First established in 2016, Cyber Risk Aware opened its doors to organisations across the UK to better the knowledge employees have around cyber security.
Cyber Risk Aware operates a training programme tailored specifically for individuals and departments at various organisations. The aim of the training is to ensure that each individual is equipped with security knowledge and knowing how to look out for potential cyber threats. Stephen Burke, CEO and Founder at Cyber Risk Aware, spoke to CBR about the implications a lack of training can have on an organisation and why his company’s initiative is vital to security success. He outlined that it is all about protecting people ahead of time and that it is simple and quick methods that have the largest impact.
In total 90% of attacks come from phishing emails in today’s digital age, which is what spurred Cyber Risk Aware to deploy the initiative to businesses. The number of new technology methods available today is not enough, according to Burke, but instead, cyber criminals know the best targets – the people. Cyber criminals target people because they know it is the weak link in the business, by making an email look legitimate and tricking employees into opening phishing content.
Burke said: “It all comes back to basics and everyone is just so focused on the new shiny technology defence and it’s not about that. The user is the vehicle that the cyber criminals are targeting in all these incidents to get to the unpatched items. It’s about setting strong passwords; it’s about being aware and understanding suspecting emails. If you don’t have the right foundation it’s all creaky and is going to fall down.”
Cyber Risk Aware offers tailored training courses to individuals and departments within organisations, aiming to target the root of the problem and create what Burke referred to as ‘a network of human sensors’. The aim of the training is to re-identify where the lack of awareness rests within an organisation and target training departments to create a human firewall.
Individually targeting weak points of each employee and department will ensure all parts of the company are protecting the network. Furthermore, it encourages organisations to not just rely on the ‘shiny’ technical defence. Training is carried out over short periods of times, up to eight minutes for sessions and 1 minute for videos, with interaction as well.
“We want to send a particular topic to a staff member so that they fully understand what the risks are and how they can protect themselves and what the company’s obligations are also. That they are then able to come out of the course and understand what has been said,” Burke said.
“It seems to be starting from scratch with a lot of people and the reason for that is that any company that may have previously given IT security training, they have tried to do it with a 40-minute course or longer which is a pain to do and people become disinterested.”
One of the most influential areas to target for training is board members. They are the first port of call for cyber criminals to target as they can look the most legitimate to ask for a monetary task to be carried out, making it easier to target employees in the business.
Burke makes it clear that the lack of security does not lie within the technology deployed, but the people that are employed. A people issue must start at the top and it’s a board-level issue, according to the CEO.
“Cyber criminals are targeting people because they know that is the weak link in a business and can then get past the technical defences,” Burke said. “Through our training that people are seeing that getting back to basics is important, to help understand how hackers trick them. It’s no longer just an IT issue. It’s a board-level issue, it’s a companywide issue. That is a fundamental game changer.
“The user is the vehicle that the cyber criminals are targeting in all these incidents to get to the unpatched items. I think people are still naïve to the basics because of reliance on technical defences. The training must start at the top to rid this mentality within a company.”
Hackers know every path to get into systems, a reason why Cyber Risk Aware encourages the training throughout the organisation to ensure workers know how to spot the phishing emails and scams.
“Cyber criminals have everything. Malware as a service, phishing as a service, they are testing their malicious programmes every hour on the latest feeds of anti-virus and anti-firewalls. They know they are not being spotted and therefore they then put that in the crime packs they use to send emails and know they will get past the individual. Then it’s down to the user, which is why we do what we do.”
Cyber security is one of, if not, the most important technical element to an organisation. The public sector is not exempt from this rule and Cyber Risk’s training brings many benefits to the organisations in the sector. Rather than having a costly infrastructure that the employees don’t all understand, Cyber Risk Aware has created the training scheme that will cost a fraction in comparison.
“It will make a huge difference to organisations with minimum spend but also bring that realisation that it is a simple and quick method, having a huge impact. Organisations will realise that their employees are the target and how susceptible they are to phishing. The training will demonstrate how easy the fix is by getting training on how to spot and protect networks.”
As the countdown begins until GDPR implementation, it comes with the question as to whether businesses are only seeking more security and legislation due to the regulation. However, Burke argues that this is not the only reason and that it’s a change of culture and landscape within organisations as well. Banks, as an example, will not trade with an organisation if mandatory security training is done because it causes a third party risk.
“What is happening now is the legislative world that we live in is that GDPR mandates that you have to be doing security awareness training. Clients will ask what is being done around cybersecurity training and it could impact whether an organisation gets a contract or not. The landscape has all changed. It is no longer optional, it is mandatory.”
As cyber awareness becomes more of a need than a want, Cyber Risk Aware is providing more options for organisations to train up their staff. As GDPR looms there is no better time to take on the challenge and ensure that staff are compliant, educated and ready for what lies ahead.