Why Your Staff Are The Missing Piece Of The Security Puzzle

It’s all too easy to look at security as a combination of hardware and software measures, but that misses out an equally important factor: people.

In the best case, your staff are among your weapons for protecting your organization’s cybersecurity. In the worst case, they are one of your biggest weaknesses. Let’s run down some of the steps you can take to make sure it’s the former.

Training

You should dedicate staff time to training on cybersecurity matters in exactly the same way as you do for health and safety, human resources issues and other workplace matters. Think of it this way: a study by a health and safety consultant found the average fine for a violation was $129,336. Meanwhile, the cost of an average data breach at a publicly traded company has been estimated at $116 million. That’s not necessarily a fair comparison, but you certainly need to take both issues seriously.

Make sure everyone gets training, even senior management. That’s partly for the “all in it together” factor that will make sure junior staff know to take the training seriously. It’s also important because management and executives could be subject to targeted attacks, particularly if they have access to sensitive information.

Include cybersecurity training as part of your onboarding process. This not only shows you take the issue seriously, but it helps establish people’s mindsets and culture in their new job right from the start.

Think carefully about how to pitch your cybersecurity training. It needs to be useful and productive, but also understandable and at an appropriate technical level. You may deter staff from paying attention if you use too much “geek-speak,” but they may also tune out if they feel patronized. Don’t be afraid to tailor the training based on the specific interactions different staff have with your systems and technology.

Make sure to educate your staff on the risks of social engineering such as phishing scams and attempts to trick them into clicking links or opening attachments. Make clear that they will never be penalized for being too cautious or double-checking when they are uncertain about a message’s authenticity.

Include data protection laws among the cybersecurity topics. Staff need to understand that hacking and data breaches aren’t just about direct financial losses or company secrets being revealed. Failing to protect customer or supplier data could lead to significant fines as well as a damaging loss of trust among the public.

Don’t make cybersecurity training a one-and-done affair. Revisit the training regularly so it stays fresh in staff’s minds and they realize it’s a high-priority topic. You’ll also need to refresh the training to deal with new threats and hacker tactics.

Policies

Think carefully about password policies. You need a balance between something that’s effective and something that’s practical. If you have too many specific requirements or demand that staff change passwords too regularly, some staff may simply resort to counterproductive measures such as writing passwords down. Explore whether technical solutions such as a password manager tool may be appropriate for your set-up.

Have realistic but clear policies on what people can and can’t do online while at work. Although you are legally in control, it may be unrealistic to say staff must never access the Internet for personal reasons while at work. Instead, you’ll need clear guidelines on what sites and services are off-limits, as well as an explanation of what risks these guidelines aim to mitigate. Examples of such rules could include “no posting content online using work devices” or “no downloading files or installing applications.”

Explore technical solutions for keeping a clear divide between work and personal use of devices and computers. For example, you could insist on different user profiles for personal use, with limited access and administrative privileges. Think about the balance between the benefits of staff being able to use a work-provided smartphone or tablet and the risks of it being stolen or accessed without authorization.

Use checklists for key security measures. For example, you could have a list of steps to take before opening an attachment. This creates good habits and avoids people overlooking or forgetting steps that might seem too obvious to mention.

Have a clear structure for reporting any suspicious activity or security threats. You need to establish a culture in which staff speak up if they spot anything out of the ordinary in an email, message or application. They need to know who they should report it to and what steps to take next, for example quarantining a message until it’s been investigated. Make sure staff know they won’t be penalized for not immediately dealing with a message that may be a security risk.

The Next Steps

Keeping your staff informed and educated about cybersecurity is a necessary task but not sufficient in itself to guarantee you won’t be compromised. Speak to Simplitfy today and we can help you find and implement the technical measures to back up your staff’s efforts.

Erick Solms is the Founder of Simplitfy in West Palm Beach, Florida. Simplitfy provides a myriad of professional IT Services for small and medium sized businesses. To contact him personally or to inquire about information technology services, please email [email protected] or visit www.simplitfy.com