Cybersecurity and data protection have become increasingly important in recent years, with more and more huge data breaches making the news. Plus, the 2018 implementation of the General Data Protection Regulation (GDPR) thrust data protection into the mainstream media, with many talking about how businesses need to become compliant.
With so much importance being placed on cybersecurity, having a strong strategy in place is key. And while you might think you’re doing everything you can by putting together a dedicated security team and investing in the latest technology, there’s one thing you may have forgotten. Your staff.
Employees are one of the biggest threats to a company’s cybersecurity. For the most part, this is not down to malicious intent; it is simply human error. Even the smallest mistake made by an employee can come at a huge cost to the business, which is why it is vital that your workforce understands the importance of data protection and cybersecurity.
If you’ve not put much thought into your staff training or you haven’t run a training session in a while, it’s time to address that. Here are six ways you can ensure your staff are clued up on cybersecurity, so you can reduce the risk of human error leading to a data breach.
- Include cybersecurity training in the onboarding process
It’s a good idea to create a culture that encourages and nurtures strong cybersecurity practices, and one of the best ways to do this is by educating staff on data protection and your policies from the moment they join the business. Adding a cybersecurity training session to their first week can help. This doesn’t have to be long; half an hour or so is enough to get them up to speed. Or, if you hand out welcome packs to new employees, make sure there is a section that outlines in detail the importance of security and any key company policies regarding it.
- Implement strong password policies
Having a strong password policy in place is crucial. Hackers often target employees, exploiting weak passwords in order to gain access to company data. Ensuring everyone is using reliable passwords can help reduce the risk of being hacked. This can be done by issuing staff with a randomly generated password, or by setting out guidelines that allow staff to choose their own password as long as it meets the criteria. It is also a good idea to encourage staff to change their passwords regularly, perhaps every six months or so.
- Educate staff on the signs of a scam
Another way that hackers like to target unsuspecting employees is through phishing emails and online scams. As such, it’s important that all staff know the classic signs of a scam and are able to recognise when something might not be legitimate. Whether through training or a handy guide (or both), teach staff about phishing emails and security best practice: never reply to an email if something doesn’t seem right, look out for lots of spelling mistakes in the email, and never share passwords, financial details or any other sensitive information over email with someone they don’t know.
They should also be careful not to click on suspicious links or downloads, which are often attempts by scammers to install malware on their device. By ensuring staff can spot the signs of a scam and know who to report it to if they think something is suspicious (probably a member of your IT or security team), you can help to better protect your data.
- Run training exercises
Training exercises can be done in a number of ways. Incident response exercises give employees a hands-on way to test their knowledge and can highlight any gaps in your security systems. Alternatively, you could get them to look over some email printouts and decide which might be scams, run a presentation, or have an open and honest team discussion to see if there are any areas of cybersecurity that your staff are unsure of.
These training exercises all have merit and can all be a great way to educate your staff. You could even run a combination of different exercises to keep things fresh and ensure nobody becomes complacent or switches off during these sessions.
- Set guidelines for working outside the office
Working remotely is increasingly popular, and some staff also like to work while they travel. While this is not a bad thing, there are certainly higher risks that come with staff working outside the office. For this reason, you need to set out some guidelines for those who do so. They must ensure all devices have strong passwords and are protected by two-factor authentication or encryption, in case something should happen to the device, such as it being lost or stolen.
They must also be wary of connecting to unsecured networks. For example, lots of places now offer free public Wi-Fi, such as trains or coffee shops. Of course, this can be very helpful, but it also increases the risk of hackers being able to intercept the connection and access private data. As such, employees must understand the importance of not connecting to unsecured networks and not sharing sensitive information when connected to public Wi-Fi. Again, all of this can be taught through training sessions, outlined in company policy, and should be ingrained in the safety-conscious culture of the company.
- Make sure you update staff regularly
It’s not enough to update staff once every few years and assume they take it all on board. If you want to reduce the risk of human error and help staff to spot the signs of a security issue, regular training is key. You also need to keep staff up to date on any changes in policies or regulations; this can be done by email or newsletter, or however you prefer to communicate with your workforce.
Using a mixture of the tactics above, be sure to educate your team regularly on the importance of cybersecurity and data protection. Make sure you have strong policies in place and that staff have access to these materials at all times. Creating a security-conscious culture is going to be the most beneficial way to ensure staff are always putting security first.
Written by Stuart Cooke, Blog Editor at Evalian.co.uk, cybersecurity and data protection consultants and training providers.