Keeping your business secure is any IT professional’s biggest challenge. But what do you do when your weak link are your employees?
While much of the media focus is on foreign hackers and dramatic malware, the humble employee is often the real source or trigger for many of the security woes that can befall any company. Training and education are the main methods to prevent your staff acting as unwitting participants in a malware disaster, along with the appropriate software solutions in place to protect the business.
From people bringing in their own personal devices to the risk of someone opening an official-looking email attachment, the security threats against all businesses are growing. From one department sneakily running an insecure server or application to a single worker inadvertently visiting a fake malware-laden website, there are huge number of risks lined up to take advantage of a single slip up by any one person.
Every company is vulnerable, from the damage done to shipping giant Maersk by the NotPetya attack, to the recent British Airways hack. Criminals and their tools will take advantage of any attack vector, regardless of the brand or size of the company, attacking known weaknesses and spreading at frightening speed across the internet.
On the positive side, these headlines and the stories behind them provide all businesses and workers with a suitable wake up call to better manage their security posture. While the detail of these attacks is complex, and many businesses might still feel the risk is remote, every company needs adequate preparation.
Consider these five simple ways you can better educate employees and protect your systems.
1. Information security is everybody’s business
Many workers assume that their IT department or staff are the people to take care of any hacking, data security or network risk. AI-based risk management and other technologies might sound like a magic bullet, but they’re not perfect, and some fast-growing companies might think all their cloud services are automatically secure. Whatever the thinking, every company is at risk from attack, and all workers need awareness training so they can play a part in helping to protect systems and data.
The business, from the c-level executives down to new hires need education that emphasizes staying safe is everyone’s responsibility and be taught how to think defensively. Companies should also open up and encourage people to report potential weaknesses, such as the use of unauthorized devices or cloud services, or workers who are taking data outside the business.
Ingraining the workforce with a bunker mentality when it comes to data security will help to defend the business, and also help highlight those who aren’t taking the risks seriously.
2. Provide clear communication about incidents
Whatever they do with a computer, data file or mobile device, most workers are not thinking about security. Every business should take the time to explain to their staff how every publicized attack happened, and demonstrate how workers can avoid the same pitfall.
Through regular awareness sessions, training and a regular reminder email, employees can be taught the best practices to stay safe and what to avoid. Businesses should encourage openness about mistakes, creating a positive culture around defending the company and being on the lookout for risks.
If there is a breach within the company, then clear and transparent information about the action that caused it, the consequences and what measures have been put in place will help avoid repetition. Since the GDPR mandates disclosure impacting businesses operating within the EU, it is best to be up front.
Finally, be prepared to share the IT dashboard data about all the blocked intrusions and scam-laden emails to highlight just how great the risks are, should one ever slip through.
3. Be good at the basics
Explain to everyone the importance of strong and secure passwords, and employ systems that mandate regular changes. Highlight the risks of connecting office systems to insecure networks when on the road and the danger of sharing data outside the business via email or other methods. These are the simple ways that every business can help protect themselves and provide a good basis for teaching more complex risks.
Businesses also need training about secure data destruction, disposal of old systems in accordance with waste directives and similar issues. While each business is slightly different, security training needs to be provided for all roles and made responsive through testing and training exercises.
Finally, regular updates about the latest scams and threats will help prepare people for when one appears, either at work or in their personal email account, creating a better informed and aware workforce.
4. Learn from actual events
The dramatic stories from real world hacks and malware events show how fast damage can cripple a company. Workers need instruction on exactly what to do in likely situations, however remote the risk.
Being able to disconnect PCs from networks or shut down the Wi-Fi when malware appears on a system could help save systems and productivity. Ensuring data is safely backed up in multiple locations, and testing business continuity plans will help any company come back fast should disaster strike.
With so many data-hijacking examples available, people should also be taught not to try and pay a dubious bitcoin ransom themselves, but report the problem and let a professional deal with the fallout.
5. Deploy the best technology to protect the business
The IT protection software market has changed rapidly, bringing together a range of tools like virus checking, firewalls, intrusion detection, network security and others into a single service. Few companies have the time to manage a wide range of security tools, so focus on one that provides comprehensive security to protect against the zero-day exploits that are the new favorite tools of hackers and criminals.
Whatever your business IT footprint, invest in the best and most comprehensive technology available that provides protection against those zero-day threats as well as a clumsy staff member. The costs for having data exposed could be huge, while smaller businesses could simply collapse under the weight of damage from an effective attack.
Whatever the size of your business, the reliance on IT continues to grow, and people remain the weak link. Teaching them how to react when faced with a potential hacker or malware disaster could help save the business.
IFP Expert: Chris Knight writes about how new technologies can help business, from AI and chatbots, virtual and augmented reality to the latest in mobile and cloud developments.