Like schools and homes, businesses and community organisations need to establish safe internet environments. Every organisation that uses basic tools like the internet and mobile phones needs to have a robust cybersafety framework in place. If your employees accidentally come across inappropriate material in the workplace or are aware of a breach in ICT security, do they know what to do? Do they even know what counts as a breach? Who should they tell about it?
Breaches can happen in any number of ways. People can accidentally compromise ICT security. Employees can unwittingly help cyber criminals reach your networks by bringing in personal IT equipment that could be infected with malware. Having a policy in place for your employees ensures everyone is using their ICT equipment for the benefit of the company, and that the inevitable risks are minimised.
What is a breach?
A breach in ICT safety and security is any technology-based event that might damage your company. It might be as simple as employees wasting time surfing the net, or as complex as the theft of sensitive data through malware.
Malware has evolved from the self-reproducing viruses made to crash computers in the ’80s into the highly technical tools used today by gangs of cyber criminals to steal passwords, credit card details and identities.
With appropriate internet security systems and policies, employers can avoid malware affecting their networks.
Malware can be brought into company networks on employees’ personal IT equipment (laptops that are used both at home and at work, USB sticks and mp3 players), as well as through email attachments and social networking websites. Recent research suggests that three-quarters of data breaches are generated by internal sources.
What’s the threat?
It could be argued that staff members are a bigger threat to company IT networks than cyber criminals. On top of access to passwords and administrator privileges, employees usually know what is worth looking for and sharing with competitors. By making sure your networks are secure and ensuring all your employees have an understanding of ICT policies and procedures, you are lessening the chances of a data security breach both internally and externally.
What should SMEs do?
First and foremost, having an IT policy is recommended by all internet security experts. The Whatsit? is a useful guide to creating your own personalised policy. As with other safety policies and procedures, such a document can help protect your staff and your clients from harm.
Companies from a two-person start-up to big corporations with IT departments should all have IT security policies in place. This will help staff identify security breaches and understand what to do when they come across one. Any ICT safety or security breaches should be reported and recorded; this is essential to tracing the source of the breach and ensuring it won’t be repeated. Keeping a cyber security log in the same way that first aid reports are kept is an easy way of tracking ICT security issues.
There are two main aspects to implementing an effective cybersafety framework:
- Establishing a safe internet workplace environment for your employees
- Educating staff about their role in the maintenance of a safe cyber environment
An IT policy should be specific to your organisation’s requirements.
www.thewhatsit.org.nz – a toolkit to help employers create an IT policy specific to their organisation’s requirements. It defines obligations, responsibilities, and the nature of possible consequences associated with breaches and behaviour deemed to undermine the safety and professionalism of the work environment. There are units for staff to complete, and you can create your own IT policy for staff to sign.
www.theorb.org.nz – a cybercrime-fighting website designed to streamline all of New Zealand’s cybercrime complaints and then direct them to the responsible agency.