Your employees are your best form of defence against hackers
Some of the most common factors when dealing with security breaches in a workplace are down to human error, with so many mobile devices, emails being sent it’s no wonder why hackers target employees within the workplace.
Social engineering and phishing campaigns have come a long way in the sophistication stakes since the days of being promised riches by an overseas royal family should you kindly fund their long lost son in his quest to be released from unlawful imprisonment.
Hackers are increasingly using all of the data that is readily available in the public domain to target employees within firms. There is a wealth of information for them to choose from – LinkedIn, the company website, news articles – as well as other social media outlets. Their methods are creative and intelligent, and many people (including CEOs) have fallen foul of them. The hackers often take their time and build trust before sending that malware that could be their way of getting into your system.
So what can you do as a responsible business to try and mitigate this?
Firms spend huge amounts of money on building firewalls and other means of protection against hackers. However, if the hackers are determined and they can’t get in via that route then they will try another angle – which is usually trying to engage with people.
An educated and aware staff is the best defence against security breaches. Creating a culture of security within the business is key.
Having selected staff across all functions of the business to be data ambassadors so that it isn’t just the IT department who are responsible for ensuring data security will help with this. Training and awareness must be continuous to be effective.
Another question – do you know where your information security policy is stored? If you do and you’ve read it then you’ll be in the minority – statistics show that 90% of all employees don’t even know where their information security policy is stored.
The average size of a security policy is 10 – 15 pages. Companies are now starting to question whether people are really going to engage with this, and subsequently reducing them to 2 – 3 pages. Interestingly, it is increasingly common for them to be written by someone within the company who works in either marketing or sales, so that they are more enjoyable to read.
It has to be workable – can employees really be expected to remember a 16 digit security code? If it’s too complicated then the inevitable will happen – people writing things down, which defeats the object.
Making the policy more positive, such as ‘do this’ rather than ‘don’t do this’, as this will encourage engagement and create a culture of openness and trust as opposed to employees being too scared to confess if they think they have made a mistake, which can only make things worse.
60 % of hacks are through insider threats. That is either, new staff, existing staff or staff who have left.
When people leave your firm or change departments/roles, do you cut off their access and change their permissions?
However, data security isn’t just about IT – it extends way beyond that. Simple things such as enforcing clean desk policies can go a long way to helping keep client data secure.
Also, consider things such as who does your shredding? Have you performed due diligence on them? The same goes for your cleaning firm.
Clearly, there is no magic solution. Whilst you can buyCyber insuranceto transfer some of your exposures, training your staff is just as important as building a secure system when it comes to protecting your clients and their data.
To learn more or to discuss things further, please feel free to get in touch with me onEloise.Ellis@larkinsurance.co.ukor 020 7543 2823.