Jamie Randall is the founder of The Friendly Nerd, which provides practical and approachable cyber security training and awareness. He is also Technical Director of the IASME Consortium, the body that controls the IASME small business information security standard. Passionate about how small changes can make big differences in cyber security, he shared with us his thoughts on the impact that your staff can have:
Good news! We now care more about protecting our data than we used to.
Headline news about big companies such as TalkTalk and Wetherspoons losing their customer information through cyber-attacks has made many business owners stop and think about data protection. But are we putting into place the right kind of processes to stop these data breaches happening?
Basic errors by staff, from sending emails to the wrong recipients, to not encrypting USB sticks and using poor or default passwords, make up the vast majority of all data breaches reported to the ICO. It is these sorts of incidents which can cause significant harm to the individuals whose data is lost, through fraud and identity theft, and to the organisations themselves, who may face fines from the Information Commissioner's Office and negative publicity.
What is missing in most businesses is the provision of practical cyber security and data protection knowledge to non-technical staff, including managers, directors and general employees.
More good news is that most employees are now more aware of the threat of data breaches and, thanks to the explosion of social media, some have understood the notion of keeping safe online. The key is to tap into that basic idea of good practice at home, expand on it and bring it into the workplace:
- Have a clear figurehead for the messages about cyber security and data protection within your organisation. Ideally this shouldn’t be the IT department because staff are weary of their demands. HR or finance teams, oddly, can be a great source of messages on the subject, not least because they control access to employees’ pay and are often involved in existing training.
- Put out clear messages that set expectations on security and keep staff updated on recent trends and incidents, perhaps via email, intranet or regular team meetings.
- Regular staff training is a great way to get people on board with data security. One way could be to train directors and managers in cyber security and use them to pass the message on to wider staff via an awareness campaign. Alternatively, provide two levels of training: practical, day-to-day advice for general staff, and strategic advice for decision makers. Use online training to support rather than replace face-to-face training.
For more information and advice on this topic and more, Jamie is hosting a Masterclass in Data Protection at The Growth Hub on 9th March 2016. Keep an eye on our events calendar for other cyber security-themed events.