Lack of staff training and awareness around IT security has become a much bigger risk to organisations since the COVID-19 pandemic, according to SCC’s most recent IT Insights Report. For the report, part of a series commissioned by SCC to gain valuable insight into the UK IT market, we surveyed 550 IT decision-makers from 11 different sectors about the impact of COVID-19 on IT security.
12% of respondents now say lack of staff training and awareness around IT security is the biggest security challenge, compared with 8% three months ago, representing a 36% increase. This shift in focus for IT security teams is being felt by organisations across the globe, with widespread homeworking as a result of the COVID-19 crisis leaving them more exposed to their biggest existing risk: the human factor.
In the recent WannaCry ransomware epidemic, the human factor played a major role in making businesses worldwide vulnerable. Two months after the vulnerabilities it exploited had been patched, many companies around the world still hadn’t updated their systems. However, COVID-19 could be the most impactful single event on IT security in history, changing the threat landscape permanently. Increased home working, new collaboration software and greater use of devices mean there are more points of access which are vulnerable to external threats.
Cybercrime has become more organised and sophisticated than ever before, and cyber criminals are using COVID-19 to increase the frequency and sophistication of attacks at a time when entire workforces are at home and IT teams are battling to cope with increased demand and fewer resources. Now more than ever, it is critical for every organisation to communicate risks such as phishing attacks, DDoS and ransomware effectively across the business.
Here, we’ve compiled some of the most effective ways your organisation can communicate cyber security awareness.
1. C-level sponsorship
COVID-19 has brought cyber security firmly to the boardroom table. With a string of high-level data breaches, stricter regulations in place, and the threat landscape growing, it’s important the conversation starts from the top to help create a culture of enhanced cyber security awareness.
2. Understanding risk
In creating an effective security awareness program, your organisation needs to evaluate the threat landscape and identify your top risks. Doing so gives you a better understanding of the real-world threats that could compromise your organisation’s security. Taking time to properly identify the risks can help shape the messaging, delivery and effective targeting of your cyber security awareness program.
To develop a comprehensive cyber security strategy and effectively identify risks, you need to complete a thorough audit of your organisation’s information assets, including what the most valuable information assets are, where they’re located, and who has access to them. Every asset should be classified and protected based on its value. Doing so is crucial when identifying risks and prioritising the areas that need to be defended.
4. Identify high-risk groups
The key to an effective security awareness program is ensuring the right training is targeted at the right people. All users are susceptible to cyber threats, but certain employees have a higher threat profile than others. For example, your HR and Finance departments will be frequently targeted because of their privileged access to sensitive data. Your senior management team are also popular targets.
5. Update and review your policy
Policies are crucial in establishing boundaries of behaviour for individuals, processes, relationships and transactions within your organisation. They provide a framework of governance, identify risk and help define compliance, which is important in today’s increasingly complex regulatory landscape. An effective policy management system is one that has a consistent method of creating policies, adds structure to company procedures and makes it easier to track attestation and staff responses.
6. Start preparing now
It’s a question of when, not if. You need to start preparing for the inevitable and put a plan in place that ensures appropriate action when security is breached. Establishing an effective response plan helps educate and inform staff, improve organisational structures, enhance customer and stakeholder confidence, and reduce any potential financial or reputational damage following a breach.
SCC’s approach to IT security is designed to protect organisations across all areas and the whole information and cyber security lifecycle, by understanding both specific threat levels and our customers’ current maturity before building solutions to match requirements, suitable now and into the future. Our approach is relevant pre- and post-COVID-19, with IT security crucial to all organisations and the COVID-19 situation helping many to see threats that have always existed but have not always been a priority.