6 Tips for Creating a Positive Cyber Culture
We have written a lot about the various practical steps you can take to protect your business from a cyber-attack. Most businesses are aware of the importance of security measures such as firewalls, malware protection, and multi-factor authentication. But one of the most important factors – one that is often overlooked – is your people.
Think Concepts Regional Manager Gary Smith provides some practical suggestions on creating a positive culture around cybersecurity within your workplace.
Hacks happen… to everyone
Over the past few years, New Zealand businesses – from self-employed workers and small business owners to the likes of Air New Zealand and the RBNZ – have fallen victim to international hackers.
Hackers are using increasingly sophisticated methods of breaching digital security, and while most businesses have protected themselves with the usual security measures, there is still one point of potential weakness in every business – and that’s the human factor.
The irony is that sometimes it is the simplest of emails that gets through: it is a straightforward message that looks and feels ‘normal’, with nothing obviously sinister about it, so automated anti-spam filters cannot tell that it is malicious. That is where it is vital that the person on the receiving end can spot the subtle clues that should raise a red flag.
Tips for talking to staff
Creating a culture where staff feel positive and comfortable discussing cyber risks and policies is a crucial step in your cybersecurity plan. Here are a few steps to help get you started:
1. Make cybersecurity a comfortable part of the work conversation
While we don’t suggest flogging the issue at every staff meeting – in fact, if it’s a constant topic it could end up being ignored completely – cybersecurity should be commonplace enough that it’s front-of-mind for every staff member. At the very least, it should be a part of every new employee’s induction process. And depending on the business size and structure, the topic can be refreshed at staff meetings as needed. Find the balance that works for your business.
2. Use language everyone understands
Cybersecurity can become quite a technical subject, and it’s easy to assume that everyone understands the terminology you’re using. Bear in mind that, depending on your type of business, some staff may not be familiar with terms that are second nature to you. Use plain language and explain at a basic level rather than risk staff switching off, or not asking for explanations because they feel silly. Provide opportunities to ask questions, and check in with individual staff members if needed.
3. Keep it positive
In the past, it wasn’t uncommon for staff to be vilified or belittled if they happened to fall victim to a scam or clicked on a malicious link. Unfortunately, the fear of being seen as ‘silly’ or naïve means that many people don’t feel confident seeking advice on potential scams, or putting their hand up if they have accidentally allowed a breach. One idea is to introduce a bit of friendly competitiveness in your team. Let your staff know that sometime in the near future, the IT team will be running a harmless simulated phishing campaign, with prizes for the person or team who spots the most fake emails. This not only creates heightened awareness, but also a bit of excitement and positivity around the topic.
4. Have clear policies in place
It’s important to have robust policies in place that give staff clear guidance on what they should do if a potential threat arises. Take the example of a staff member receiving an email from a service provider requesting that a scheduled payment be made to a different account number (a sophisticated ‘man in the middle’ style attack that is very hard to detect). A policy stating that such requests must first be approved by a manager means the staff member doesn’t have to work out the best course of action on their own, because there is already a clear pathway to follow.
5. Keep security up to date
As much as we hope employees will never make mistakes and click on malicious links, it will happen. Therefore, it’s vital to ensure your IT infrastructure is as robust and well-protected as possible. We recommend regular security audits, including scheduled password reviews and antivirus updates, and having multi-factor authentication in place wherever possible.
Think Concepts offer a large range of cyber security products and services, including IT hygiene audits, employee training, comprehensive antivirus protection with ThinkProtect, and proactive dark web monitoring with Dark Web ID.
With businesses increasingly relying on technology and remote working, robust cyber security matters more than ever. Proactive solutions rather than reactive fixes will help safeguard your data and keep you ahead of even the savviest cyber criminals.
6. Have a response plan in place
No matter how careful or vigilant team members are, breaches do happen, so having a clear response plan in place is also important. Your plan should outline:
· Who employees should contact in the event of a breach (or potential breach)
· A list of roles and responsibilities for incident responders
· Obligations to any governing body, customers, or other stakeholders who may be impacted by the incident