The importance of cyber security awareness

21/06/23 Wavenet
The importance of cyber security awareness placeholder thumbnail

Every business is at risk of a cyber-attack.

In 2017, cyber-attacks on organisations cost the UK economy £10 billion, with 7 out of 10 companies falling victim to a cyber-attack or breach[1]. When a CEO is confronted with a cyber-attack or data breach, they start to worry about their vulnerabilities in the technology they use and forget to look at the very people using those technologies everyday - their employees. According to the 2017 Data Breach Investigations Report, more than 90% of cyber-attacks were traced back to human error[2], suggesting that mistakes caused by humans both initiates and amplifies the risk of cyber-crime and the damage it poses to businesses. The best way for business directors, CEOs and managers to combat this threat is to create a risk-aware workplace culture, and that starts with cyber security awareness.


What is cyber security awareness?

 

Cyber security awareness is the combination of both knowing and doing something to protect a business’s information assets. When an enterprise’s employees are cyber security aware, it means they understand what cyber threats are, the potential impact a cyber-attack will have on their business and the steps required to reduce risk and prevent cyber-crime infiltrating their online workspace.

 

Creating a culture around cyber security awareness in the workplace doesn’t mean that you’ll be completely eradicating the risk of data theft or cyber-crime to your business. Malware has burgeoned, becoming more and more sophisticated as each new strand is developed, and we expect to see the evolution and growth of cyber-threats and malware to proliferate. It was reported that 123 new strains of malware were found everyday in 2005[3]. During that year, 10,000 of those threats were new strains of malware. 11 years later, research had shown that every second, four new strains of malicious malware were discovered in Q3 of 2016[4] - it’s crucial to highlight that these were the strains that cyber security companies had found and identified. As new strains of malware grow, enterprises need to ensure that they’re implementing the appropriate security measures, educating their employees and eliminating any weaknesses that make them vulnerable to an attack. Human error is an egregious exploit that can lead to fines and severe business damage.

 

Phishing scams: the most prevalent & successful method

 

Your organisation’s cyber security is only as strong as your weakest employee, and a data breach is more likely to come from human negligence rather than a criminal hack. When you strive to create a risk aware culture within the workplace, you’re preventing your employees from becoming unknowingly complicit in cyber-crime activity.

 

According to the 2018 Data Security Incident Response Report, phishing accounted for 34% of data breaches in 2017, making it the number one type of cyber-crime[5]. The report found that “phishing remained prevalent and successful, and employees and their vendors made common mistakes that placed sensitive information at risk.”[6] One form of phishing, known as spear-phishing, is becoming increasingly difficult for employees to detect, posing a huge risk to organisations all over the world. 

 

What is spear-phishing?

 

Spear-phishing is a malicious email-spoofing attack that aims to gain entry to software via malicious malware that’s downloaded through an attachment. The perpetrators target specific organisations or individuals with the goal of gaining unauthorised access to sensitive information. If the person opens the attachment on the email, malware is then downloaded onto the user’s computer. This gives hackers an entry into the organisation’s software, from which they can then move laterally in search of sensitive and valuable information. It is unusual for spear-phishing attempts to be initiated by random hackers with no end goal - they are more likely to be conducted by hackers who are out for financial gain, industry secrets and sensitive information.

 

While the act of spear-phishing sounds rudimental, it has evolved over the last few years, becoming extremely difficult to detect - especially if there’s no prior knowledge or spear-phishing protection software implemented. Victims are targeted via the personal information they put on the internet. For example, a hacker might find an employee’s email address, interests, job role, geographic location and any posts about new products they’ve just purchased, all available on their social media profiles. With all of this information, the hacker then acts as a friend or a familiar entity, and sends a convincing but fraudulent and malicious message to their target. There have been some instances where victims were asked to open a malicious attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs, and access codes.

 

WannaCry: the biggest phishing attack to date

 

In May 2017, one of the biggest phishing attacks in history left organisations such as the NHS, FedEx, Nissan and Hitachi crippled. This attack hit more than 150 countries and 200,000 computers worldwide, and was sent via an email that would trick the recipient into opening attachments, which then released phishing malware onto their system. The malware, WannaCry, was aligned with a stolen cyber weapon called EternalBlue. The weapon, developed by the US National Security Agency, propagated a vulnerability in older versions of Windows Microsoft Server Message Block protocol. This exploit of Windows’ SMB then tricked various nodes by specially crafted packets, which then triggered the nodes that were communicating on a network to buffer overflow, causing it to reload, leaving a vulnerability for the execution of arbitrary code. It is thought that this global attack could spur $53 billion in economic losses[7].

 

Investigations found that many users (including the NHS) had not installed patches for Microsoft’s exploit, leaving them vulnerable to WannaCry’s rampage. Alongside this, the NHS were told that they were at risk of a cyber-attack, and did very little to prevent it.[8]

 

eBay: a cyber-attack that lasted more than 200 days

 

In 2014, eBay were subject to a leveraged phishing attack where sensitive information about more than 100 employees was stolen. This information was then used to gain access to eBay's internal network. Once the hackers had infiltrated the network, they extracted the names, passwords, email addresses, physical addresses, and other personal information of more than 145 million customers. It is thought that the attackers went undetected, with unfettered access to eBay's systems for 229 days. The hackers had installed a rogue certificate, allowing them to hide exfiltration in encrypted traffic. eBay didn’t have a HTTPS inspection solution with full access to all keys and certificates, which meant that the rogue certificates remained undetected for a long time. The aftermath of the breach meant that eBay had to lower its annual sales target by $200 million, and they struggled to recover customer confidence and brand value for months[9].

 

The importance of cyber security

 

Colleagues need to understand the role they play in strengthening a business’s cyber security. In most cases, it needs to be taken back to the very basics. Cyber-crime shows no signs of slowing down, and a cyber-attack has the potential to incapacitate an organisation. Training your employees and making them aware is not only your best defence - it also shows you’re paving your way to a more GDPR compliant future. Should you find your company has fallen victim to a cyber-attack, the ICO will look at the preventative measures you have put in place beforehand. It is crucial for businesses to implement the most basic cyber security measures, and cyber security awareness for employees is one of them.

 

TalkTalk: failing the basics

 

In October 2015, almost 157,000 TalkTalk customers had their personal data hacked. A further 15,656 customers had their bank account numbers and sort codes leaked, which meant fraudulent activity took place on their accounts. The hackers accessed this data via three vulnerable web pages within TalkTalk’s inherited infrastructure on their site. The infrastructure was not properly scanned for possible threats by TalkTalk, making them ignorant to these vulnerable pages, and therefore unaware that these pages enabled access to a database that held confidential customer information.

 

The hackers used a common technique known as SQLi (a SQL injection) to exploit TalkTalk’s vulnerabilities. Once the malicious SQL injections (also known as malicious payload) attacked, they had control of TalkTalk’s web application's database server.

 

During an investigation, the ICO stated that a SQL injection is a well understood cyber weapon and there are plenty of defences out there for businesses to protect themselves against it. They also said that TalkTalk ought to have known that SQLi posed a serious risk to their customers’ credentials and business data, but did next to nothing to protect this sensitive information. TalkTalk lost 101,000 customers and suffered a cost of £60 million. They were also fined £400,000.[10]

 

Cyber security awareness best practices

 

CEOs, directors and managers want to keep their data safe, it is up to them to educate their colleagues and create a workplace culture surrounding cyber security awareness. Here are some cyber security best practices every organisation should be following:

 

Implement basic cyber security training

 

Conducting training sessions will ensure that employees use approved software, and have strong passwords. You could also look at implementing common sense practices surrounding technology access and consider adding further levels of protection for staff with multi-factor authentication. This could be something as simple as not letting employees take their laptops home at the weekend, or enforce a two-step verification process.  

 

Have a data recovery strategy

 

A recent survey had shown that one in five businesses don’t have a procedure or back-up plan, should their data get lost or damaged. With more and more businesses relying on the cloud, it’s crucial that you ensure your cloud-based data is adequately protected and compliant with new GDPR regulations. Alongside this, you need to make sure your employees are clear on the strategy, and exactly who is responsible for what.

 

Detect and plan for what you can't prevent

 

Hackers will always try and find a vulnerability, and when they do you need to make sure you have the resources and knowledge to detect their activities as quickly as possible. This way, you can contain the damage  and get back to normal business without experiencing a  massive loss event. Implementing a security information and event management (SIEM) solution will aggregate logs from applications, operating systems, and network infrastructure appliances across the enterprise. It will then analyse the data to identify any questionable activity and flag it to the appropriate people. 

 

It’s clear that the weakest link in cyber security is the human factor, and if your employees are unable to make an informed and educated decision about something as simple as what network to connect to or which email attachment to open, you’re at risk of a potentially devastating cyber-attack. Your business’s cyber security is only as strong as your weakest employee - it is your responsibility to create a risk aware workplace culture surrounding cyber security awareness.

 

[1] https://www.gov.uk/

[2] http://www.verizonenterprise.com/

[3] https://www.pandasecurity.com

[4] https://www.darkreading.com

[5] https://www.itjungle.com/

[6] https://www.itjungle.com/

[7] https://www.reuters.com/

[8] https://www.thetelegraph.com

[9] https://www.theguardian.com/technology/

[10] https://ico.org.uk/

 

 

Backup & Recovery, Product Guides, Microsoft, IT & Technology, IT & Security, Cloud

Latest blogs

See all posts
sd-wan
SD-WAN benefits for education: enhance school, college and university networks

Online learning platforms, cloud-based applications, virtual classrooms, and bandwidth-heavy multimedia resources have become essential to modern education. As these demands grow, many institutions are turning to SD‑WAN (Software-Defined Wide Area Networking) to support their digital transformation.

Read more
it in education
Best IT support for schools: enhance education

The right IT support services help schools and colleges operate smoothly, prevent downtime, and enhance the overall learning experience. This guide breaks down the most effective IT solutions for educational institutions and explains how to choose the right IT partner. Why IT support is essential in modern education Schools and colleges depend on technologies such as cloud platforms, WiFi networks, learning management systems (LMS), and safeguarding tools. Without strong IT support, everyday learning can easily be disrupted. High‑quality IT support ensures: Consistent uptime for learning platforms Secure protection for student and staff data Smooth operation of classroom hardware Reliable connectivity across campus A strategic roadmap for future IT improvements Top IT support services for schools and colleges 1. Managed IT support Managed IT support gives schools access to a fully equipped technical team without needing an in‑house department. Typical features include: 24/7 help desk Device and server management Cyber security monitoring Backup and disaster recovery Software updates and patch management This approach reduces costs, increases system reliability, and frees educators to focus on learning—not technical issues. 2. Student technology support Students rely on devices and online platforms every day. Student tech support ensures they can access lessons without interruption. Common services include: Device troubleshooting (laptops, tablets, Chromebooks) Login and password resets Connectivity support Assistance with online learning platforms Safety filtering guidance This support is especially vital in hybrid or remote learning environments. 3. Classroom technology solutions Modern classrooms need fully supported and integrated digital tools. Classroom IT solutions typically include: Interactive whiteboards Projectors and AV systems Classroom management software WiFi optimisation Digital collaboration tools These technologies make lessons more engaging and interactive. 4. Microsoft education support Microsoft remains one of the most widely used platforms in schools. Supporting these tools effectively helps ensure seamless digital learning. Key areas include: Office 365 management Teams for Education Intune device management Azure cloud services Identity and access management 5. Microsoft education training Empower your teaching and facilitate innovative learning for your students with Microsoft education training. Key areas include: Microsoft 365 Education Tools Training Microsoft's Showcase School Programme How to choose the right IT support provider When evaluating IT support services, schools should consider: Budget and funding constraints Current IT infrastructure Scalability needs Security and compliance requirements Provider’s education-sector experience Availability of both remote and on‑site support Choosing a specialist with education experience ensures better safeguarding compliance, user-friendly solutions, and long‑term value. The benefits of outsourcing IT support Practical and operational benefits More schools now outsource IT due to benefits in security, performance, management and cost: Lower long‑term costs Access to specialist expertise Faster response and issue resolution Stronger cyber protection A strategic, future-proof technology plan Learning benefits Technology is enabling and facilitating better learning experiences and outcomes, empowering teachers, increasing pupil engagement and enriching the classroom experience: Personalised learning paths Instant access to learning resources Better collaboration among students Support for SEND and diverse learning needs Preparation for a digital workforce Schools that invest wisely in IT create stronger educational outcomes. The growing demand for IT skills in education As digital transformation accelerates, technology is playing a key role in enhancing learning and schools increasingly require IT professionals skilled in: Networking Cyber security Cloud infrastructure EdTech implementation Support and troubleshooting Online IT certification programmes are helping build the next generation of education‑sector IT specialists. Wavenet: A trusted IT partner for UK schools and the public sector For educational institutions seeking a reliable and experienced IT services provider, We are one of the UK’s leading education technology specialists. With over 30 years of experience delivering designed‑for‑schools solutions, we supports more than 4,000 education establishments nationwide across cloud platforms, cyber security, communications, safeguarding, and network services. We provide ICT services, broadband, WiFi, audio‑visual systems, remote support, and fully managed IT services - all delivered by DBS‑checked staff and supported with clear, transparent SLAs. By partnering with us, schools gain access to expert guidance, best‑practice ICT strategy, robust cybersecurity, and a long‑term technology roadmap - helping them create a connected, secure, and future‑ready educational environment.

Read more
managed security services provider
What is a Managed Security Services Provider (MSSP)?

Managed Security Service Providers (MSSPs) offer outsourced monitoring, management, and protection of an organisation’s security infrastructure. Their services typically include managed threat detection, continuous security monitoring, incident response, and vulnerability management. By partnering with an MSSP, businesses can leverage specialist expertise and advanced technologies to safeguard their digital assets more effectively.

Read more
UK digital infrastructure connectivity
Higher ROI for firms investing in infrastructure

Digital infrastructure is now a national and commercial priority For UK C-suite leaders, the growth conversation has fundamentally shifted. The latest UK infrastructure analysis1. shows that 2026 marks a major shift from policy vision to project delivery, unlocking billions in digital infrastructure, fibre connectivity, grid upgrades, and modernisation programmes. This shift positions digital infrastructure as a core driver of competitiveness, innovation, and long-term business ROI.

Read more
Placeholder thumbnail
A pupil’s review of Bett by Billy H, year 5

I’m in Year 5 and this was my second time visiting Bett, and I think it might be one of the coolest places ever. There were loads of new gadgets, games, and learning tools to try out, and everything made school feel like it could be a massive adventure.

Read more