The weakest link: how your employees use software and how this could impact your business

Could your employees be the weakest cyber security link within your organisation? It’s a question that’s dogged SME leaders for decades, as technology and user behaviours have continued to evolve and present opportunities, but also challenges.

Our own research has found, for example, that the majority of UK SME employees (60%) do not think using an unauthorized device (i.e. USB) would pose a threat, while 57% do not think installing an application without administrator permission is a risk. Worryingly, over half (53%) do not think downloading music or films illegally could present a security threat.

This comes in a context where cyber breaches and attacks continue to cause havoc for businesses. The 2019 Cyber Security Breaches Survey issued by the UK government, for example, states that businesses are, on average, facing a cost of £4,180 from lost data or assets after breaches. Indeed, 80% of companies reported phishing attacks, while 27% suffered from viruses, spyware, malware or ransomware in the last 12 months.

What many companies fail to consider is that their personnel are just as important as the software they use when it comes to resilience against cyber threats. While many business leaders associate insider threats with rogue employees, the majority of cyber incidents involving employees are completely involuntary.

Why is this happening? Recent research suggests that two thirds (65%) of UK professionals working across all industries were not given mandatory IT training during their first month of employment and that 74% of them had never received any IT training in their current or most recent role.

The resulting lack of cyber and IT awareness is a major contributing factor to cyber breaches, exposing organisations to significant risks. So how can businesses cope with this challenge?

• Ensure you have a comprehensive cyber security strategy in place. First things first, fighting cyber security threats requires a holistic strategy that tackles all potential vulnerabilities – from insider threats and human errors through to managing access to important documents and protecting software assets. Every box must be ticked.

• Embrace SAM (Software Asset Management): SAM is critical to the success of every cyber security strategy because it allows you to understand what software assets you’ve got available and control the use of applications that can present a security risk. By auditing your software, you will be able to identify outdated applications that may not have the latest security protection installed and remove them before it’s too late.

• Don’t use unlicensed software: While some of your employees could be tempted to download free software, this could cost you dearly further down the line. Using software unlawfully creates major security issues for the business as it can carry hidden malware and, even if it doesn’t, illegitimate software doesn’t have the latest security updates that can protect against cyber threats.

• Establish effective security policies with clear roles and responsibilities: To mitigate the risk of your employees downloading unlicensed software, you need to establish processes and policies to ensure that no one purposefully installs unlicensed products. These policies should also include rules for the wider use of IT systems and business applications. As part of this process, it’s important to assign clear roles and responsibilities across your IT teams and the wider workforce. Every employee should feel responsible for their digital footprint in the workplace. This could be enforced by asking each employee to sign a written policy about software usage and having a SAM ambassador who has the responsibility to monitor how software is acquired, deployed and used within the business.

• Train your employees: This is probably the most obvious but the most overlooked side of minimising the risk of cyber threats resulting from human errors. Once you have your strategy, SAM and security policies in place, you need to put this into action by providing every employee with IT and cyber security training. Quite often we assume that employees have sufficient understanding of cyber threats but you’d be surprised by how many people make simple mistakes such as clicking on links or opening attachments from unknown senders.

• Work only with certified partners: If you want to ensure that the software deployed within your business is safe to use, procure software only from publisher-certified partners. This will help guarantee that the software you buy is legitimate and properly licensed. Moreover, this will help you build long-term relationships with reputable technology partners who can support your business as it grows.

As SMEs are becoming increasingly connected, getting cyber security right is critical for the success of their business. While employees can pose a security risk, they can also be used to galvanise the workforce and mitigate cyber risk by acting responsibly when it comes to their digital footprint in the workplace. Having a robust cyber security strategy, underpinned by comprehensive security policies and awareness training, can help SMEs achieve this and ensure they are well-prepared to fight cyber threats.