With more and more companies experiencing cyber attacks, the key to cutting the risk of damage or data loss lies in promoting employee engagement in cyber protection, writes Davis Kessler, head of cyber risk, Travelers Europe

In the past 12 months, 32% of businesses in the UK have identified cyber security breaches or attacks, according to the UK Government’s Cyber Security Breaches Survey 2019. Nearly half of those businesses identified at least one breach or attack per month.

While cyber crime can cause significant financial and reputational damage, a company can strengthen its cyber protection by investing in one critical resource: its people.

Employees are a valuable and necessary part of any company’s cyber resilience. When a company delivers appropriate training and maintains a cyber awareness culture that is visible at all levels of the organisation, employees become critical partners in protecting against cyber threats.

In fact, the most common attacks that businesses reported in the Cyber Security Breaches Survey were phishing emails, followed by others impersonating the organisation in emails or online, and then viruses or other malware. Each of these is a threat that employees can help to identify when given the appropriate guidance.

“Employees are often the last line of defence in managing cyber risk, where other defences have failed,” said Ian Birdsey, Partner and Head of Cyber at law firm Pinsent Masons. “They play an extremely important operational role in identifying and reporting cyber threats, which is an essential part of the threat response process.”

Cybersecurity education – and appreciation

Security awareness training teaches employees to recognise vulnerabilities and threats to business operations – and the role each person can play in helping to prevent them. Employees need to understand their responsibilities and accountabilities when using a computer on a business network. Induction training for new starters, together with regularly scheduled refresher courses for existing staff, should be established to instil the company’s data security culture across the whole workforce.

Training should cover, but not be limited to:

• Employees’ legal and regulatory responsibility for company data

• Document management and incident notification procedures

• The need for strong, unique passwords

• Policy on the installation of unauthorised software

• Internet and email policy, including how to identify suspicious links or messages

• Social media policy

• Social engineering and phishing risks

• Your mobile devices policy

• Physical safeguarding of company computers and keeping anti-virus protection updated

While training gives employees an understanding of their responsibility for protecting the organisation’s cyber security, it is just as critical for top management to show visible appreciation for the actions employees take to protect the organisation against cyber threats.

For example, Birdsey said it has become common for companies to promote positive employee engagement around cyber protection by sharing with staff the percentage of employees who identified and reported a phishing email during a cyber threat simulation, rather than identifying and sanctioning those who failed.

Preparing for when, not if, an attack happens

Even when a company has proper employee training and controls in place, a breach can still occur. But here, too, employees have an important role to play. When they understand how to communicate with and help customers and other stakeholders following an attack, they can minimise the harm to the company’s customers and to its reputation.

Preparing employees to deal with cyber threats – and having a culture that values and reinforces employee efforts to identify and respond to cyber security problems – is critical to ensuring the company emerges from an incident in the best possible position.