Why cyber-security starts with your staff


Cyber-security is a pressing issue for businesses of all sizes. After all, SMEs and large multinationals alike routinely handle digitised documents containing sensitive information every day of the week.

But while many are doing all the right things to shore up their defences against third-party attack, there is one asset they are failing to make the most of - their staff.

Your employees are the ones at the sharp end of your business and the people who will be tasked with routinely handling and moving sensitive data.

It's therefore vital that you do all you can to ensure your staff are aware of the importance of cyber-security and how they can help stave off potential threats.

Set resources aside for training

According to research by CFC Underwriting, more than one in four SMEs in the UK do not educate and train their staff on cyber-security.

A similar proportion admitted they have failed to train employees because they do not know "where to start".

However, this could be a direct consequence of 20 per cent failing to understand their own risk profile.

SMEs therefore need to assess their exposure to cyber risk, perhaps by asking their tech specialist to try hacking their systems and data.

This would provide a vivid demonstration of precisely where any flaws in a firm's security processes can be found.

Of course, many SMEs will be concerned that they do not have the time or resources to train their staff on this issue.

But ignoring the issue could prove to be a false economy. Indeed, CFC Underwriting pointed out that more than a third of claims it received last year could have been avoided had better education and training processes been in place. 

The organisation's study also found that phishing scams were particularly common among claimants, which suggests this is a specific issue that SMEs could benefit from talking to their staff about.

Chris Wallis, from cyber-security firm Intruder, is among those to hold the view that educating staff doesn't have to be costly or time-consuming.

Speaking to the Telegraph, he said: "The most important threat for the majority of staff to be aware of is 'phishing', but a quick Google for 'examples of phishing attacks' and a quarterly warning email sent round the office would be a good start for most smaller companies".

SMEs falling victim to simple attacks

In 2015-16, CFC saw the number of cyber-related insurance claims go up by 78 per cent.

But perhaps most concerningly, 90 per cent of claims came from companies with revenues of less than £50 million.

This clearly indicates how vulnerable smaller firms are in the face of threats, and offers a case for why they should be taking the issue of security more seriously.

Daniel Rowles, chief executive of Target Internet, believes firms should be carrying out organisation-wide cyber-security briefings on a semi-regular basis in order to educate staff.

"Over the course of a half-hour or hour-long session, get a senior team member to deliver a presentation on emerging cyber-security threats and how to deal with them," he said.

"Try to come up with creative ways of illustrating the threat posed by cyber-security breaches. Do what you can to make the subject matter colourful."

One way of making training sessions engaging is to make sure they aren't overly technical or filled with jargon.

When it comes to cyber-security, this is easy to achieve, as many of the best preventative measures do not require significant technical knowledge, simply some common sense.

For instance, staff can be reminded to change their passwords and not to make them too obvious, a practice they are probably already following for personal accounts on social media and with banks and retailers.

It all helps to make sure the issue of cyber-security is on people's minds day after day, so they aren't tempted to be lax when they're handling sensitive information.

Aim to win hearts and minds

Employees could react negatively to some security policies, particularly if they slow them down while they're trying to do their job.

This creates a risk of certain rules not being adhered to, so it's very important to get staff on board early on.

Andrew Mills, director of cyber-security firm Datamills UK, believes that employers otherwise risk creating "an enemy within".

"Work with staff to create a secure environment, tell them you need their help," he commented.

"Help them with personal cyber-security at home and, as a byproduct, the business will gain an extra level of protection. It’s important to make staff feel they are part of the solution, and not part of the problem."

There's also a strong chance that some members of staff might be more security-savvy than you realise, in which case it certainly pays to get them involved in devising practical and effective security measures.

If they feel they have a stake in the matter, rather than feeling burdened by extra rules and regulations, they are more likely to follow security measures on a day-to-day basis and make sure your firm has strong defences against cyber-attackers.