Businesses Need To Teach All Employees About Cybersecurity (And Blow Their Own Trumpets)

Every employee in an organisation needs to know about cybersecurity, according to David Jones, the head of the BBC's information security team.

Using his own company as an example, Jones said that security scares can provide great learning opportunities.

Last year, the BBC was repeatedly targeted by the Syrian Electronic Army, which at one point seized control of the BBC Weather Twitter account, resulting in a few unusual updates, one of which read, "Saudi weather station down due to head on-collision with camel."

If you don't believe us, here's a screenshot taken at the time of the hack:

In response to the SEA's actions, the BBC developed an automated system that blocked the domains from which the attacks came from and also removed all examples of the attack from staff mailboxes.

"We see incidents as an opportunity to learn about our systems, process and people, and to improve all of those things," said Jones. "Whilst attacks can be damaging, at the same time we try to gain as much as we can from them."

However, due to BYOD, these initial measures were not entirely effective. Employees still had to be warned that their personal devices were also potentially in the firing line.

The corporation then decided to launch a company-wide education programme, which Jones says was immensely successful. Soon after, employees from all over the organisation started sending Jones' department further examples of suspicious emails.

"In the first three weeks we found several new types of malware which even the security companies said they hadn't seen before," Jones added. "You have to involve everybody in education."

Jones reckons that even company shareholders need to know about cybersecurity. He thinks that senior management are often completely oblivious to the work that security people do and, if they help get the message across, blowing your own trumpet and scaremongering aren't the worst things in the world.

"It's about education, and getting the message back out to the stakeholders," he added. "Explain what you've done. Even a little bit of trumpet-blowing is important."