Nearly half of Australian SMEs say that human error is a notable risk to their data security, but fewer than 30% of small-to-medium businesses reported having trained their staff on information security policies, according to a 2016 study by ShredIt.
Human error is one thing, but cyber attacks are also increasingly common in Australia. In fact, ransomware attacks quadrupled in 2016 and are expected to continue to be a problem for small-to-medium businesses this year. Several Australian businesses were affected by the worldwide ransomware cyberattack on June 27, 2017, which hit more than 200,000 victims in more than 150 countries.
What strategies can your business use to protect your data from human error and malicious cyberattacks? We’ve put together a list of strategies that are now essential for Australian businesses, which are outlined in ISO 27001.
Use Effective Password Procedures
This sounds so simple, but it’s extremely important. Passwords are your company’s first line of defence against attacks. While it’s tempting to use passwords that are easy to remember and universal across all platforms, do what it takes to avoid this common, dangerous practice.
Best practices for password procedures include changing passwords regularly and using a combination of symbols, numbers, upper and lower case letters. As you train your employees about these password procedures, emphasise the reasons behind password policies. These best practices are not an effort to make their lives more difficult; in fact, dealing with the aftermath of a cyberattack is much more difficult than changing passwords on a regular basis.
Limit Access to Information
Sensitive data is put at risk when too many people have access to it. If an employee holds a file on their computer that they are not responsible for and have no need of, that file is unnecessarily exposed to attack, or to loss through carelessness.
You can help to protect your data by allowing staff access only to the information their roles require. Do this by setting controls over what information is available to different staff levels. Additionally, create confidentiality agreements to be signed by all staff members. This should include everyone with access to the premises, such as maintenance and cleaning staff. Such agreements not only protect the business, but they also protect your staff. If someone asks them for information, they can say, “Sorry, I signed a confidentiality agreement.”
Use Encryption on Devices
Any device that holds sensitive company data should be encrypted. Effective file encryption converts data into ciphertext that cannot be read without the decryption key. It’s a fairly simple security measure, but it’s also extremely helpful. If a staff member loses a laptop, you don’t have to worry that the person who finds it will be able to read any of the data on it.
Keep Tabs on Removable Media
Small items like USB sticks, smartphones, digital cameras, and portable hard drives can all contain large amounts of sensitive data, but they’re easily misplaced and difficult to track. Also, for someone who would like to steal data, these devices are unlikely to arouse suspicion, and they’re easy to slip into a pocket or other small space. Address this risk by training employees on how to use removable media, and by installing encryption, two-step verification, and other controls on these devices.
Provide Regular Training on Security Issues
Technology is constantly changing, so it’s important to regularly update your staff about new data security threats. Everyone is busy focusing on their important roles, so it’s good to take some time out to remind employees about changing passwords, remembering removable device protocols, and so forth.
Cyberattack perpetrators are constantly working to develop new ways to access sensitive data, so you need to also be on your guard. Learn what you can about new threats, and include this information in your regular employee training meetings. A little prevention can go a long way toward protecting your company’s sensitive data.