A guide to educating employees about cybersecurity
6 January 2016
3 min read
It’s a business cliché that staff are a company’s greatest asset and potentially its greatest risk. And while that has always been true in the area of customer relations, it’s now equally applicable to data security.
Employees are the first line of defence against cyber-attack, and also – potentially – an SME’s most glaring vulnerability.
Education is the key, but a balance needs to be struck. Employees need to know the risk their online activities pose and how to manage it, without being rendered unproductive by overly complex procedures. At the very least, staff need to be regularly reminded of the real and present danger of cybercrime.
"Employees are a company's first line of defence but they also need to be aware of the security threats out there in order to avoid them," says Richard Walters, vice-president of identity and access management at the cloud service provider Intermedia.
And those threats are constantly evolving. Many SME employees will know of the dangers of opening unsolicited email attachments; far fewer will be aware that both the company printer and their personal mobile phones are potential gateways into the company network.
A 2015 report by Intermedia found that 93pc of the "knowledge workers" surveyed admitted to engaging in at least one form of risky data security – from sharing account credentials to installing non-sanctioned applications.
"Despite the fact that more and more organisations are taking the threat of their own staff more seriously and giving their employees training in data security, user awareness of security threats and adoption of protection technologies still remains very low," says Greg Aligiannis, security director at email security company Echoworx.
Mr Aligiannis believes threat-awareness training and a "seamless integration of preventive measures" should be ingrained into everyday working life.
Basic security should be second nature, in other words, from intern to executive, but that will only happen if SMEs actively encourage it, says Dave Stanley, director at network security company Aditinet.
"You can encourage staff by holding learning sessions – lunch and learn for instance. What we see is that most security issues are based on ignorance, not malicious intent. There’s an expectation we all know the answer. Especially in SMEs, assume staff don’t and give them an environment to learn."
Language around cybersecurity issues should be simple and jargon-free, and messages should encourage personal responsibility and common sense, Mr Stanley adds. A culture in which employees feel confident to ask questions and seek answers for themselves should be instilled from the top of an organisation down.
"Common sense is invaluable," he says. "If it looks wrong it probably is wrong. Really, it’s treating the virtual world like the real world. If you wouldn’t give it away to a stranger don’t make it available online to one."
A culture that encourages personal responsibility should be combined with an up-to-date IT policy. Intermedia recommends creating and implementing guidelines incorporating best practices for employee security and access to IT services during employment, as well as a rigorous "IT offboarding" process (revoking network permissions and access) for departing employees.
Policies on strong password practices, application usage, and a list of approved websites, services, software and applications should be integral to any IT policy, says Intermedia’s Mr Walters. These policies and permissions should be regularly updated and communicated to employees.
The intention is to make everyone in an SME aware of cybersecurity risks, and fully engaged in avoiding them. "Again this ties back to culture," says Mr Stanley.
"Showcasing personal responsibility and ownership to help your staff understand their role in your business's security. That engagement can make all the difference, making cybersecurity not another admin-led layer, or 'IT's problem', but a collective responsibility."