Should organisations invest valuable resources hiring specialised security staff, or is there a more effective alternative?
According to a recent report, over 50% of UK companies have a severe shortage of IT security professionals, and this shortfall looks set to continue. Cyber-attacks are constantly evolving, and they often target individuals who are inexperienced and inattentive. And of course, it’s not only external threats that are a concern, but also insider threats. It is often the case that careless, or even malicious, employees act in a way that exposes sensitive company information.
As mentioned, hackers often prey on naive employees. Should an employee disclose their login credentials in response to a phishing email, there could be far-reaching consequences. Companies – both big and small – fall victim to such attacks; attacks on smaller companies simply receive less coverage in the media. So, while it may seem wise to recruit a team of IT security experts to help mitigate these problems, there’s only so much they can do to prevent staff members from making mistakes. After all, if a hacker gains access to legitimate user credentials, even the best security experts would struggle to stop them from stealing sensitive information. Not only that, but most smaller companies simply can’t afford to employ dedicated security specialists.
Since cyber-security is clearly very important, it makes more sense to ensure that all staff members are well trained, rather than placing the responsibility on a select few individuals. Of course, using the right technology is important too. Let’s face it, humans make a lot of mistakes. Technology can be used to identify and report suspicious behaviour by monitoring who did what, where and when important system events take place. User access rights can be defined to ensure that only authorised personnel have access to sensitive information. Having such automated systems in place will free up time and allow administrators to focus on other important tasks.
Organisations must pay a lot more attention to keeping their staff members sufficiently trained and vigilant, so that sensitive information doesn’t end up in the wrong hands.
What sort of training would be involved?
- Employees will need to be familiarised with some basic cyber-security terminology and concepts to help them keep up to date with related issues.
- Employees will need to be aware of the importance of authentication, authorisation and password security.
- Employees will need to be able to identify different types of malware including the various propagation methods. They will also need to be aware of the methods used for preventing malware infections.
- It is very important that employees are aware of the current data protection laws and regulations.
- Employees should be aware of basic risk analysis and management techniques.
- It may also help if employees have a basic understanding of cryptography.
- Knowledge of other related technologies such as firewalls, VPNs and intrusion detection/prevention systems may be useful, but is not necessary.