How to address the biggest cyber weakness a business has
There are plenty of best practices to follow around cyber security. Two-Factor Authentication and password managers go a long way to keeping data secure. Storing documents on cloud systems creates useful backups too. However, the biggest cyber weakness is the same in every business – people.
Even with the best intentions, it’s almost inevitable that people make mistakes. There’s often nothing malicious about it. Staff might skip security processes to save time. Or, they might unwittingly share information with an unfamiliar email address.
So what can you do as a business owner to prepare for and reduce human error?
In this guide, we look at how you can address this weakness. We’ll also outline the proactive steps you can take to keep your business safe.
How employees pose a cyber security risk
The digital landscape is increasingly complex. Security systems are constantly evolving to be more effective. But there are always new threats to be on guard against.
Most malicious programs rely on employees to activate them. People are often tricked into clicking on an attachment or pop-up. That then downloads and spreads the attack code.
However, malicious software can also spread through networks by itself. High-profile cyber attacks like WannaCry prove how easy it is to exploit carelessness.
In the case of WannaCry, Microsoft had issued a free patch for the weakness in March 2017. Yet when the attack spread in May, many businesses still hadn’t updated their systems. Some staff had also disabled security solutions on their computers.
While employees were the weakest link, it’s not hard to see how it’s done. Let’s imagine some of the irritations your staff might experience:
“Security apps are bulky and slow everything down”
Some security apps can lead to slower loading times. This tends to be the case if they're outdated or competing with other security software. Older computers may struggle to cope. It’s not hard to imagine employees switching them off for a high-bandwidth video call.
“I’ll lose all my tabs if my computer restarts”
We all work differently. For some people, being organised means having dozens of tabs open. They know where everything sits, from the email tab to individual documents. The problem is, updating your computer requires a restart. Employees may be reluctant to do this and disrupt their process.
“It’s easier to work on my mobile or home computer”
The increase in home working requires extra vigilance around data security. Employees might have separate laptops for home and work, plus a mobile phone they work on. This makes it harder to track data shared between devices.
“When it comes to cyber security, there are so many attack vectors to consider that sometimes people forget that it's not just software and hardware that are vulnerable – it's the people that build or use systems. Given the ‘cloud’ nature of our working lives, most companies are potentially one employee’s bad day away from disaster.”
Stephen Jones, CTO of Business Data Group
Steps to address cyber weakness in your business
Provide relevant cyber security training for employees
Relevant training is a logical first step to enforce security measures.
Having a cyber security policy isn’t enough. Policies are often written in complex language that’s hard to understand. They’re also usually hidden away in a HR folder.
Training is essential to bring your policy to life. Staff need to hear about best practice in clear terms and how to act in the worst case scenario.
Providing cyber security training should also motivate employees to pay attention to your company's safeguards.
It’s easy to pass the buck when it comes to cyber security. But the truth is, it’s everyone’s responsibility. Your employees need to know that it’s their job to take time to follow best practice. This might include installing security updates or double checking suspicious links.
The Centre for the Protection of National Infrastructure has a number of useful resources. These cover major areas of cyber security risk, like social engineering and phishing attacks.
Install user-friendly tools
There is a wealth of sophisticated cyber security tools out there. Most businesses will already have anti-virus software and password managers.
It’s important that you choose user-friendly tools. If something’s difficult or time-consuming to use, your staff will slip back into old habits.
These habits can undermine your entire policy. It might include writing passwords down on paper or emailing files from unsecured networks. It’s best to avoid the risk entirely. Choose tools that are accessible and run training sessions on how to use them.
Don’t punish employees who fail security measures
Employees need to feel comfortable reporting any security concerns. While it’s true they’re a cyber weakness, they’re also the ones who can mitigate threats.
If an incident does happen, the worst thing that can happen is that it goes unreported. This will increase the amount of damage caused and may even lead to a more extensive breach.
There are a few reasons why staff might hide an incident:
Your employee’s embarrassed that they made a mistake
The first reason an employee might cover up a mistake is that they feel embarrassed. Many phishing emails, for example, are obvious in hindsight. But it’s incredibly easy to fall for them in the moment.
You can address this concern by making it clear that phishing messages are difficult to spot. Never punish anyone who has struggled to recognise deceptive messages.
As the National Cyber Security Centre (NCSC) found, creating a blame culture doesn’t work. What’s more, it can cause distress and even distrust amongst employees. It’s best to use any mistakes as an opportunity to revise your training:
- Encourage users to come forward if something looks suspicious
- Get creative. Some businesses have had success asking employees to craft their own phishing emails. It forces staff to think about techniques used in attacks. It also reminds them how easy it is to mistake them for legitimate messages
Your employee doesn’t know who to speak to
The second reason an employee might hide a mistake is that they don’t know who to speak to.
Bigger companies often have dedicated a cyber security role. But small businesses need to decide who will be that point of contact.
Have a clear protocol in place and share it with everyone. Let employees know exactly what to do if they come across an issue and who to report it to.
“A good way to think about your frontline security is that it’s only as good as your least trained member of staff. That's where you’ll get caught out – phishing will inevitably go to them. That’s why company-wide training is so important.”
John Williams, MD of Northstar
Have a plan in place if something goes wrong
Even with robust systems in place, don’t get lax. There are two inescapable facts about cyber security.
One, threats are changing and evolving. They’re growing more complex, which makes them harder to spot.
Two, people are prone to mistakes. All it takes is for an employee – or even you – to intuitively click the wrong link at the end of a day.
A well-planned response will reduce the damage caused by a cyber attack. This could include reducing the impact on staff or clients, or reducing the data lost.
The NCSC outlines how to create a basic response plan. It breaks down how an incident should be managed in practice.
Key steps include:
- Identifying key contacts. These contacts may include senior management, legal and HR. Remember that people may not be available, so include two or more contacts
- Listing preferred contact methods. If your digital systems go down, what’s your plan for reaching people urgently?
- Determining escalation criteria. How will you determine the severity of the incident?
- Creating a step-by-step overview of your response. This overview should cover the incident from start to finish. Think about comms with staff or customers, and any documentation you will need
- Providing basic guidance on legal requirements. When you will need to engage legal or HR support
Dealing with cyber security risks in your business
Small businesses are busy and it’s easy to push cyber security to the back burner. The problem is, this attitude is infectious.
If you don’t see cyber security as a priority, your staff will adopt a similar attitude. At worst, it can become a box-checking exercise that happens each year.
You need to lead from the front and show staff that you’re all in it together. Look carefully at your own habits and make sure you’re setting the right example. If your staff see you skipping security measures to speed up a meeting, you’ll send the wrong message.
Make sure you offer robust training too. Quick refresher courses every quarter can be a great way to keep cyber security part of the conversation.
Finally, remember that people are prone to making mistakes. It’s crucial that businesses don’t play the blame game.
See errors as a chance to improve how you educate staff and create a workforce that’s more vigilant against future attacks.