The great cyber-attack silence

A report by Keeper Security found 41% of breaches not reported to internal leadership and nearly half (48%) kept incidents a secret from authorities. We understand there are several reasons why people keep cyber incidents quiet but the consequences can be grave and financially punitive to any organisation as well as opening the door to more breaches.

So, what is best practice for staff training and creating an open and blame-free culture in the business? Mark Lomas, technical architect, Probrand, gives us his view.

Regular training is one of the most effective techniques to help staff adopt a ‘zero trust’ mindset. But it’s important that this training evolves to become relevant to the increasingly sophisticated type of attacks we’re now seeing. For example, a cyber training session five years ago might have focused on identifying the telltale signs of a ‘spoof and spam’ email. Of course, this is still a threat, but staff also need to be trained on some of the more modern methods such as the use of AI-generated content to deceive individuals into unwittingly downloading disguised malware.

While effective training is important, organisations must acknowledge that you can’t ‘train out’ every mistake that might be made. To think otherwise is a dangerous strategy that serves no one. In addition to training, organisations need to focus on creating a culture where staff aren’t afraid to speak up should the worst happen. This could include making the process of communicating a breach less daunting. Consider using a dedicated portal where staff can share any issues and where anything immediately dangerous can be escalated. The worst scenario is where staff are too afraid to say anything and so the problem only gets worse. The best scenario is one where staff have an environment to speak up without fear of repercussion.

Finally, if people do trip and fall, is there a safety net there to catch them? It’s important to look at the processes and solutions you have in place should the worst happen. A lot of this comes down to planning. For example, how will each part of the business keep on functioning until a clean-up can be carried out? What are your legal obligations in terms of informing customers? Depending on the nature of the breach, you may also need to inform authorities like the Information Commissioner's Office (ICO). Staff will automatically feel better if they know there is a playbook and a plan for each scenario.