The National Cyber Security Centre has promised to “define what good cyber security looks like” for businesses.
With £1.9bn funding to back it up, the government hopes the National Cyber Security Centre will help make the UK one of the safest places in the world to do business, with a world-class cyber security industry and workforce.
The National Cyber Security Centre move couldn’t come a moment sooner. It was revealed by the government last year that two-thirds of UK businesses were hit by a cyber breach or attack in the previous twelve months and in some cases the cost of cyber breaches and attacks reached millions.
The Cyber Security Breaches Survey found that while a quarter of companies experienced a breach at least once per month, only a third of all companies had security policies in place, while a mere ten per cent had an incident management plan.
This highlights a significant knowledge gap for SMEs in the ways they train their employees to identify, mitigate and respond to cyber threats. While it’s incredibly important to train up the next generation of cyber experts, when it comes to maintaining an organisation’s security, responsibility must be taken by every employee, not just security professionals or the National Cyber Security Centre.
Organisations are only as strong as their weakest link. Therefore, the National Cyber Security Centre must ensure companies develop a cyber security strategy to equip their IT teams and employee development teams with the right resources and people to engage every employee in the on-going process of safeguarding against threats.
So how would this look in practice? It’s important that SMEs are provided with the right tools and resources to implement an ongoing program of improving the skills and training for each employee; whether new to the company or part of the future. The digital skills gap is alive and well, therefore this must be delivered in a way which is accessible to all.
Enforce the basics
First things first, there are a few security basics that all companies should implement. IT should establish mandatory password requirements around password length, complexity and frequency (how often they should be changed).
To take this one step further, IT teams can also require that a new password cannot be similar to previous passwords (e.g., changing “123456” to “1234567” won’t cut it). Another baseline security tactic is to enable multi-factor authentication, which would require employees to verify their identity before logging in to their accounts.
Manage user access
Regardless of the size of the company, it’s important to make sure information stays in the right hands. Even if IT doesn’t give certain employees permission to access certain accounts, often details are still shared for convenience.
Additionally, when an employee leaves a company, failing to update passwords and change access requirements could leave the business exposed to greater risk. IT leaders should ensure there is a system in place to manage who has access to what information and how accounts are updated when roles change.
Create a formal policy around account security
Every company should have a security policy in place which outlines password requirements, shadow IT policies and change management procedures. This policy should also consider guidelines around “bring your own device” (BYOD).
Today, more and more companies are transitioning to a BYOD environment. While it’s convenient and effective, there is risk involved. Enforcing guidelines such as staying off public WiFi or identifying which apps are allowed on devices can help keep company data safe on employee devices.
Ongoing training for employees
After a security policy is put in place, the next step is employee training. IT teams should educate employees on the different security risks the company is exposed to in order to protect the business and become more resilient in the digital world.
Holding IT trainings, offering general best practice tips, and educating employees about the importance of basic security measures like creating strong, unique passwords can help minimise the company’s exposure to potential security threats.
Consider a password manager tool for teams
One bad password is all it takes to bring down a business. We know that people take more risks with company passwords than they do personal accounts. Our recent research into the psychology of passwords revealed more than a third (39 per cent) of people create more secure passwords for personal accounts over work accounts.
A password management solution built for businesses can help IT departments manage password sharing and user access by offering advanced admin controls and integration support. Through a centralised admin dashboard, IT teams can create, manage, and enforce the right password policy for their organisation.
Joe Siegrist is VP and GM at LastPass
Share this story