Why staff training is the missing link when it comes to your cyber security
In 2017, research conducted by Kaspersky into 5000 companies around the globe found that 46% of all cyber security incidents involved employees unintentionally compromising their company’s safety. With employees implicated in almost half of all incidents, many companies and organisations are starting to see the benefits of cyber security training and are adopting robust strategies of defence.
However, not all very small to small businesses are catching on to the importance of teaching staff to be aware of the risks. This is despite the fact that, according to the report, most of them actually feel they are more at risk from inappropriate IT use by employees than larger enterprises are.
The threat for small businesses is real, and an effective training structure can save your business from loss of data, productivity, and finances. Small businesses are at a disadvantage in some ways, as they are less likely to know how to effectively protect themselves. The fact that they probably have fewer strict policies in place and lack proper training methods only contributes to this. Also, small businesses generally give employees more flexibility with IT resources, and this can open the door for malicious hackers to take advantage.
According to Kaspersky’s research, the top three cyber security fears for businesses are:
- The inappropriate sharing of data on mobiles
- Loss of mobile devices exposing organisations’ data
- Inappropriate IT resources use by employees
From this it is clear that human error, in one way or another, accounts for the majority of the fear associated with cyber security. Uninformed staff are considered the second most likely cause of a serious security breach, falling just behind malware. As many as 49% of businesses questioned reported a virus or malware attack in the last 12 months, and over half of these were considered to be the result of employee actions.
Looking at these statistics, it's obvious there is a real need for businesses to do more to limit the risk and protect systems more efficiently.
As a small business, it can be difficult to know where to start.
Here are some steps you can take to start making your staff cyber security aware...
1. Create security policies in line with your company’s values, systems, and culture
A security policy is the number one place to start, but it needs to align with your company’s values, systems, and employee culture to be successful. A policy alone is not enough to protect your business. The rules and regulations have to work for your employees or they won’t be followed and you will be left open to attack. For example, don’t implement a policy banning employees from accessing WiFi networks outside of the office if you have a flexible working culture, or teams of people out on the road a lot.
Kaspersky’s research found that 44% of companies said employees do not use IT security policies properly, and two-fifths admitted that employees do not follow security policies at all. At the same time though, only 26% of those surveyed said they actually plan to enforce policies among staff. The key is to create a policy that people can follow and that can be enforced easily. Policies need to be clear and concise in outlining risks and good practices.
2. Don’t make punishment a part of your programme
If an employee unwittingly puts the company at risk, it is of real importance that they alert IT or management as soon as possible to avoid the breach having a huge impact on business. However, many employees will be embarrassed or scared by their mistake, and if you’ve got a culture of punishment in place, they may try to avoid retribution by hiding what they’ve done. Kaspersky’s study found that 40% of businesses had employees that hid an incident after it happened.
Silence can have dramatic consequences for a company, potentially resulting in costly losses of money, data, and productivity. As long as the breach remains hidden, the attack can continue and its effects deepen, without your knowledge.
Timely detection is key to damage reduction. Businesses should focus on positive training, ensuring employees know that they can admit to a mistake without coming under fire. Users should also be encouraged to report suspicious activity and to be an active part of business security. Cyber security is a team effort, and your business approach should reflect this.
3. Review your BYOD policies
Bring Your Own Device (BYOD) programmes can cause companies an additional level of stress, with 33% of those surveyed saying they were concerned about the potential for cyber attacks. Small businesses are generally the most concerned about BYOD practices, specifically the inappropriate sharing of company data via the mobiles employees use at work.
The fear here is partly fuelled by the fact that BYOD places the security of a business and its data in the hands of its employees. The loss of control can be worrisome for some, but there are ways that you can mitigate the risk.
In our blog post, ‘These simple tricks will make managing your business mobile security easy,’ we take you through some ways to make mobile devices more secure.
4. Have the most robust security solutions
Ensuring you can monitor and detect potential threats to your business before they become a real and present danger is another key to limiting the risk of uninformed employees. It’s another part of the puzzle that will help keep you safe.
For example, using the latest and most advanced email threat protection software for all your company devices will stop a potential phishing attack before it even reaches your employee’s inbox, reducing the potential for human error. Put a documented patching process in place, along with access and password management systems and an incident response plan. Endpoint security solutions can address the majority of threats related to unaware employees.
As a small business, if you haven’t got the security experts within your team to implement this, a managed IT services provider can be the safety net you need.
5. Track and measure your success
When you’ve got your security policies, systems, and employee training in place you need to start tracking your results and your success! The goal of your strategy is, of course, to lower your risk. While you can’t completely eliminate it, getting it down to an acceptable level is what you’re aiming for. Experts suggest that 1% is a good goal.
As you continue implementing your strategy, you should see a reduction in malware and ransomware infections and in phishing click rates. Start tracking how many employee devices require IT support as a result of viruses or malware, and see whether the number drops. If you’re not getting results, you need to review your strategy. Do you need to do more training? Do you need better systems? Do you need to turn to a managed IT services provider?
If you’re a small business looking to implement these strategies, don’t be put off. You don’t need to start big. Initially, it can be as simple as bringing your employees together to have an informal chat about cyber security over coffee. Start with the basics and work your way up.
Ultimately, a culture of cyber security really has to work from the top down. Getting employees to take the risks seriously means management leading the process. Everyone has a role in protecting the company, so make sure you and your employees all know your roles.
We help small businesses in Colchester, Essex and London with their cyber security, and will be holding a talk on the subject at The Business Show this November.
For a quick chat about how we can help protect your business, send us a message or give us a call.