UK’s SMEs Failing on Cyber Training

Over a quarter (27%) of UK SMEs still don’t train their staff in cyber-awareness, leaving their organization exposed to online threats, according to new data from CFC Underwriting.

The insurer polled over 250 UK small and medium-sized businesses this month to find that many are “not sure where to start” with training and awareness raising.

This is despite a 78% rise in cyber-related claims from 2015 to 2016. The vast majority (90%) of those claims came from organizations with less than £50m in revenue, suggesting that many are SMEs.

In fact, SMEs believe cybercrime is the number one threat to their business after Brexit, the poll suggested.

CFC Underwriting claimed that the lack of movement on training programs could be a result of many SMEs simply not understanding their risk profile: as many as 20% have apparently never assessed their business exposure to cyber-risk.

Training programs are not a silver bullet for dealing with online threats, but they could help staff with identifying phishing and BEC scams, for example. Over a third (38%) of CFC’s claims in 2016 were related to phishing.

CFC Underwriting’s chief innovation officer, Graeme Newman, said firms should have processes in place to ensure phishing emails are swiftly reported, and any wire transfer requests are first followed up with a phone call to check their veracity.

“There’s a massive human element to cyber-risk and having staff understand that this human link even exists is a good start in trying to get everyone within an organization on board with making their work environment more secure,” he told Infosecurity Magazine.

“If an organization’s people are aware of the potential threats – and of what they can do to help mitigate them – then that’s a huge stride forward in adopting a best practice approach.”

Another essential on the training to-do list should be encouraging vigilance with corporate devices, to mitigate the risk of loss or theft, Newman claimed.

“Along those lines, a lot of problems start when employees use company computers for personal use, so having rules in place to limit that is also helpful,” he concluded.
