The majority of UK sales staff are not being provided with IT security training, despite being the most exposed to cyber attacks, according to new research from Intel Security announced today.
The firm, which has now fully incorporated McAfee, interviewed hundreds of IT decision makers from across Europe to better understand where organizations are most exposed to phishing, malware and other online threats.
It rated sales staff as most exposed to cyber threats because they speak most often to people outside of the organization. Call center and customer service employees came next.
However, 51% of UK firms don’t give sales staff any training in how to spot or protect against online threats, exposing them to greater risk, the report found.
The findings are concerning given the rise of stealthy, evasive attacks designed to bypass traditional security filters and trick users into clicking on malicious links or opening attachments in phishing emails.
Often the attackers have spent months researching their targets to make their spear-phishing messages are as convincing as possible.
Malware is then designed to download in the background with the user completely unaware, which can leave organizations infected for weeks or months while their most sensitive data is being exfiltrated.
Intel Security details this and more in its recent report: Dissecting the Top Five Network Attack Methods: A Thief’s Guide.
It also highlights the growing threat from DDoS attacks, which are the largest single contributor to network attacks, accounting for 45% of the total. Yet just fewer than a fith (19%) of UK IT leaders questioned said they thought DDoS was the biggest threat to their company.
Commenting on the findings, Ashish Patel, UK regional director of network security at Intel Security, argued that firms need to think about tailoring their training programs according to the importance of the data they’re handling and the risk posed by its theft.
Time should also be taken to consider what levels of training are required according to specific roles, he told Infosecurity.
“You may find administration staff with access to very little confidential data and low administration rights need an IT security overview every six months to discuss key, simple security measures, such as the importance of keeping passwords confidential, logging out of PCs, and the art of social engineering as used by cybercriminals,” he added.
“In comparison, staff with high levels of admin rights and access to a lot of highly confidential information should receive quarterly training which encompasses both basic and more advanced areas of IT security such as DDoS attacks.”
In the case of the latter, training should include practical testing on how to identify attempted breaches and how to respond if one occurs, taking into account social engineering and “working through scenarios of natural human behavior.”
“This training would suit a classroom environment where roles are acted out and reactive behavior is monitored and examined,” Patel concluded. “It’s important for all employees to understand the consequences of overlooking basic guidelines and neglecting to adhere to good IT security standards.”