Technology / The experts’ view: Businesses need to continually train staff about cyber security

The experts’ view: Businesses need to continually train staff about cyber security

“The pace of change in technology has accelerated to the point where even the experts are constantly playing catch-up,” said Dimitrios Petropoulos, of Hewlett Packard Enterprise, opening the Business Reporter Breakfast Briefing at the Savoy Hotel in London.

Mr Petropoulos said: “The emergence of new threat vectors that can evade traditional business security controls calls for an interconnected technological infrastructure but that can work only if businesses get the right processes in place and train people to apply them correctly.”

It can be difficult to find the right people, however, and to keep them. David Carvalho, of OCS, said: “That the best security people will quickly go elsewhere if they believe they are not developing their skills.”

Carvalho offers regular training to his staff so that they can continually improve.

Security experts are not the only relevant part of the people question, of course. Attendees agreed that they try to make clear that data security is the responsibility of everyone in the company and not just a handful of experts in IT. However, it can be hard to instill that culture and ensure that it is maintained.

Strategies suggested by those at the briefing included creating a culture of “slight paranoia”, so that staff are permanently on the lookout for security breaches and possible attacks. Another suggestion was to require anyone who wants a new device – an upgraded smartphone, say, or a tablet – to undergo security training first.

“It’s important to tackle this issue,” said Mary Hensher, from the University of Surrey, because according to recent research 93 per cent of data breaches are caused by human error. Although much attention is focused on malicious actors, in fact there would be enormous benefits to simply cutting down on mistakes.

One way to do that is by putting in place the right processes. Azad Hajiyev, of BP, said: “That reporting an incident should be as simple as possible. If the process is complex or long winded then employees won’t bother to use it. In most cases they will be too busy to make the time.”

“The tendency for people to ignore time consuming security practices,” said Mr Carvalho, “is so great that research shows that hackers are just as easy to compromise as everyone else because they make the same mistakes.”

Equally important is that employees do not feel that they will be punished for reporting a data breach or other incident. The more quickly a breach is identified, the more likely it is that it can be rectified without any damage being done. At worst, it is possible to minimise the damage. However, attendees said that it is easy to create a culture where people fear being punished if they admit to a mistake that has caused a data breach.

Matthew Kay, of the London Borough of Hounslow, said: “That it can be useful to treat near misses as breaches too because that makes it possible to learn from them.”