Staff – the best and last line of security defence

September 5, 2018 | Security

Written by

We have all heard the phrase “the security landscape is always changing”, yet so many of us still believe that technology alone can protect our businesses and our data.

The reality is that this just isn’t the case anymore.

I have been around long enough to remember the good old days, when all an attack meant was a drive was fried by a virus. Sure it meant that the data was corrupted and it caused man hours to be lost, but if your tape backup actually worked and you could recover the data, it was more of an irritation than anything else.

Sadly, times have changed, and so have the types of attacks.

These days, attackers don’t care about irritating you, they care only about silently dropping malware onto devices, having that malware spread across your network and then rely on traditional endpoint security to ignore the fact that the malware has infected Chrome.exe or Flash.exe for 220 days.

All that time is spent quietly sending your data to the dark web, where it is bought and sold until one day, it gets to a particularly nasty individual or group that uses it to drop a ransomware attack onto your network.

That is when the trouble really starts.

If you are a large enterprise, with massive budgets, you can buy advanced threat intelligence and protection, you can buy tech that allows you to search for your data within the dark web and get ahead of any potential drama, but not all businesses have the budget to spend £1m or more on tech like this.

So, what do you do if you don’t have that kind of budget?

The good news is that there is a lot of good affordable technology out there that allows you to put various layers of security in place.

One part a lot of people ignore is that the best way to defend your business is by making staff security aware.

I was speaking to a great partner of ours recently and during the discussion, we came up with an analogy for present day security which I have given a Game of Thrones theme.

Think of security as a castle. Castles have moats around it to keep attackers from attacking from all sides, forcing them to attack through one point only, then it has strong high walls which protect the inhabitants and give the inhabitants an elevated position to view their attackers.

Of course, all this security is pointless if you don’t have soldiers within the walls to fight attackers off.

Your staff are very much like the castle soldiers, if they are well trained and security aware, they can be a hugely effective last line of defence, should attackers manage to make it through your security technology.

Too often, businesses and staff believe that by having basic security tech in place, they are 100% protected. Sadly, this just is not the case. Part of the problem is that staff go to work and once in their office, they feel like they are in a nice secure bubble where security is covered. As a result, they are simply more likely to be fooled by realistic spoof emails claiming to be the companies bank, or another Linkedin connection request, so they click on the link.

The best option is to use a security awareness solution that can provide tools for you to test staff and see how any why they fail, and then train them based on that data. If your staff can recognise a potential phishing attack and are trained to treat look for potential reg flags in emails, it can only be a positive for your business.

It is for this reason that making staff aware of their responsibilities and security policies is such a fundamental part of the GDPR.

So as many of you start planning your IT/Security budget for 2019, make sure you include security awareness training too.

To learn more about security awareness, why not join our webinar on Wednesday 3rd October 10:00am: KnowBe4 – Human Patching –


Recommended reading


We are delighted to announce that we won Security Distributor of the Year at the 2021 The Computing Security ...

Cyber Essentials is changing on 24th January 2022 – Will you be ready?

Let’s assume that you know what Cyber Essentials is and that you realise that it is a good basic standard for ...

Why people don’t want to do their training and how to get around it

There are very few people in this world that think, “Oh goody! My next security training module now needs ...