Training employees to protect your data is absolutely essential for all businesses.
We have all seen the scary headlines of cyberattacks on companies and the loss of clients’ personal information to hackers, resulting in fines for data security breaches. Although it is essential that business owners understand the threats endangering their data and how to protect that data effectively, it is also vitally important that this knowledge is passed on to staff.
Your staff can be your best asset for making sure that client data is stored and accessed properly and that your business is compliant with data loss regulations. Training employees to protect your data should be included as part of the induction process, with regular refreshers when regulations are changed or updated to reflect those changes.
Most businesses will have a staff handbook detailing procedures and behaviours that are expected. It therefore makes sense to outline cyber security best practice, including their use of social media platforms and company devices, particularly when not in the office.
To help you we have identified ten main areas of risk where your business may be vulnerable to data security breaches to cover in your policies, education, and training.
1. Email use/phishing attacks
The main method of communication for most businesses is email which is used at every level for both internal staff and external suppliers and customers. But unfortunately, email is not the most secure method of sending and receiving information.
Your employees are your first line of defence against a cyberattack via email, so they need to be aware of methods used by hackers to gain access to your email server:
URLs can be faked
The sender’s address may not match the company the email is supposed to be from
Spelling or bad grammar may indicate the sender does not have a good understanding of English
Links contained in the email may contain malware or connect to a fake web site
Requesting personal information in an email is a definite sign that something isn’t quite right
Email attachments may contain malware or viruses
Company details in the footer may be different from the real company
Staff trained to spot phishing emails and malware can greatly reduce the risk of data security breaches from cyberattacks and the training should include what to do if they spot something suspicious:
Who do they report it to?
What should they do with the email?
Employees need to know how to report a suspicious email so it can be checked out. You can read more of our tips on email security in our blog ‘How secure is your email?’
If your business is located in Yorkshire or Lancashire We Can Help to improve your email security. Talk to the experts at SquareCubed today about the security benefits of email encryption or moving your business email to Microsoft 365.
2. Password protocol
It is important that your company’s password protocol is included as part of training employees to protect your data. Cybersecurity training and handbooks should include clear instructions about:
Strong password construction i.e. random phrases of characters and numbers
Frequency of password changes
Not to use one password for multiple accounts
No recycling or sharing of passwords
Don’t write passwords on post-its!
Businesses should also be clear whether employees may face sanctions, such as a verbal warning, if they are found in breach of password protocol. If you would like more advice on what constitutes a good password policy, take a look at this guidance published by the National Cyber Security Centre.
3. Multi-factor authentication
We would recommend multi-factor authentication (MFA) wherever possible for accessing accounts, especially those based in the cloud. MFA works by providing additional security via linking the user’s mobile phone to their account. MFA is now commonplace for banks and other companies as it provides an extra level of protection against hackers.
4. Removable media
Removeable media is any kind of portable storage that can be moved between devices such as USB drives, CDs, or SD cards. Training should include clear instructions when using these types of storage in your business and the associated risks of, for example, malware and copyright infringement.
5. Social media use
Training should outline the dangers of sharing company information on personal social media accounts. Giving away information about your business can result in hackers posing as employees to gain access to your system. If they don’t know already, staff should also be shown how to protect their social media account via privacy settings.
6. Internet use
Along with internet access whilst at work, training should also educate employees to be safe online, for example, making them aware of the dangers of using the same password for multiple accounts or downloading free software, especially to company devices.
7. Working from home or remotely
Since the pandemic and its effect on our working environment, many companies now offer working from home as part of a role. In addition, many people work away from their home or the office, visiting clients, seminars or exhibition. Employees working remotely need to understand how this impacts on their cybersecurity.
8. Public Wi-Fi
Further to the previous point, those working remotely need to know how to use public Wi-Fi without risking a data security breach. Training employees to protect your data should increase awareness of fake public networks and scams and encourage them not to share confidential information via public Wi-Fi.
9. Company mobile devices
Unfortunately, the increase in connectivity through mobile devices has also resulted in an increased risk of data breaches. Making sure employees receive security training specifically for mobile devices will reduce the risk to a business of losing data through malicious mobile apps. MFA or biometric authentication can reduce the security risk if a device is lost or stolen. A separate mobile security policy may be necessary for those using mobile devices for the majority of their work.
10. Physical security
Physical security is another topic that should be covered when training employees to protect your data. Topics to include in this part of security training are:
Locking away important/confidential documents – clear desk policy
Log off devices when not in use
Don’t write down passwords, or share them with anyone
Although all businesses have different security requirements, training employees to protect your data by sharing cyber security best practice, and by actively promoting awareness of what could go wrong, your staff will be an effective first line of defence against data security breaches. If your company lacks the resource or IT expertise to implement security protocols, make an appointment to talk to us at SquareCubed to find out how We Can Help you and your employees to stay safe online with email encryption, backups, disaster recovery, cloud migration and Office 365.