Every week there are stories about security breaches and guidelines issued on improving security to avoid breaches; from trade bodies, industry experts, software vendors and the Government. For many SMEs, the whole subject can be confusing. Is this something they should be concerned about? And do you, for example, have to do everything in the guidelines or just some things? This series of blogs provides an introduction to Information Security and what it means for an SME.

Previous blogs looked at what Information Security means https://www.tiptopmedia.co.uk/blog/what-is-information-security and if this is relevant for your business https://www.tiptopmedia.co.uk/blog/is-information-security-relevant-for-my-business protecting physical assets https://www.tiptopmedia.co.uk/blog/information-security-protecting-physical-assets and protecting electronic assets https://www.tiptopmedia.co.uk/blog/information-security-protecting-electronic-assets. This blog takes a high level look at how to deal with the human factor.

What is the human factor?

Anything to do with security breaches caused by deliberate actions of employees or from accidental disclosure. 35% of current employees are the source of security incidents according to the PwC 2016 Global State of Information Security Survey http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html. An IBM survey http://www-03.ibm.com/security/services/2014-cyber-security-intelligence-index-infographic/index.html reported that 95% of all security incidents involve human error.

In many ways, protecting physical and electronic assets through the use of software and access controls is the easy part of being secure. Checking the status of your anti-virus software is not difficult, but how do you know if employees are doing the right things to protect against scams and, for example, not reading sensitive information in public places where anyone can see them? It isn’t possible. The main answer is to educate employees on what they need to do and make them part of the solution, not the problem.

Educating employees

The induction process needs to include a short session on what staff are expected to do and their responsibilities. Employment contracts must include references to treating information securely and the consequences of non-compliance. Hold an interactive session with some follow-up reading, rather than just giving out documents to read. The format of the session could be:

  • Examples of what happens when there is a security breach.
  • Where company information is stored.
  • The company approach to
  • What is acceptable and staff responsibilities.
  • Where to go to find out more information.
  • How to report issues and ideas.

When someone leaves

Make sure access to all local and cloud services logins are closed down straight away. There should be a leavers checklist to ensure consistency.

The last blog in our Information Security series will look at how improved information security can grow your business.

Other blogs in this series

What is ‘Information Security’? https://www.tiptopmedia.co.uk/blog/what-is-information-security

Is Information Security relevant for my business? https://www.tiptopmedia.co.uk/blog/is-information-security-relevant-for-my-business

Protecting physical assets https://www.tiptopmedia.co.uk/blog/information-security-protecting-physical-assets

Protecting electronic assets https://www.tiptopmedia.co.uk/blog/information-security-protecting-electronic-assets

Find out more on how to improve your information security at http://wadiff-consulting.co.uk/first-step-to-improving-information-security/

 

Ian Grey
WADIFF Consulting