Earlier this year, Nationwide commissioned Edelman Intelligence to conduct a 20-minute, online survey among 1,000 U.S. business owners with between 1 and 499 employees. They found that while as many as 76 percent of business owners believe it’s important to establish security practices and policies to protect sensitive information, just 47 percent have actually established security practices and policies.
Having best practices and policies in place, properly training employees, and holding them accountable can be the difference between running a successful business and courting disaster in the digital age. These ten tips can help keep your business safe.
1. Make following protocol a priority
The number one priority when it comes to employee training should be making sure they understand that they are part of what keeps business data secure. If they don't follow protocol and keep the devices they use protected, they can become the weak link in an otherwise secure network, giving malware a foothold in the system. Make sure they have the proper security software and tools on their machines, that they understand what those tools do, and that they know what is expected of them (for example, not disabling or ignoring them).
Ideally, any software in use will receive automatic updates, but employees should be able to spot if there are any issues and know who to talk to (such as someone in the IT department) in the event that something goes wrong.
2. Have policies in place that keep sensitive data safe
You need to have formal policies written out, and you need to share these documents with all employees. But it's not enough just to share the documents and expect employees to read them in their entirety and absorb all of their contents. Discuss every part of the policies during the training process. It may even benefit you to give trainees tests on the content to confirm they really are absorbing it.
3. Teach employees about cyber threats and accountability
Employees must understand the serious nature of cyber threats and proceed accordingly. Make sure they understand how cyberattacks can damage businesses and that they know that if they violate protection policies, they will be held accountable for doing so.
4. Require strong, unique passwords
Everybody knows that strong passwords help keep accounts safe, but how many people actually follow that advice? Go out of your way to ensure trainees know that every work account needs a long password (a passphrase of several unrelated words works well) that is not reused anywhere else, and provide a password manager so that this is realistic. Current guidance (NIST Special Publication 800-63B) no longer recommends forcing password changes on a schedule, because mandatory rotation pushes people toward predictable variations of the old password. Instead, require a change whenever a password may have been exposed, such as after a phishing incident or a breach at another service where it was reused, and screen new passwords against lists of common and previously breached passwords. Turn on multi-factor authentication wherever it is available, especially for email, remote access and financial systems. Avoid assigning passwords centrally or keeping copies of them; the goal is a password only the employee knows, backed by a second factor. Instruct them to keep passwords out of public view, both online and off.
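The screening step described above, as an added example that is not part of the original article: a small Python policy check that rejects short passwords, passwords that appear in a common-password list (including leetspeak and trailing-digit variants such as "P@ssw0rd2024"), passwords containing the username, and passwords built from one or two repeated characters. The denylist is a constructed stand-in for a full breach corpus, and the 12-character minimum is an assumed organisational setting.

```python
import re

# Constructed, deliberately tiny stand-in for a breached-password corpus
# (a real deployment would load a full list such as a Have I Been Pwned export).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}

MIN_LENGTH = 12  # assumed organisational minimum; NIST SP 800-63B requires at least 8

# Undo the usual "leetspeak" substitutions so that "P@ssw0rd" is recognised as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case and undo leetspeak; used only for denylist comparison."""
    return pw.lower().translate(_LEET)


def check_password(pw: str, username: str = "", denylist=COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Compare the password, and the password with trailing digits/symbols removed
    # ("Password2024!"), against the denylist after undoing leetspeak.
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if any(normalize(c) in denylist for c in (lowered, stripped) if c):
        problems.append("appears in the common-password list")

    if username and username.lower() in lowered:
        problems.append("contains the username")

    if len(set(lowered)) <= 2:
        problems.append("uses only one or two distinct characters")

    return problems


def is_acceptable(pw: str, username: str = "") -> bool:
    return not check_password(pw, username)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2024", "jsmith2024!!", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate, username="jsmith") or "OK")
```

Note that the check runs on the plaintext the user just typed, before it is hashed and stored; nothing here is suitable for evaluating passwords you already hold only as hashes.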
5. Enforce policies around payment cards
The U.S. Small Business Administration says, "Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet."
These are good tips to keep in mind, especially when training employees. Once again, be sure they understand that they are accountable if they use company cards and/or devices on which cards are used.
6. Require backup of all important data
Trainees need to understand that the data they create and/or deal with belongs to your company, and that this data needs to be kept safe. That doesn't only mean that it needs to be protected from attacks; it also needs to be backed up in case of any type of disaster, including something as simple as hardware failure or a ransomware infection that encrypts the working copy. Make sure they know how to back up data using the methods described in your policies, and have someone periodically restore a file from a backup to confirm that the backups actually work. A backup that has never been restored is untested.
7. Only allow devices to be used by authorized individuals
Any computers, tablets, mobile phones or other electronic devices should only be used by employees who are authorized to use those specific devices. During the training process, stress the importance of obtaining authorization to use any device. Make sure trainees know that they should not use any device without authorization and that they should not let anyone else use their devices without authorization.
8. Create web content securely
Attackers routinely probe websites for exploitable flaws, such as unvalidated input, injection bugs and out-of-date components, which means that anyone who may be creating or updating web pages should know how to do so securely and how to avoid introducing weaknesses that cybercriminals can exploit. Of course, only those authorized to do so should be updating any company websites. This is even more important on any pages that connect to sensitive information, such as customer records or payment data.
9. Prohibit unauthorized software
It should go without saying that unauthorized software should not be allowed on corporate devices, but you may need to make a point to discuss this during the training process, because even if there is no ill intent, employees may not think twice about adding software to their machine. They must be made aware that this is unacceptable.
10. Train on proper email use
Last, but far from least, you should discuss email use. As you know, email is one of the most common ways criminals reach employees. Educate trainees on spam and phishing, and help them understand how to identify illegitimate emails: a sender address that only resembles a familiar one, a Reply-To address that differs from the sender, pressure to act urgently, and links whose visible text does not match where they actually point. Tell them to verify any unexpected request for money, credentials or sensitive data through a separate channel, such as a phone call to a known number, and make sure they know how to report a suspicious message.
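The indicators listed above, as an added example that is not part of the original article: a Python check that parses a raw message with the standard library's email module and flags a look-alike sender domain, a Reply-To domain that differs from the sender, urgency language in the subject, links that point at a bare IP address, and links whose visible text names a different host than the href. Both sample messages are constructed for this illustration; the trusted domain example.com and the addresses in the samples are assumptions, not real data.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own mail domain(s). Sender domains one or two
# characters away from these are treated as look-alikes.
TRUSTED_DOMAINS = {"example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspended)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "Example Payroll" <payroll@examp1e.com>
Reply-To: accounts@mail-relay-847.net
To: jsmith@example.com
Subject: URGENT: verify your direct deposit within 24 hours
Content-Type: text/html

<p>Your payroll account has been suspended. Click
<a href="http://198.51.100.23/login">https://portal.example.com/payroll</a> to verify.</p>
"""

SAMPLE_LEGIT = """From: "IT Helpdesk" <helpdesk@example.com>
To: jsmith@example.com
Subject: Reminder: monthly security training on Thursday
Content-Type: text/html

<p>The session link is <a href="https://training.example.com/session">https://training.example.com/session</a>.</p>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw: str, trusted=TRUSTED_DOMAINS) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw)
    found = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    if from_dom and from_dom not in trusted and any(edit_distance(from_dom, t) <= 2 for t in trusted):
        found.append(("lookalike-sender", from_dom))
    if reply_dom and reply_dom != from_dom:
        found.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))
    subject = msg.get("Subject", "")
    if URGENCY.search(subject):
        found.append(("urgency", subject))

    for href, text in LINK.findall(body_text(msg)):
        href_host = host_of(href)
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if IPV4.fullmatch(href_host):
            found.append(("ip-link", href))
        if re.match(r"(https?://|www\.)", visible, re.I) and host_of(visible) != href_host:
            found.append(("link-mismatch", f"shows {host_of(visible)}, goes to {href_host}"))
    return found


if __name__ == "__main__":
    for name, sample in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(name, phishing_indicators(sample) or "no indicators")
```

These heuristics are teaching aids for the training session, not a spam filter: a message with no indicators can still be malicious, and the out-of-band verification step in the text above is what actually protects the business.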
For tips on how to prepare for cyberattacks, see this article.
Nationwide commissioned Edelman Intelligence to conduct a 20-minute, online survey between April 9-20, 2018, among a sample of 1,000 U.S. business owners. Business owners are defined as having between 1-499 employees, being 18 years or older and self-reporting as either a sole or partial owner of their business. The margin of error for this sample was +/-3 percent at the 95 percent confidence level. As a member of CASRO in good standing, Edelman Intelligence conducts all research in accordance with Market Research Standards and Guidelines.