The 7th of February marks Safer Internet Day, and in today’s high-tech climate, organisations need to protect themselves from cybercrime and comply with data protection and IT security legislation. Although Safer Internet Day’s focus is on students and young people, it’s an excellent opportunity for Irish organisations to increase cyber awareness in the workplace.
Cybercriminals have developed a range of tactics to infiltrate organisations – and organisations without an effective IT security strategy can be susceptible to hacking, fraud and loss of customer data. Insecure networks, untrained employees lacking cyber awareness, and poor IT security policies can lead to failing to comply with regulations such as GDPR, resulting in hefty fines and the potential for significant reputational damage.
Employees are often the weak link in IT security – 95% of cyber security violations, such as phishing emails, malware, and ransomware, result from human error. A holistic approach to cyber security awareness can help reduce the risk of cyber attacks.
Implementing an information security management system and obtaining certification in standards such as ISO 27001 and Cyber Essentials can provide a robust framework through a process-based approach to monitoring and improving IT security.
IT security – 8 cyber safety tips for employees
1. Lead by example
Cybersecurity requires organisational leadership to model excellent cybersecurity behaviours and foster a culture of IT security across sites, departments, teams and individuals. Senior leaders should lead by example, communicating with employees about maintaining cyber security awareness. Leaders should actively support employee training, provide an open-door policy for reporting security concerns, and enforce, monitor and report on cyber security metrics.
While a dedicated IT security role within an organisation is helpful, ensuring that employees are clear on responsibilities and tasks, with leaders accountable for their actions, can help embed good IT security practices.
2. Implement IT security training
Cybercriminals constantly discover new strategies to break into networks. It can be a good idea to conduct regular and up-to-date staff security training. Organisations should train all their employees in how to spot common security issues and scams, such as phishing emails, and what to do if they spot a problem.
Ensure that training is recorded and updated with new threats, with employees undergoing refresher training annually.
3. Create a culture of cyber security
Employees can view cybersecurity as a distant issue that doesn’t directly affect their day-to-day role. Consider creating a positive culture relating to cyber security, and ensure employees discuss and understand how IT security issues can affect the organisation, customers and their role in the process.
- Put staff at the heart of all cyber security changes. Encourage employees to be a part of the decision-making process and ask them for regular feedback about which cyber safety techniques are or aren’t working.
- Demonstrate how day-to-day actions can prevent breaches and the impact if something goes wrong.
- Use real-world examples to demonstrate how social engineering can play out, such as when Dublin Zoo lost almost €500k after an employee unintentionally opened a phishing email that installed malware. Real-life examples help staff discuss and remember the importance of cyber security.
4. Make cyber awareness training engaging
Make training fun and lightly competitive: for example, run mock phishing emails to see whether staff can spot them, and reward those who do. Team exercises like this engage employees and help them retain important information.
5. Ensure clear communications
Ensure employees know how to report potential cyber security issues. Managers should provide clear directions on where to report social engineering attacks. Consider using organisation-wide screensavers and desk drops with information on how to report a problem. Use tools such as a dedicated phishing mailbox, monitored by the IT security team, to which employees can forward suspected phishing emails.
Reward employees who spot and flag security issues and encourage employees to err on the side of safety.
6. Regularly change passwords
Passwords like “12345” or “qwerty” are used by millions of people globally and are easily guessed by cybercriminals. Passwords based on children’s or pets’ names are also commonplace and can be easily deduced from an employee’s social media profiles.
Encourage staff to use hard-to-guess passwords and enact regular password changes.
Creating a secure password is important to protect your online accounts from hackers. Here are some tips for creating a strong password:
- Ensure employee passwords are at least 8 characters long.
- Avoid using easily guessed words like “password” or your name.
- Use a mix of letters, numbers, and symbols in passwords.
- Avoid using the same password for all of your accounts.
- Enforce a password policy of regularly changing passwords.
- Consider 2FA (two-factor authentication), where an employee must enter a code sent to a device such as a mobile phone in addition to their password.
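The password tips above can be turned into an automated check at the point where a password is set. The following is an added example, not code from the original article: the denylist of common passwords, the minimum length and the personal-detail terms are constructed for the demonstration, and a real deployment would use a much larger breached-password list.

```python
"""Password policy checker implementing the tips listed above (added example)."""
import hashlib
import string

MIN_LENGTH = 8  # the article's minimum length

# Constructed denylist: the passwords the article calls out plus a few others.
COMMON_PASSWORDS = {"12345", "123456", "qwerty", "password", "letmein"}


def password_hash(password):
    """SHA-256 hex digest used only for the reuse check in this demo.

    A real credential store should use a slow, salted hash such as bcrypt
    or Argon2; plain SHA-256 is used here so the example stays self-contained.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(candidate, personal_terms=(), previous_hashes=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: names (employee, children, pets) that must not appear.
    previous_hashes: hashes of passwords already used on other accounts, so
    reuse can be detected without keeping the other passwords in plaintext.
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")
    # Mix of letters, numbers and symbols: require at least three classes.
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if password_hash(candidate) in set(previous_hashes):
        problems.append("already used on another account")
    return problems
```

The reuse check is the one step most policies skip: comparing against hashes of the employee's other passwords catches the "same password everywhere" habit without the checker ever seeing those passwords.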
7. Establish a no-blame culture
Employees may feel embarrassed or anxious reporting unusual behaviour or activity that could be part of a cyber attack, such as downloading malware or falling victim to a phishing email. Employees may worry about the repercussions of blame from management and colleagues if they are held responsible for the problem.
To establish a no-blame culture about IT security, it is important to ensure everyone understands that mistakes are part of the learning process. Instead, employees should be encouraged to learn from their mistakes and to see them as an opportunity for growth.
Creating an environment where employees feel safe to speak up and flag issues is essential to IT security.
8. Encourage robust IT security when working from home
In the aftermath of the pandemic, more people are working hybrid or remotely, which can reduce the robustness of an organisation’s IT security.
As part of training and risk assessments, conduct assessments of employees’ home security set-ups, from home router firewalls and passwords through to whether other household members have access to work laptops and mobile devices. Consider 2FA for logging onto systems remotely, or deploy a virtual private network (VPN) to control network access.
Communicate with employees that work equipment is monitored, such as personal web browsing on organisation laptops, and outline processes and penalties for employees in breach of IT security rules in your employee handbook.