Most organisations neglect one area that has a major impact on their IT security: their staff. If you do only one thing next year, take the time to educate your employees about the key security threats to your business and the part they play in minimising the risk.
Employees do not go to work intending to sabotage the IT systems, but their actions can unwittingly expose the business to attack. That can mean substantial damage to the company's reputation, or leave the business choosing between paying a ransom to criminals and losing vital corporate data.
Usually such actions stem from a simple lack of awareness of the threats and of how to respond to them. It is impossible to prevent every attack, but making employees an active part of the security process tightens security significantly.
For example, people are used to installing a new application at the touch of a button, and we cannot blame them for bringing the same approach to work. They want the same high-end technology they have at home, so in many cases employees are bringing their own devices into the office. That can save the business money, but it comes with risks: a greater chance of data leakage, and the possibility that these devices are missing security updates or up-to-date anti-virus protection. We should not necessarily discourage employees from doing this, but clear rules and guidelines for those who want to need to be in place and strictly followed.
Email is the lifeblood of most organisations, but it too opens a business up to a whole range of risks, from spam and viruses to accidental data leaks. No one wants to be the next company making the headlines for the wrong reasons, with the resulting loss of business and reputation. For a small company, that could mean going out of business.
Email security education low on the agenda
However, in a survey we carried out last year with Mimecast among a mix of small, medium and large organisations, only 10 per cent of respondents said that educating their employees about email security risks was a priority. What makes this even harder to understand is that many of them recognised the potential risk from employee behaviour. In our survey, more than a quarter (28 per cent) of respondents said that accidental data leaks from within the company were their main concern relating to corporate email security. This was considered the same level of risk as spam and email viruses.
The solution is not rocket science. Businesses simply need to teach employees how small changes in their behaviour make the organisation a safer place to work, and then put policies in place that support those changes. Training should include practical ways to spot a potentially dangerous email. Many people are already wary of attachments from unknown correspondents, but it is worth reminding them regularly that malware can lurk in the simplest-looking message from a known source, such as a colleague or a supplier: a familiar display name is easy to forge, and a genuine contact's account may itself have been compromised. The useful habit to teach is to judge a message by what it asks you to do (open this attachment, pay this invoice today) rather than by who it appears to be from, and to check with the sender by another route before acting.
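The checks a trained employee makes by eye (does the visible sender match where the mail really came from, was it authenticated, is the attachment a type that can carry code, is it pushing for an immediate action) can also be run mechanically on a message before it reaches the inbox. The script below is an added example written for this page, not code from the original article, from EACS or from Mimecast. It triages two constructed sample messages with Python's standard email library; the domain names, the Authentication-Results values and the lists of risky extensions and pressure words are illustrative assumptions, not a complete rule set.

```python
import email
from email import policy
from email.utils import parseaddr

# Attachment types that commonly carry macros or executable code (illustrative list, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
# Wording that pressures the reader into acting before thinking (illustrative list).
PRESSURE_WORDS = ("urgent", "immediately", "today", "overdue", "final notice")

# Constructed sample: looks like a known supplier, but the bounce address, the
# authentication results and the macro-enabled attachment all tell a different story.
SPOOFED_SAMPLE = """Return-Path: <bounce@acme-supplies-billing.example>
Authentication-Results: mx.ourcompany.example; spf=pass smtp.mailfrom=acme-supplies-billing.example; dkim=none; dmarc=fail header.from=acme-supplies.example
From: "Jane at Acme Supplies" <jane@acme-supplies.example>
To: accounts@ourcompany.example
Subject: Invoice 4471 - please process today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, the attached invoice is overdue, please open and approve today.

--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: the same contact, sent legitimately and fully authenticated.
LEGIT_SAMPLE = """Return-Path: <jane@acme-supplies.example>
Authentication-Results: mx.ourcompany.example; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example
From: "Jane at Acme Supplies" <jane@acme-supplies.example>
To: accounts@ourcompany.example
Subject: Agenda for next week's review
Content-Type: text/plain; charset="utf-8"

Hi, the agenda for next week's review is below. No action needed yet.
"""


def _domain(header_value):
    """Domain part of an address header such as From or Return-Path ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse 'method=result' clauses from Authentication-Results headers into a dict."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # First clause is the authserv-id; the rest are e.g. "dkim=pass header.d=..."
        for clause in str(hdr).split(";")[1:]:
            token = clause.strip().split(" ", 1)[0]
            if "=" in token:
                method, result = token.split("=", 1)
                out[method.lower()] = result.lower()
    return out


def body_text(msg):
    """Plain-text body of the message, or '' when there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def triage(raw_message):
    """Return a list of human-readable warning flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. The visible From domain should match where bounces go (a mismatch is a prompt
    #    to look closer, not proof of malice: some mailing platforms do this legitimately).
    from_domain = _domain(msg.get("From"))
    bounce_domain = _domain(msg.get("Return-Path"))
    if bounce_domain and bounce_domain != from_domain:
        flags.append(f"return-path domain {bounce_domain} differs from From domain {from_domain}")

    # 2. A known sender's name means little unless the receiving gateway authenticated it.
    dmarc = auth_results(msg).get("dmarc", "missing")
    if dmarc != "pass":
        flags.append(f"DMARC result is {dmarc} for {from_domain}")

    # 3. Attachments that can execute code deserve a second look even from a colleague.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment {name} is a macro-enabled or executable type")

    # 4. Urgency is the social-engineering lever; flag it so the reader slows down.
    text = (str(msg.get("Subject", "")) + " " + body_text(msg)).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, "->", triage(sample) or ["no warnings"])
```

Run stand-alone it prints four warnings for the spoofed message and none for the legitimate one. The point of the exercise is the same one the training should make: the two messages claim the same sender, and only the headers and the attachment type separate them, so "I know this person" is never a reason on its own to open an attachment or act on a request.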
Minimising the risks
To support the education effort, businesses need policies and processes that minimise the chance and the impact of an attack. These need to be straightforward, easy to understand and suited to the specific business. If they are too complex, many employees will simply work around them, and those workarounds are exactly what someone with malicious intent looks for. The rules must also apply to every single employee; no one is too junior or too senior. The CEO may appear more security conscious in principle, but he or she has access to far more confidential information and so potentially poses a greater risk.
Finally, it is vital that every employee knows what to do if they suspect their account or device has been compromised, or that they have opened something they should not have. If the worst happens, they need to know what action to take and who to call, and to know that they will be thanked for reporting the problem immediately rather than trying to fix it themselves or hoping it will go away. The earlier a compromise is reported, the less damage it does; a culture that blames the reporter guarantees that reports arrive late or not at all.
One of the biggest challenges for any business is keeping up with the threats. Technology moves quickly, and as we find solutions to one problem new ones emerge. It is therefore imperative that businesses invest in security software and keep it, and the systems it protects, up to date so that known weaknesses are not left open to attack. If you do not have the expertise in-house, consider outsourcing it. It is impossible to be 100 per cent secure, but by using the right technology and educating our employees we can all make our businesses significantly harder to attack.
Mike Dearlove is managing director of EACS.