Elijah Lawal, online safety communications manager at Google UK, told Real Business that embedding a culture of security after recruiting was vital to protect firms from attack.
“Starting cyber security training and awareness on day one should be as common as showing a new starter where they need to go to get coffee,” he said.
“It should be essential at the beginning and remain ongoing for the rest of their working period at the business. Cyber training should become an ethos at a business because much of the prevention boils down to what humans do.”
According to recent figures from Beaming, UK firms are subject to a remarkable 578 cyber breach attempts a day.
Lawal said threats to SMEs from criminal hackers are increasing – particularly phishing emails.
“The biggest challenges are where hackers focus on social engineering, sending emails to scam an employee into opening links to malware or ransomware,” Lawal says.
“Phishing is much more nuanced than it was even two years ago where you would receive emails asking you to send over money to a Prince from a developing nation in return for a greater amount. They looked suspicious and were littered with bad grammar.
“Today you might receive an email supposedly from your bank noting that there has been unusual activity in your bank account. You are worried, it looks legitimate and without thinking you click on the link provided.”
Another route in for hackers are weak passwords, with Lawal stating that, based on previous Google research, with a single guess an attacker would have a 19.7% chance of guessing an English speaker’s answer to the question “What is your favourite food?”. The answer, of course, is pizza.
“Businesses need to look at preventative methods such as 2 factor authentication which includes not just passwords but codes and security keys for an employee to get into the system,” he says.
“You can also restrict access to parts of the network for employees. Someone in the legal department, for example, may not need to have access to information in marketing. It is about narrowing the risk. Y
“ou can also get products which will stop spam emails getting to your system and warning you of malicious pages when you are on the internet. SMEs are on a budget but none of these methods will break the bank.”
But Lawal emphasises again it is the people element which remains the biggest concern.
“SMEs need to see awareness of phishing threats and passwords as the gateway to their systems and treat them as seriously as any other area of their business,” Lawal adds.
“It doesn’t matter how much you spend on other security technology if you keep the front door open for hackers. Humans can be the weakest link in the chain. We don’t want to scaremonger because an SME could go their entire life span without facing an attack, but the threats are just so prevalent now.
“They are not always successful, but they only have to be successful once and you face a huge loss in reputation and information.”