New trains of thought

Ongoing investment in cyber training and upskilling across a business is essential to prevent a major data breach

Companies that haven't been investing in cybersecurity upskilling and training over the past few years are already on the back foot, as attacks are becoming more sophisticated and numerous. "New versions of malicious software appear almost daily and are always one step ahead of our anti-virus systems," cautions Phil Chapman, head of Cyber Security Curriculum at Firebrand Training.

"The growth of the botnets alone is currently being calculated to have risen to over 80% in Q3 of 2021, according to Internet-based monitoring agencies. Policy therefore needs to be the first thing that a company considers before tackling the technology to defend it. Ongoing investment in cyber training and upskilling across the whole business is essential to keeping everyone secure and preventing a major data breach."

The weakest part of our defences is also our biggest asset - people. "Often, the weakest link in the chain is the user who doesn't understand the risk. Therefore, it's crucial that those outside of the cyber security and information security teams are educated about the dangers of a cyber-attack and what to look out for. A 'User Training & Awareness Policy' needs to be a company priority. Explaining these threats to all employees enables them to better protect themselves from potential harmful emails and attachments, as well as identify phishing or fraud.

"In the age of hybrid working, companies should also be setting out processes for working outside of the office, in order to protect sensitive information and maintain security protocols, such as ensuring that people are working on a secure wifi network and explaining the details of what this should look like [ie, not a public shared wifi] and making it standard for workers to set up two-factor authentication on work devices."

Training programmes need to be robust and adaptable to meet the changing needs of security, cybercrime and technological advances, so that organisations can layer in the necessary forms of technical, physical and procedural protection to keep the business safe. "Without continued development, businesses are putting a target on their backs, and putting their company and reputation at risk. Cybersecurity apprenticeships are also an effective way to introduce a wealth of talent into a business who can hit the ground running, while addressing the ever-growing digital skills gap."

WHO IS RESPONSIBLE?
The cliché that the workforce is the frontline of defence for cybersecurity is an easy one - but who is actually responsible? asks Neil Langridge, marketing director, e92plus. "Recent research by Trend Micro found a lack of consensus amongst business leaders over who is responsible, with nearly half of all survey respondents believing that the risks around cyber-attacks are still treated as an IT problem, rather than a bigger business challenge."

Most people would agree it's something that impacts the whole company - and everyone can play their part, he adds. "So, what's the best approach for those not sitting in the IT teams? Different departments face different risks - the marketing team will likely have access to customer data, so could be at risk of credential theft, while finance will be the target of phishing, or spear phishing in particular - using BEC [Business Email Compromise] to attempt to extort money via money transfer or spoofing suppliers."


Neil Langridge, e92plus: cybersecurity training needs to be built from the start and then continually refreshed.

Cybersecurity training needs to be built from the start and then continually refreshed - and part of the fabric of employee training and enablement, no different from HR or quarterly reviews. "As part of the e92plus Cybersecurity 101 programme, we poll our workshop participants on whether the organisations they work with have refreshed their training since the pandemic started," states Langridge. "Sadly, that number is often under 50%, despite the fundamental shift in potential risk. Our homes, our personal devices, our own Wi-Fi network is now the network perimeter, as once a company laptop opens the VPN, then all devices connected on that Wi-Fi network could pose a risk. While your iPhone or Chromebook may be fairly secure, what about the cheap IP doorbell purchased from eBay?"

So, as with charity, cybersecurity best practice starts at home. "Workplace training can provide tips and advice to help employees protect themselves and their family better, and so a culture of responsibility is built, and that's taken back into their business - and that's something now available from cybersecurity training and education providers like Cofense," he says. "And, without doubt, building that positive cybersecurity culture is so much harder with the distributed workforce when you can't simply lean over to a colleague at the next door for a gentle query about a dodgy-looking email."

MORE THAN JUST A JOB
Training and experience are two different things, states Steve Usher, senior security analyst, Brookcourt Solutions. "The issues currently are not so much the lack of training, as there are an increasing number of people moving into the cyber security industry, but more the lack of experience. Yes, there is still a lack of staff in general, but I believe it is incorrect to assume the entire issue lies with the actual number of people in the cyber security industry. How do we create cyber security experts? The real experts in this industry are those with a passion for it and a thirst for knowledge; people that see cyber security as more than simply a job."


Phil Chapman, Firebrand Training: companies failing to invest in cybersecurity upskilling and training are already on the back foot.

Usher believes the solution comes in two parts. "The first being that companies start looking at the potential of people, and not simply the experience and certifications that they offer. Having more in-depth conversations, during the interview stage, will allow more businesses to pick up a person's passions and experience, as well as knowledge of the field.

"The second part of the solution is to have a solid focus on skills and knowledge transfer in the workplace. A program that will support people's skills growth and enhance their current set of capabilities, exposing them to people and situations that are outside of their day-to-day responsibilities to help promote experience and enhance people's interests in areas that they are passionate about, can go a long way. An upskilling program of this nature will not only benefit the business operationally, but also contribute towards stronger staff retention for the business.

"There are, of course, alternatives to the above, with numerous courses, certifications, diplomas and degrees available to assist in qualifying people to work in the cyber security field, but qualifications and real-world experience are not the same thing. Experience cannot be materialised out of nowhere; the opportunity to gain that experience must be provided."