Employee Education is a Critical Defence Against Cyber Attacks
This featured blog was provided by the Insurance Bureau of Canada.
New research shows small and mid-sized businesses need to start with their staff to improve their cyber risk
As many companies continue to operate remotely and put greater reliance on the internet, cyber criminals are looking to take advantage of this to attack more vulnerable systems, such as mobile devices or less secure networks.
Small and medium-sized organizations are often more susceptible to cyber attacks, as they typically have fewer resources to devote to cyber security, have fewer controls in place and, often, offer their employees less training on cyber hygiene. Larger organizations are also at risk: while they are often less susceptible to cyber attacks, thanks largely to more sophisticated controls and general awareness of the cyber threats they face, they are more likely to be the target of cyber criminals because of the large amount of data they hold or the bigger impact of a successful attack. While cyber insurance may help an organization recover losses from a cyber attack, it should be thought of as just one component within a complete cyber risk mitigation strategy aimed at reducing an organization’s vulnerability to online threats.
According to new research by Insurance Bureau of Canada (IBC), some organizations may be overlooking one relatively affordable cyber defence mechanism: staff training.
A survey of 1,525 Canadians that work at small and medium-sized businesses (defined as businesses with fewer than 500 employees) revealed a number of startling findings:
- Two-in-five employees surveyed (42%) say they have seen an increase in cyber scam attempts over the last year.
- Only a third of surveyed employees (34%) report that their company provides mandatory cyber security awareness training.
- Only half (50%) of employees surveyed report that their organization has introduced multi-factor authentication, a critical cyber security defence mechanism that requires a user to provide two or more verification factors to access a corporate network or application.
- Only a quarter of employees surveyed (24%) report that their employer conducts phishing email simulations to help promote cyber vigilance.
Employees’ actions increase their company’s cyber security risk
IBC’s survey also revealed that 7 in 10 employees of small and medium-sized businesses (72%) reported at least one behaviour that could allow a cyber criminal to gain access to their company’s computer systems. This further demonstrates the urgency for more employers to educate their employees on how to reduce cyber threats.
According to survey respondents:
- 27% use one password to access multiple websites they use for work
- 23% access public Wi-Fi while using their work computer
- 19% download software/apps on their work devices that were not provided by their employer
- 7% allow family members or friends to use their work computer
- 5% share their work login or password by email or text.
Hybrid/remote employees are even more likely (77% of respondents) to take actions that may compromise their employer’s cyber security or data.
Attitudes toward cyber security raise concerns
Employees may also underestimate the role they play in their organization’s cyber defences, with 30% of respondents saying they don’t believe cyber criminals would target them at work, and 28% of respondents saying their employer is solely responsible for protecting their workplace from cyber threats.
The survey also found that 21% of respondents believe that most cyber breaches are minor and easy to resolve, while the reality is that they can have a devastating financial impact. In 2021, the average total cost of a data breach to Canadian organizations was an estimated $7.3 million.
As cyber criminals get savvier, business owners and staff have a collective responsibility to stay one step ahead. That’s why IBC has launched cybersavvycanada.ca, a new cyber education initiative to help Canadians better understand the threat of cyber attacks and what they can do to reduce their risk.