By Asher de Metz

Are you watching your employees closely enough?

You may be surprised to learn that your biggest cybersecurity concern is usually not some anonymous external attacker but the people who surround you on a daily basis. Yes, it is your own employees you really need to worry about, not a hacker in a garage somewhere. That is not to say your staff have an agenda to bring your company down (or at least, let’s hope not). It is simply that human error and carelessness in everyday tasks are consistently among the leading causes of business security breaches.

Whether it’s leaving laptops and mobile devices unattended in public places, storing data in insecure locations, or protecting sensitive information and networks with weak or reused passwords, there are numerous ways in which your employees can leave your business open to attack.

How can security threats be avoided?

Don’t lose heart – with the right approach, the people who work for you can be transformed from your greatest weakness to your greatest strength in combating malicious cyber attacks.

The first thing you need to do is ensure that you have a rigorous IT security policy in place. This policy should be thorough enough to cover all realistic eventualities, be updated regularly to take account of newly emerging threats, and contain a clear step-by-step plan for responding to any security incident that arises, including who is responsible for each step.

Once you’ve implemented this, you need to make sure your employees understand what the risks are, and the scale of impact they can have.

To put it in a language they’ll understand, the costs of recovering from a cybersecurity issue can potentially be enough to put you out of business – which means no more jobs.

Your staff may be more than willing to follow your security policy, but if it’s not drummed into them on a regular basis, they will simply get caught up with all the other important things they have to keep track of to do their jobs effectively.

This means that you’ll not only need to educate your staff on the risks and best practices to avoid them, but you’ll need to constantly remind them of their duty to keep your company safe, and the ways in which they can do so.

To help you out, we’ve put together our top five tips to keep your employees up to speed on cybersecurity:

  1. Make sure they understand how a cybersecurity breach could affect the business
    Cybersecurity is no game – a breach can be invited by the most innocent of oversights, but the consequences can be devastating for your whole organization. You may suffer financial losses. Your valuable digital assets and intellectual property could be compromised. Or your customers’ private data could be leaked, leading to fines and costly lawsuits. Any of these can also cause an irreversible loss of trust or irreparable damage to your public reputation. And all it takes is one careless act by a member of your team – leaving a laptop on a train, working with sensitive files over an open Wi-Fi network without a VPN, or clicking a link in a phishing email. They may not realize it, but staff who build passwords from memorable dates or family members’ names, and then share those same details on social media or elsewhere online, hand an attacker exactly the clues needed to guess their way in and put your entire business at risk.
  2. Get everyone involved in cybersecurity
    Just because someone is a manager or an IT expert, it doesn’t mean they won’t make mistakes that compromise the safety of the company. Everyone needs to be educated on cybersecurity – in fact, senior staff have access to a greater range of information, which makes them more attractive targets for cybercriminals. Your technical staff may have the knowledge they need to remain secure, but they are also more likely to be targeted by savvy attackers, who know that administrators hold greater access rights to your systems, networks, and data. Because IT professionals know more, they can also become complacent, which is why regularly reminding them of their responsibilities is no bad idea. Remember, it only takes one person making one mistake to put the whole company in a vulnerable position.
  3. Have regular recaps on best practices for cybersecurity
    You must make sure that training is a regular practice in your company. It’s no good explaining best practices after a mistake has already been made. This means educating new staff on the risks and also holding regular sessions where you remind workers of the ways in which they can keep the company safe and update them on any new habits they need to adopt. You should also make resources available to your workforce between training sessions, in the form of information packs, forums where issues can be discussed, bulletins, and opportunities to speak to IT experts in the company who can remind them of their responsibilities and clarify anything they don’t understand. You can make the information you provide interesting by keeping it up to date with the latest news about cybersecurity breaches at other companies, and discussing how those companies were affected, to reinforce how seriously the issue needs to be taken. Another technique is to introduce regular tests, such as simulated phishing emails, to check that the advice you are giving is actually being taken on board.
  4. Create clear-cut rules for online activity
    If your employees have strict rules for how they browse the web, send emails, or use company devices, they are more likely to follow them than if you give vague guidelines. Introducing a “safe browsing” culture keeps staff vigilant about suspicious links and email scams. Password rules and other security controls are useful, but be careful how far you push them: current guidance (NIST SP 800-63B) advises against forcing routine password changes unless there is evidence of compromise, precisely because the burden drives people toward weaker passwords and workarounds. Strong, unique passwords checked against known-breached lists, plus multi-factor authentication, do more than a change-every-90-days rule. In general, if you make a control too difficult, staff will find workarounds that undermine the very security it was supposed to provide.

    For example, if they have to change their passwords too frequently they may write them on a notepad and leave it lying around, and if they have to go through an overly complex process every time they want to access their files on the server, they may keep working copies offline or on external storage devices, saving everything to the network only at the end of each day.

  5. Have a plan in place for recognizing and dealing with cyberattacks
    Of course you want measures in place that help you avoid a cyber attack, but however safely you and your staff behave, the unthinkable can always happen. If it does, you’ll want a process in place for containing the threat and returning to normal operations as quickly, painlessly, and cheaply as possible. One thing you can do to this end is to give staff an easy way to alert the right person if they suspect a breach may have occurred or simply feel that something isn’t right, and to make clear that raising a false alarm carries no penalty.

    This could be an emergency phone number or mailbox that is publicized around the office. If an attack happens, you’ll need to make everyone aware of it as quickly as possible and have a procedure in place so that everyone knows what they should and should not do, including not deleting or tampering with anything that may be needed for the investigation. An internal communications plan will get information to the people who need it. It’s also useful to have a PR strategy so that your people know how to respond to questions from the press and stakeholders and maintain a responsible public image.

Unfortunately, we live in an age where there will always be people targeting your business, and it’s vital that you protect yourselves against them in every way possible. The best way to keep your business safe is to commit to educating your staff and making sure they are aware of the security threats their activities can present, the scale of damage that simple mistakes can cause, and what they can do to minimize the risk.

About the Author
Asher de Metz has approximately 20 years of experience in the cybersecurity industry, consulting for some of the world’s largest companies across all of the top vertical markets. Starting in London, he has worked across Europe and the Middle East, and has spent the last 8 years in America working for Sungard Availability Services, where he runs the Technical Security Practice.