Every CIO / CISO / IT security leader knows that it’s imperative that their organisation’s employees understand the importance of cyber security.
Breaches of customer or employee data have cost UK companies millions of pounds. In one such incident, The Telegraph reported that the mobile phone company Three was hacked and the personal information of six million of its customers was exposed. The attackers gained access by using an employee's login credentials. Three reportedly lost 95,000 subscribers after the incident, which cost the company in the region of £60 million.
Dell's recent End-User Security Survey, which interviewed 2,608 professionals in companies of more than 250 workers, revealed that 65% of employees recognised their responsibility to protect confidential information, but many said security programmes limited their productivity. Of those who had received cyber security training at work, 24% admitted they still resorted to unsafe behaviour to get a task done.
The survey also reported that 46% of employees admitted to connecting to public Wi-Fi to access confidential information, and 35% said it was common to take corporate information with them when leaving a company.
In this article, our IT solutions consultants reveal how you can instil a cyber security conscious culture within your organisation.
Action 1 of creating a culture of cyber security – Legislate:
CIO.com suggested that IT leaders should "create simple, clear policies that address potential breaches". These policies should include:
- Rules for keeping a clean machine, including which programs, apps and data employees may install and keep on their work computers.
- Best practices for passwords.
- Backing up work.
- Notifying the appropriate staff members if anything unusual is noticed on an employee's computer.
- Deleting, rather than opening, suspicious links or attachments in email, tweets, posts, online ads and messages, even if the employee appears to know the source.
One of the most significant causes of data breaches is phishing of employee email accounts, so specific policies are needed for maintaining email security. ICS defined these as:
- Where possible, avoid sharing personal information via email unless it is encrypted and being sent to a verified recipient.
- Don't leave cookies or cached pages behind when checking email on someone else's computer or a public computer: use a private browsing window and clear the browser data afterwards.
- Don't click links in unexpected emails; type the organisation's known web address into your browser yourself instead, since the text of a link can differ from where it actually points.
- Sign out of email every time you leave your computer.
- Don’t use your work email for personal matters, especially for buying or selling.
- Don’t use ‘Reply All’ and don’t forward chain emails.
- Use complex passwords to protect your email and change them regularly.
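The reason the "type the address yourself" rule exists is that the visible text of an HTML link can show one domain while the href points at another. The following is an added example, not part of the original article or of the ICS guidance it quotes: a small Python checker that extracts every link from an HTML email body and flags links whose displayed domain differs from the real destination, links to raw IP addresses, and links using a non-web scheme. The hostname comparison (`_same_site`) is a deliberate simplification that treats a subdomain as the same site and does not consult a public-suffix list, and the sample message is constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


# Hostname-looking text such as "www.examplebank.co.uk" or "https://host/path".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _same_site(shown, actual):
    """Treat two hosts as the same site if one equals or is a subdomain of the other.
    Assumption: a plain suffix comparison with no public-suffix list."""
    a, b = _strip_www(shown.lower()), _strip_www(actual.lower())
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html):
    """Return (href, visible text, reason) for each link a reader should not trust."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https"):
            findings.append((href, text, "non-web scheme"))
            continue
        if _IPV4.fullmatch(host):
            findings.append((href, text, "raw IP address"))
            continue
        shown = _HOST_IN_TEXT.search(text)
        if shown and not _same_site(shown.group(1), host):
            findings.append((href, text, "displayed domain differs from destination"))
    return findings


# Constructed sample message body for illustration; not a real email.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please confirm your details:</p>
<a href="http://login.examplebank-secure.net/reset">https://www.examplebank.co.uk/reset</a>
<br><a href="https://www.examplebank.co.uk/help">Help centre</a>
<br><a href="https://www.examplebank.co.uk/help">www.examplebank.co.uk/help</a>
<br><a href="http://203.0.113.7/verify">Verify now</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample, the first and last links are reported (the displayed bank domain does not match the real host, and the "Verify now" link goes to a bare IP address), while the two genuine links to the bank's own domain pass. A mail gateway or user-facing warning built on this idea would additionally need a proper public-suffix list and handling for punycode and lookalike characters.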
When establishing your organisation's cyber security policies, back them with technical measures such as encrypting data and protecting all company mobile devices.
Action 2 of creating a culture of cyber security – Communicate:
It's fine having cyber security policies, but they are useless if people don't know about them. Employees need to be engaged through regular training and by key stakeholders leading by example. Provide staff with regular updates on the state of your cyber security, and tell them promptly if their behaviour is not in line with your company's cyber policy.
Action 3 of creating a culture of cyber security – Knowledge:
Make sure you hire candidates with up-to-date data security knowledge and invest in their continual professional development. These people will be responsible for maintaining the protection around your systems, monitoring for breaches and risky staff behaviour, and educating your non-technical employees. Take care that they are equipped with the tools they need to guard your organisation's data.