
One of the best ways for an organisation to reduce the risk of cyber-crime is to build a culture of cyber-security. Ninety per cent of all security breaches are caused by human error, and attacks very often start with a simple phishing email that expensive firewalls and anti-virus software cannot detect. According to the Verizon 2022 Data Breach Investigations Report, 82% of all security incidents involve a human element, and an organisation is more likely to be compromised by an employee inserting a corrupted flash drive into their computer or opening a phishing email than by being hacked through its servers. Most employees believe that they would recognise a phishing email and would not act on the request in it. However, according to the Verizon Data Breach Report, 30% of all phishing emails are opened and 12% of the links in these emails are clicked.
With cyber-attacks now at an all-time high and small businesses more likely than ever before to be the victim, it has never been more important for SMEs to evaluate their approach to cyber-security. In this blog we will assess why creating a cyber-security culture is the best way to protect a business from falling victim to cybercrime, and how an organisation can create an effective culture on a modest budget without sacrificing staff productivity.


Why Small Businesses Must Invest in Cybersecurity

The Covid-19 pandemic has permanently changed the way people work. Organisations have had to resort to alternative business continuity measures to stay in business, including the adoption of cloud services, the introduction of new forms of digital payment and enabling staff to work remotely. These changes had to be made at pace, which opened up critical security gaps. To make matters worse, the introduction of ransomware-as-a-service has allowed even novice attackers to execute ransomware attacks quickly. Estimates vary, but all sources report a vast spike in the number of cyberattacks. According to BlackBerry, “there was a 600% increase in cybercrimes due to the pandemic and a whopping 667 million new malware detections discovered worldwide in 2020”.

SMEs, with their limited budgets and lack of cyber security expertise, have suffered the most, and attacks on SMEs have vastly increased, with 43% of all cyberattacks having targeted small businesses in the last year. The consequences of a breach can be extremely costly, from lost productivity to damaged company reputation, and the average cost of a data breach increased 10% in 2021 and now stands at £4.24 million. It is no surprise, therefore, that 60% of small businesses close their doors permanently within 6 months of a breach. Despite these statistics, the facts show that small businesses do not take cybersecurity seriously, with many SMEs believing that they are either too small to be targeted or that they do not have an adequate budget to protect themselves online. The IBM Cost of a Data Breach Report 2021 found that 47% of organisations with fewer than 50 employees do not have a dedicated cybersecurity budget, and only 18% of companies with more than 250 employees have one.


How Small Businesses Can Protect Themselves from A Breach

To combat this rise in cybercrime, businesses are increasingly turning to insurance as a way of protecting themselves, and predictions show that the global cyber insurance market is expected to grow from $7bn in gross written premiums in 2020 to $20.6bn by 2025. Cyber insurers can help businesses protect themselves from the extreme costs that arise from cyberattacks and can guide victims through the stressful process of mitigating losses in the event of an attack. However, premiums are beginning to spiral as the number of claims increases. Many insurers are raising rates significantly, with premiums set to rise by over 50% in the next 12 months. Furthermore, providers are insisting that certain minimum requirements are met, including multi-factor authentication (MFA) and endpoint monitoring, or they will refuse to pay out in the event of an attack. Some insurers, such as AXA, have already removed coverage for ransomware payments from their policies altogether, and others might soon follow suit.

As well as insurance, there is now a host of products to help businesses protect themselves online, including endpoint protection, email security, firewalls, anti-virus and password managers. Where budgets do not allow for hiring a dedicated cybersecurity expert, it is highly recommended that organisations work with a channel partner to manage their security tools, keep them regularly updated and keep them free from vulnerabilities. Steel City Consulting can advise on which ones are right for your business and can help to manage them for you. We use a multi-layered approach to security, and our comprehensive portfolio of best-of-breed technologies helps to eliminate business risk. However, even with the best defences in place, it is hard to mitigate social engineering if individuals do not have adequate training to spot phishing and the awareness to report a breach when it does inevitably happen.

With 9 out of 10 ransomware infections coming from some form of phishing email, teaching employees to recognise the threats and follow the correct security procedures is the best way to decrease cybersecurity risk and fight social engineering. However, according to the Department for Digital, Culture, Media and Sport’s recent Cyber Security Skills report, only 10% of businesses provided cyber security training or awareness programmes to non-cyber employees in 2022. Where training is carried out, it often takes too long, which leads to employees tuning out and going through the motions as a tick-box exercise.


How to Create an Effective Cyber Security Programme

No matter whose data you rely on, it is clear that there is nothing an organisation can do to fight cybercrime faster than building a cybersecurity culture. It is vital that leaders within organisations make employees aware that the risk of cybercrime is real and that their daily actions directly affect the risk to the business. Cybersecurity training should be conducted on a regular basis to educate staff on recognising and avoiding compromising emails, creating strong passwords and spotting insider threats. For training to be effective it needs to be persistent, delivered regularly in small doses to fit employees’ busy schedules, and paired with positive reinforcement. Humour performs better than fear-based or boring messages, and training should be provided in multiple flavours, versions and varieties that appeal to different learning styles.

In the past, businesses have had little choice but to conduct internal training or partner with a vendor that provided training annually, twice annually or quarterly in a one-size-fits-all approach that failed to shape the audience’s long-term security-related thoughts and actions. However, for appropriate conditioning to take place and to build the right level of security muscle memory, it is recommended to provide training monthly (or twice monthly for high-risk targets) together with simulated phishing campaigns. For most companies, creating a cyber security programme with engaging content produced fortnightly would be an impossible task, which is why Steel City Consulting has made KnowBe4 one of our key security partners. KnowBe4 provides new-school integrated security awareness training to over 50,000 businesses through a user-friendly, intuitive and immersive simulated phishing platform, with a content library of 900+ items available to users depending on their subscription level.

Why KnowBe4 Can Be an Extremely Effective Tool for Cyber-Security Training

To help companies deliver effective cybersecurity training, KnowBe4 uses baseline testing to assess the phish-prone percentage of its users through a simulated phishing attack. The phish-prone percentage translates phishing risk into measurable terms, which allows leaders to quantify their likelihood of a breach and adopt training that reduces their attack surface. Organisations can compare their score against a benchmark study analysed over a data set of 9.5 million users, 30,173 organisations and 19 different industries. Users get on-demand, interactive and engaging computer-based training with awareness modules and videos that show them how a phishing or social engineering attempt could happen to them. To be effective in changing behaviour, it is recommended that companies conduct phishing tests once a month and encourage frequent and relevant messaging in the form of ancillary supporting materials (posters, digital signage, newsletters, etc.). Companies are encouraged to find opportunities during cross-business meetings and presentations to reinforce the big takeaways, and to hold “lunch and learns” for employees.

KnowBe4 users are provided with a Phish Alert Button, which can be installed in the Microsoft Outlook and Google Gmail email clients and clicked by a potential victim when they suspect a phishing email. The Phish Alert Button can be configured to forward all reported emails to an inbox where they can be analysed, confirmed, researched and trended. This is particularly powerful when combined with KnowBe4’s PhishER, which can notify end users whether the reported email was truly malicious, a test, or something more innocuous such as spam. Replying to the end user with a confirmed analysis provides a feedback loop, which further encourages them to report future suspected phishing emails.

Through regular end-user training, phish tests and continual feedback, any organisation can strengthen its security in as little as three months. Steel City Consulting can talk you through getting the best out of your KnowBe4 subscription, and we can configure your Phish Alert Button and PhishER.


How Secure Is Your Business?

After reading our blog and assessing the ways in which organisations can reduce their risk from cyber crime, we would be interested in hearing how your company stacks up. Are you currently using KnowBe4? If not, would you be interested in finding out more about it and potentially seeing a live demonstration or having a free trial? If you have further questions about best practices for protecting your business from security threats, or are looking to implement a cybersecurity culture within your business, our team can talk you through your options. Our friendly and knowledgeable staff would be happy to take a call on 0114 400 0038; alternatively, you can email us at sales@steelcityconsulting.co.uk with any questions you might have.
