Almost a third (31%) of organisations have been affected by cybercrime in the past 12 months, according to new research from Databarracks. In light of this, the business continuity expert suggests that organisations must look to invest in ongoing cyber awareness training, especially following the government’s proposed fines for firms who fall victim to cyber attacks.
As part of the Network and Information Systems (NIS) directive, which becomes law across the EU next May and is separate from the EU General Data Protection Regulation (GDPR), the government has warned that organisations could face fines of up to £17 million or 4% of global turnover if they fail to protect against hackers.
>See also: Counting down to GDPR: Will your business make it?
The crackdown is aimed at making sure essential services such as water, energy, transport and health firms are safeguarded against hacking attempts.
According to the government, the fines will be a last resort and they will not apply to organisations who have put the appropriate safeguards in place but have still suffered a breach.
However, findings from Databarracks’ seventh Data Health Check report, which surveyed over 400 IT decision makers in the UK about their IT security and continuity practices, shows:
• 41% of organisations have not invested in any safeguards over the last 12 months;
• Only 34% of organisations have invested in cyber awareness training;
• Only 11% of organisations have certified to a cyber security framework.
>See also: Business leaders severely lack cyber attack training
Peter Groucutt, managing director at Databarracks, outlines the importance of ongoing cyber awareness training for staff, as well as the need to ensure that firms are continuously communicating risks throughout the business:
“Ongoing cyber awareness training is an integral element in an organisation’s defence against cyber attacks. However, our research indicates that this has not been a focal point for many organisations over the past 12 months. This is concerning, especially in light of the NIS directive and therefore immediate action is needed to address it.”
“Firstly, for organisations who only carry out awareness training once a year – typically as part of an initial employee induction – we’d recommend increasing this to at least twice annually as well as providing employees with frequent security refreshers. The rate of change in cyber-threats means that we all need to constantly adapt our methods of protection. It’s no longer acceptable for cyber awareness training to be a five-minute warning given to new starters, the entire workforce needs to be informed and up to date on new threats.”
>See also: Businesses need to talk about the cloud
“Additionally, this approach needs to be supported by the IT department who, when an incident occurs, needs to communicate this to the entire business, providing insight as to why an incident took place, what the implications were and, most importantly, what can be done to prevent this from happening again.”
“Protecting your organisation from threats in not just about preventative technology, it’s also about building a culture of information security. An employee’s understanding of security is one of the most important and effective security measures that organisations should be investing in, not least because unwitting employees are often the unknowing accomplice within an attack. While good security habits take time, effort and repetition, it’s better to invest in good practices now than pay the price later.”