Most business managers have concerns about their computer networks getting compromised, either due to direct hacking or the inadvertent impact of someone downloading malware. This just makes sense. On the other hand, how much time is spent teaching their users how to avoid problems and what to do if they suspect there is an issue?
Recently, PricewaterhouseCoopers reported in a global study that Canadian information security budgets had a significant increase over 2014, but fewer than 57 percent indicated their organization offered security training and awareness programs. The participants in this study will be larger, more formalized firms, so we can safely assume that, with so many Canadian companies being SMBs (Small Medium Businesses), the percent taking the time to educate their people will be even lower.
PwC's report indicates that Canadian cybersecurity incidents increased by 160 percent year over year, which shows that the problem is not going away. There is some good news in the report in that Canada is actually doing better than other worldwide jurisdictions. This means we are not the worst at dealing with this kind of business risk, but the percentages indicate there is much more that could be done.
One area identified as being problematic is the impact of connections to in-house systems made by partners. This could be the visiting technical or sales person who connects to the office network and introduces a problem by mistake. Simple isolation steps through guest logins and isolated IP ranges can help to mitigate this kind of intrusion, and most organizations could put this basic security in place.
Of course, the deeper the access a user or guest has, the greater the risk to the business, so proper security planning and policies (if enforced) can help to protect against these challenges.
Basic to all of this, however, is making sure that employees understand the importance of IT security to the business (it could be a survival issue if the intrusion is serious enough) and that they are trained to be able to identify how they can participate in a protection regime. The solution starts at the hiring stage as IT policies are spelled out, the consequences of violations explained, and the steps to be taken if a problem is experienced outlined.
Continuous follow-up and refresher training are important. Scheduled components in departmental and all-employee sessions should be put in place so that IT security is not left on the back burner when time becomes a challenge. Taking a little time frequently is not only easier to accomplish but also regularly reinforces how important this issue is for the business.
For more details of the report's findings, you can reference a summary on the PwC cybersecurity page. It takes a balance for businesses to use their IT and computer resources effectively. Becoming frozen because of concerns over security and intrusions can lead to delays and problems accomplishing the work the network is designed to support, but not taking time to ensure that the knowledge is in the hands of employees can also result in delays and problems. Finding a comfortable balance is something that every business needs to work out.