By Dejan Kosutic
Believe it or not, 59 percent of data breaches happen not because of some skilled hacker who wants to harm your company, but because of your own employees. To stop these incidents, a small business has to focus on two things: setting up internal processes and procedures correctly, and training employees so they are aware of security threats.
To train employees effectively, here is what you should include in your security training and awareness program:
1) Authentication rules
Your employees must use complex passwords, and should never share these passwords with anyone. The reason is that if their computer, laptop, smartphone, or any other device gets stolen, a thief who also has the password will not only control all the data on the device, but will also be able to penetrate your company network and wreak havoc with your data.
The best practice is to use special software called a password manager: with it, employees need to remember only one complex password, while the password manager remembers all the others.
2) Network connections – what to use, and when
Unfortunately, wireless connections have proved to be very unsafe. Your employees should be instructed to avoid Bluetooth whenever possible, because it has proved to be the easiest to break into.
Public Wi-Fi networks are not much better: attackers set up such networks in public places, posing as legitimate providers, in order to gain access to users' Internet traffic. In this way they can capture passwords and other sensitive information.
A VPN service is probably the best way to keep your data safe; it ensures that all transmitted data is encrypted before it leaves the computer.
3) Data encryption
No matter how careful your employees are, a laptop or a smartphone can easily be stolen. Basic physical security rules, such as never leaving mobile devices unattended, are always worth teaching. But to prepare for the case where a theft does occur, you should teach employees how to encrypt their data, so that if a device is stolen the only loss is the device itself, not the data.
Since most data is now transferred or archived through the cloud, encrypting it there also makes sense. Most cloud providers claim they encrypt the data in their systems; however, it may be better to encrypt the data before it reaches the cloud, since you never know how far the cloud provider can be trusted.
4) Backup
If data is lost, a backup is usually the last resort; in many cases a backup has saved not only days, but months or years of someone's work.
So, make sure your employees have the right backup system in place (very often a simple cloud service will do), and also that the backup is updated regularly. One word of caution: having a backup means the data is stored in at least two places, e.g., on a computer and in the cloud. Keeping the data only in the cloud does not constitute a real backup.
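The two checks the paragraph above asks for (the backup is a second copy, and it is refreshed regularly) can be automated. The script below is an added example, not part of the original article: it compares a working folder against its backup copy, reports files that are missing from the backup, copies whose contents no longer match, and copies older than a policy threshold, and refuses to "verify" a backup that points at the same location as the source. The 24-hour freshness limit and the sample folder layout built by `demo()` are constructed assumptions for illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Hypothetical policy for this example: a backup copy older than a day is stale.
MAX_AGE_SECONDS = 24 * 60 * 60


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(source_dir, backup_dir, max_age=MAX_AGE_SECONDS, now=None):
    """Compare every file under source_dir with the same relative path under backup_dir.

    Returns a dict with the lists 'missing', 'stale' and 'mismatched' (relative
    paths, POSIX style) and an 'ok' flag that is True only when all lists are empty.
    """
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    # A backup that lives in the same place as the working data is not a second copy.
    if source_dir.resolve() == backup_dir.resolve():
        raise ValueError("backup location must differ from the source location")
    now = time.time() if now is None else now
    report = {"missing": [], "stale": [], "mismatched": []}
    for src in source_dir.rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(source_dir)
        dst = backup_dir / rel
        if not dst.exists():
            report["missing"].append(rel.as_posix())
            continue
        # Freshness: when was the backup copy last written?
        if now - dst.stat().st_mtime > max_age:
            report["stale"].append(rel.as_posix())
        # Integrity: does the backup copy still match the working copy?
        if file_digest(src) != file_digest(dst):
            report["mismatched"].append(rel.as_posix())
    report["ok"] = not any(report[k] for k in ("missing", "stale", "mismatched"))
    return report


def demo():
    """Build a constructed source/backup pair in a temp dir and verify it.

    Contents: one faithful copy, one copy that lags behind the source and is a
    week old, and one file that was never backed up.
    """
    root = Path(tempfile.mkdtemp())
    src, bak = root / "work", root / "backup"
    (src / "reports").mkdir(parents=True)
    (bak / "reports").mkdir(parents=True)
    (src / "notes.txt").write_text("meeting notes v2")
    (bak / "notes.txt").write_text("meeting notes v2")      # faithful copy
    (src / "reports" / "q1.csv").write_text("a,b\n1,2\n")
    (bak / "reports" / "q1.csv").write_text("a,b\n1,1\n")   # backup lags behind
    (src / "reports" / "q2.csv").write_text("a,b\n3,4\n")   # never backed up
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(bak / "reports" / "q1.csv", (week_ago, week_ago))
    return verify_backup(src, bak)


if __name__ == "__main__":
    result = demo()
    for kind in ("missing", "stale", "mismatched"):
        for rel in result[kind]:
            print(f"{kind:10s} {rel}")
    print("backup OK" if result["ok"] else "backup needs attention")
```

Running it as a scheduled job against the real working folder and its backup, and alerting on `ok == False`, turns "update the backup regularly" from advice into something that is checked.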
5) Basic security “hygiene”
There are some security practices that should be treated as routine, for instance:
- Links in emails should be clicked only with care: some links may take your employees to infected websites.
- Provide employees with a list of allowed software, and permit only that software to be installed on devices used for business purposes. Very often, games or utility programs offered as free downloads turn out to have been used by hackers to inject viruses onto your employees' computers in order to extract information.
- Transferring data with USB flash drives should be avoided; they are the easiest way to infect a computer with a virus.
Invest wisely in your security. Of course, each small business will have to adapt its training and awareness program to its own needs, so you should not take these 5 items as a definitive list. For more information, check out the free ebook 9 Steps to Cybersecurity to learn how to plan a cybersecurity implementation from a management perspective.
No matter how you train your employees and how you make them aware of security, remember the most important thing: simply purchasing new technology will not increase your level of security.
Dejan Kosutic is a known expert in information security and cyber security, and an author at 27001Academy, the leading online resource for ISO 27001 & ISO 22301/BS 25999 implementation. As an ISO 27001 Lead Auditor and Approved Tutor, he has delivered certification audits and many courses throughout Europe. He helps businesses implement information security management (ISO 27001) and business continuity management (ISO 22301) standards. Follow him at @Dejan_Kosutic.