As a business owner, it’s important that your team understands the technology they work with and how to use it. It’s also very important to train them to identify threats to your business, including business email compromise and encrypting ransomware infections, and to make sure they understand data security and who to contact if something goes wrong. Outlined below are some of the key things business owners should think about training their team on.
Common threats to consider and act on
- Review the types of confidential business information stored on your network, computers and mobile devices. Check who has access to it and consider what would happen if staff were able to take it out of the building and it was later lost.
- Determine whether all staff need full access to the customer database or day-to-day accounting information. If not, restrict access to this information and tell staff what they can and cannot do with confidential or business-critical data.
- Avoid disciplinary procedures by educating your workforce about acceptable internet use. You may want to consider establishing a social media policy that clearly spells out what staff should not publish on popular social media sites.
Train your team to protect your business
Many small New Zealand businesses face a range of online threats every day. Even a simple virus infection can have an impact on the day-to-day running of a business should systems be affected.
Even if you prioritise investment in IT software and services, training your staff to recognise phishing emails or faked requests for payment and getting them to use strong passwords can be an excellent way to improve your business security.
Most people use technology at home. A lack of knowledge or technical ability at home will only affect their own devices and data, but a mistake at work could affect the entire company, so investing in staff training is key and can pay dividends at home too.
When should I train my team?
The perfect opportunity to start training any employee is when they join the business. As well as explaining health and safety information and showing them where the bathroom and fire exits are, new staff members should also be provided with:
- The company’s acceptable internet use, privacy and IT security policies and how they apply to company-provided equipment such as mobile devices.
- Procedures on how they set up and when they should change account passwords.
- Guidance on any physical security steps such as closing up the building or locking laptops out of sight.
- Information on who to contact about security incidents.
- Guidance on specific business risks or policies around dealing with contractors, visitors or media enquiries.
As well as this initial training, staff can take part in regular company-wide sessions that are designed to remind them why information security is important and the impact that data breaches or ransomware infections can have on business continuity.
If an incident occurs or a new threat is identified, this can also be a good opportunity to train staff on new issues as they emerge.
Training can be face-to-face, classroom-based or computer-based, or it can make use of videos, posters, or regular email or intranet messages that reinforce the company’s approach to security and privacy.
The approach to training can be tailored for your business and doesn’t have to be dull. Learning by doing may be the most effective way for staff to develop awareness – perhaps by undertaking a phishing exercise that tests who opens a suspicious email, who lets visitors into the building without identity passes or who gives out information over the phone.
There may also be online tools or products that you can subscribe to that allow staff to set their own pace of learning, perhaps as part of a professional certification.
Building security into your business
It is important to create a business culture that values security and encourages staff to acquire knowledge in their day-to-day role, so that bad habits are not repeated because poor practices, such as the sharing of passwords, are widely copied.
Employees should be aware of the risks to the business they work in, be observant of business controls and feel able to recommend policy and procedural changes that may better protect both physical and information assets.