As the old adage goes, the best offence is a good defence, and never has that been more appropriate than in the world of cyber security. But the defences of many businesses have a fundamental flaw built into them, and that flaw is people. Most business owners think that preventing cyber attacks starts with buying high-end security technology: DDoS protection, anti-malware tools, web filtering, firewalls and even intrusion detection systems. But the truth is that the best security technologies in the world can’t protect your business data if your employees aren’t part of the solution. A phishing email that gets someone to hand over their password, or a piece of software installed from the wrong place, walks straight past every one of those controls.
Your employees play a key role in ensuring the security of your computers and networks, because they are the people using them every day. So it’s crucial that they understand their roles and responsibilities in protecting sensitive data and your business resources. Think of them as the guardians of your data. But for them to be effective, they need to understand what they are protecting, why they are protecting it and how they do it. This means that one of your first steps as a business owner should be to compile a list of policies and procedures around data security to serve as guidelines. Then, you need to train every single employee.
There may be specialist topics in your business, depending on what data you handle, but most businesses will need to train their employees on at least five key things. Here’s a brief overview of what you should be covering:
Software: A simple thing, but you would be amazed how many employees have no idea what they are allowed to download and install onto their work machines. Downloading software is a process fraught with risk, for businesses in particular: search results and adverts for popular tools are routinely used to serve trojanised installers. Make sure everyone knows what they are allowed to have and how they should go about getting it, ideally from an approved list or internal software portal rather than a web search. When in doubt, have them contact your IT department for permission before installing a new program, so that the source can be checked first.
Password Practices: Work accounts are easy targets for an experienced attacker when businesses leave default (‘set’) passwords in place, share one password across many systems, or let the same weak password stand for years. The policy you set matters, though. Current guidance from NIST (SP 800-63B) and the UK NCSC is to drop forced 45-to-90-day rotation and mandatory character-class rules, because they push people towards exactly the habit you want to stop: the same word with a different number on the end. Instead, require long, unique passwords (a passphrase of three or four unrelated words is easier to remember than ‘P@ssw0rd1’ and far stronger), screen new passwords against lists of known-breached passwords, change default passwords before any device or account goes live, force a change only when there is reason to think a password has been compromised, and put multi-factor authentication on email, remote access and administrator accounts. Give staff a password manager so that ‘a different password for every account’ is realistic, and educate them on why reusing a work password on a personal site is the real risk: when that site is breached, the attacker tries the same credentials against your business.
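The following is an added example, not code from the original article or from Bridewell, of how a password-change check enforcing the policy above can be written. It rejects passwords that are too short, that are built on a word from a breached-password list, or that are only a trivial variant of the current one (suffix, case or leet-speak changed). The denylist and the twelve-character minimum are assumptions chosen for the demonstration; the k-anonymity helper shows how a real breached-password lookup against the Have I Been Pwned range API is split so the password never leaves the host, but it makes no network call.

```python
import hashlib
import re

# Constructed denylist standing in for a breached-password corpus; in production
# screen against a real one (e.g. the Have I Been Pwned list), not this handful.
COMMON_PASSWORDS = {"password", "summer2023", "welcome1", "letmein", "qwerty123"}

# Keyboard substitutions people use to satisfy complexity rules without
# actually picking a different word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def core(pw: str) -> str:
    """Reduce a password to the word it is built on: lower-case, strip the
    leading/trailing digits and symbols people rotate, then undo leet-speak."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


COMMON_CORES = {core(p) for p in COMMON_PASSWORDS}


def is_trivial_variant(old_pw: str, new_pw: str) -> bool:
    """True when new_pw is old_pw with only its prefix/suffix, case, leet
    spelling or direction changed (Summer2023! -> Summer2024!, P@ssw0rd1 -> Password2)."""
    a, b = core(old_pw), core(new_pw)
    if not a or not b:
        return False  # all-digit passwords are caught by the length/denylist checks
    return a == b or a == b[::-1]


def check_new_password(old_pw: str, new_pw: str, min_len: int = 12) -> list:
    """Evaluate a proposed password change. Returns the list of policy
    violations; an empty list means the change is accepted.
    min_len=12 is a policy choice assumed for this example."""
    problems = []
    if len(new_pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if new_pw.lower() in COMMON_PASSWORDS or core(new_pw) in COMMON_CORES:
        problems.append("built on a word from the breached/common password list")
    if new_pw == old_pw:
        problems.append("identical to the current password")
    elif is_trivial_variant(old_pw, new_pw):
        problems.append("only a trivial variant of the current password")
    return problems


def hibp_range_parts(pw: str) -> tuple:
    """Split SHA-1(pw) into the 5-hex-char prefix that is sent to the
    Have I Been Pwned range API and the suffix that is compared locally
    against the returned list, so the password itself never leaves the host.
    This function only computes the parts; it performs no network request."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("P@ssw0rd1", "Password2"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

Note that the comparison with the old password works only because a password change normally requires the user to supply the current password in the clear at that moment; never keep old passwords in recoverable form to make this check possible later.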
Backups: Ensure you have an effective backup system in place, not only for your main servers but for employee machines and corporate data as well, and keep at least one copy offline or immutable so that ransomware which reaches a workstation cannot also destroy the backups. Test restores, not just backup jobs. Make sure your employees understand how the solution works, including its retention window (how long a deleted or overwritten file can still be recovered), so that they ask for help while recovery is still possible. That way, if they accidentally delete an important file (it happens more often than you’d think), they know they can contact IT and recover it, instead of panicking and potentially losing that data forever.
Spam And Phishing Education: One of the biggest methods of infiltration for businesses is through spam or phishing emails. One click from a work machine, or one set of credentials typed into a lookalike login page, can give an attacker a foothold from which they move through the rest of the network. Educate your employees on what to look for: links whose visible text says one thing while the destination says another, domains that contain your company name but belong to someone else, unexpected attachments, and convincing emails that press for urgency. Teach them to hover over links to see the real destination before they click, with the caveat that this does not work on a phone and that shortened or redirecting links hide the destination anyway. The rule of last resort is simple: if they aren’t sure, don’t click, and report it. Give them an easy way to report suspicious emails (a report button or a dedicated mailbox) and praise reports, including false alarms, since the person who reports is the one who protects the business. Run regular refresher training and periodic phishing simulations on this issue.
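To make concrete what ‘hover before you click’ is really checking, here is an added example (not code from the original article or from Bridewell) that runs the same checks a trained reader performs, over the links in an HTML email body: visible text that names one domain while the link goes to another, a company domain embedded inside a domain someone else owns, user info before an ‘@’ that disguises the real host, and links to a bare IP address. The organisation domain (`example.com`) and the sample email are constructed for the demonstration, and the crude `registrable()` helper stands in for a proper Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the organisation's own domain(s). Attackers like to embed these
# as a sub-label of a domain they control (example.com.login-verify.net).
OWN_DOMAINS = {"example.com"}

# Constructed sample HTML email body: three hostile links and one genuine one.
SAMPLE_EMAIL = """
<p>Your mailbox is full. Sign in to keep receiving mail:
<a href="http://example.com.login-verify.net/reset">https://example.com/reset</a></p>
<p>Or click <a href="http://198.51.100.7/l">here</a>.</p>
<p>Questions? <a href="https://example.com@evil.example.net/">example.com support</a></p>
<p>Read the policy at <a href="https://intranet.example.com/policy">intranet.example.com/policy</a></p>
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# A domain-looking token in the visible link text, with or without a scheme.
TEXT_DOMAIN = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Adequate for this demo; real code should
    consult the Public Suffix List so that co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> list:
    """Return (href, reasons) for every link in the body that trips a check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href if "://" in href else "http://" + href)
        host = url.hostname or ""
        reasons = []
        if url.username is not None:
            # http://example.com@evil.net: the part before '@' is user info, not the host
            reasons.append(f"user info before '@' hides the real host {host}")
        if IPV4.fullmatch(host):
            reasons.append("link goes to a bare IP address")
        m = TEXT_DOMAIN.search(text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            reasons.append(f"text shows {m.group(1)} but link goes to {host}")
        for own in OWN_DOMAINS:
            if own in host and registrable(host) != own:
                reasons.append(f"{own} appears inside foreign domain {registrable(host)}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

The same logic is what a mail gateway or a ‘report phish’ add-in can automate, but the point for training is that each check corresponds to something a person can see by hovering: the real host, the registrable domain at the end of it, and whether that matches the text they were shown.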
Ongoing Updates: This follows on naturally from the previous point. After your initial training, keep your employees in the loop about known issues or scams doing the rounds, so they are not caught up in them. If you hear of a new phishing campaign (like the Google Docs one recently), let people know what it looks like and explain what to do if they receive it, including how to report it. Ongoing training and updates help your employees know what to look for, and how to keep your data safe and secure.
At Bridewell, we not only offer in-depth, tailored advice on cyber security, but also comprehensive training in data privacy awareness. We can analyse your business, advise on any points of risk and deliver training to you and your employees, so that everyone knows the risks and what they can do to protect the business. For more information, get in touch with Bridewell today.