The importance of cyber security awareness

21/06/23 Wavenet

Every business is at risk of a cyber-attack.

In 2017, cyber-attacks on organisations cost the UK economy £10 billion, with 7 out of 10 companies falling victim to a cyber-attack or breach[1]. When a CEO is confronted with a cyber-attack or data breach, they start to worry about vulnerabilities in the technology they use and forget to look at the very people using those technologies every day - their employees. According to the 2017 Data Breach Investigations Report, more than 90% of cyber-attacks were traced back to human error[2], suggesting that human mistakes both initiate and amplify the risk of cyber-crime and the damage it poses to businesses. The best way for business directors, CEOs and managers to combat this threat is to create a risk-aware workplace culture, and that starts with cyber security awareness.


What is cyber security awareness?

 

Cyber security awareness is the combination of both knowing and doing something to protect a business’s information assets. When an enterprise’s employees are cyber security aware, it means they understand what cyber threats are, the potential impact a cyber-attack will have on their business and the steps required to reduce risk and prevent cyber-crime infiltrating their online workspace.

 

Creating a culture around cyber security awareness in the workplace doesn’t mean that you’ll completely eradicate the risk of data theft or cyber-crime to your business. Malware has burgeoned, becoming more sophisticated with each new strain, and we expect cyber-threats and malware to keep evolving and proliferating. It was reported that 123 new strains of malware were found every day in 2005[3]. During that year, 10,000 of those threats were new strains of malware. 11 years later, research showed that four new strains of malware were being discovered every second in Q3 of 2016[4] - it’s crucial to highlight that these were only the strains that cyber security companies had found and identified. As new strains of malware emerge, enterprises need to ensure that they’re implementing the appropriate security measures, educating their employees and eliminating any weaknesses that make them vulnerable to an attack. Human error is a glaring, easily exploited weakness that can lead to fines and severe business damage.

 

Phishing scams: the most prevalent & successful method

 

Your organisation’s cyber security is only as strong as your weakest employee, and a data breach is more likely to come from human negligence than from a criminal hack. When you strive to create a risk-aware culture within the workplace, you’re preventing your employees from becoming unknowingly complicit in cyber-crime activity.

 

According to the 2018 Data Security Incident Response Report, phishing accounted for 34% of data breaches in 2017, making it the number one type of cyber-crime[5]. The report found that “phishing remained prevalent and successful, and employees and their vendors made common mistakes that placed sensitive information at risk.”[6] One form of phishing, known as spear-phishing, is becoming increasingly difficult for employees to detect, posing a huge risk to organisations all over the world.

 

What is spear-phishing?

 

Spear-phishing is a malicious, targeted email-spoofing attack that aims to gain entry to an organisation’s systems via malware downloaded through an attachment. The perpetrators target specific organisations or individuals with the goal of gaining unauthorised access to sensitive information. If the recipient opens the attachment, malware is downloaded onto their computer. This gives the attackers a foothold in the organisation’s systems, from which they can move laterally in search of sensitive and valuable information. It is unusual for spear-phishing attempts to be initiated by random hackers with no end goal - they are more likely to be conducted by hackers who are after financial gain, industry secrets and sensitive information.

 

While the act of spear-phishing sounds rudimentary, it has evolved over the last few years, becoming extremely difficult to detect - especially if there’s no prior knowledge or spear-phishing protection software in place. Victims are targeted via the personal information they put on the internet. For example, a hacker might find an employee’s email address, interests, job role, geographic location and any posts about new products they’ve just purchased, all available on their social media profiles. With all of this information, the hacker then poses as a friend or a familiar entity, and sends a convincing but fraudulent and malicious message to their target. In some instances, victims have been asked to open a malicious attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs and access codes.
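The signs described above (a sender pretending to be a familiar contact, a look-alike domain, replies routed elsewhere, a risky attachment) are exactly what a mail gateway or awareness tool can check for mechanically. The following is an added example, not code from the original article or from Wavenet: it parses a constructed email with Python’s standard `email` module and reports the indicators it finds. The trusted domain `example.com`, the internal-contacts list and the risky-extension list are assumptions standing in for an organisation’s own policy.

```python
"""Heuristic spear-phishing indicator checks over an inbound email.

Added example (not from the original article). The message, the trusted
domain, the internal-contacts table and the extension list are all
constructed assumptions; a real gateway would use its own policy data.
"""
import email
import email.policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                                       # assumption
INTERNAL_CONTACTS = {"finance director": "f.director@example.com"}  # assumption
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm"}

# Constructed sample: look-alike sender domain, redirected Reply-To,
# impersonated display name and a macro-enabled attachment.
SAMPLE_MESSAGE = b"""\
From: "Finance Director" <f.director@examp1e.com>
Reply-To: payments@mail-handler.invalid
To: clerk@example.com
Subject: Urgent invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _looks_like(a: str, b: str) -> bool:
    """True when two domains differ by a single substituted, inserted or
    deleted character (a cheap look-alike / typo-squat check)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = sorted((a, b), key=len)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def phishing_indicators(raw: bytes) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Sender domain is a near miss of the organisation's own domain.
    if from_dom != TRUSTED_DOMAIN and _looks_like(from_dom, TRUSTED_DOMAIN):
        findings.append(f"look-alike sender domain: {from_dom}")

    # 2. Display name matches a known colleague but the address does not.
    expected = INTERNAL_CONTACTS.get(display.lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{display}' used from {from_addr}, expected {expected}")

    # 3. Replies are silently routed to a different domain than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain differs from From: {_domain(reply_addr)}")

    # 4. Attachment with an executable or macro-enabled extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Each check is a heuristic rather than proof of malice, so in practice the findings feed a score or a warning banner shown to the recipient, which is where awareness training and tooling reinforce each other.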

 

WannaCry: the biggest phishing attack to date

 

In May 2017, one of the biggest phishing attacks in history left organisations such as the NHS, FedEx, Nissan and Hitachi crippled. The attack hit more than 150 countries and 200,000 computers worldwide, and was delivered via an email that tricked the recipient into opening an attachment, which then released the malware onto their system. The malware, WannaCry, was combined with a stolen cyber weapon called EternalBlue. The weapon, developed by the US National Security Agency, exploited a vulnerability in the Server Message Block (SMB) protocol in older versions of Microsoft Windows: specially crafted packets sent to a vulnerable machine triggered a buffer overflow in the SMB service, allowing arbitrary code to be executed on it, and the malware used this to spread from one machine to the next across a network. It is thought that this global attack could spur $53 billion in economic losses[7].

 

Investigations found that many users (including the NHS) had not installed Microsoft’s patch for the vulnerability, leaving them exposed to WannaCry’s rampage. Alongside this, the NHS had been warned that it was at risk of a cyber-attack, and did very little to prevent it.[8]

 

eBay: a cyber-attack that lasted more than 200 days

 

In 2014, eBay were subject to a leveraged phishing attack in which sensitive information about more than 100 employees was stolen. This information was then used to gain access to eBay’s internal network. Once the hackers had infiltrated the network, they extracted the names, passwords, email addresses, physical addresses and other personal information of more than 145 million customers. It is thought that the attackers went undetected, with unfettered access to eBay’s systems, for 229 days. The hackers had installed a rogue certificate, allowing them to hide data exfiltration in encrypted traffic. eBay didn’t have an HTTPS inspection solution with full access to all keys and certificates, which meant that the rogue certificate remained undetected for a long time. The aftermath of the breach meant that eBay had to lower its annual sales target by $200 million, and they struggled to recover customer confidence and brand value for months[9].

 

The importance of cyber security

 

Colleagues need to understand the role they play in strengthening a business’s cyber security. In most cases, it needs to be taken back to the very basics. Cyber-crime shows no signs of slowing down, and a cyber-attack has the potential to incapacitate an organisation. Training your employees and making them aware is not only your best defence - it also shows you’re paving your way to a more GDPR-compliant future. Should you find your company has fallen victim to a cyber-attack, the ICO will look at the preventative measures you had put in place beforehand. It is crucial for businesses to implement the most basic cyber security measures, and cyber security awareness for employees is one of them.

 

TalkTalk: failing the basics

 

In October 2015, almost 157,000 TalkTalk customers had their personal data compromised by hackers. A further 15,656 customers had their bank account numbers and sort codes leaked, which meant fraudulent activity took place on their accounts. The hackers accessed this data via three vulnerable web pages within TalkTalk’s inherited infrastructure on their site. TalkTalk had not properly scanned this infrastructure for possible threats, leaving them ignorant of these vulnerable pages, and therefore unaware that the pages enabled access to a database that held confidential customer information.

 

The hackers used a common technique known as SQLi (SQL injection) to exploit TalkTalk’s vulnerabilities. By submitting a malicious payload through these web pages, they were able to alter the SQL queries the application ran, giving them control of the database server behind TalkTalk’s web application.

 

During an investigation, the ICO stated that SQL injection is a well-understood cyber weapon and there are plenty of defences out there for businesses to protect themselves against it. They also said that TalkTalk ought to have known that SQLi posed a serious risk to their customers’ credentials and business data, but did next to nothing to protect this sensitive information. TalkTalk lost 101,000 customers and suffered a cost of £60 million. They were also fined £400,000.[10]
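To make the ICO’s point concrete, here is an added example (not code from the original article, and nothing to do with TalkTalk’s actual systems) showing the defect behind a SQL injection beside the well-understood fix. It uses an in-memory SQLite database with a constructed `customers` table; the vulnerable function pastes user input straight into the SQL text, while the safe function binds it as a parameter so the database only ever treats it as data.

```python
"""SQL injection: string-built query versus parameterised query.

Added example (not from the original article). The table, its rows and
the form input are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway customer table like the one a login form might query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "11111111"),
            (2, "bob@example.com", "22222222"),
            (3, "carol@example.com", "33333333"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """DEFECT kept on purpose: the input becomes part of the SQL text, so a
    value containing quotes can change the query's structure."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Fix: a placeholder is bound to the value by the driver, so whatever the
    user types is compared as a string and never parsed as SQL."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    # Constructed form input: the classic always-true condition.
    form_input = "' OR '1'='1"
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, form_input))  # every row leaks
    print("safe:      ", lookup_safe(db, form_input))        # no match, nothing leaks
```

The vulnerable version returns all three rows for the hostile input because the database receives `WHERE email = '' OR '1'='1'`; the parameterised version returns nothing because it is literally looking for a customer whose email address is that string. Parameterised queries (plus least-privilege database accounts and input validation) are the defences the ICO referred to.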

 

Cyber security awareness best practices

 

If CEOs, directors and managers want to keep their data safe, it is up to them to educate their colleagues and create a workplace culture surrounding cyber security awareness. Here are some cyber security best practices every organisation should be following:

 

Implement basic cyber security training

 

Conducting training sessions will help ensure that employees use approved software and choose strong passwords. You could also implement common-sense practices around technology access and consider adding further levels of protection for staff with multi-factor authentication. This could be something as simple as not letting employees take their laptops home at the weekend, or enforcing a two-step verification process.

 

Have a data recovery strategy

 

A recent survey has shown that one in five businesses don’t have a procedure or back-up plan should their data get lost or damaged. With more and more businesses relying on the cloud, it’s crucial that you ensure your cloud-based data is adequately protected and compliant with the new GDPR regulations. Alongside this, you need to make sure your employees are clear on the strategy, and exactly who is responsible for what.

 

Detect and plan for what you can't prevent

 

Hackers will always try to find a vulnerability, and when they do you need to have the resources and knowledge to detect their activity as quickly as possible. This way, you can contain the damage and get back to normal business without experiencing a massive loss event. A security information and event management (SIEM) solution aggregates logs from applications, operating systems and network infrastructure appliances across the enterprise, then analyses the data to identify any questionable activity and flag it to the appropriate people.
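The two halves of that description, aggregating logs from different sources into one schema and then analysing them for questionable activity, can be shown in miniature. The following is an added example, not code from the original article or from any SIEM product: it normalises constructed SSH-style and web-application log lines into common events, then runs one correlation rule (a burst of failed logins from one source followed by a success). The threshold of 5 failures and the 10-minute window are assumptions a real rule would be tuned to.

```python
"""Miniature SIEM: normalise log lines from two sources, then correlate them.

Added example (not from the original article or any SIEM product). The log
lines are constructed; the threshold and window are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: an operating-system auth log and an application log.
SSH_LOG = """\
2023-06-21T09:00:01 sshd Failed password for admin from 203.0.113.7
2023-06-21T09:00:04 sshd Failed password for admin from 203.0.113.7
2023-06-21T09:00:09 sshd Failed password for admin from 203.0.113.7
2023-06-21T09:00:15 sshd Failed password for admin from 203.0.113.7
2023-06-21T09:00:21 sshd Failed password for root from 203.0.113.7
2023-06-21T09:00:30 sshd Accepted password for admin from 203.0.113.7
2023-06-21T09:05:00 sshd Accepted password for carol from 198.51.100.4
"""
APP_LOG = """\
2023-06-21T09:10:00 webapp login result=FAIL user=bob src=192.0.2.9
2023-06-21T09:10:02 webapp login result=OK user=bob src=192.0.2.9
"""

SSH_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) password for (\S+) from (\S+)$")
APP_RE = re.compile(r"^(\S+) webapp login result=(FAIL|OK) user=(\S+) src=(\S+)$")


def normalise(lines: str) -> list[dict]:
    """Turn raw lines from either source into one common event schema."""
    events = []
    for line in lines.splitlines():
        m = SSH_RE.match(line) or APP_RE.match(line)
        if not m:
            continue  # a real pipeline would count and review unparsed lines
        ts, outcome, user, src = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "success": outcome in ("Accepted", "OK"),
            "user": user,
            "src": src,
        })
    return events


def brute_force_then_success(events: list[dict], threshold: int = 5,
                             window: timedelta = timedelta(minutes=10)) -> list[str]:
    """Flag any source that fails at least `threshold` times within `window`
    and then authenticates successfully (the pattern of a guessed password)."""
    events = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)  # src -> timestamps of failures inside the window
    alerts = []
    for ev in events:
        recent = [t for t in failures[ev["src"]] if ev["time"] - t <= window]
        failures[ev["src"]] = recent
        if ev["success"]:
            if len(recent) >= threshold:
                alerts.append(
                    f"{ev['src']}: {len(recent)} failures then success as "
                    f"{ev['user']} at {ev['time'].isoformat()}"
                )
            failures[ev["src"]].clear()  # a success ends the current burst
        else:
            failures[ev["src"]].append(ev["time"])
    return alerts


def run() -> list[str]:
    """Aggregate both sources and apply the rule."""
    return brute_force_then_success(normalise(SSH_LOG) + normalise(APP_LOG))


if __name__ == "__main__":
    for alert in run():
        print("ALERT:", alert)
```

Only the source that failed five times before succeeding is flagged; the user who mistyped a password once is not, which is the point of correlating events rather than alerting on every single failure.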

 

It’s clear that the weakest link in cyber security is the human factor, and if your employees are unable to make an informed and educated decision about something as simple as which network to connect to or which email attachment to open, you’re at risk of a potentially devastating cyber-attack. Your business’s cyber security is only as strong as your weakest employee - it is your responsibility to create a risk-aware workplace culture surrounding cyber security awareness.

 

[1] https://www.gov.uk/

[2] http://www.verizonenterprise.com/

[3] https://www.pandasecurity.com

[4] https://www.darkreading.com

[5] https://www.itjungle.com/

[6] https://www.itjungle.com/

[7] https://www.reuters.com/

[8] https://www.thetelegraph.com

[9] https://www.theguardian.com/technology/

[10] https://ico.org.uk/
