How SMEs can reduce cyber-risk while going digital
The growing connectedness between employees’ work and social lives, and devices, can put workers on a collision course with their company’s security interests.
Increasingly, we’re seeing the lines between employees’ work and social lives continue to blur; as a result, the devices they use in and out of work often become interchangeable. However, this growing connectedness can often put workers on a collision course with their company’s security interests, writes Alastair Pooley.
The size or sector of an organisation does not alter its susceptibility to cyber-attacks, and many small to medium enterprises (SMEs) may not realise they are a target. SMEs are the driving force behind New Zealand’s economy, generating more than a quarter of the GDP and employing nearly one-third of the workforce, and the data they access and store is too valuable for cyber criminals to resist. However, unlike in the largest enterprises, cybersecurity spend is still regarded as a cost centre within SMEs, often leaving them exposed to threats.
Strengthening cybersecurity protections and gaining insight into your organisation is not an overnight process. For SMEs looking to bridge this gap, there are steps that can be taken to mitigate risks and drive value when it comes to cybersecurity. While the initiative must start at the top with IT leaders who can prioritise the issue, it is ultimately about having visibility into and collaborating with your entire organisation to strengthen your defenses without busting the budget.
Understand your complete IT landscape
In today’s digital economy, IT is no longer the gatekeeper of all technology. Employees procure the applications and devices needed to do their job – even when they don’t have permission from IT. This is a common trend that is accelerating along with the rapid move to the cloud. According to Snow Software’s latest research, 49% of employees in the Asia Pacific region have used work software without IT’s permission, while 55% of APAC employees have accessed work documents on personal computers.
Between the rise of cybersecurity threats and privacy regulations, IT teams and employers need to know where company data is stored, and how that data is used. It is also essential to know whether the applications employees have downloaded are up to date with the latest patches and, worse still, whether any of that software is improperly licensed.
Outdated or unauthorised software is a significant challenge for any organisation, creating the potential for security vulnerabilities. Therefore, a first step for SMEs is to attain visibility into the applications in use and the data being stored, to help determine whether potential exposures exist.
Ensure IT policies are understandable for employees
Your people can become one of your strongest assets in defending your business. To protect valuable company assets, SME leaders need to start involving employees in their IT policies. They can start by communicating the implications of an employee’s harmful behaviour to them, whether that’s installing unapproved software or downloading streaming apps onto their work device.
This can be done through a security awareness programme, making IT policies clear yet simple enough to be understood by someone outside the IT department. The communication should begin with employee on-boarding processes and be stripped of technical jargon. The goal here is to communicate the purpose of the framework to employees, helping them understand how their participation ensures their cyber safety, protecting both their personal data and the company’s.
This process should be an ongoing one, with staff continually educated on what potential threats look like as well as any new security policies within the business.
Streamline the processes for all stages of the employee journey
The different needs of employees mean they require access to different company platforms at various stages of their career. This places great importance on a business’ joiner, mover and leaver (JML) process. Leaders need to understand where employees and their IT needs fit in the organisation, to safeguard their data from unauthorised access and ensure they have complete intelligence across their technology ecosystem.
For new hires, businesses need to consider all IT provisions required for new employees, including the devices they will be using, and the access they will be allowed. When an employee moves roles within the organisation, IT teams need to identify the employee’s needs and grant access to any new platforms. On the flipside, when an employee departs from their role, IT should immediately revoke or update their access to company platforms and software to prevent access to proprietary company data.
There are also tools in the market that can help improve efficiency in managing the employee journey, including automation platforms. However, IT leaders should consider what technology and sensitive data resides in their organisation and provide access to employees based on their different roles.
The first step for organisations looking to protect themselves from potential attacks is to acknowledge that cyberthreats are an ongoing challenge and critical to revenues. Employee access to unauthorised technology should be a signal that communication and new processes need to be put in place within an organisation. Striking the right balance can be difficult, but it’s ultimately IT’s responsibility to enable the SME workforce while also mitigating potential risks caused by cyberthreats. Ensuring you have the visibility and intelligence around your technology will allow you to provide the best protection for your organisation while empowering employees to work effectively.
Alastair Pooley is CIO of Snow Software.