In organisations both big and small, the important job of securing data and cyber systems is often left up to the IT department. However, in today’s environment, everyone has a responsibility to implement best practice in cyber security, from the lowest level employee to top-level directors and other senior members of staff.
Cyber security is a growing concern in the UK, with the number of cyber attacks growing all the time. Almost half of all UK firms were hit with a cyber attack or breach in the last year. Data loss or leaks can have a significant impact both financially and in terms of long-term business reputation.
Unfortunately, cyber security training in the UK is still woefully inadequate in many UK organisations. When it is offered, it is often restricted to IT staff only – probably the department that benefits least from additional security training.
‘Only A fifth (20%) of businesses have had staff attend any form of cyber security training in the last 12 months, with non-specialist staff being particularly unlikely to have attended.’ (Cyber Breaches Report, 2017).
To prevent against data loss and leaks and to minimise the damage done by any cyber attacks, it’s vital that every department is aware of the role they play in maintaining cyber security for the organisation as a whole. Although not every department is listed below, let’s explore some examples of how different departments can take responsibility for the safety of their business data.
The Human Resources department plays a pivotal role in ensuring cyber security as they are responsible for relaying company policies and procedures to new recruits.
All employees within an organisation should be familiar with the cyber security policy, which should include best practices to avoid data leaks (not using email to relay sensitive data, not using personal devices such as USB sticks to copy data or upload data to personal cloud storage etc.), how to spot phishing emails, what to do in the event of a suspected data breach, and other important security practices.
‘72% of the most common types of cyber breaches are related to staff receiving fraudulent emails’ (Cyber Breaches Report, 2017).
The position of the marketing department is somewhat unique, as they must do their part to safeguard the data of individuals outside the organisation, as well as following cyber security procedure within.
This means making sure people get the marketing emails they sign up for, taking steps to ensure personalised information is never inadvertently sent to the wrong person, and ensuring databases of contacts and leads are kept safe and secure. The major impact of the EU GDPR on marketing technology will increase the responsibility marketing plays when it comes to ensuring compliance doesn’t leave an organisation’s brand behind.
‘Nearly three in five marketers (58%) report having concerns over the compliance of their in-house customer data. ‘ (Royal Mail New Customer Data Research Report 2017).
The legal department will be left with sorting out the mess in the event of a catastrophic data breach, so it’s in their interests to ensure they’re doing their part in protecting the data of the entire organisation.
‘One in ten (11%) have a cyber security incident management plan in place.’ (Cyber Breaches Report, 2017).
This means ensuring every department is complying with GDPR (general data protection regulation) and also cascading GDPR responsibilities into supplier contracts.
As in the marketing department, the sales department must take responsibility for the security of their customer data. This means keeping company data, systems, and devices separate and secure and ensuring that customer data is protected online and offline.
This is particularly important for sales made online, where sensitive financial information is transmitted. While the IT department can advise on the relative security of different payment gateways, the sales department must make sure data is secured at all stages of the sales process.
The finance department is naturally privy to sensitive information that should not be accessible by general employees or anyone outside of the organisation.
Every member of the finance team should be trained to ensure the company account number or other financial data is never given to the wrong person. This may seem a simple point to make but it’s often very easy for a cyber attacker to attain such information by posing as a senior member of staff or external supplier or contractor.
‘27% of the most common types of cyber breaches are related to others impersonating organisations in emails or online.’ (Cyber Breaches Report, 2017).
Cyber security has traditionally focused on attacks from outside the organisation but in businesses of today, internal threats are also a serious concern. Internal attacks include deliberate attacks by malicious individuals, but also cases in which data is inadvertently leaked or lost by a careless or untrained employee.
Human error is a factor in 95% of all security incidents. Rather than focusing solely on strengthening IT systems, it makes sense for organisations to invest in their people and ensure a robust holistic cyber security policy across all departments.
It is down to those in leadership positions to stress the importance of cyber security to other employees and develop a unique strategy that is tailored to the risks of each organisation.