With a steady rise in online threats and a heavier reliance on the IT environment for business activities, it has become increasingly important for businesses to re-evaluate their IT security policies. When talking about IT security, we often consider the IT infrastructure, security programs and backups. What is often forgotten is the human factor which should be considered equally, if not more important.
Kaspersky Lab’s study of over 5,000 businesses globally found that ‘in 46% of cybersecurity incidents in the last year, careless/uniformed staff have contributed to the attack’. By implementing some simple policies and procedures you may be able cut the amount of security incidents in half!
Back to Basics
Some essential steps to reducing the human factor include installing quality antispam and antivirus software, implementing software restriction policies on all computers, implementing simple restrictions to stop users downloading “.exe” files and having restricted use of administrator rights to only essential users.
Additionally, have a security policy that outlines the user’s rights and responsibilities regarding their use of the IT environment. Outline your policies and build this outline into your employee induction.
Another useful tip is to add a module to your staff induction that covers security, including:
Where to find it, how to interpret it and who to contact should they have any questions relating to its contents.
Use of resources
Reasonable expectations relating to the use of company IT resources, be it for business or personal use.
Outline what restrictions are present to reduce the risk of security incidents as well as explaining the company’s clean desk policy if there is one.
Inform users that computers are to be restarted regularly to ensure any patches or security updates are applied as soon as they are available.
The company’s policy regarding the use of personal devices for business purposes, as well as the policy for connecting devices to the corporate network when they are not administered or maintained by the company, i.e. BYOD (Bring Your Own Device).
Password protection on all devices that contain company information including mobile devices that have access to company emails and contacts, routinely locking any device that is not in use and appropriately protecting the device from loss or theft.
Outline types of threats and simple ways to recognising threats such as:
Outline simple ways of recognising threats and types of threats such as:
- Phishing through email and social media
- Malware infiltration through email and web browsing
- Insider theft/malicious compromise of data
- Physical theft of hardware
A short review of how to recognise compromising emails and suspicious web activity as well as the company’s procedure for reporting such things as they arise will help cement the user’s understanding.
We recommend you also make it a policy to regularly communicate with staff about the importance of security and relevant issues that may affect them. For example, a quick email to all users following a ransomware outbreak containing details of the attack will ensure security is at the forefront of their minds in the coming days and will keep them vigilant.
When dealing with security breaches time is a critical factor in mitigating possible consequences. Being aware that an incident has occurred and taking decisive action is vital rather than appointing blame. Remember that your staff and users have access to valuable corporate information. Invest in training, foster communication and empower the team to raise questions, concerns or mistakes. Prevention is much better than cure!
IT security requires the right systems and training in place and empowering your staff. There are many approaches and no one size fits all solution for protecting the organisation. The most important thing is to ensure that security is always on the priority list, your systems are maintained and staff are informed.
About F1 Solutions
For over 20 years F1 Solutions has been building quality software solutions for Federal and State Government departments, small and large not-for-profits, and businesses in Canberra and across Australia. We also provide organisations with trusted IT support and advice, as well as a range of other services.