When it comes to preventing cybercrime, everyone in a business has a part to play. In fact, it would be fair to say that your employees are your first line of defence.
From the apps they download on the company phone through to how often they update their passwords, your employees’ actions often decide how safe your company is from cybercrime.
A big part of preventing cybercrime involves making sure employees are aware of their responsibilities, as well as giving them the tools and support to meet them. With this in mind, we’ve put together a small overview of why it’s so important to educate your team in preventing security breaches, as well as how you can go about achieving this.
Building a cyber smart culture
Oftentimes, the small business owner ends up shouldering the responsibility in the event of a security breach. If you are unable to process orders because your systems are down or if customers are unable to visit your website, it’s going to translate directly into lost sales and lower profits. Customers are likely to walk away if they feel that their information is not safe in your hands. Worse still, you could even find yourself facing a regulatory fine in the event of a serious customer data breach.
However, even in a small business, you can’t be everywhere at once. Day-to-day, it’s your employees who decide which emails to open, which links to click on, and with whom to share sensitive information. In short, they keep your business safe and need to be trained to do so effectively.
The standard advice is that you need a ‘cybersecurity policy’: a list of do’s and don’ts for staff to follow. The points we’ll cover below deserve a place in your policy; on its own, however, a list of rules can be difficult to translate into real-life situations. What you should really do is aim to promote cyber-smart behaviour. Your plan should be to create a culture where staff know what is expected of them – one where they are savvy enough to spot possible security issues and can do so in real working scenarios.
Firewalls can help to screen out hackers, viruses, and other threats that could reach your business systems via the internet. Similarly, anti-spam software can stop unwanted emails from reaching your employees’ inboxes, while anti-virus software can recognise the code that forms known viruses and stop it spreading across your network.
These measures are important, but they cannot block out every threat of cybercrime. Opening an infected attachment, clicking on a pop-up window and even playing what looks like a harmless video could all potentially trigger a cyber attack. This is something your employees need to be made aware of.
If you’re keen to circumvent this issue, a more direct solution may be restricting internet access through the business network. You could opt for a ‘locked down’ system where access to the vast majority of websites is restricted and staff can only access domains that are on an authorised list. It’s an effective measure in terms of security; however, it could also significantly hinder workflow and staff may perceive such measures as a lack of trust.
A ‘managed’ system might make more sense. In this case, only those websites that have been identified as potentially dangerous by your anti-intrusion devices are blocked. Yet for this to work effectively, staff need to be aware that sites they are not familiar with should not be accessed. Likewise, files and programmes – including mobile apps – should not be downloaded on work devices without permission.
Stay vigilant against targeted attacks
Recently, a number of law firms were hit by the ‘Friday afternoon scam’. Criminals got wise to the fact that Friday afternoon was a prime time for completing house sales. As a result, they focused on cloning clients’ accounts and sent fraudulent instructions to solicitors providing new bank details — thereby duping firms into transferring cash to criminals.
This type of targeted scamming can easily catch employees unawares. If you hear of specific instances of scamming, be sure to warn your staff. Above all, have set procedures in place for communications with the people you deal with. For instance, your bank or HMRC would never ask you to confirm log-in details or give out account details via email. For your customers and suppliers, work out a set procedure for payments, and instruct your staff that any instructions to depart from this procedure should always be double checked.
With automated cracking tools, hackers can attempt to break into thousands of websites simultaneously with relatively little effort. Once staff are aware of this, the need to follow the rules on password usage should become clearer. Depending on the system, passwords should have a minimum length of at least 8 characters and be made up of a combination of letters, numbers, and symbols. It is vital that passwords across the company are unique. This is so that if a single log-in is breached, it doesn’t provide a gateway into multiple systems. This may be off-putting to your employees. However, there are ways of making the prospect more manageable. For example, providing a dedicated password management tool for your staff can help reduce the burden of remembering lots of different log-in details.
It’s easy for a member of staff to repeatedly click ‘remind me later’ when asked to install updates. However, these ‘patch cycles’ are very often geared towards security, and ignoring them could leave the business exposed. Remind your staff of this. Better still, you can take this task out of employees’ hands completely by having a system of remote update management in place. It means updates are taken care of centrally so you know everything is protected by the latest software.
Protection against cybercrime is one of those areas where tech know-how needs to be combined with adequate training.