
Employee risks: How to reinforce secure IT behaviour

From stricter policies to more frequent testing, we’ve outlined the ways you can keep teams properly aligned on cybersecurity.

No business is exempt from human error. Whether you are rushing to process court documents, updating a lesson plan at a school or emailing business restructure documents, we’re all susceptible to the occasional mistake. However, as we recently discussed, employee mistakes (also known as insider threat) can lead to serious data breaches, with harmful repercussions for both the business and potentially the customers you are serving.

Luckily, all of us today have access to the latest technology, which, if configured correctly, adds layers of defence to our security posture. But as well as the technology, small and medium-sized enterprises (SMEs) should be thinking about how well informed their people are about cybersecurity risks, and should reinforce secure IT behaviour whenever possible. We surveyed 5,770 IT decision-makers from SMEs across Europe, and a third (28%) cited a lack of employee knowledge or training as a reason for increased IT security concerns.

Before we dive into the ways you can reinforce secure IT behaviour, let’s explore why some employees might be more likely sources of insider threat than others.

The employee risk scale

Your current cybersecurity training procedures and general employee diligence will contribute to secure IT behaviour. However, some employees will pose a greater risk. Contractors may not be as immersed in the security policies of the business as permanent employees are, and therefore might not know all of the latest obligations. New employees could be targeted as they get used to multiple systems or trawl through emails from senders whose names they have not yet learned.

Hybrid work is also a risk factor. Are teams constantly on the move, or are individuals frequently working from a local café? Connecting to external networks and working in public spaces could go against standard security practices. So, how do you ensure all those within your business are aligned and exercising secure IT behaviour?


Top tips for reinforcing secure IT behaviour

Prioritise cybersecurity education

All staff, from full-time, office-based employees to those transporting goods to and from a site, should be kept informed on the levels of risk. As an example, malware can infiltrate your business’ systems to shut down operations – and employees might not know that downloading external software on business systems can give cybercriminals a way in.

Staff and contractors should know how to identify phishing attacks. If an employee receives a sudden urgent request for personal information, or instructions to contact the sender via phone call or instant message, this should instantly arouse suspicion. Employees should be trained regularly on how to identify and respond to these incidents – including how to analyse the address or number of the sender and automatically raise it to IT departments. Training procedures should also involve phishing and malware attack simulation tests, demonstrating how easily an employee might be targeted and how susceptible they are to attack.

Beyond phishing attacks, employee security training should explore topics such as smishing attacks (deceptive text messages), social engineering attacks, social media usage, safe file sharing, and safe internet browsing. 


Get strict with your cybersecurity policies

It’s worth noting that 74% of data breaches are said to involve a human element. And of the IT leads we surveyed, one-third (30%) are now more concerned about security technology risks because of hybrid working. It’s therefore more important than ever before to implement robust cyber policies, with firm and transparent communication from the top down.

This includes ensuring employees know how to use company devices and systems correctly. Alarmingly, our research shows three-quarters (76%) of SMEs’ security training doesn’t cover using a printer or a scanner, despite the importance of training employees on how to use these devices safely and securely.

Cybersecurity policies should also include clear instructions about the use of public Wi-Fi networks. This is because insecure connections can lead to harmful malware attacks, and even an employee logging on to send a few quick emails can accidentally cause harm.

On top of this, your policy should encourage employees to use company VPNs and to set up multi-factor authentication (MFA) for an extra identification layer during login. Plus, it should warn against accessing work-related platforms via personal devices, and remind employees to never share passwords.


Stay informed on the employee risks

None of the above can be executed effectively if the policy makers and IT departments themselves are not well informed on the latest risks. Of course, threats such as new employees or those leaving the company are evergreen. However, it’s important to stay in the know about emerging threats, such as working with new contractors or employee use of unregulated third-party apps.

At the same time, leaders should foster a working environment in which IT staff can pursue cybersecurity training. Employees should also be encouraged to question or report any security concerns so they can be escalated, as this can help spread general awareness of the types of threats to look out for.  


Risk-aware workforces supported by technology

Your IT security is only as effective as your people. However, business leaders and IT professionals should pay close attention to how technology can support workforces in preventing human error.

One-third of IT leaders are either not particularly confident (14%) or not confident (15%) that employees have adequate knowledge of IT security risks. But this doesn’t have to be the case. By following our tips, employees and contractors can expand their knowledge of the risk landscape and the implications of their actions. 

For an added layer of support, Sharp offers a comprehensive family of tailored security solutions and services to keep SMEs protected from human error.