Businesses’ potentially most effective line of defense against cyber-attacks is their own educated and mobilised employees.
However, Fujitsu cyber security experts warn that many corporate workers are unaware of their vital role in protecting their businesses against cyber crime, believing that security is the IT department’s sole responsibility.
Fujitsu says the primary reason for this disconnect is the approach taken by most IT security teams to raise awareness of cyber security issues. Most rely on one-size-fits-all, annual security training.
By failing to effectively empower colleagues to take collective ownership – or share the knowledge they need to form the first line of defense – they leave their organisations open to attack.
Ultimately, the most common security breaches occur when employees click on email links or open attachments that deploy malware or collect sensitive information in phishing attacks.
Addressing this weakness with the right corporate culture and knowledge sharing is the most effective cyber security measure that a company can take.
The need to build an effective ‘human firewall’ is more critical now than ever. Today, most business communication occurs outside of the corporate network, thanks to mostly home-based workforces.
Cyber criminals are also taking full advantage of the ongoing pandemic to launch an onslaught of attacks – from misinformation campaigns to sophisticated attacks that take advantage of unsecured home networks.
To better understand the scale of the challenge faced by IT teams, Fujitsu sponsored an international survey of 331 senior executives from various organisations in 14 countries, with respondents from five broad industry groups: financial services, retail, manufacturing (including automotive), energy (including utilities), and central/federal government.
Results revealed that a worrying 45% of respondents believe cyber security has nothing to do with them. And 60% said all employees in their company receive the same cyber security training, despite significant differences in roles and security issues they face. Of the businesses that provide role-based training, 61% currently find it ineffective.
The survey also revealed why employees consider cyber security training to be such a turn-off: Just 26% of non-technical workers find the training engaging, 32% say it is too long, 35% are bored, and the same percentage say it is too technical. However, gamification is an easy way for companies to make it less of a box-ticking exercise – most non-technical respondents (69%) think training is most effective when it involves games, rewards, or quizzes to improve security awareness or behaviour.
Tim White, executive vice-president and head of the global services business group at Fujitsu, comments: “We have all experienced generic training modules – which only serve to tick a compliance box.
“Organisations should be trying to empower and engage groups on an individual basis to ensure they are aware of potential security risks – rather than boring them to distraction with untargeted webinars. Through building a sense of collective and engaging employees on an individual basis, it’s possible to introduce a culture where everyone’s job contributes to the company’s overall security posture. To borrow the old phrase, ‘it takes a village to raise a child’. Investment in creating the right culture, educating employees, and building trust is the most effective approach, which in turn makes organizations genuinely resilient to modern cyber threats.”
White says an easy way to tell immediately whether a company’s security culture is on point is by looking at who attends its high-level security meetings.
“If the CEO and heads of departments attend security meetings, that’s a good sign that the company is establishing a great security culture from the top down. If, on the other hand, attendees just comprise IT and security people, that’s a warning sign.”
A healthy dialogue between IT departments and individual employees also puts an end to well-meaning blanket bans on technologies that interfere with day-to-day work. For example, countless businesses banned employee access to cloud-based file-sharing services only to find that they were necessary to share contracts or designs. To effectively address security concerns, the discussion must find solutions to make these services work for the company.