While most businesses understand the importance of cyber security and the need to have safeguards in place for employees, it’s equally important to consider non-technical steps you should take to keep data safe.
Here are our top non-tech ways to protect your business against security threats:
1. Training
The best way to make sure staff are aware of their responsibilities to business information is through training. You will already have an induction process in place for new staff, so include a section on cyber security awareness and their offline responsibilities as well.
Make sure they know what the company policy is on data protection and what to do in the event of a breach, and reassure them that you keep their personal information secure, protecting it in the same way as company data.
Set regular review sessions for each staff member – this can be every six months or annually, as appropriate – to let them refresh their memories and to ask any questions. If there have been any updates since their last review, share that information with them also.
And of course, if you introduce any major change, such as a new piece of software or cloud solution, schedule time for some focused training.
2. Policies and procedures
Have these clearly set out so they are easy for everyone in the company to follow, whatever level they’re at. Make them easily accessible and make sure that staff members review them regularly. Encourage managers and team leaders to support their staff to reread the policies and ask any questions.
Share with staff all relevant policies, including HR, finance (as it relates to them) and any others specific to their departments. Walk through each step in the IT and security procedures with new employees and during refresher training, to help them understand their role in information security.
3. Communication
Clear communication is key to business success, and this applies both internally and externally. Help staff by displaying posters or notices about the important business policies, such as password setting, accessing the internet and using their own devices (BYOD).
Also, communicate what staff need to do if there’s a data breach or a problem. Give them key contacts in the IT department, if you have one, and make sure they know who to speak to for an issue they’re having with their machine, and who to go to if there’s a possible security breach. If this happens, ensure there are ways for staff to communicate offline so they can be kept up to date with the situation.
External communications are also important. If you don’t have an internal IT team, or the problem requires specialist support, provide all staff with contact details for your third-party IT provider.
Have a policy around communicating with clients and suppliers too. If the servers go down or data is compromised, how and when should this be shared with interested parties, and how much do you tell them? Encourage staff to be careful when talking to suppliers and clients, to make sure they don’t accidentally share sensitive information.
4. Help staff understand their place in the business
If you want your team to help you to keep data safe and to reduce the chance of cyber criminals targeting your business, you need to make them feel engaged and a vital part of the company.
Share business priorities with them, how they can keep information safe and how to ensure business as usual if a breach or server failure happens. Share with them how you want to grow, so they can see where they can contribute to that growth. The more invested they are, the more care they will take to keep data safe.
Set out a chain of responsibility so everybody knows how to escalate a problem – this can be included in the staff induction. Outline who to contact in an emergency, when to speak to the IT support partner and what’s appropriate to pass to the internal team, and who their immediate superior is.
Include names of who to speak to if their contact is unavailable, and make sure you update all of these details if somebody leaves, gets promoted or the responsibility has passed to someone else.
5. Physical security
Are your servers and comms cabinets in a secured area? Is the door locked? Who has access?
Do you keep a log of key holders? Do you have a policy requiring keys to be kept on the person at all times and lost keys to be reported?
Encourage staff to be vigilant when there are visitors to the office, particularly if they ask for access to the wifi. Perhaps you want to make sure visitors are never left unattended once they’ve gone past reception, or that computers are locked while visitors are in the office.
Do you have windows through which the public or a member of staff can see your screen or watch you typing in a password? Could this be a risk?
6. Security awareness
General security policies should also be in place. One of the best and easiest ways to keep information safe is to use passwords on all devices and to state exactly what is and isn’t appropriate. You may also want to include a reminder to staff to lock their workstation when they leave their desk and agree on a policy for out-of-office notifications.
If you allow staff to take their work laptops home or to bring in their own smartphones and other devices, who has access to these? Give clear guidance on how to protect work machines when they’re out of the office, and remind staff to password-protect any business-related files and folders.
Likewise, encourage staff to be careful if they use or carry devices on public transport and, if they attend an event or conference, to keep laptops and smartphones either on their person, in their sight or with a trusted colleague.
How do you ensure your business is fully protected against cyber security threats? Do you have any other non-technical ways you use that we haven't included in the list above? We'd love to hear how you do this - why not let us know in the comments below.
Alternatively, if you would like to talk to an experienced member of our team about this topic or anything else cyber security-related, please don't hesitate to give us a call!