Posted on June 11, 2019 by Louise Howland
Under GDPR it’s mandated that every employee has cyber education. In this episode of Cyber Chat, Rob May discusses what to consider when starting cybersecurity education and what types of education are available.
Managing the ongoing cybersecurity of your IT infrastructure should be a primary concern, whatever the shape or size of your organisation. Cybersecurity breaches are the number one threat in today’s business landscape. Incidents come in many forms: cyber attacks; laptops left on trains; malicious staff; or, even more simply, accidental data loss caused by human error. The human firewall is a vital line of defence for any organisation, and in this video Rob, author of The Human Firewall (available on Amazon), explains what the human firewall is.
Hi, I’m Rob May, I’m MD of ramsac, and welcome to Cyber Chat. Today I want to talk to you about cyber education. How do you educate? Firstly, do you educate? Under GDPR it’s mandated that every employee has cyber education. If you have a data breach, the law now says that you need to report it to the ICO within 72 hours. When you do that reporting, the fourth question that you get asked is “When did the employee who was involved with the breach last receive cyber education?” So, it’s expected, it’s mandated, but how do you do it?
Far too often, well, actually far too often people aren’t doing it. According to official stats, a third of UK businesses are currently doing cyber education, but that’s clearly got to increase. But far too often people say to me, “Well, we’ve got a policy, it’s in our employee handbook, and we take staff through it when we induct them.” The thing is, that doesn’t work. People don’t remember policy. Harvard University did a study and it showed a number of things, but the things that jumped out at me were, firstly, an intelligent person needs to hear something 6 times before they get it. The other thing is that, as business people, if we’ve got an important message to convey we put 86% of our effort into the written word. Now, this is true of whatever we’re doing, whether this is training or selling or whatever. But when it comes to policies, businesses put 86% of their effort into the written word. What the study showed was that, cognitively, that message is only received by 3% of the recipients. So, if you’ve got something really important to say and you email it to 100 people, only 3 people get that message. So, you have to keep sharing that message and, on average, they need to hear it 6 times. So, if you are reliant on policy in order to educate your staff, or you’ve taken somebody through that policy and you’ve got them to sign a piece of paper to say that they get it, it just doesn’t work.
And it’s not good enough, so you need to be educating staff. We all have different learning styles, so some people work really well with online-based training. Some people work well with a video approach or in-person training. And ramsac can help you with all the different types of cyber training, but it’s absolutely vital that you’re doing that. Now, if you haven’t yet started, just a tip. You can sit your staff down and show them my cybersecurity TED talk; that won’t cost you a penny to do. All you need to ensure is that you keep a record. So, if you’re doing this in your boardroom, get people sat down, show them the talk, but get them to sign a piece of paper to say that they were there and they saw it. Because if you have an investigation from the ICO, one of the things that they want to see is that you’re taking cybersecurity seriously, and you need to prove that staff have been trained. So train your staff. Stay safe and I look forward to talking to you again soon.