But it’s important to remember that whilst you can invest in all the innovative cyber security technology you like, if you’re not also focusing your efforts on your own people, the investment is effectively redundant.
Studies have shown that as many as 95 per cent of cyber incidents involve human error, usually down to a simple lack of awareness rather than any kind of malicious intent. A cyber-attack or data breach can be caused by anything from employees accidentally sending sensitive information to the wrong email address, losing their company smartphone, using default passwords or clicking on a malicious link.
While human error is sometimes unavoidable, better awareness and education amongst employees can play a huge part in minimising risk and making you better prepared to detect and respond to an attack, if the worst does happen.
Yet despite its importance, the role of employees is frequently overlooked, with the government’s recent data breaches survey finding that fewer than one in five businesses have given staff cyber security training in the last 12 months. So how can you make sure your staff are a cyber security asset, rather than part of the problem? Here are a few key steps you can take.
Implement a cyber security policy
Start by developing a cyber security policy, written in plain English, outlining key processes and procedures, what staff should and shouldn’t do, and what could happen if the guidelines aren’t followed. The exact issues covered will vary from business to business but potential topics are likely to include:
• Guidance on handling sensitive information
• Stipulations regarding password security
• A policy covering remote working and the use of personal devices
• How to look out for, report and respond to a security issue – including a 24/7 number to call
• Required checks on suppliers to ensure they are complying with security best practice
Ask all employees to read and sign the policy, to show they understand their responsibilities. It should also remain available and accessible on an ongoing basis, and be updated regularly to allow for changes in the business and new threats on the horizon.
Regular training and communication
Employee training can also make a huge difference to ensuring staff are aware of the threats the company faces, as well as the role they have in preventing and detecting them. Try to avoid taking a ‘sheep-dip’ or box-ticking approach, whereby employees are trained once and that’s it. Instead, it needs to be an ongoing activity, as cyber threats and company systems change and evolve, to ensure it is always front-of-mind for employees.
But that doesn’t mean it needs to be arduous. Try creating a cyber security awareness team, including IT and non-IT professionals, to be in charge of keeping an eye on new risks and threats, then communicating and reminding staff in a friendly and engaging way. Cyber security needs to be seen as a collective responsibility, rather than a chore, to work most effectively.
Focus on senior members of staff
Cyber security needs buy-in from the top rungs of the organisation, both to highlight its importance and provide a good example to other employees. But aside from that, studies have shown that senior executives are also amongst the most likely to be hit by an attack – in what is known as ‘whaling’ – as they invariably have access to the most sensitive and valuable information. So make sure they are top of the list for all employee training and communication, and take their responsibilities seriously.
You can minimise the risk of some of the most common human errors, such as insecure file sharing and weak passwords, by providing tools for employees to manage these more securely. For example, many file sharing applications now provide Information Rights Management functionality, whereby you can limit access to certain users, revoke access as you need and even destroy a document remotely. Similarly, password managers can generate and store your various passwords for you – so you don’t need to remember them all, or write them down somewhere insecure. These can make life a lot easier for staff, while keeping your data safe at the same time.
Cyber security is undoubtedly a complex subject and there are myriad ways that your business can be hit. And while there is no fail-safe way of stopping an attack, your employees are a weak link that can be strengthened through transparency, regular communication and building a culture of cyber security. By doing so, you’ll make it infinitely harder for any would-be attackers.
Ben Rose is insurance director and co-founder of Digital Risks.