Companies have more and more financial resources to increase their level of security; however, it is still not enough, and it is not properly invested.
Even the best security tools fail if their implementation is not accompanied by investment in raising the cybersecurity competencies of personnel.
Companies underestimate the human factor when designing security systems for three main reasons: lack of awareness of the issue, illusory savings, and organisational problems.
Every year, we can see that spending on IT security gets higher. There is no denying that the GDPR regulation has significantly influenced this trend. Unfortunately, although IT departments have more and more funds to raise the level of security, these are still insufficient or are not invested in an optimal way. Improperly selected, implemented or configured software and hardware will not solve every problem or mitigate every potential threat. However, today we will not focus on technical issues; instead, we will talk about the basics: the knowledge and awareness of employees.
People fail more often than systems
IT experts and people involved in cybersecurity say that humans are the weakest link in the chain. Perhaps this statement is brutal, but it is hard to disagree with it: most incidents would not have happened if employees had known what to pay attention to and how to react in unusual situations. According to the 19th Global Information Security Survey from 2017, conducted by EY, an advisory company, phishing is the most serious cyber threat, alongside malware. Moreover, 86% of survey participants say that cybersecurity competencies do not fully meet the needs of the organisation they work in.
The recent experiences of our security department are very similar: companies forget about their employees. When we carry out audits, workshops and training projects for our clients, we can see how low the personnel's awareness of possible incidents is. It is interesting that the participants of these meetings are very engaged, as the information gained will be useful to them not only in their professional lives but also in their private lives, where we are all exposed to attacks by hackers and scammers.
Is investing in people the hardest part?
What stops companies from organising training courses for their employees? Firstly, they are not aware of how important training is within the cybersecurity landscape of every enterprise. However, we should remember that software and systems are of no use if an employee sends confidential data by e-mail to the wrong recipient or makes a transfer to a fraudulent account.
Secondly, it is an extra cost, so when a company does decide to raise awareness, the effort usually covers only management personnel. Unfortunately, such an approach is not optimal in every organisational structure. Besides, funds spent on training employees always pay off, and such an expense is usually insignificant compared to the cost of implementing security systems.
Thirdly, in big companies it is simply a serious logistical challenge. A large number of employees scattered across various locations around the country may be a hindrance, but this is not as serious an obstacle as it may seem. You can split participants into different groups, spread the project out over time, or simply make use of technology and run online workshops. There are many possibilities, but everything depends on the budget and the organisational structure.
To sum up: when planning cybersecurity spending, do not forget about raising and maintaining the level of knowledge of your personnel. Whether you have advanced security measures or are a small company without significant funds for security, nothing substitutes for an aware employee. Training will always be the basis for building an optimal security system, regardless of its complexity.
About the Author: Konrad Ziółkowski
Connected with Cybercom Poland for nearly two years, working for 1.5 years in the Security area. He co-created and developed a comprehensive solution for auditing companies in the area of GDPR. He oversees the professional delivery of audits and coordinates cooperation with business partners. Combining business and technical knowledge, he trains clients on the impact of new legal regulations on their organisation and helps them prepare to implement the changes. He holds the "Moderate Design Thinking" and "Value Based Selling" certifications and has sold over 20 audits. An excellent speaker; in private life, an enthusiast of modern technologies, electronics and motoring.