Any organisation, irrespective of size, is made up of three elements – technology, processes and people. It is said that an organisation is only ever as strong as its weakest link. Of the three elements, it is mostly the ‘people’ element that proves to be the weakest link when it comes to protecting the organisation against cyber risks, with the root cause generally being the lack of both an appropriate company culture and an effective awareness programme.
With cyber criminals increasingly looking to exploit human vulnerabilities in order to bypass internal controls, organisations must proactively raise staff awareness levels in order to inculcate a security culture and consequently decrease cyber risks.
Embedding a security culture begins at the very top of the organisation, the board of directors. Not only must the board consist of members that have an appreciation of IT and cyber risks, but it must also take specific steps to ensure the importance of security is understood across the organisation.
If your answer to any of the following questions is ‘no’, then you are at risk:
Is security at the heart of everything you do?
Are the board and other senior management actively involved in cyber security?
Are the board and senior management regularly briefed on cyber risks?
Does a security culture exist?
Does a user security policy exist?
Are new joiners presented with mandatory security training at induction?
Are appropriate controls in place to counter a social engineering attack?
Are staff made aware of the risks of bring your own device (BYOD)?
Are staff aware of how to handle information?
Do staff know how to create a strong password and keep it safe, and do they change it regularly?
Our team have extensive experience assisting clients with:
1. Influencing Change
embedding a risk-aware environment and driving cultural change;
running awareness sessions for the board and other senior management;
2. Conducting Needs Assessments
assessing knowledge and skills gaps;
reviewing training vendors and material in line with client requirements;
3. Implementing Awareness Programmes
designing and managing security awareness programmes;
deploying awareness campaigns through various media for maximum impact;
4. Developing and Delivering Training
designing and developing bespoke training and communication material;
delivering training at all levels.