Mo Stevens, CEO of Shearwater Group and Xcina, which provides ‘Digital Resilience’ solutions and services including cyber awareness training to SMEs, explores the chasm between awareness and action when it comes to cyber security training, and, in light of recent GDPR legislation, why it’s even more important for companies to build a human firewall.
In the first few weeks of joining an organisation, HR teams are often tasked with laying the foundations for what should be a slick, friendly and thorough onboarding process for new recruits.
But while they are under pressure to promote company culture and set expectations high, they also need to manage briefings and training with various departments. Their role is to ensure that each person that joins, regardless of their level, understands everything – from the company’s vision to its health and safety policies.
But amid these valuable experiences, cyber security and GDPR awareness training is often missing, which means new starters can become one of the biggest risks without even realising it.
Incorporating cyber awareness procedures into the induction process helps to establish a culture of digital resilience within the business from day one.
Acknowledging the biggest risk
Business leaders know there is an issue, with nearly 90 per cent of executives worldwide citing untrained staff as the biggest cyber risk to their business. There is a big problem – and a lack of adequate training to solve it – and ultimately HR, IT and the Risk Management functions have a big role to play in being part of the solution.
In the past two years alone, only 12 per cent of cyber attacks have been malicious; 88 per cent are down to human error, according to research from Kroll.
That’s nine out of ten breaches happening because someone clicked a link that looked legitimate, only to unleash malware into the system, or because a member of staff misplaced sensitive information. By which time it’s too late, of course.
In 2018, the most common causes of data breaches in businesses were staff receiving fraudulent emails, third parties impersonating the organisation online, and viruses and malware.
Legislation around GDPR has only amplified the issue. New protection around customer data means companies are no longer able to pass responsibility to the IT team; and senior managers in financial services businesses, for example, now have personal responsibility to prevent regulatory breaches.
Data compliance rules mean this has fast become a boardroom issue and one that impacts the entire backbone of an organisation. Breaches have to be reported, and they are no longer just a cyber risk; breaking GDPR legislation has already led to increased complaints and the potential of significant fines being levied by the regulator.
This all raises important questions for HR teams, and new starters:
- Is GDPR and cyber security training part of your staff induction process?
- How confident are you that your staff have had adequate training?
- Do you feel you have sufficient cyber security training yourself to be able to support new recruits?
- Who have you assigned to look after cyber security, and how do you track what’s happening?
It’s time for accountability: from the boardroom, to HR, and individuals themselves. If training is compulsory, then it should be introduced to staff as soon as they join.
There are also ways to incentivise everyone to take part, such as linking training to performance objectives, and enabling ‘cyber champions’ to spread the word. Because now it matters that people, not just companies, have taken the necessary steps to prevent breaches.
So, the next time a recruit arrives, just think about what time well spent at the beginning could do to protect the business, and how HR can lay the foundations for the human firewall.