
Six ways to reduce your cyber risk

Jack Smith

More company-wide training will not improve your cybersecurity, but there are measures you can take to tackle the threat, write Michael Sulmeyer and Mari Dugas for Harvard Business Review.

Companies are aware of the increasing threat from hackers, yet the number of cybersecurity incidents continues to rise. You have invested in the latest state-of-the-art technology to protect your network from attack. What should you do next? Most companies opt for staff training programmes. You should not follow their example.

“Putting them through 50 more hours of cyber-hygiene training a year won’t help any more than warning our elders not to click on links in emails from strange addresses,” write Sulmeyer and Dugas. “We will never be able to train every email recipient to discern what looks like phish.”


You should provide training for senior managers, who are often the targets of cyber attacks. Forty per cent of senior managers lack understanding of their company’s cybersecurity protocols, according to a multi-industry survey conducted by BAE Systems.


When it comes to everybody else, here are six measures you can take to make sure the company network and its users are more secure:

1) Know your network. The first step to defending your network is understanding it. You will never be able to protect everything, but if you invest in getting to know your network you can focus your defence on the most important areas.

2) Get rid of links. If you don’t want your employees to click on potentially dangerous links, remove them. It might be inconvenient, but if you convert all incoming emails to plain text, the cyber risk will be eradicated.

3) Block known threats. Rather than just sharing information about known threats, use services such as Facebook’s ThreatExchange to block attempted malicious connections.

4) Go low-tech. Most of your employees are probably using computers with far more capability than they need to do their job. More capability equals more cyber risk. Think about replacing your employees’ current machines with something less risky, like the browser-based Chromebook.

5) Let Google do the work. If you are an SME, don’t waste money on state-of-the-art security products. Instead, switch your back-end email infrastructure to Google, which invests millions in keeping hackers at bay.

6) Don’t forget the insider threat. IBM estimates that 60% of all cyber attacks come from inside companies. Create a culture of mutual accountability, segment your network so access is based on necessity and “watermark” data so you can see who accessed it and when.


You will never be able to eradicate the risk of cyber attack, so instead of embarking on the thankless task of training every employee to be a cybersecurity expert, focus on simple practical measures. You will be rewarded.

Source Article: More Training Won’t Reduce Your Cyber Risk
Author(s): Michael Sulmeyer and Mari Dugas