Every year, spending on IT security rises. There is no denying that the GDPR regulation has significantly influenced this trend. Unfortunately, although IT departments have more and more funds to raise the level of security, these funds are still insufficient or not invested in an optimal way. Improperly selected, implemented or configured software or hardware will not solve every problem and will not mitigate every potential threat. However, today we will not focus on technical issues; instead we will talk about the basics: the knowledge and awareness of employees.
IT experts and people involved in cybersecurity say that the human is the weakest link in the chain. Perhaps this statement is brutal, but it is hard to disagree with it: most incidents would not have happened if the employees had known what to pay attention to and how to react in unusual situations. According to the 19th Global Information Security Survey from 2017 conducted by EY, an advisory company, phishing is the most serious cyber threat, alongside malware. Moreover, 86% of survey participants claim that the cybersecurity competencies in their organisation do not fully meet its needs.
The recent experience of our security department is very similar: companies forget about their employees. When we carry out audits, workshops and training projects for our clients, we see how low the personnel’s awareness of possible incidents is. Interestingly, the participants of these meetings are very engaged, as the information they gain is useful to them not only in their professional lives but also in their private lives, where we are all exposed to attacks by hackers and scammers.
What stops companies from organising training courses for their employees? Firstly, they are not aware of how important training is in the overall cybersecurity picture of every enterprise. We should remember that software and systems are of little use if an employee sends an e-mail containing confidential data to the wrong recipient or makes a transfer to a fraudulent account.
Secondly, it is an extra cost, so if a company does decide to raise awareness, it usually covers only the management personnel. Unfortunately, such an approach is not optimal in every organisational structure. Besides, the funds spent on training employees always pay off, and such an expense is most often insignificant compared to the cost of implementing security systems.
What is more, in big companies it is simply a serious logistical challenge. A great number of employees scattered across the country in various locations may be a hindrance, but this is not as serious an obstacle as it may seem. You can create different groups of participants, spread the project out over time, or simply make use of technology and carry out online workshops. There are many possibilities, but everything depends on the budget and the organisational structure.
To sum up: while planning cybersecurity expenses, do not forget about raising and maintaining the level of knowledge of your personnel. Regardless of whether we have advanced security measures or are a small company without significant funds for security, these measures are no substitute for an aware employee. Training will always be the basis for building an optimal security system, regardless of the level of its complexity.