Information Security and your staff

20 Sep, 2017

Updated: January 2023

Most businesses appreciate by now that improved secure technology is a good way to protect your biggest business asset, your data.  No doubt as a business you have various technological improvements in place to assist your information security.

But do you realise that your staff can be your biggest information security threat?

Have you considered the following which are all examples of how employees can breach your information security?

• Opening unknown e-mail attachments;
• Forwarding suspicious e-mails;
• Clicking links in e-mails;
• Visiting unsecure websites;
• Leaving confidential paperwork on desks;

And what about these ones?

• Holding conversations about clients in open plan reception areas;
• Allowing unauthorised individuals to wander around your office;
• Leaving computer screens open;
• Taking paperwork out of the office;
• Home working;
• Working on public transport;
• Using their own devices for work purposes.

So what can you do to help your staff become part of the information security solution for your business not the problem?

Robust Procedures

It goes without saying that the starting point has to be putting robust policies and procedures in place.  All businesses should have something in place in this regard.  If you haven’t already, create policies and procedures that are relevant to your business.  These should not be complex or overly long but cover all the things needed to protect your business such as e-mail usage, internet usage and document control.  Polices should be in plain English and avoid jargon.

Policies should be easy to access by staff and regularly updated to take account of the rapidly changing nature of information security knowledge.

Relevant Training:

On policies

You can have all the great policies and procedures you like but if you don’t train your staff in their usage they are all but useless.  Therefore staff training is essential.  All new starters upon induction should be made aware of the policies.  It is best practice to get them to sign that they have read and understood these policies.

As for existing staff, they should be trained as part of integration of the policies.

Staff should be made aware of the importance of the policies i.e. that they are not just there to make their job more difficult.  Staff may try to circumvent processes and procedures if they feel that they are slow.  However, frequent reminders that they are in place to provide a method for securing confidential data will help avoid this.  Further, it will probably serve you well to remind employees that as their employer you hold significant confidential data on them and therefore any data breach could have an impact upon them not just your clients.

On the basics of information security

Whilst it’s a good idea not to seek to scare employees with too much information, teaching them the basics of good information security habits/terms is a good thing.

Firstly, all employees should be made aware of the following:

• Spam
• Malicious e-mails
• Phishing whereby e-mail or malicious websites are used to collect personal or financial date or infect machines with malware/viruses;
• Spear phishing targeted against smaller groups;
• Password usage (see our previous article on effective password management here)
• Confidential waste;
• Data encryption in e-mails;
• Securing paper files in filing cabinets;
• Clean desk policy;

Secondly, all employees should be reminded that any updates that are prompted by their computer/tablet/mobile should be done immediately.  It is easy to hit ‘cancel’ when these pop up but it is important to have the most up to date software to handle the most recent viruses and bugs.

Ongoing Training

Training of staff should be ongoing.  Even if your polices don’t change, ongoing staff training acts as a useful reminder for staff about the things they should be doing to minimise your threat of an information security breach.  Further it helps to keep on top of emerging threats and how to deal with them.  As a minimum we would suggest quarterly updates for staff.

Open reporting environment

The key thing for employees is to create a safe environment for them to report if they feel either that they have breached your information security policy or if they feel another member of staff has.  Employers should operate on a no blame basis where employees learn from errors to ensure that the same thing does not occur again.

For more information on information security and how ISO 27001 can help you and your staff please click here or contact our office on 0330 058 5551 or email info@isoqsltd.com.