January is traditionally the month in which people start a new role or start the hunt for a new job, meaning that businesses will soon be experiencing an influx of new staff. At this time, businesses are exposed to an increased risk of a security breach through new, ill-informed employees inadvertently breaking the company’s security policy. With this in mind, now is the ideal time for businesses to ensure their security policy is fit for purpose. And while conveying it to new staff, it would also be worth giving existing staff a refresher course in the dos and don’ts of corporate IT.
Cyber security is now high on the government’s agenda, with plans in place to educate and inform all who are at risk. One of the problems the government faces is that many SMEs do not believe that they are at genuine risk from cyber criminals, as they do not operate in a top-secret environment. This lack of awareness, or disbelief, that their corporate information could be of interest to anyone outside the organisation is the root cause of security malaise. It also opens the door to cyber-criminals.
An excellent example here is a UK-based cleaning company that discovered it was the victim of a cyber attack only after it had lost a contract to clean the local council buildings. The directors had thought that no one would be interested in the information held on the computers of a cleaning company; after all, what would be the big secret?
They didn’t consider their competitors, who were also pitching for the same contract, which would, if secured, bring in several million pounds over its duration. It was this – the amount they were going to charge for the contract – which was of value. In this case the overriding factor in choosing the supplier was cost (most other variables were the same), so a lower bid was the winning bid. Understanding what the competitive bids were enabled one company to outbid the others. As a rule of thumb, if it’s valuable to you, it’s probably of value to someone else too.
When revisiting the corporate security policy, particular attention should also be paid to the use of personal devices for work. Bring Your Own Device (BYOD) is becoming increasingly commonplace within UK businesses as employees use their own smartphones, tablets and laptops for work.
But these devices also represent additional points of entry, and therefore additional risk, to a business, and they must be secured appropriately, according to the policies set out. The policy must also cover other eventualities. For example, what happens when an employee leaves the organisation? They should be required to wipe all company data from the device. What happens when the device breaks? What is the policy for getting it fixed as quickly as possible, to minimise non-productive time, and for protecting the company data held on it while it is out of the employee's hands?
Security measures are not there to hinder business, but to safeguard reputation and income. The best defence is to choose the technology the business actually needs, and to create, and enforce, a robust security policy. For example, if the organisation has a high turnover of staff in a particular business unit, you may wish to put controls on outbound email to ensure disgruntled staff don't cause embarrassment by sending inappropriate messages. Likewise, if your company makes heavy use of social media platforms, you may wish to put a system in place that blocks certain words from being used in postings.
The methods cyber criminals use are changing all the time. We constantly hear of new attack techniques being devised and deployed, so it is essential that employees are kept updated, ensuring they don't fall victim and inadvertently cause an information breach. A thirty-minute meeting today for all staff, outlining the new attacks, how to spot them and how to respond, could save a business thousands of pounds and the impact of reputational damage further down the line.
Dr. Guy Bunker is senior vice president of products at web security specialists Clearswift, and board member of the Jericho Forum, which advises the government on cyber security strategy.