Toby Barnard, MD for Government at digital training provider QA, explores the importance of training in cyber security skills for businesses, looking at how individual employees are often the target of such crime.

In the rapidly evolving landscape of the modern business world, with technology playing an ever more pivotal role in every aspect of operations, cyber security has become one of the most important aspects of any business or government organisation. Whilst the digital revolution has brought about unprecedented opportunities to innovate and streamline processes, the challenges that come alongside this must not be ignored. As the world becomes increasingly digital, more and more sensitive information is kept on devices or in the cloud.

Businesses need to protect that data, and that’s where good cyber security comes in. Cybersecurity should no longer be seen as a niche concern confined to IT departments; it has become a fundamental aspect of business resilience and continuity, with breaches resulting in potentially devastating consequences. In this era of digital transformation, the need to cultivate a workforce that is equipped with cyber skills, and can help to defend the business against cyber threats, has therefore become increasingly imperative.

While technological solutions play a crucial role in preventing and mitigating cyber threats, the human element remains a vulnerable point in any organisation. The UK Government’s Cyber Security Breaches Survey 2023 found that there were “approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months” across all UK businesses.

Although this figure may not be news to many people, what often goes unrecognised is the fact that most of these attacks are aimed at individual employees. Employees, often the first line of defence, need to possess cyber skills to identify and thwart phishing attempts, and businesses need to be prepared to invest in cyber education, training individuals within the organisation to be vigilant, discerning, and proactive in recognizing potential threats.

What All Businesses Should Know

Despite reports that companies in the United Kingdom invested a total of over one billion British pounds in their cyber security sector in 2021, with medium-sized businesses investing the most, the reality is that the greatest vulnerability remains the employees themselves, with a 2022 government survey revealing that 83% of all attacks are classed as ‘phishing’. Phishing, according to NIST, is a technique where employees are targeted with a form of social engineering that attempts to get the individual to carry out an action, such as releasing sensitive information, clicking a link, or accessing a fake website. It is one of the most popular attack types, where illegitimate emails or texts aim to create a sense of urgency, curiosity or fear. Recipients are coerced into tasks, like revealing sensitive information, opening malware-infected attachments, or clicking links to malicious websites.

Phishing attacks have evolved significantly over the years, becoming more sophisticated and harder to detect. Traditional methods of identifying phishing emails, such as looking for poorly written content or generic greetings, are no longer foolproof. Cybercriminals now employ advanced tactics, including social engineering, leveraging AI-generated content to craft convincing messages, and personalised spear-phishing. Spear-phishing is a more targeted version of phishing that focuses on specific individuals or organisations, requiring significantly more work by the attacker, but yielding greater successes and returns. As a result, businesses must adapt by equipping their workforce with the necessary cyber skills to recognize and mitigate these evolving threats.
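To make the point above concrete from the defender's side, here is an added illustration (not code from the article or from QA) that runs two sets of phishing indicators over three constructed messages: the "traditional" content-only signals the paragraph says are no longer reliable (misspellings, generic greetings, shouting punctuation), and structural signals that still hold up against a well-written, personalised spear-phish (a display name that matches a colleague but comes from an external domain, a Reply-To that differs from the From address, link text that shows one host while the real target is another, and deadline pressure). The company domain `acme.example`, the staff directory and all three messages are assumptions constructed for the example.

```python
"""Legacy vs. structural phishing indicators over constructed sample mail.

Added example, not from the article. COMPANY_DOMAIN, INTERNAL_STAFF and
every message below are constructed assumptions for illustration only.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "acme.example"              # assumed internal mail domain
INTERNAL_STAFF = {"jane okafor", "sam lee"}  # assumed staff directory

# Each message: headers as a mail client shows them, the greeting line,
# the body text, and (anchor text, href) pairs taken from the HTML body.
SAMPLES = {
    "crude_phish": {
        "from": "PayPaI Security <security@paypa1-alerts.example>",
        "reply_to": "",
        "greeting": "Dear Customer",
        "body": "Your acount has been suspended!!! Click here imediately to restore acces.",
        "links": [("Click here", "http://paypa1-alerts.example/login")],
    },
    "spear_phish": {  # well written, personalised, no spelling mistakes
        "from": "Jane Okafor <jane.okafor@acme-corp-finance.example>",
        "reply_to": "Jane Okafor <j.okafor@okafor-mailbox.example>",
        "greeting": "Hi Sam,",
        "body": ("Following up on the vendor payment we discussed, please review "
                 "the updated invoice before 5pm today so it clears this quarter."),
        "links": [("https://sharepoint.acme.example/invoice-2231",
                   "https://acme.example-docs.example/l/9f3a")],
    },
    "legit": {
        "from": "Jane Okafor <jane.okafor@acme.example>",
        "reply_to": "",
        "greeting": "Hi Sam,",
        "body": "Minutes from this morning's standup are on the wiki.",
        "links": [("wiki", "https://wiki.acme.example/standup")],
    },
}

MISSPELLINGS = {"acount", "imediately", "acces", "verifiy"}
GENERIC_GREETINGS = {"dear customer", "dear user", "dear account holder"}
PRESSURE_PHRASES = ("today", "within 24 hours", "immediately", "before 5pm", "suspended")


def legacy_indicators(msg):
    """Content-only heuristics that older awareness training relied on."""
    reasons = []
    if msg["greeting"].strip().rstrip(",").lower() in GENERIC_GREETINGS:
        reasons.append("generic greeting")
    if set(re.findall(r"[a-z]+", msg["body"].lower())) & MISSPELLINGS:
        reasons.append("misspellings")
    if "!!" in msg["body"]:
        reasons.append("shouting punctuation")
    return reasons


def _domain(addr_header):
    """Lowercased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(addr_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal(domain):
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def _host(text):
    """Hostname of a URL or bare domain found in anchor text or an href."""
    parsed = urlparse(text if "://" in text else "https://" + text)
    return (parsed.hostname or "").lower()


def structural_indicators(msg):
    """Checks that survive a polished, personalised spear-phish."""
    reasons = []
    display, _ = parseaddr(msg["from"])
    from_domain = _domain(msg["from"])
    if display.lower() in INTERNAL_STAFF and not _is_internal(from_domain):
        reasons.append("display name matches staff but sender domain is external")
    reply_domain = _domain(msg["reply_to"])
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    for anchor, href in msg["links"]:
        # Only compare when the visible text itself looks like a URL/domain.
        shown = _host(anchor) if re.match(r"^(https?://|[\w.-]+\.[a-z]{2,})", anchor) else ""
        if shown and shown != _host(href):
            reasons.append(f"link text shows {shown} but target is {_host(href)}")
    if any(p in msg["body"].lower() for p in PRESSURE_PHRASES):
        reasons.append("deadline or account pressure")
    return reasons


def classify(name):
    """Run both indicator sets on a named sample and return a verdict."""
    msg = SAMPLES[name]
    legacy, structural = legacy_indicators(msg), structural_indicators(msg)
    return {"legacy": legacy, "structural": structural,
            "suspicious": bool(structural) or len(legacy) >= 2}


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

Running it shows the gap the paragraph describes: the crude message trips every legacy check, the spear-phish trips none of them, and only the structural checks (sender domain, Reply-To, link target, deadline pressure) flag it. Those are the signals worth teaching staff to look for, alongside the technical controls that enforce them automatically.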

According to the Cabinet Office report, analysis suggests that the total cost to Government and businesses in the UK is £27bn per annum. Yet, remarkably, a government study claimed that only 19% of businesses and 15% of charities had carried out testing activities (such as mock phishing) within the last 12-18 months, and that 83% of companies had failed to provide their staff with basic training on dealing with social engineering.

So why do companies shy away from properly protecting themselves, despite spending millions on IT security? The answer is that many organisations rely on the assumption that everything behind the corporate firewall is safe and secure. We know that this isn’t the case and even with quarantine software and mock phishing attacks, it is still possible to gain access to employees via email and other messaging systems.

Research shows that phishing has become more prevalent since the pandemic, with the number of employees working remotely having significantly increased. As of May 2023, 39% of workers in Great Britain advised that they had worked from home at some point in the previous seven days with other research from the Chartered Management Institute showing that “more than 80% of organisations have adopted some form of hybrid working since the pandemic struck – and plan to keep doing so.”

This provides attackers with an easier route to success as remote workers have reported that they perform work activities across many environments. This includes home and travel networks, as well as ‘third spaces’, such as cafes and restaurants, with 4 out of 10 people revealing that they’ve had their information compromised whilst on public Wi-Fi.

How to Protect Against Attacks

To reduce the risk of these types of attacks, simple measures can be put in place. These range from making sure remote workers use a VPN to delivering training so that staff understand, and are aware of, the vulnerability they are responsible for.

The average investment in training per employee in 2022 was £1,780, compared to the “mean annual cost of cyber crime for businesses…estimated at approximately £15,300 per victim”, so it shouldn’t be a difficult decision for companies, big or small, to bring in a training course that could save both financial and reputational costs. Online courses can start from as little as £99, and the average ROI is 69% for a smaller business (under 1,000 employees) and 562% for larger companies (1,000+ employees).

As businesses continue to digitise their operations, the importance of cyber skills in defending against phishing attacks cannot be overstated. The human element remains a crucial aspect of cybersecurity, and empowering employees with the knowledge and skills to recognise and respond to phishing threats is essential. By investing in cyber education, fostering a culture of awareness, and staying abreast of evolving cyber threats, businesses can build a resilient defence against the ever-present menace of phishing. In doing so, they not only protect their sensitive data and assets but also strengthen the trust that customers and stakeholders place in them.

Toby Barnard is MD for UK Public Sector at leading digital training provider QA, where he manages the delivery of end-to-end learning products and services for public sector customers.