Unfortunately, the use made by employees of a business’s technology brings with it various risks. It is critical for all staff to be aware of their personal security responsibilities and the requirement to comply with corporate security policies.

Summary

Businesses that do not produce user security policies or train their users in recognised good security practices will be vulnerable to many of the following risks:

What’s the risk of not managing your security?

1. Without a clear policy on what’s considered to be acceptable, certain actions by users may contravene good security practice and could lead to the compromise of personal or sensitive commercial information that could result in legal or regulatory sanctions and reputational damage
2. Staff may consider it acceptable to use their own removable media or connect their personal devices to the business infrastructure.
3. If users are not aware of any special handling or the reporting requirements for particular classes of sensitive information the business may be subject to legal and regulatory sanctions.
4. If users do not report incidents promptly the impact of any incident could be severe.
5. If users aren’t trained in the secure use of their business’s systems or the functions of a security control, they may accidentally misuse the system, potentially compromising a security control and the confidentiality, integrity and availability of the information held on the system
6. Users remain the weakest link in the security chain and they’ll always be a primary focus for a range of attacks (phishing, social engineering, etc) because, when compared to a technical attack, there is a greater likelihood of success and the attacks are cheaper to mount. It only requires one user to divulge a logon credential or open an email with malicious content for an attack to succeed.
7. A significant change in an employee’s personal situation could make them vulnerable to coercion and they may release personal or sensitive commercial information to others.

How can you manage the risk?

1. Produce a user security policy.  The business should develop and produce a user security policy (as part of their overarching security policy) that covers acceptable use.
2. Establish a staff induction process.  New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process.
3. Maintain user awareness of the cyber risks faced by the business.  Without exception, all users should receive regular refresher training on the cyber risks to the business and to them as both employees and individuals.
4. Monitor the effectiveness of security training.  Establish mechanisms to test the effectiveness and value of the security training provided to all staff. This should be done through formal feedback and potentially by including questions in the staff survey on security training and the business’s security culture.
5. Promote an incident reporting culture.  The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination.
6. Establish a formal disciplinary process.  All staff should be made aware that any abuse of the business’s security policies will result in disciplinary action being taken against them.

As always if you need any advice please get in touch.

Dave