In most companies, cybersecurity has an established place on the agenda. Three quarters of businesses (75%) and 63% of charities report that cyber security is a high priority for senior management, according to 2024 data from the Office for National Statistics.
Unfortunately, this has not been enough to negate the threat. Cyber attacks are a huge risk for companies. The same study found that half of businesses (50%) and around a third of charities (32%) have experienced some form of cyber security breach or attack in the 12 months to April 2024.
More frightening still, attacks are becoming increasingly complex and sophisticated as scammers leverage AI. It is now possible for cyber criminals to clone a person’s voice from a short audio clip. This can be used to ask for money or personal information from employees. AI ‘deep fakes’ also mean that scammers can fake photos and videos that may look very real.
AI has made phishing attacks – which make up 90% of the cyber attacks that businesses experience – far more convincing, according to Lorna Ferrie, legal and compliance director of employment services provider Mauve Group.
She says: “We’ve had scammers use our logo and put together a fake contract of employment, with all of the relevant information. They also put together online profiles for people claiming they are employees. They can use AI to extract information from companies’ websites to cobble this stuff together and make it look really quite authentic.”
Social media is also an added risk for employers, according to Matt Eustace, data protection officer at software company Aiimi: “Most cyber attacks have a social element to them now. The traditional approach was through a hardware-based system, but the easiest thing now is to use people instead.
“One example we’ve seen is that when we had new starters at the company we used to put a note out on LinkedIn to welcome them. But we noticed that those new employees would immediately be targeted by phishing scams, as it would be assumed they’re an easy target who doesn’t know the people and processes in the company very well yet.”
Front line of defence
This is why it is so vital that employees are trained. In the words of Claire Williams, chief operating officer at HR software company Ciphr, employees are both “the first line of defence against cyber threats” and “the biggest risks.”
She says: “Training employees to recognise and respond to threats like phishing, social engineering, and data breaches reduces the likelihood of security incidents, helping organisations avoid significant financial and reputational damage.”
Ensuring that the HR department is well-trained is particularly important, she adds: “Firstly, HR departments handle large amounts of sensitive employee data, making them a prime target for cyber attacks.
“And secondly, HR normally leads on the deployment of mandatory training to employees. A well-trained HR team can better protect personal information, ensure compliance with data protection laws, and set a standard for cybersecurity best practices.”
And yet 40% of employees have never received cybersecurity training from the organisation they work for, according to security provider Yubico. The same global poll of 20,000 people also found that only a small fraction (27%) believe the security options their organisation has in place are very secure.
Even where training is offered, it is not always engaged with by employees, according to Samantha O’Donnavan, chief people officer of insurance company AXA global healthcare, who says: “I think there can commonly be a ‘it won’t happen to me’ attitude, along with a possible lack of understanding of the seriousness. This means there can be a lack of engagement where employees do not pay attention or retain information from training.”
This seems like a huge oversight on a topic that carries such high risk levels and board attention. The consequences of untrained staff can be devastating, as the NHS learned in 2022, after more than 130 email accounts were compromised in a prolonged phishing campaign. The emails contained a link that directed recipients to a bogus Microsoft 365 login page, asking them to provide their login details.
A continuous process
It is clear that building a bulletproof cybersecurity training offering that fully engages employees is essential. However, Williams says, training is often too generic, infrequent, or fails to keep up with the constant evolution of cyber threats: “Common pitfalls include making the training overly technical, not aligning it with specific job roles, and failing to update the content regularly. Training that doesn’t engage employees by using relatable examples or hands-on activities can also fail to make an impact.
“Additionally, treating cybersecurity as a one-time requirement rather than a continuous process can lead to gaps in knowledge, leaving organisations vulnerable to evolving threats.”
Ferrie’s approach to this ‘continuous’ process at Mauve Group is to implement a certified mandatory training course once a year, but also send out further training videos and information every few months.
“Every couple of months we’ll send over videos or notifications, or maybe a case study that’s happened in the US, to say ‘make yourself aware’ or ‘these are the new types of attacks we are seeing’. So that always keeps it fresh and prevalent in people’s minds.”
“Repeat, repeat, repeat,” adds Eustace, who advocates for a training programme that runs over the course of a year, to help employees maximise their retention of cybersecurity training.
Phishing testing tools can be useful as a method of reinforcement, says Eustace. “These are test emails that are set up as if they are phishing for employees’ information. If they click on them, we can give them feedback on what they should have spotted to know it was phishing. There’s a certain gamification in that which makes it fun. We even set a leaderboard for this to show which teams are doing well.”
However, it is important to avoid losing trust via this method. Eustace says: “We steer away from any ‘name and shame’ exercises. Initially when we used these tests, the content was so hard to spot that people felt they were being tricked, or they felt aggrieved that it was so challenging.
“Now, we run training and then test on something similar to make sure people are armed with the information they need. We also make sure we’re not saying: ‘You’re wrong’; we are saying: ‘Here’s what to look out for.’”
Help training hit home
Adapting training around employees’ feedback is a key method of ensuring that cyber security training is engaging, Eustace continues. “When we started out, we had an American training provider and the tone and content was a bit flippant and lightweight, in a way that didn’t really gel for our UK audience. It’s important to ask if the way the training is presented is marrying up with your company’s culture and your specific workforce.”
Ferrie further emphasises the importance of tailoring your approach and avoiding a one-size-fits-all mentality. “This is why mixed-media training is so important. Personally, I’m quite happy to sit and read a policy and procedure, but it’s not everybody’s preferred method of learning.
“There’s a wealth of information on LinkedIn and YouTube, as far as training videos are concerned. But you could also do interactive training, where you focus on real-life scenarios, things that have happened to other companies.
“You could have round table discussions with your staff, asking questions like: ‘How do you think this managed to get to the stage that it did? What could we have done to prevent it?’ That tends to get everyone really engaged.”
But the most effective tool to embed cybersecurity training, according to Eustace, is communicating the consequences that breaches can have. “You really have to work at telling people why they are being trained, what the relevance of cybersecurity is to their personal lives as well as the bottom line with potential fines and the value of intellectual property. If it’s too abstract, employees won’t take in its relevance.”
Cybersecurity terms to be aware of
Phishing: the practice of trying to trick people into giving secret information using fake emails or websites.
Deep fake: a video or sound recording that replaces someone’s face or voice with that of someone else, in a way that appears real.
Ransomware: malicious software designed to block access to a computer system until a sum of money is paid.
Spyware: malicious software that enters a user’s computer, gathers data from the device and user, and sends it to third parties without their consent.
Social engineering: a tactic of manipulating, influencing or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information.
Mandatory means mandatory!
As any learning and development department knows, ensuring that employees complete training can be a challenge, particularly as other duties compete for their time.
The key to this is involving line managers, Eustace says. “If you don’t have a big cyber team then the temptation would be to let that training slide. But if you raise awareness among line managers, and really say people can’t have a pay rise or progress through reviews if they haven’t done their mandatory training, that devolves the responsibility and helps create a culture of security.”
When staff don’t respect training
In October 2024, accounting firm EY fired dozens of US staffers after they watched several training sessions at once. But employers should also consider why employees would not take the time to complete training, and whether it is due to time constraints, said Sean D’Arcy, chief solutions officer at workplace engagement platform Kahoot!.
Kahoot!’s September 2024 research found that nearly half of employees (47%) rank time constraints as the primary barrier to upskilling. D’Arcy says: “It should come as no surprise that employees often then find themselves in a race to complete workplace training, as they try to stay afloat juggling multiple tasks.
“This means that businesses and HR departments not only need to deliver engaging training, but it should also be dynamic and flexible, whether at the office, when working remotely, or on the go. By offering bite-sized learning and adding elements of rewards and interactive competition, employers grant the worker a sense of enjoyment as they work through their tasks. That’s when real impact can be achieved.”
This article was published in the November/December 2024 edition of HR magazine.