Cybersecurity matters, and we all know that, but do we do enough about it? Does cybersecurity even matter when it comes to the recruitment and employment cycle? We would argue that it does.
DOES CYBERSECURITY MATTER TO RECRUITERS, CANDIDATES, AND EMPLOYEES?
There is an interesting problem when it comes to the practical element of security for your IT system. If you ask anyone whether it is important, they will all say yes. We all know it matters. They tend to be less sure about who is responsible for prevention when, in fact, they are. Somebody recently put this into real perspective for me by using the analogy of fire safety. Everyone knows both are dangerous; everyone knows that prevention is better than cure. The major difference is that while everyone knows not to play with fire, not everyone, in fact very few people, even knows what a cybersecurity risk is, let alone when not to play with it.
The way that most safety risks are dealt with is through awareness of the risk, understanding where the hazard is and shared responsibility to take action to prevent it from happening. With fire, health and safety awareness is key. With cybersecurity, however, it is often buried and not attended to until there is an issue or it comes up on a training list.
The bottom line is that 39% of businesses were victims of some form of cybersecurity problem last year. OK, yes, many of those were larger-scale enterprises. Is that good news for small businesses? Sadly, no, it isn’t, because 38% of SMEs reported cyber breaches and 27% of those were attacked once a week. You can see more scary data here in the Cyber Security Breaches Survey 2021 on the .gov website.
Before we move on, let’s take a couple more stats from that report, because they are really sobering in the light of that 38% of SMEs who had a problem. 77% of directors said that cybersecurity was a priority for them, but only 13% of businesses train their staff in specific cybersecurity. That suggests that there is a possible disconnect between the employee and the needs of the business. Since we know very few directors are not concerned about the problem, it would seem that the issue is a practical one, rather than anything to do with complacency or not appreciating the importance of the matter.
THE EARLIER THE COMMITMENT, THE BETTER
It would seem clear that the earlier the commitment to the cybersecurity knowledge required for prevention takes place, the better. That pushes it right back to the employment and introduction phase.
Here are a few ideas about where cybersecurity awareness can be instilled early and how it can be part of the recruitment process:
Where appropriate, add an understanding of security as a desired skill in the job specification – but not as an essential skill, so as not to dissuade anyone who feels they are not up to speed
Make it clear that understanding cybersecurity will be an expectation of the role and that training will be provided as an ongoing necessity of the job
Training is key, so rather than wait until the employee is embedded, perhaps start it as part of the induction procedures
Run security testing as part of your skills audit during interviews, including recognising phishing attacks
Have a clear policy on remote working and devices that is part of the induction process
Ask your recruitment partner to make it clear to candidates that they should add any cybersecurity training to their CVs and/or application as applicable skills
Thinking back to that fire safety analogy, the one thing we all know for certain is that fire hurts us, so we all watch out for it for everyone’s protection. Perhaps raising awareness of cybersecurity early in the employment process will start to instil that same awareness in new employees and help create the same culture of mutual safety.