Joe Siegrist, VP, LastPass

Employee education is an essential part of the support the NCSC gives to small businesses. The National Cyber Security Centre has promised to “ensure public and private sector organisations and institutions have access to the right information to defend themselves”, as well as to “define what good cyber-security looks like” for businesses. When the £1.6 billion of funding is allocated, we can't emphasise enough the importance of helping businesses of all sizes educate and train their employees. Breach prevention should be the first line of defence. 

When it comes to maintaining an organisation's security, every employee must take some level of responsibility, not just the security professionals in the IT department. An organisation is only as strong as its weakest link. A portion of the funding should therefore be targeted at helping companies develop a cyber-security education programme tailored to SMEs. Unlike their counterparts at larger enterprises, SME leaders usually have hands-on involvement in several areas at once, which is often why IT security does not get the time or attention it deserves. 

A programme built on educating every employee in the on-going process of safeguarding against threats should begin with increasing knowledge of best practice from the top down. So, what could a comprehensive cyber-security education programme look like for small businesses – and which organisational areas should be prioritised? 

Enforce the basics 

There are a few basic security principles that every organisation should apply. Set mandatory password requirements around length and complexity, and make sure the IT department rejects new passwords that match old ones; a password history check does this without keeping the old passwords in plain text. On rotation, be aware that NCSC's own password guidance advises against forcing regular expiry, because it pushes people towards predictable variations of the previous password; change a password when there is reason to think it has been compromised. Rolling out two-factor or multi-factor authentication across the organisation also greatly improves security, because logging in then requires a second, independent factor such as a code from an authenticator app or a hardware token, so a phished or reused password alone is not enough. 

Manage user access 

However many employees your small business has, it is essential that people can access only the information and data they are allowed to see. Even where IT has not explicitly given an employee access to a particular account, staff may share account credentials among themselves for convenience. It is important that passwords are shared securely, and only with the right people, so that the organisation still knows who holds which credential. 

The organisation should also be aware that it is exposed to risk when an employee leaves, passwords are not updated, or access requirements change. There need to be systems in place to administer who can access what data, to update accounts when roles change, and to revoke access and rotate any shared credentials promptly when someone leaves. 

Create a formal policy around account security 

It's a good idea for every organisation to create a policy that details the security measures it and its employees take. It should cover items ranging from password requirements to change management procedures. The policy should also set out “bring your own device” (BYOD) guidelines: with staff using their own devices for work for convenience, the policy needs to say what company data those devices may hold and access, since such devices add risk the organisation does not otherwise control. 

Train employees on security practices 

Once a security policy is in place, employees need security training so that they are fully aware of it and know how to abide by it. The IT department needs to educate employees on the risks the organisation is exposed to. Holding IT training sessions, talking about best practices, and explaining why basic measures such as strong, unique passwords matter can all help decrease a firm's exposure to potential security threats. 

Enforce secure Wi-Fi policy 

SMEs should use strong administrative and network access passwords (changing any defaults) and strong encryption: WPA2 with AES (CCMP), not WEP or WPA/TKIP, or WPA3 where the equipment supports it. There should also be a separate Wi-Fi network for guests, isolated from the internal network. Wi-Fi equipment should be physically secure. Employees and contractors should use a VPN on public Wi-Fi, and access to sensitive information over public Wi-Fi should be limited. 

Beware of phishing attacks 

When in doubt, throw it out. Educate employees on how to spot and flag suspicious emails that might be phishing attacks: unexpected requests for credentials or payments, a sense of urgency, a sender address that does not match the display name, and links whose real destination differs from the text shown. Remind employees not to click on links from people they don't know, or links that seem out of character from trusted contacts and companies, and to report anything suspicious rather than act on it. 
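The tells listed above (display name versus sender domain, Reply-To pointing elsewhere, link text that shows one host while the href goes to another) can be checked mechanically before a message reaches an employee. The following is an added example written for this page, not code from the article or from LastPass; it parses a constructed sample email with the standard library and returns the findings. The brand-to-domain table and the sample messages are invented for illustration.

```python
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand-to-domain table (assumption). A real list would hold the organisation's
# own banks, suppliers and SaaS providers.
KNOWN_BRANDS = {"example bank": "example-bank.co.uk"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse(raw: bytes) -> list:
    """Return a list of (code, detail) findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    display = sender.display_name.lower()
    # A brand name in the display name but a sender domain that is not that brand's.
    for brand, domain in KNOWN_BRANDS.items():
        if brand in display and not same_org(from_domain, domain):
            findings.append(("brand_impersonation", f"'{sender.display_name}' sent from {from_domain}"))

    # Replies silently routed to a different domain than the apparent sender.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != from_domain:
            findings.append(("reply_to_mismatch", f"replies go to {rt_domain}, not {from_domain}"))

    # Link text that shows one host while the href goes somewhere else, or to a bare IP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
            if shown and shown != target:
                findings.append(("link_text_mismatch", f"shows {shown} but goes to {target}"))
            if is_ip_literal(target):
                findings.append(("raw_ip_link", href))
    return findings


# Constructed sample messages (not real emails).
PHISH = b"""From: "Example Bank Security" <alerts@example-bank-login.net>
Reply-To: verify@mailer-xyz.example
To: staff@smallco.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details within 24 hours.</p>
<p><a href="http://198.51.100.23/login">https://www.example-bank.co.uk/login</a></p>
</body></html>
"""

BENIGN = b"""From: "Example Bank" <alerts@example-bank.co.uk>
To: staff@smallco.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Statement available at
<a href="https://www.example-bank.co.uk/statements">https://www.example-bank.co.uk/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyse(PHISH):
        print(code, "-", detail)
    print("benign findings:", analyse(BENIGN))
```

Each finding maps to one of the cues employees are taught to look for, so the same logic can feed a mail gateway rule or a training exercise. It deliberately stays heuristic: a clean result does not prove a message is safe, which is why the "when in doubt, throw it out" rule still applies.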

Cyber-security will only work when government and businesses collaborate to solve the problem. Businesses that don't step up their cyber-security will face the consequences, but we need a joint approach if we are to move forward, and that begins with education. 

Contributed by Joe Siegrist, VP, LastPass 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.