Although attack techniques are getting increasingly sophisticated and can break into even robustly protected systems, most security breaches are still caused by human error.
Employees who are ill-informed, act without thinking it through, or don't ask for advice are the most likely people to click on something they shouldn't, whether that's a link in an email or an inadvertent download that infects not just their own machine but the entire business server.
To reduce the risk of this happening, we’ve put together a checklist for you to share with your teams.
Cyber Security Checklist
1. Staff training
All new staff members should have cyber security awareness training as part of their induction process.
Share your company policies with them, explain their responsibilities, and tell them what the company does to keep their own data safe too. Schedule regular refresher training so that staff know how to keep data safe, and use it to tell them about any updates or changes to procedures.
Ideally, have a regular online training program so that it is always at the front of their mind - 10-15 minutes a month has a great impact.
2. Policies and procedures
Have these clearly set out so they are easy to follow by everyone in the company, whatever level they’re at. Make them easily accessible and ensure staff members review them regularly.
Encourage managers and team leaders to support their staff to reread the policies and ask questions.
3. Phishing
Explain what phishing is and the kinds of tricks used by cyber criminals. Ask staff not to download software and encourage them to report any suspicious-looking links, email addresses or requests for information. Help them understand that it's better to be safe than sorry, and to report anything they're unsure of, no matter how small it seems.
A great way to make them aware of phishing attempts is to send simulated test phishing emails - it's better to make the mistake on a test than for real.
4. Have a clear chain of responsibility
If an employee is concerned or uncertain about anything, who do they report to? Are they able to raise basic queries with the IT department or support company to get answers quickly? Who do they report to in the event of an absence of their key contact?
Document who these people are, as well as the contacts in the event of an incident.
5. Passwords
Have a policy in place to ensure staff have strong, hard-to-guess passwords. Try not to enforce rigid complexity rules, because users will often take the path of least resistance. Requiring an uppercase character, a number and a special character tends to produce Ronaldo1!, and if you also enforce regular password changes, that becomes Ronaldo2! or RonaldoDec2019!.
The best advice for users is three random words that only they will remember, such as BalletPlaystationCooker, or perhaps a favourite film quote with something changed, such as DoYouFeelLuckyFloppsy? Further password advice is available from the NCSC.
6. Unsecured wifi
Do not run a wifi network that anyone can join. Require a password or a sign-up process to gain access, and offer visitors a guest wifi network that is separate from the one you use internally.
Encourage staff not to use unsecured wifi while they're out and about with their own or company-issued devices either - it's easy to set up a fake airport or coffee shop hotspot to steal your employees' credentials.
7. Display key information prominently
There’s no harm in gently reminding people about their responsibilities. Put up posters reminding staff about the company policies around passwords, accessing third-party sites and anything else that’s important to the business.
8. Restrict access
The majority of your employees don’t need access to everything you have stored on your systems. Password-protect or otherwise restrict access to only the information that staff need to do their jobs. This reduces the impact of an attack.
9. Have a BYOD policy
With flexible and home working on the rise, more employees are using their personal smartphones for work purposes. Decide whether or not to allow BYOD (bring your own device) and implement a company-wide policy.
If people ARE allowed to use them, restrict access to certain data and consider how you’re managing that access in the event that they’re lost.
10. Thumb drives and portable storage devices
Staff may also want to use their own memory sticks so they can access work files on their home computers. Again, decide whether you want to allow this. Be aware of the risks of employees taking information off-premises and how easily a small thumb drive can be lost.
Our advice is to allow only company-approved encrypted devices.
11. Dropbox and cloud storage
Ask staff not to use Dropbox or other free or public cloud storage to transfer or store files and folders.
If you have people working from home, either give them access to a secure drive or invest in a private cloud storage facility that you can protect. If it’s in a location you don’t administer, you no longer have control of that data.
12. Share the business priorities
Explain to all employees the most important part of what your business does and what you need in order to keep business running as usual. Then tell them how they can help to keep those things safe. By involving them in this, they feel more invested in the company and are more likely to be security-conscious.