Simple ways to improve your company’s cybersecurity
As a software vendor, we know the importance of keeping your digital data and information secure. There are plenty of ways to do so, and you may have an in-house or external team that manages it for you. However, the basics are often overlooked when it comes to cybersecurity, and security can be improved immediately by involving staff in ongoing efforts.
The National Cyber Security Centre reported that the average cost of a security breach is £600K-£1.15m. Whether that’s a deliberate attack by an unknown agent or an accidental mishap from an authorised user, prevention is key.
In this article, we’ve covered some of the easiest ways to improve your company’s cybersecurity.
1. Ingrain cybersecurity into company culture
When was the last time your company provided a crash course in cybersecurity for staff? Regular, up-to-date guidance is required to ensure you have control over how sensitive data is accessed. Employers should never assume the level of an employee’s IT knowledge, and guidance should be consistent across the business.
Some online attacks succeed because of a lack of awareness, for example, email phishing scams. This means it’s vital to ensure all staff are on the same page. How you share knowledge depends on your company structure, but it could be worth arranging a team meeting and sending out a formal document outlining how staff can improve their personal management of logins and data. This includes where they store documents and passwords, and the devices they use to access work-related data.
There are also actions managers can take to improve security:
- Restrict user access – unless necessary, grant staff the minimum access level they need to do their jobs. Who has access to your admin credentials, and is it justified?
- Encourage team members to apply software patches as soon as they become available across your applications (these are rolled out automatically if the application is cloud-based)
- Provide examples of phishing attempts – attackers are becoming savvier and can disguise emails to look like a colleague has sent them
- Encourage employees to lock their device when not in use; a 5-minute sleep setting is also recommended for those who are less security conscious
- Put a policy in place for the devices that can be used to access work-related data, e.g. whether home desktops are suitable for use, and what steps should be taken to protect them, e.g. a mobile device management (MDM) policy
- If sensitive information is requested, employees should confirm with their manager that the request is genuine, e.g. a colleague requesting bank details
- Provide regular reminders on cybersecurity and updates on any attacks that are in circulation
Even with the best plan for prevention, incidents can occur unexpectedly. To be prepared for this eventuality, employers should ensure staff know the steps to take for reporting and managing a breach.
2. Enforce password best practice
Although it seems obvious, poor password protection is still a leading way for systems to be compromised. In 2019, LogMeIn reported that many employees “still have poor password hygiene that weakens the overall security posture of their company”.
There are several things companies can do to heighten password security, including:
- Use strong passwords with a mix of capitalisation, numbers, and special characters – ideally at least 16 characters
- Avoid known words and personal references such as pets, spouses, birthplaces, and so on
- Use Multi-Factor Authentication, for example, codes sent to mobile devices
- Advise against re-using and sharing passwords
- Use a password management service like LastPass to reduce the number of passwords staff have to remember
- Don’t save a password onto a device, in case it is stolen or compromised
- If third-party applications and devices are used, ensure the same rules are enforced
Password storage and sharing is another factor to consider, including passwords that provide default access to shared accounts such as social media. Sensitive information shouldn’t be shared across channels, and a password management tool is recommended for storing all default company logins.
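As an added illustration of the password rules above (not code from the original article), the following checker enforces the 16-character minimum, the mix of character classes, the ban on known words and personal references, and the no-reuse rule. The word list, the leet-speak folding table and the sample inputs are constructed for this example; a real deployment would load a proper dictionary and the user's own profile terms.

```python
import string

MIN_LENGTH = 16  # the article recommends at least 16 characters

# Constructed sample of "known words"; a real check would load a full dictionary
COMMON_WORDS = {"password", "welcome", "company", "summer", "letmein"}

# Fold common substitutions (P@ssw0rd -> password) so they do not defeat the word check
LEET_TABLE = str.maketrans("@$013!5", "asoieis")


def character_class_gaps(password):
    """Return the names of the character classes the password is missing."""
    checks = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return [name for name, present in checks.items() if not present]


def check_password(password, personal_terms=(), previous_passwords=()):
    """Evaluate a candidate password against the article's rules.

    personal_terms: user-specific words to reject (pet, spouse, birthplace, ...)
    previous_passwords: the user's earlier passwords, to block re-use
    Returns a list of human-readable problems; an empty list means the password passes.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for gap in character_class_gaps(password):
        problems.append(f"no {gap} character")
    # Search both the raw lower-cased password and its leet-folded form
    haystacks = (password.lower(), password.translate(LEET_TABLE).lower())
    for word in sorted(COMMON_WORDS):
        if any(word in h for h in haystacks):
            problems.append(f"contains known word '{word}'")
    for term in personal_terms:
        if len(term) >= 3 and any(term.lower() in h for h in haystacks):
            problems.append(f"contains personal reference '{term}'")
    if password in previous_passwords:
        problems.append("re-uses a previous password")
    return problems


if __name__ == "__main__":
    print(check_password("P@ssw0rd2023!!!!"))            # fails: folds to "password"
    print(check_password("Correct-Horse-Battery-9", ("Rex",)))  # passes: []
```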
3. Revoke all ex-colleagues’ access
We’ve all heard the horror stories of disgruntled ex-employees who post hateful tweets on their ex-employer’s profiles. Other similar security breaches aren’t uncommon – in fact, a survey revealed that over 50% of ex-employees still have access after leaving. This means there must be a checklist in place to ensure all access is withdrawn when an employee leaves.
Just some examples of the systems you’ll need to remove access to include:
- Cloud storage
- Password management
- Devices (to be returned)
- Social media
- Payroll and HR portals
- System ownership
If you have reason to suspect an ex-colleague could compromise your company’s accounts, change the passwords for these immediately. It’s best practice to change passwords regularly, and to provide them only to those who need a login to do their jobs. For example, only provide social media details to the social media team.
4. Achieve trusted cyber/IT security certifications
Depending on your business’s industry, size, and budget, there are certifications available to showcase your commitment to improving and maintaining your security posture.
Cyber Essentials certification
Cyber Essentials is an effective cybersecurity assessment that businesses can undertake to add an extra level of protection against cyberattacks. It addresses the most common online threats that can cause breaches and damage to computer networks.
See our article here for more information about the scheme.
ISO 27001 is an internationally recognised certification (part of the wider ISO standards) that sets out information security best practice. Businesses that achieve certification demonstrate that they safeguard the data of their customers and their internal systems alike.
While useful, the above are simply examples of recognised certifications – it’s important you complete your own research to understand what’s best for your business.
Your IT or cybersecurity team will provide technical assistance to protect your systems. However, there are simple steps every company should take to reduce common breaches. Although these may seem obvious, many companies fail to treat cybersecurity as an ongoing, company-wide operation.
Codapay’s payroll software is cloud-based, meaning cybersecurity is handled by us with expert assistance. Find out more about our solutions.