How to raise employees’ awareness of cybersecurity issues and why

In 93% of cases, an attacker can penetrate an organisation’s networks and access information about network administration and sensitive functions, as was revealed by an intrusion test study among companies in a variety of sectors by Positive Technologies in December 2021.

The study also revealed that one of the most common weaknesses was the tendency to compromise login details by using passwords that are easy to guess or are left in the open (71% of businesses).

The human factor: key but unpredictable

Today, (almost) no employee works offline. Even those that travel most, such as salespeople, delivery people and businessmen and women, need to have access to their company’s IT resources. This is precisely where the problem lies in cybersecurity, a fact confirmed by a 2017 study by Kaspersky Lab and B2B International, which demonstrated that employees’ improper use of IT resources was the reason behind 39% of the attacks against organisations worldwide over a 12-month period.

The human factor is the key risk for organisations’ IT networks and systems, as the 2022 IBM « X-Force Threat Intelligence » index shows. Human error is the cause of security incidents in more than 90% of cases, and workstations are the leading source of security flaws.

Other than stolen or decrypted login details, which are among the most common methods used by hackers, phishing has also emerged and rapidly increased in recent years. IBM’s index shows that this intrusion method accounted for 4 out of 10 attacks in 2021, and this figure continues to grow. IBM’s report also shows that June 2021 was a record month for computer attacks. 222,127 attacks were linked to phishing.

Greater connectivity, greater sensitivity

This growth is partially related to the working methods that were imposed by the Covid-19 pandemic. The spread of and increase in remote work within companies led to the development of new ways to allow employees to log into their organisations’ IT infrastructures, but these were all new weak spots through which hackers could potentially breach a company’s IT security system.

This observation also applies to the cloud computing systems frequently used for technical, financial and security reasons. But these generate additional computing exchanges in which the human factor may constitute a weakness.

This is why it is essential for companies of all sizes – small, medium, large, global – to make their employees aware of cybersecurity issues. The British firm IPA published a study in 2016 in which it analysed 874 data breaches. It was found that 22% were due to malicious activity by employees, but 65% were due to employee or partner negligence.

Addressing potential employee resistance

Raising awareness about these issues internally is a challenge. First, we must consider a few potential obstacles to cyber risks being taken seriously. Generation Y (18–34-year-olds) are a paradox in this area. Several studies show that this digital-native age group is significantly less receptive to IT security instructions.

Already in 2015, an online survey by Software Advice among 529 company employees showed a certain tendency towards carelessness. 40% of these same employees use personal devices to access work files.

A study by the National Cyber Security Alliance and Raytheon showed that 52% of the 1,000 people surveyed (from 18 to 26 years old) had plugged a USB device that someone else had given them into their work computer.

Keep it simple, concrete and fun

Raising awareness of cybersecurity first requires getting everyone to understand just what is at stake without trying to make them experts. This means giving simple descriptions of the various categories of digital attacks that may be used to target an organisation, such as viruses, malware, DDoS attacks, ransomware, and phishing.

Today, there are a variety of tools for IT and communications staff to make fun, easy-to-understand content to make each employee aware of how crucial cybersecurity is for the company and to get them on board in terms of security policy.

Once this awareness-raising step has been completed, e-learning campaigns and in-person courses can be held with practical exercises, serious games or real-time simulations. At the same time, it is important to discuss the consequences that a cyberattack may have on the life of a company, including disruptions to business, stoppages, lost customer trust, financial repercussions, damage to the brand and threats to jobs.

Cybersecurity must become part of an organisation’s DNA

Cybersecurity must become part of an organisation’s culture. This is essential for reducing the risk of malicious intrusions. A good example is the in-house communication campaign on cybersecurity carried out by Elior Group, a leading group in contract catering, in October 2019. The company used a fictional film and dedicated training website that initially focussed on its operations in France. The effort quickly paid off and security alerts from employees were multiplied by a factor of 5. The project was subsequently rolled out internationally to the group’s 132,000 employees.