Cyber security will always be a primary concern for businesses that operate in the online environment. It’s imperative that staff are aware of the dangers of security breaches. This guide will outline the best ways to get your team on board with secure online behaviour, and what to do if faced with a possible breach or threat.
Get employees on board
Using antivirus software will help deflect some attacks, but there is something much more powerful you can use to protect your business – the interest of your employees. The old marketing slogan of ‘what’s in it for me’ applies perfectly here. Help your employees to understand why cyber security is important, and how a breach could affect them personally. It could mean loss of personal data, loss of income if work stops, or loss of contracts for the company. It may even ruin their own professional reputation. Could they bear the idea of being the employee who ruined the livelihood of everyone involved? Get them to understand why security is relevant to them, and you’ll find them proactively working to protect your business.
Let them know their role
Help employees to understand that most cyber security breaches come from human error, not brute-force attacks. Humans can be fooled, they can be distracted, they can be malicious. There are simple mistakes they can avoid that matter a great deal:
- Sending sensitive emails to the wrong client,
- Clicking on unverified files,
- Falling for phishing attempts,
- Being careless on social media,
- Using USB drives from home,
- Connecting to public Wi-Fi with a work computer.
Reach out to clients and contractors
Anyone you work with should have clear data security policies in place. Sharing data is sometimes a necessity in business. Can you honestly reassure your clients that their data is safe in the hands of a third-party provider? Likewise, when you have contractors come into your business, you need to ensure your data security controls are robust. Create a separate, limited guest network that gives site visitors Wi-Fi but restricts their access so the main networks cannot be reached from it.
Maintain digital hygiene
Digital hygiene is vital. Financial transactions should always be conducted with the utmost regard to security. Use two-factor authentication, and always carry them out over a secure network (preferably your internal network). Never use open source software to process transactions, as the code may have vulnerabilities that haven’t been vetted.
If your office uses Internet of Things (IoT) connected devices, ensure that all default passwords have been changed. There have been examples of IoT devices being hacked and directed toward large-scale cyber-attacks. They can also be hijacked and used as a gateway into your secure data. Employee password hygiene should also be enforced automatically, so that passwords must be changed at regular intervals.
Keep your antivirus and anti-malware subscriptions up to date. Even though human behaviour is the largest gateway, it’s not the only one. Make it as difficult as possible to access your files, from every possible angle.
Make sure it’s safe for your employees to report a suspicious-looking email. Social conditioning and office environments can discourage people from speaking up if something looks out of place. Encourage an open environment. Often the feeling that something is amiss can be enough of an alert to stop an attack, as long as that feeling isn’t suppressed by fear of looking silly.
Training should be provided biannually to all staff. Ensure everyone is reminded of both the reasons and the methods. No-one should be exempt from the training – make sure the content is tailored to be relevant to specific staff levels. Make the training easy to implement, and don’t be afraid to create action-step checklists for when something sets off a red flag. If it’s simple, staff are more likely to remember it. Help staff to recall these steps by creating small desktop cards or rotating reminders on login dashboards.
Review cyber security practices every 3 months
Internally review your communications practices every three months. Make sure that staff understand the messages you release. Review your reporting statistics to see whether you’re seeing a return on investment. If you aren’t, find out why. Identify your key messages and communicate them. If you know what you want to highlight, you can measure its impact over time. Feedback from employees is invaluable, as it helps you to focus on honing the message.
Long term training program
Let’s face it – IT departments have a lot of balls in the air. Developing a company-wide cyber security training program may seem like an insurmountable task. Don’t be put off by the size of the workload. Break the training plans down into year-long goals. In the first year, make it your aim to get company-wide basic training guides out and implemented. You may not reach full coverage, but you will see improvements. In the second year, use that content to scaffold a deeper level of training. You may be able to tailor content to be precisely relevant to various parts of the workforce. The third and subsequent years can be focused on quality control, implementing feedback and improving delivery methods. Throughout the training cycle you will need to monitor changes in the cyber security environment to ensure the training stays up to date and, perhaps above all, useful.
Don’t hesitate to draw on the experience and knowledge of your legal, HR and marketing departments. These teams can advise on training methods, legal requirements and ways to incorporate cyber security protocol into company policy. New hires can be trained from the outset as part of their induction to the company.
About Mustard IT, your IT support partner
Mustard IT provide the design, build, and installation of secure IT servers and networks, and provide value-driven IT support for small and medium businesses. Our trusted team are experienced and able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you.