‘Cyber security’: two small yet powerful words that we hear increasingly often. But what do these words actually mean? What do they mean to your business, your customers or even to you? We hear them so often that I think we have almost become immune to their meaning.
If you are responsible for managing IT, some of the things you are likely to think about are firewalls, access controls, malware and virus protection and system monitoring. All of these are absolutely appropriate tools to deploy within your business to protect what you see as your most valuable asset, your data, and along with it your business operations and reputation. But what about your organisation’s other, equally important asset: its people? However robust and resilient the technologies you deploy are, they can be rendered virtually useless if you do not consider and engage with the people working in the business.
As a friend recently said to me, “the human element is the most fragile component of any IT environment”.
Whilst many cyber-attacks exploit basic weaknesses and vulnerabilities in your IT systems or software, many others are specifically designed and engineered to exploit weaknesses in people: our trusting nature, our time-pressured lives and the resulting lack of diligence, poor working practices and business processes, or just plain human error.
The most recent data from the ICO (Information Commissioner’s Office) illustrates just how critical the engagement of people is in the quest to keep your business secure. In the first nine months of 2016, over 50% of reported incidents were down to human error. These included 285 incidents of data being posted to the wrong recipient, 173 incidents of data being emailed to the wrong recipient and over 300 incidents of loss or theft of paperwork or devices. And these are just the occurrences that we know of.
So what can you do to mitigate this ‘human element’? Cue the common protestation: “All this stuff is so complicated, our people just don’t understand it!” While the technical elements can be complex, the principles are often very simple: learning how to recognise a phishing or scam email, learning the principles of online safety, taking extra care when sending out data, and adopting the simple habit of picking up the phone to whoever has emailed you an “invoice for immediate payment” (using a number you already hold for them, not one given in the email). All of these are really simple steps that everyone can be taught.
Make your people the strongest element. Engage with them at every level of your organisation and make sure they are aware of how their actions affect the security of your business. Embed cyber security training into your 2017 workforce development plans (and indeed every year’s plan), and into performance plans and reviews.
You don’t have to spend a huge amount of money; there are some excellent free resources out there. A great place to start is the Government’s portal “Cyber security training for business”, where you will find many free online training resources: https://www.gov.uk/government/collections/cyber-security-training-for-business. But you do have to spend the time. Invest the same amount of time in your people as you did when you considered the technology. By truly engaging with them and training them, you are giving them the knowledge and awareness that will protect your business, your data and your reputation.