The consequences of security breaches for businesses can be devastating. In the online trading environment, any time your sales portal is down costs money. It’s easy to watch a brand lose its reputation, usually hand in hand with its share price. The financial impact of a breach cannot be overstated. Depending on the type of breach and the particular information compromised, your company may have a case to answer under the new GDPR regulations. Data loss can open a company up to lawsuits, fraud cases and extortion, particularly in the realm of ransomware attacks. Partnering with a reliable IT company can help to reduce many of the structural concerns, but employee behaviour remains the most critical influence on company cyber security.
Fostering a sense of responsibility in every employee will help to change the overall cyber security culture of the business. When staff understand that a security breach has the potential to hurt them personally, there is often a renewed understanding and stronger efforts made to protect the company’s online environment.
Here’s how to develop a strong cyber security culture in the workplace. The process is two-fold: the first part is strengthening existing security infrastructure and protocols; the second is comprehensive staff training on behaviour management and reporting guidelines.
Training staff can take some time to implement. You will need to identify the most important things that staff need to be aware of and design a training program to communicate them. In the meantime it is very important to provide as much structural security as possible. This will help shore up your defences while you bring your team on board.
- Automate your software patches and upgrades as much as possible. They are issued to correct known security weaknesses, so never delay installing them on company hardware.
- Use Virtual Private Networks on all company devices. VPNs help to protect the transmission of sensitive data when using unsecured Wi-Fi networks such as those provided in cafes and airports.
- Do not allow personal USB drives or other data storage hardware to be used on company computers. Use cloud sharing to move data between devices where possible.
- Make sure your network requires staff to update their passwords every 8-12 weeks. It’s very common for people to reuse the same password across personal and professional accounts, so a breach of a personal account may lead to a cyber security breach of your workplace.
- Double down on password safety by requiring two-factor authentication for company email, or even for company network access.
- Limit staff access to data. Restrict general employee profiles so they can only access the company information relevant to their role. If you provide Wi-Fi for contractors or guests, ensure it is completely independent of the internal network.
- Manage your staff exit procedure. Partner with HR to ensure all network privileges are revoked and profiles deleted (including on any devices that may have company access).
Staff training and behaviour management
Establish the ‘why’
It is essential that staff understand why cyber security is critical to the safety of data, the company and, by extension, their jobs. When you have genuine buy-in from staff you are much more likely to see decreased resistance and consistent compliance. How can you do that?
- Start with the global picture. Help them understand the global costs of data breaches and how often they are occurring.
- Show examples of businesses that have recently suffered through cyber attacks and the consequences that followed. There are plenty of high profile cases in the news.
- Describe what could happen to your business if it were to be compromised by an attack. Along with the costs to reputation and financial losses, any non-compliance with new GDPR regulations risks immense additional fines and consequences.
Implement a training program
Depending on the size of your business, you may need to call in cyber security experts to help develop or deliver a safety training program for your staff. Using modern training methods is far more likely to improve engagement and information retention, so stay away from static PowerPoint presentations where possible. One-off sessions are unlikely to encourage long term implementation, so consider offering regular training sessions over a period of time. These sessions do not have to be long – it’s the regularity that helps to keep the information ‘top of mind’ for staff. Deploy proven techniques like gamification to help staff immerse themselves in the information (and the consequences of non-compliance), and keep training groups small. Short, regular training sessions also help to avoid information overload. Choose 2 or 3 urgent priorities and make sure they are communicated, even while the longer tail of the program is being developed.
Start from Day One
New employees present a great opportunity for establishing a cyber security culture in your business. While they may have developed habits while working elsewhere, induction provides an unmissable chance for you to demonstrate the importance of cyber security and how much it is valued in your workplace. Don’t reduce IT security to a compliance contract. Pair each new employee with an IT specialist and establish appropriate protocols and behaviour standards while they are shown the ropes of the operating system and online environment.
Reward proactive secure behaviour at every opportunity. When staff can see that there is personal benefit to maintaining compliance, there is a far greater chance that they will. Encourage and reward staff who undertake additional training, even externally if it demonstrates a clear benefit to the company.
Build inter-department relations
Unfortunately, there is often a disconnect between regular staff and the IT department. There is sometimes hesitation to reach out for help or to report potentially suspicious activity. This reluctance to communicate can allow small problems to escalate quickly. Give staff clear ways to communicate with IT, and prioritise user support within your IT team.
Computers in the City, your cyber security partner
Computers in the City is London’s longest standing IT partner. With over 20 years’ experience, we can assist you to meet your IT support, digital security and cloud computing needs. Let us help you develop the cyber security culture in your business. We’re proud to be local, offering 24 hour support in straightforward language that takes the stress out of IT support.