As high-profile data breaches continue to make the headlines, should employers be more consistent in their handling of cyber-awareness training? Recent figures from the Chartered Management Institute (CMI) strongly suggest that they should.

In a spring survey of 1,000 managers, CMI found that more than three-quarters of respondents (79%) had taken part in a cyber-security training or awareness programme in the previous 12 months. However, just 59% claimed that their organisation offers such training on a regular basis for all employees.

Just weeks after CMI carried out its survey, a government poll of businesses showed that 70% of medium-sized companies and 74% of corporates had experienced a cyber breach or attack in the previous year, at an average annual cost to each business of £10,830. The figures indicate that no employer can afford to leave any member of staff inadequately trained on cyber matters.

Even so, awareness programmes must be carefully planned in case employees find the volume of information overwhelming, or the approach too intense. Over the summer, a prime example of the latter emerged from the University of California, Santa Cruz (UCSC). In August, the institution was forced to issue an apology and a disclaimer from its Student Health Centre, after officials blanketed staff and students alike with a test phishing email, stating that a confirmed case of Ebola had been found on campus.

In the apology, UCSC Chief Information Security Officer Brian Hall described the nature of the email as “inappropriate” because it had caused “unnecessary panic”.

Natural reflexes

Alex Bomberg, Group Chairman of cyber risk specialists International Intelligence, acknowledges that information overload can be counterproductive. However, he says: “Cyber security should be an integral part of what we do. It shouldn’t be an add-on – it should be woven into our work as an everyday function.”

Maintaining an awareness and healthy suspicion of potentially dangerous links and knowing when to check or question an email sender’s details should all be natural reflexes for spotting fraud and scams, he notes. And without resorting to sounding the alarm over a false-flag virus outbreak, employers must also ensure that staff have a firm grounding in different types of email attacks, backed up by examples of how they are typically deployed.

Overarching that, Bomberg explains, it is increasingly important for employees to develop a strong understanding of the risks posed by social engineering.

“One issue I always try to emphasise is that people want to help,” he says. “And that makes us naturally vulnerable to fraudulent approaches.”

He gives an example: if you phone up the corporate side of Lloyds Bank and speak to an executive’s PA, if they happen to mention that the executive is in the Caribbean and won’t be back until the 14th, it instantly provides enough information to use social engineering for a spear-phishing attack. “I could phone a colleague and say in a particularly stressed-out voice that I know he’s away for a couple of weeks, but I really need to get a fund transfer signed off right away and he’ll be annoyed if he finds out it hasn’t been done when he gets back.”

For Bomberg, the scope for such incidents raises questions around the interplay between purely technical, cyber-related issues and how companies manage their internal processes. In his view, companies should set up hard-to-defeat authentication procedures, involving multiple members of staff, around sensitive transactions. They should then thoroughly school their employees in how those systems work and keep them informed on any updates.

Engaging tone

“Complex, successful frauds typically cross over from physical to cyber,” Bomberg says. “You need human interaction to effect social engineering. That’s how you get people to click on a link they may otherwise have queried. So, the training I recommend needs to be very focused and relevant to the department you’re addressing, and the specific activities that the department’s staff are likely to perform in their work. If you’re speaking to the finance team, the priorities are going to be very different to what you’d look at with HR or PR.”

Bomberg says that any training sessions should be in-person events and should feature case studies of real-life cyber breaches, with relevance to the department in question. That will help to bring the messaging to life and provide staff with hooks for any takeaways they may ponder as they get back to work. 

In Bomberg’s assessment, employees tend to think: “This will never happen to us.” But case studies convey the hard truth that companies routinely slip up, sometimes on very obvious points. In addition, each annual session should update staff on cybercrime trends that have changed or become particularly concerning since the last one.

Importantly, Bomberg notes, it is not necessary for the training to strike a serious tone. “It should be fun and engaging,” he says. “It will help it to stick in staff members’ minds and give them something to talk about afterwards. That sort of tone should extend to the interim training, too. 

Online quizzes could be an option, but the process could be gamified through point scoring and rewards to the most vigilant employees. “One large organisation I work with sends staff lively, TikTok-style videos whenever a new type of suspicious email emerges, outlining how it works and what sorts of weakness it aims to exploit, so that staff are clued up and know what to look out for.”