Cybersecurity employee training best practices
Earlier this year, Nationwide commissioned Edelman Intelligence to conduct a 20-minute, online survey among 1,000 U.S. business owners with between 1 and 499 employees. They found that while as many as 76 percent of business owners believe it’s important to establish security practices and policies to protect sensitive information, just 47 percent have actually established security practices and policies.
Having best practices and policies in place, properly training employees, and holding them accountable can be the difference between running a successful business and courting disaster in the digital age. Following are some tips to help keep your business safe.
1. Make defending your systems against viruses and other malicious code a priority for employees.
The number one priority in employee training should be making sure employees understand that they are part of what keeps business data secure. If they don't follow protocol and keep the devices they use protected, they can be the weak link in an otherwise secure network, giving viruses or other malicious code a way into the system. Make sure they have the proper security software and tools on their machines, and that they understand how those tools work and what is required of them.
Ideally, any software in use will receive automatic updates, but employees should be able to spot if there are any issues and know who to talk to (such as someone in the IT department) in the event that something goes wrong.
2. Make sure you have policies in place that keep sensitive data safe.
You need to have formal, written policies, and you need to share these documents with all employees. But it's not enough just to hand out the documents and expect employees to read them in their entirety and absorb all of their contents. It's a good idea to discuss every aspect of the policies during the training process. It may even benefit you to test trainees on the content to ensure they really are absorbing it.
3. Be sure employees are aware of threats and enforce accountability.
Employees must understand the serious nature of cyber threats and proceed accordingly. Make sure they understand how cyberattacks can damage businesses and that they know that if they violate protection policies, they will be held accountable for doing so.
4. Require every employee to use strong passwords and to change them on a regular basis.
Everybody knows that strong passwords help keep accounts safe, but how many people really follow this common advice? Go out of your way to ensure trainees know that they must use a strong password, and that they must change their password on a regular basis for increased safety. It may even be best to assign them passwords (on a regular basis). Instruct them to keep their passwords private, both online and offline.
5. Enforce policies around payment cards.
The U.S. Small Business Administration says, "Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet."
These are good tips to keep in mind, especially when training employees. Once again, be sure they understand that they are accountable if they use company cards and/or devices on which cards are used.
6. Require backup of all important data.
Trainees need to understand that the data they create and/or handle belongs to your company, and that this data needs to be kept safe. That means not only protecting it from attacks, but also backing it up in case of any type of disaster, including something as simple as hardware failure. Make sure they know how to back up data using the methods described in your policies.
7. Only allow devices to be used by authorized individuals.
Any computers, tablets, mobile phones or other electronic devices should only be used by employees who are authorized to use those specific devices. During the training process, stress the importance of obtaining authorization to use any device. Make sure trainees know that they should not use any device without authorization and that they should not let anyone else use their devices without authorization.
8. Ensure anyone creating web content does so securely.
Attackers frequently look for exploitable code on websites, so anyone who creates or updates web pages should know how to do so securely and how to avoid leaving openings for cybercriminals to exploit. Of course, only those authorized to do so should be updating any company websites. This is even more important on pages that connect to sensitive information.
9. Discuss use of unauthorized software.
It should go without saying that unauthorized software should not be allowed on corporate devices, but you may need to make a point of discussing this during the training process. Even with no ill intent, employees may not think twice about installing software on their machines. They must be made aware that this is unacceptable.
10. Discuss email use.
Last, but far from least, you should discuss email use. Email is a common avenue of attack for criminals. Educate trainees about spam and phishing, and help them understand how to identify illegitimate emails.
Nationwide commissioned Edelman Intelligence to conduct a 20-minute, online survey between April 9-20, 2018, among a sample of 1,000 U.S. business owners. Business owners are defined as having between 1-499 employees, being 18 years or older and self-reporting as either a sole or partial owner of their business. The margin of error for this sample was +/-3 percent at the 95 percent confidence level. As a member of CASRO in good standing, Edelman Intelligence conducts all research in accordance with Market Research Standards and Guidelines.
Nationwide is providing this information as part of its Business Solutions Center website content and enewsletter. The information included on this enewsletter and the Business Solutions Center website is designed for informational purposes only. It is not legal, tax, financial, or any other sort of advice; nor is it a substitute for such advice. The information may not apply to your specific situation. We have tried to make sure the information is accurate, but it could be outdated or even inaccurate, in parts. It is the reader's responsibility to comply with any applicable local, state, or federal regulations, and to make their own decisions about how to operate their business. Nationwide Mutual Insurance Company, its affiliates, and their employees make no warranties about the information, no guarantee of results, and assume no liability in connection with the information provided.