How to Improve Cyber Security Awareness In Your Organisation

As the threat landscape continues to develop, and major data breaches appear to occur on a weekly basis, cybersecurity remains a critical issue for CIOs and businesses today.

Clarksons, Uber and CEX are just some of the organisations that hit the headlines after suffering data breaches in 2017. Last year, Barclays Group Security CIO Elena Kvochko wrote in CIO UK that businesses need to implement strong measures at every level of the organisation to remain resilient to attacks.

An increasing number of Chief Information Security Officers, CIOs, are exploring new ways to protect customers and employees from online threats. And by highlighting security issues and raising overall awareness, CIOs can help combat the ever-evolving threats occurring in the workplace.

According to Harvey Nash, only 20% of organisations feel that they are prepared when it comes to a cyber-attack, with the problem continuing to grow.

A CISO is alert to the evolving cyber threats and the growing number of attacks. They share their advice and knowledge with executives and employees on the requirements for setting an effective security plan.

CISOs are arguably best suited to larger organisations with more complex security needs; Reckitt Benckiser, Hargreaves Lansdown, Unilever and Center Parcs all have a CISO in place. They are responsible for laying the foundations of a plan and communicating the value of security within the organisation.

NATS CISO Andrew Rose told CIO UK: “The CISO role is becoming more business focused. My role is about influencing, stakeholder management, positioning and communication.

“It’s all about getting the board’s head in the right place so that they’re OK with spending money and putting resource into this, and that they realise the benefit in it.”

Training

In some organisations where there is no CISO, it is the responsibility of the CIO to ensure employees are trained and aware of security procedures and implications.

Training can highlight issues such as browser safety, network security and general cyber threats, which can help employees understand security risks overall.

As cyber threats evolve, employees should be kept up to date so that they are prepared and know what malicious content to look out for.

According to the 2018 Global State of Information Security Survey, only 44% of executives are participating in the company’s overall security strategy.
 
In order to maintain an effective security strategy, new hires should receive training sessions before joining the work environment. Exploring creative ways to deliver training through the use of animation, infographics and interactive content can help keep staff engaged and aware of security issues.

CTO Mark Holt agrees security remains an ongoing challenge for organisations today and wants to ensure that it is a key element of Trainline’s culture.

“All of our developers are trained in secure coding practices, we have ‘MacGyvers’ in all clusters: individuals with additional security training who are responsible for identifying and raising security concerns, as well as being a super-local centre of excellence for security skills,” he said.

Retain talent

According to a 2017 Spiceworks survey, 62% of IT professionals see cybersecurity as a key skill to develop. CIOs need to find new ways to retain cybersecurity talent to ensure data is protected.

BMJ’s CDO Sharon Cooper says: “Security is a skill that everyone should have at varying levels, bringing diverse teams together and sharing knowledge. The hack day would bring suggestions that would fix business problems, develop new products or improve existing policies.”

Cultural change

One of the most effective ways to improve awareness of security threats is to encourage a cultural change. A security best practice should be available throughout the workplace, as this offers employees a useful resource to drive forward the shift in attitudes towards security.

CIOs can deliver a security strategy which underlines the importance of the risks, any personal concerns and how it will directly affect the business.

Today, employees are exposed to password theft, ransomware and malware, so businesses should be promoting a security culture that can help staff members to stay safe online and recognise telltale warnings surrounding cyber-attacks.

A cultural change should result in the staff’s behaviour adapting to the strategy and becoming more responsive to security protocol. This can help increase employees’ skills, attitudes and own safety when it comes to security.

TalkTalk Business COO Duncan Gooding sees security as being as much a cultural matter as an IT solution.

“We have a whole cultural initiative from having training, workshops and group projects making staff aware of the types of security and risks in which we would expect in terms of best behaviour approach.”

The COO has helped change TalkTalk’s security strategy since the 2015 cyber-attack, which cost the telecom company £400,000 in fines.

“TalkTalk is very much going through a cultural expectance of what security means across the business post the cyber-attack,” he said. “The strategy is being discussed at every meeting and the fact that security is embedded in everything we do, from the process and the new products that we launch, to now being part of the day to day discussion.”

Employees need to understand the part they play in achieving a security strategy. Team collaboration is a great way to establish security in the workplace through planning ideas and setting budgets to help motivate the team to deliver a cultural change.

Collaborate with Security Teams

CIOs should collaborate with security teams and get to grips with existing security policies.

Security is a complex subject and an ongoing issue for CIOs today. In-house teams cannot be expected to know everything about malware, data and information security.

Regular meetings with security departments can build a relationship while also outlining clear cybersecurity risks and legislation to ensure end-to-end security. 

Taking notes, asking questions and peer observations can help raise awareness within the organisation.

Create a strategy roadmap

A common result of cyber-attacks is that personal details, including email addresses, bank accounts and user passwords, are accessed and stolen by hackers.

According to a 2017 Harvey Nash survey, under a third of organisations have been subject to a major security incident in the past 24 months.

Wonga, Pizza Hut and Equifax are just some of the organisations that fell victim to a security breach in 2017. These infamous breaches have led to a loss of public confidence and cost companies millions of pounds. Raising security awareness can obviously help ensure the company is protected from cyber-attacks.

A security roadmap detailing the risk of employees’ actions when online will help protect them against common malicious content associated with document sharing, link clicking and file downloading. A roadmap will also ensure a set path is created which CIOs and employees can call upon when needed.

Collecting information from previous reports and carrying out regular penetration tests will help illustrate the areas CIOs need to address in order to prevent any security vulnerabilities. This can help ensure the business and its data are protected while, of course, raising awareness of security in the workplace.

Upgrade equipment

When it comes to security, CIOs should look to see if there are possible upgrades to be made before purchasing equipment.

Although organisations shouldn’t be cutting costs when it comes to security and protecting customer data, security tools should be updated regularly to reduce the risk of cyber-attacks, which will inevitably cost less money.

A good security suite can help protect your devices from a range of threats and shield your organisation from serious security risk.

Provide Secure Devices

CIOs should be prepared to provide employees with safe and secure IT equipment.

Security concerns surrounding mobile apps, file-sharing and downloads have become an issue for organisations today, with employees connecting to open and vulnerable networks more often.

Device management tools such as Miradore, Spiceworks and SOTI offer an extra layer of security and remote access, meaning that if any vulnerability is detected, the systems administrator can effectively shut down the device and limit the amount of potential damage that might be caused.

As organisations are exploring new ways to protect their customers, IT Director Jonathan Monk has turned his attention to information security to help protect his pupils at The University of Dundee.

“We have just deployed Microsoft Enterprise Ability Suite and key wins for that has been assuring personal and mobile devices are secure and encrypted wherever they are,” he said. “If they are accessing data from the university they can then be confident that is safe and secure,” he explained.

You should also consider setting out a mobile or device best practice for security to ensure you are meeting the organisation's security needs and protocol. This approach will assess employee devices to ensure they are connected to the business network safely.
 
Defining the applications and devices you want to permit can help ensure company data is protected while also educating staff on the overall risks of security. Regularly monitoring devices can help limit the organisation's risks, reduce IT costs and help manage IT use.

CIO
