Dawn Robertson: Cyber security begins with workforce
There is the smell of panic about the recent spate of cyber-security breaches. Major companies, including TalkTalk, British Gas, Morrisons and M&S, have been hit by breaches in their security systems, with customer and staff files being exposed.
Yet, for most medium-sized businesses, the biggest threat is likely to be a disgruntled member of staff.
Fundamentally, a company’s security is at risk from the moment you start employing staff. The starting point in protection is a robust recruitment process, yet that is difficult to undertake unless you have external vetting of candidates.
Progressive companies issue a mission blueprint which explains what kind of behaviour is expected from an employee. This is part of the induction programme ensuring the business has robust policies relating to IT and use of mobile phones and social media at work.
Other issues include a policy on passwords. The importance of data protection policies in your business should be relayed to staff. These need to be regularly reviewed and updated with staff reminded of their content – and their responsibilities. Then there is the issue of an unsuspecting employee clicking on a bogus link that allows a virus to infect a system. It is the responsibility of the business to update staff on current threats from criminal hackers.
Above all, it is about creating a good organisational culture. Do staff go the extra mile to ensure the safety of your business? If they feel happy, motivated and trusted to do a good job for the business, they will want to protect it. Of course, this will not eliminate the risk of a manager leaving his or her laptop in the pub after a night out, but building a culture where staff are alert to risks and notify management of anything unusual is vital.
Then there is the issue of how you watch your staff without being overtly ‘Big Brother’. Employees need to understand that their emails and work are being properly monitored, and that this is for their protection. Here some give and take about personal usage and personal calls has to be agreed and made part of the process.
Staff retention is always the goal of a well-run business, but people do move on, not always of their own volition. Here it is important to manage this in a fair and structured way. So how does the business treat its leavers when they move on? Good password policies and stringent checklists will go a long way towards ensuring security, but staff leaving on good terms will minimise the risk that they will use their knowledge of the systems for criminal purposes.
• Dawn Robertson, a solicitor with Edinburgh Employment Law, is also a member of Edinburgh-based United Employment Lawyers, a collaborative network of legal firms in 60 locations across the UK.