You know when you’re a little bit late leaving the house? The minute or so you spend getting into your coat and out of the door can become a bit of a blur as you grab your bag, stuff your phone into your back pocket and try to hold the dog in with one foot so he doesn’t follow you out. You pull the front door behind you and…click. It’s locked. Patting down your pockets, you realise that in your haste to get out you’ve left your keys in the house and there’s no getting back in unless:
- You can get your other half to drive 35 miles back from work
- You call a locksmith
This scenario is an inconvenience (and one that many of us have experienced) but the upside is that whilst you’re going to have a bit of a wait and potentially some expense, no-one else is getting in. Essentially, your home is secure. The money that you spent on getting the 5-lever mortice lock that is so beloved by insurers is doing its job of keeping out anyone who doesn’t have a key.
Having decent locks fitted to your house is the first step in good home security. From here you might want to move on to CCTV connected to an app, security gates and if your profile is high enough (and your pockets deep enough) you could even employ a security guard to ward off threats before they get close to your walls.
The same applies for cyber security. There’s are some basic, inexpensive things that you must do before you even consider adding the bells and whistles which is why this post – the fourth in our Cyber Security Series – is focused on helping you articulate to the rest of your business why cyber security begins at home.
Your starting point
The first thing it’s vital for everyone in your business to understand is that it’s not possible for any organisation (or person) to be 100% secure against cyber threats. As the National Cyber Security Centre (NCSC) points out – every one of the 5.7million businesses in the UK, along with government, military and third sector organisations (and every person with a digital account) is a target. The role of every individual – whether as an employee, a CISO or someone with an online bank account – is to make sure cyber criminals don’t have an open door to access our data.
Cover your essentials
If you’re having to explain the basic principles of cyber security to employees, the Cyber Essentials programme www.cyberessentials.ncsc.gov.uk is a great place to start. As a government-backed, industry-supported scheme, Cyber Essentials helps organisations protect themselves against common online threats. Straightforward and easy to understand, it makes for valuable reading for everyone – not just IT professionals.
The self-help section is particularly useful as it provides a clear explanation of, and advice on, five basic technical controls.
- Virus protection
- Updating devices
- User access controls
- Security settings for devices and software
You may also want to apply for Cyber Essentials certification. Costing £300, this involves assessment via an external organisation and (provided that you pass) gives you certification plus a listing in the Cyber Essentials directory. For small businesses in particular, this helps to reassure customers that you take cyber security seriously.
An important conversation
Another effective activity is to engage employees in a consumer-based cyber security conversation because, despite prolonged efforts on the part of security professionals and software vendors, people are still making it easy for cyber criminals. A new survey from the Government’s Cyber Aware campaign in partnership with Experian revealed 52% of respondents aged 18-25, and 27% of respondents from all age groups, reuse their email password across multiple accounts1. But it’s not just about slightly worrying statistics, Cyber Aware provides free online resources that offer solid advice on topics such as the value of a strong password in reducing fraud susceptibility.
Another excellent resource to share with employees is Get Safe Online – a public / private sector partnership with an emphasis on providing fact-based, unbiased, advice. The site spans a range of subjects from how to avoid phishing emails designed to exploit tragedies such as the Indonesian earthquake and tsunami, to how to discuss internet safety with young children.
Hey Google, are you listening?
And what about connected devices? According to the NCSC, by the end of 2018 the IoT will be made up of 11bn devices worldwide2. With many of these deployed in a home environment, questions are being raised about the implications of the type of data that they collect and the conversations they might ‘overhear’. A Sophos blog on the topic has a lively and interesting thread which is worth a browse and offers potential topics that you could discuss within your business – giving you the opportunity to talk about cyber security in a context that everyone will have an opinion on.
Creating the right culture
Whilst cyber security is the responsibility of everyone within a business, we believe in owning the conversation, IT can demonstrate further leadership, deliver additional value to employees and proactively seek out cross-business partnerships. Examples of this might include partnering with HR to add cyber security to the induction process or with sales to set up a customer cyber security forum.
We believe that encouraging employees to discuss how they can better protect themselves at home, and helping them to do so, creates a culture where people are more alert to potential cyber threats and more careful about protecting corporate assets – so whether they’re logging-in, signing-out or walking out of the office door, the network’s safely locked behind them.