Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

The benefits of building a security culture within your business

By Nik Williams, MD of information management company Shredall SDS Group

Not a day seems to go by without news of another high-profile data security breach. They never make for a good read, but they do highlight to businesses the importance of reviewing, maintaining and improving their own infrastructure.

GDPR has made the stakes even higher as there are now larger financial penalties to consider; smaller offences can result in a fine of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). More serious offences can lead to fines that are double this – much larger than the maximum £500,000 penalty the Information Commissioner’s Office (ICO) could previously issue. What’s more, data breaches can be highly detrimental to a company’s reputation and can result in a loss of custom, and ultimately revenue.

With hacker attacks rife, it would be naive for start-ups and small businesses to think that they’ll go unnoticed, with cybercriminals preferring to target bigger, household name brands. The opposite is true – smaller, inexperienced companies often make easier targets because they neglect to allocate enough resources (i.e. budget and training) to offline and online security practices.

Further to this, it’s no longer enough for CEOs, managing directors and senior managers to ‘hold the fort’ and protect their business’ security. Everyone needs to take responsibility for their firm’s data and to be vigilant to suspicious activity, highlighting the importance of creating a company-wide security culture. Here are a few ways you can achieve this:

  1. Take a top-down approach 

Though we said it’s everyone’s responsibility, people can only be expected to lead by example. If their manager isn’t seen to be taking a proactive approach to data security, then why should they?

While there will be someone (or a select group of people) in charge of creating a security culture document or handbook, it must be communicated to everyone across the business in order for it to be effective, perhaps through a dedicated training session. It would be even better if CEOs, managing directors or senior managers can relay what they’ve personally done to improve their own security, even if it’s something as simple as using a password manager such as LastPass.

It’s likely that when implementing a security culture, you’ll make some changes to your business processes. Big changes should be clearly communicated too, for example, if you now require all members of staff to adhere to a clean desk policy.

  1. Stress the importance of security 

Similar to the above, you can’t expect people to get on board with building and maintaining a company-wide security culture if they don’t understand why one is needed in the first place!

Make staff aware of the rise in hacker attacks and the different methods that cybercriminals employ to get their hands on sensitive information. Give them some real-life examples of security breaches too and explain what could happen if your business suffered a similar incident (i.e. fines and reputational damage). Rather than scaremongering, it should help people to feel like they have an important role to play in protecting their company’s data.

  1. Make training integral 

Once you’ve got a security culture document or handbook in place and explained why you’ve introduced the change, it’s time to tell employees how they can help. In-house or eLearning training sessions/courses are a great way to cover different aspects of online and offline security, but they need not be boring! Try and make training as interactive as possible by inviting industry experts in for a Q&A session, or organising a game of security trivia.

Always make training material readily accessible to staff through your company’s intranet; this will serve as useful information to any new employees, or as a refresher. Laws are changing all the time, and new ones introduced, so it’s paramount someone is also in charge of reviewing and renewing the training documents on a regular basis, and then letting staff know the material has been updated.

  1. Recognise great security behaviour 

We recognise and praise good work, so why shouldn’t we recognise good security behaviour too? Ask employees to flag any suspicious emails or activity, no matter how obvious, and thank them when they do so – it’ll go a long way. You could even highlight the example through an all-staff email, or in your company newsletter, to encourage further vigilance and engagement.