Business Bunker Radio
Cyber Xtra

There is never enough time to talk about security. On Friday's Business Bunker Xtra Radio Show we started discussions on how to continue to help yourself in your organisation. Co-host Paul Andrews, CEO of Jobs in Kent, gave some great real-life examples of where not having good processes and procedures in place affected his business or others.

I have spoken in the past about some of the technical measures that can be deployed, but in this show we start to talk about the most important tool available to you: your staff. Giving your staff the right information and setting the parameters of operating through a clear set of processes and procedures is extremely important, as it allows everyone to have the confidence to act.

Your staff have a critical role in protecting the organisation and so it’s important that security rules and the technology enable users to do their job as well as possible and not put the organisation at risk. This can be supported by a systematic delivery of awareness training that helps establish a security-conscious culture and creates accountability.

Where you're hoping to get to: actions and behaviour become second nature, a habit. Like the steps you take before setting off in a car, it is just done and takes little thinking.

What is the risk you should consider?

Users must be able to effectively do their jobs. Organisations that do not effectively support employees with the right tools and awareness may be vulnerable to the following risks:

• Removable media and personally owned devices:

Without clearly defined and usable policies on the use of removable media and personally owned devices, staff may connect devices, however big or small, to the infrastructure. This might lead to the inadvertent import of malware or the compromise of sensitive information.

• Legal and regulatory sanction: 

If staff are not aware of, and supported in, how they should handle sensitive information, the organisation may be subject to legal and regulatory sanction.

• Incident reporting culture: 

Without an effective reporting culture there will be no, or poor, dialogue between staff and those responsible for the systems (the security team). That dialogue is essential for uncovering where gaps in technology and processes can be improved, as well as for reporting actual incidents for legal reasons.

• Security Procedures:

If the security procedures are not balanced to support how staff work, then security can be seen as a blocker and thereafter simply ignored.

• External attack:

Since staff have legitimate access and rights, they are usually the primary focus for external attackers and criminals. Attacks such as phishing or social engineering attempts rely on taking advantage of legitimate user capabilities and functions.

• Insider threat: 

Changes over time in an employee’s personal situation could make them vulnerable to coercion, and they may release personal or sensitive commercial information to others. Unhappy staff may try to abuse their system privileges or coerce others to gain access to information or systems to which they are not authorised. Equally, they may just steal data.

How can you manage the risk?

Create a staff security policy: 

Develop a user security policy, as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration to different business roles and processes. A ‘one size fits all’ approach is typically not appropriate for many organisations. Policies and procedures should be described in simple business-relevant terms with limited jargon.

Establish a staff induction process: 

New staff (including contractors and third parties on the system) should be made aware of their personal responsibility to comply with the security policies as part of the induction process. The terms and conditions of their employment, or contract, should be formally acknowledged and retained to support any subsequent disciplinary action.

Maintain user awareness of the security risks faced by the organisation:

All staff should receive regular refresher training on the security risks to the organisation. Consider providing the opportunity for staff to ask questions about security risks and discuss the advice they are given. 

Monitor the effectiveness of security training: 

Establish mechanisms to test the effectiveness and value of the security training provided to all users. This will allow training improvements and the opportunity to clarify any possible misunderstandings. Ideally the training provided will allow for a two-way dialogue between the organisation and its staff. Do not be afraid to work together and have the difficult conversations about security risks.

Promote an incident reporting culture: 

The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents without fear of recrimination from managers.

Establish a formal disciplinary process: 

All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them. Any sanctions detailed in policy should be appropriate and enforceable at a practical level.

Next month I'll be sharing how applying a holistic approach to security can further help defend against becoming a target of criminals. Bringing all the facets of security together, across People, Physical and IT, there is so much that can be done. But we start with a review and identify the risks we are trying to mitigate. I hope you can get involved in the discussion. Until then, be safe and secure. Thanks for listening.

If you need help with any of the above then contact me at Ten Intelligence [email protected] 

About Richard Bell

Richard is one of our co-hosts of Business Bunker Xtra; you can hear him every month between 11-12 on our show. Specialising in client support for 'all things security' in the UK, Europe, UAE and US, Richard previously worked for Transport for London (TfL), where he was involved in some of the most significant threats London has faced in recent times, including the 7/7 bombings, the Olympics and the atrocities at Westminster and London Bridge. He led TfL's strategic and tactical cyber response programme implementation to ensure resiliency. Richard is a Fellow of The Security Institute, a Member of the Association of Security Consultants and a Registered Independent Security Consultant. In recent times, he has twice been named within a Global Top 40 List of Security Influencers and is regularly invited to chair and present at a number of conferences throughout Europe and beyond. Follow on Twitter @securityspeak

About Ten Intelligence

With teams in our Kent, London and Dubai offices, our consultants consistently deliver due diligence, investigations, brand protection and security & privacy advisory services. Ten Intelligence prides itself on maintaining an outstanding and consistent reputation for excellence, integrity and success, building long-term and rewarding relationships with our clients, associates, consultants and others with whom we do business. Follow on Twitter @TenIntelligence