybercrime?

While this rise is most likely being driven by the emergence of more cyber criminals, the pandemic is also having an effect. More businesses have shifted their operations online while others have ramped up their digital activities without a clear understanding of the risks associated with the digital environment or the resources to address such risks.

Employees accessing systems remotely while working from home and the use of mobile devices expose businesses’ vulnerabilities and open up threats.

But cyber security is not just about investing in technology and is no longer only an issue for the IT department. There are simple steps that all employees can take that can offer a valuable layer of protection from threats — from those on the frontline through to members of a management board.

Coventry University’s Centre for Business in Society (CBiS) recently worked with a local authority to assess and test its cyber security.

Over a two-month period, 650 members of council staff released their login credentials to the team without realising by responding to the centre’s ‘scam’ emails, which in some cases offered a chance to win an iPad. These employees accidentally opened the door of the council’s information infrastructure to potential cybercriminals.

Researchers in CBiS did not need any hacking skills or specialist software or hardware. They used social engineering techniques such as ‘phishing’ emails, leaving memory sticks with potentially malicious software in public spaces, and impersonating people over the phone using details available online.

Awareness is key to cyber security

This experimental research confirms that phishing is one of the easiest ways for cyber criminals to gain a foothold in corporate networks. While infected emails could often be prevented from reaching the employees’ inboxes through the use of automatic solutions, spam filters do not guarantee cyber security.

Employee awareness is key to the cyber security of a business. In other words, cyber security is a team sport and every employee should be a member of the team. To that end, training programmes, including regular cyber security simulations, can help the workforce understand their vulnerabilities and prepare them to deal with a cyber security breach.

Bringing awareness of cyber security to senior management

It is essential that senior management understand their role in the governance of cyber security, from the risk of a cyber incident to its potential impact on the business. For example, a good understanding of their digital assets and services can help prioritise investment in their security, or help Human Resources departments to develop workforce cyber training and awareness strategies.

Making cyber security part of business operations

Whether an organisation is implementing new technology or software for efficiency purposes, or creating a new product or service, it is important that cyber security is considered an essential part of the planning process. This may mean that due diligence is carried out consistently and effectively when selecting a service provider, that only essential data is collected from customers, or simply that digital assets (both data and services) are regularly backed up and kept secure.

For more help and advice on cyber security contact Professor Alexeis Garcia-Perez at Coventry University’s Centre for Business in Society.