You may think that criminals and competitors present the greatest threat to your business’ cyber security, but it is in fact your staff. Unsurprisingly, former staff members are your next biggest threat.

Relatively few staff would act with malicious intent to cause a cyber attack. More common is negligence and accidental disclosure leading to secure information falling into the hands of cyber criminals.

Maintaining the security of your cyber presence has become a business necessity.

I was heartened to read that 45% of board members are (apparently) involved with cyber security strategy.*

The information held by your business which could be compromised by a cyber attack includes client lists and contact details, financial details of you and your clients, pricing, product design and manufacturing processes.

Mention must be made of the obvious consequential reputational damage which we have seen played out in the media too many times of late.

Foreseeable too are financial costs flowing from the cyber attack, including the cost of disruption to trading and the loss of actual and prospective clients. There is also the integrity of your IT equipment and services, which could be compromised and require repair.

With the average cyber security incident costing £1.7m, committing resource to mitigating the risk should not be difficult to justify.

As regards the risk presented by your staff to your cyber security, you may wish to reflect in respect of the following:

  1. Have you identified what financial and information assets are critical to your business and could be compromised by the IT/cyber usage of your staff? This is a moving target, so your register of these risks needs to be reviewed and updated, in particular as the technology and scams develop. In assessing the risks, you should also consider how your information and assets are stored in cyberspace and to whom access is permitted.
  2. Do you assess whether your passwords (used by staff, contractors and clients – to access IT systems which belong to your business, those of your clients and any third parties such as banks and suppliers) are sufficiently unique, strong and regularly changed, and do you enforce a strict password policy?
  3. Are your staff aware of your security processes, and do your staff adhere to them? Do you monitor your IT systems to detect any unusual and suspicious activity on the part of your staff? Does your IT system permit staff to download any items (e.g. pirate videos) which could contain malware (hostile or intrusive software such as computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs)?
  4. Do you regularly inform your staff of the latest cyber threats in order that they are aware of the dangers to avoid?
  5. If your clients demand or expect a particularly strict approach to cyber security, consideration should be given to contractually obliging your employees to adhere to certain security measures.
  6. In the event of a cyber attack, are your staff well-trained in the effective and speedy implementation of your cyber recovery plan?

In terms of your obligations to your employees, you may wish to consider the cyber threats to them, including whether the personal data about your staff is stored and communicated in an encrypted format.

*PwC, Global State of Information Security Survey 2016