Our business does not do anything which would be of interest to hackers.
Any business, no matter what it does, is of interest to criminals. The fact that it believes that it does not present a target, in and of itself, increases the likelihood of attack. Criminals do not only seek to steal from their targets. They are always looking for opportunities to attack other victims from unexpected directions. They also constantly collect intelligence to use in socially engineered attacks. Names, roles, email addresses, facts and back-stories can all be used to create credibility for the criminal with the ultimate victim.
Our employees have all had some online training done.
Whilst online training is better than nothing, it is only just. All firms must have in place a constant and comprehensive system of governance that ensures that all employees understand the threat, understand their place in countering the threat and understand what their responsibilities are. The board is ultimately responsible for a company’s data protection and executives must ensure that meaningful governance is in place and is enforced. The days of blaming someone else for failures in governance are long gone.