Why cyber security isn't about tech

By Sarah Adams, cyber risks insurance expert at professional insurance broker PolicyBee

In case you hadn't noticed, the relentless rise of cybercrime means the UK's small businesses are really up against it.

Keeping safe means a daily battle against data breaches, hacks, malicious emails and viruses.

So which of these do you think is the biggest threat to your business? Which of these is most likely to cause damage? What software or systems will you need to stay safe? Tough call.

The answer might surprise you. The biggest threat to your business isn't some anonymous hacker out there somewhere - it's the people you see every day. And it's not tech you need, it's training. Here's why.

Man v machine

When it comes to cybercrime, ignorance is definitely not bliss.

If your people don't know what is a cyber risk and what isn't, your business is vulnerable. Are you confident every employee knows not to use unsecured public wi-fi networks? Or that storing customers' personal data on USB sticks is a bad idea?

Research by risk and insurance consultancy Willis Towers Watson showed that around 60% of cyber insurance claims were a direct result of employee negligence and around 90% were a result of some other kind of human error.

These stats paint a very clear picture: knowledge is your best defence.

So where do you start? Educate your people on recognising, and dealing with, the most common pitfalls:

Phishing emails

Emails sent by scammers that look like genuine emails from trusted people or organisations are common. They usually ask for sensitive info or encourage you to click a link or open an attachment.

Make sure your people know how to spot one (look for things such as iffy spelling and iffy sender email addresses), and constantly reinforce the idea that clicking unknown links or attachments is a Very Bad Idea Indeed.


Make it clear that keeping personal or sensitive data on portable drives or USBs is undesirable. Businesses can be fined for data breaches - a likely consequence of lost or stolen storage devices. Heathrow Airport, for example, was fined £120,000 in exactly those circumstances.

It's essential staff know how to handle, access, transport, store and destroy data. Make data encryption and password protection an essential part of the process. Strict GDPR regs mean you can't afford to cut corners here.

Software updates

Hackers love a gap in your security. Software updates are designed to plug those gaps.

Not everyone's clued up about tech, however, and it's possible update messages are dismissed as an inconvenience or snoozed indefinitely. Explaining why they're part of essential maintenance helps embed a siege mentality - essential to keeping your business safe.

Unsecured networks

Fancy a nice relaxed meeting at the local café? Got a bit of catching up to do on the train?

Public wi-fi is convenient but if it's unsecured it could also be an open door to hackers and malicious software. Traffic on an unsecured network is straightforward to intercept, and any sensitive data that isn't encrypted can end up in the hands of the unscrupulous.

Remind your people to use a Virtual Private Network instead when possible. Or leave the web-based stuff for when they're back in the office.

Truth is, your business is more likely to be a victim of cybercrime because a member of staff has done (or not done) something than because of a random attack.

Addressing this problem is all about awareness. There's truth in the saying 'people respect what you inspect' so make cybercrime a thing you talk about. Back that up with specific, structured training and, if needs be, look at tightening up here and there - no more work laptops down the pub on Fridays, for example.
