It is well known that the majority of breaches in cyber security are caused by human error. Depending on which study you choose to look at, the figures are high: between 82% and 95% of attacks are found to have resulted from employee mistakes.
While these figures make for alarming reading, the good news is that if the majority of breaches are caused by humans, that also means that the majority of them are preventable.
Working with your IT and Security team will put some easy measures in place that go some way towards preventing the basic mistakes that we all make.
Ensuring staff use strong passwords is a good start. We tend to use associative passwords so we can remember them (e.g. pet names, wedding dates or kids’ birthdays – and of course the classic, Passw0rd!) and we then reuse these passwords across multiple accounts, making them vulnerable to credential stuffing and brute-force attacks.
Passwords do not have to be hard to remember – filled with a bunch of random letters, numbers and symbols (e.g. TnfjUO()78%^>mJRDEnF). You can make a password out of a phrase that is relevant to you. For example, Iliketogoforlongwalksonthebeachandwatchbeautifulredsunsets is stronger than Patr!ck1997.
The National Cyber Security Centre (NCSC) recommends a combination of three random words. You can check out their comprehensive guidance to approaching passwords here.
Multi-factor Authentication (MFA) is a simple and effective way of making sure you are the right person logging into a particular account and is easy to implement.
You can implement MFA (sometimes referred to as 2FA, depending on the number of factors) in different ways. It could be a code sent by text or email, or one generated by an app such as Google Authenticator.
Encouraging its use across your organisation reduces the risk of staff using weak passwords and in some cases can remove the need for passwords altogether.
Security Culture & Engagement
The best way to protect your business, however, takes longer: establish a strong security culture by educating your employees and getting them engaged with your security processes and protocols.
It is common practice to assume security responsibility is only for those in the IT and Security teams. However, to truly protect your business, you need the technical and the practical from the whole business – cyber safety is everyone’s responsibility.
And the key to success is engagement, i.e. make it fun.
More than paper-pushing
We know it’s necessary, but for those not familiar with the technical side it can be boring to read through multiple documents full of difficult-sounding phrases, and if all you have to do is tick a box at the end to say you’ve “read them”, the information won’t stick.
Procedures and protocols are important, especially when you need to protect yourself legally but why not gamify it?
Have a quiz on the documents and make it a competition with a leaderboard. Send the quizzes out by category to continually ensure staff are up to date. This means that not only are you assessing people’s knowledge of your security procedures, you are also incentivising staff to make sure they are well versed in them.
There’s nothing quite like experiencing something for yourself to see how it actually works. None of us thinks we’ll be the cause of a security breach or fall for a scam email, so showing how easily a mistake can be made is an effective way of engaging more people with security protocols.
- Can you see if an unauthorised person can enter the building because one of your staff members politely opens the door for them?
- What about falling for a phishing email that looks like it’s been sent from the MD?
- Can you leave a message on someone’s computer if they’ve left it open because they’ve got up to make a quick cup of tea?
- Maybe you could place an alien object in the office and see how long it takes for it to be reported?
Make sure to carry out engagement and gamification of security promotions across the full hierarchy of your business. C-suite members are just as fallible as the intern when it comes to cyber security breaches.
Making Security for Everyone
The consequences of a cyber security breach are extremely serious for a business but engaging your employees in security practices doesn’t have to be. Bring your Security, Marketing and People teams together to collaborate on how to effectively engage staff with your security measures.
By making the process fun and creating internal campaigns that familiarise your staff with the ways breaches can happen, you’ll be making your business more resilient. You’ll be opening conversations, creating positive communications and getting staff to ask more questions on security issues.
Good practice makes perfect and keeping security front of mind for your employees is only going to make your security culture stronger and therefore, your business more resilient.