How to help employees close their cybersecurity skills gaps

By Indeed Editorial Team

What is cybersecurity, and how (and why) do organisations explain why cybersecurity is important? These are two questions that require very different answers – one being a simple definition, the other being complex in its company culture implications. Let’s tackle the first one, before using the rest of this article to explore cybersecurity best practice.

The simplest way to describe cybersecurity is to say it’s the wall between business systems and online criminals. These cybercriminals are experts at instigating digital attacks on organisations, which often result in data breaches, ransomware attacks, long-term malware infestation and potential business irrelevance.

If there’s one thing organisations should be doing in the 2020s, it’s building a wall strong enough to repel as many cybercriminals as possible, and showing employees how to do the same.

Drive more candidates to jobs on your career site with Sponsored Jobs

Learn more

And so, to the second question

The digital sector contributed £149bn to the UK in 2018, accounting for 7.7% of the UK economy, according to 2020 government figures. Yet, in becoming accustomed to technology, we have perhaps become carefree too. We covet our computers and mobile devices, using them to shop, engage with social media channels, and share photos with friends, family and the rest of the world.

At work, we share documents, use comms tools and email without a second thought. For many of us, it’s a part of our daily working lives. Some of us are digital natives, so technology is second nature, having grown up surrounded by and immersed in digital information. And since the pandemic began, many businesses have adopted productivity enhancing technologies (75%, according to the CBI), including remote working technologies such as cloud computing.

While business owners may be aware of the threat of being anything but completely and utterly watertight when it comes to security, are their employees? Statista research says the average cost of a data breach in the UK is £1,200, which may sound small, but doesn’t factor in the time spent recovering from the breach, nor the costs of mitigating a repeat attack.

With much at stake, what wisdom should business leaders impart around the topic of cybersecurity?

Methods to boost cybersecurity awareness

Cybersecurity isn’t just a technology problem. It’s often a human behaviour issue. More than a quarter of all digital attacks are the result of negligent employee or contractor behaviour, says the Ponemon Institute. Cyber criminals know this and target individuals, which enables them to gain access to places they shouldn’t be. The way to prevent this happening is to educate employees about cybersecurity and ensure best practice is followed.

Let’s consider some of the ways organisations can reduce the likelihood of falling victim to a cyberattack or data breach.

Social media training

Organisations can educate employees in the correct use of social media. Only authorised employees should have access to company social media accounts, and account logging should be turned on. This will ensure an audit trail to track unauthorised posts, or to discover anomalous account access.

Use strong passwords

Password managers can be useful for securely storing important credentials. Passwords should never be stored in unencrypted documents, where they could be seen by unauthorised personnel. Furthermore, underline to employees why sharing passwords is poor practice. If a password has to be shared, use a password manager to do so.

Turn on two-factor authentication

Two-factor authentication, sometimes called multifactor authentication or 2FA, is an extra layer of protection on top of a password. All essential business accounts should ideally use 2FA, so that even if passwords are compromised, all is not lost. Yes, it can be annoying to implement because it slows down the process of logging in to accounts, but it’s worth the hassle. Cygenta research concludes that 62% of people in the UK do not know what two-factor authentication is, so as well as implementing it, employers would be wise to add the concept to training sessions.

Understand terminology

There are many acronyms and technical terms around cybersecurity. Yet, it’s essential that employees understand at least how and why security breaches occur, if not the mechanism itself.

Explain what common phrases such as phishing (social engineering), DDoS attacks, man-in-the-middle attacks, advanced persistent threats (APTs), ransomware and malware mean. The UK’s National Cyber Security Centre has compiled a resource that explains each of these concepts (and more) that employers could use in cybersecurity training sessions.

Create a culture of security

To help nurture a culture of security, cybersecurity training sessions should be regular. The idea is to stimulate employees to view cybersecurity best practice as good for business, and as common sense. Frequent sessions, as well as the adoption of a zero-trust security strategy, may reinforce behaviours and encourage vigilance.

Sessions should revolve around those decisions we make that lead to bad outcomes, such as opening emails from people we don’t know, or clicking links when we shouldn’t. By emphasising cybersecurity as a company goal, employers can begin to develop a culture of security-first thinking.

Furthermore, insist that external contractors abide by company security hygiene rules, but also learn from them if they know more, or use better security.

Monitor security health

Frequent reviews of in-house cybersecurity practices are useful for spotting potential risks. The more frequent these reviews, the more likely it will be to spot patterns, and changes in those patterns that may indicate security risks.

Is it easy to recruit cybersecurity staff?

An Ipsos report in partnership with the UK Department for Digital, Culture, Media and Sport by reveals that 51% of businesses have a cybersecurity basic skills gap. In other words, employees in charge of cybersecurity ‘lack the confidence’ to carry out basic security tasks. This highlights the role of training, so that existing teams get the knowledge and support they need to close skills gaps.

An interesting statistic from the same report says just 11% of businesses outside the ‘cyber sector’ provide security training for employees. Additionally, convincing workers that cybersecurity training is needed is cited as ‘an ongoing challenge’.

So, while cybersecurity itself is an increasing problem, getting people to take it seriously is quite another. This represents a challenge for employers to recruit skilled staff and train existing workers in good security hygiene.

We recommend developing a competitive recruitment strategy for attracting cybersecurity engineers, and focusing on closing in-house skills gaps. The demand for cybersecurity professionals increased by 58% from 2020 to 2021, says the Ipsos study, but there is a shortfall of more than 14,000 cybersecurity personnel. It’s competitive out there, so a considered approach to hiring in a shortage industry, as well as preaching why cybersecurity is important, is imperative.

Drive more candidates to jobs on your career site with Sponsored Jobs

Learn more

Ready to get started?

Post a Job

Get insights and inspiration for the modern world of work

We’ll be in touch soon with the insights and inspiration you need to lead a thriving workforce.

In the meantime, check out our new Future of compensation report for cutting-edge insights on shifting expectations in employee pay, workplace benefits and compensation initatives.

Submit