IT security: Training staff & business continuity planning


Training your staff

Even with the best policies and technical controls in place, the security of your IT systems can still be breached by your employees.

Most breaches are caused by a user's lack of understanding of basic IT-security issues. Therefore, you should at the very least carry out some general awareness training in order to ensure that your staff:

  • understand the importance of effective security to your business
  • are aware of the need to work responsibly and not do anything that might cause a security threat, such as opening an email attachment from an unnamed source
  • understand how they are to respond in the event of a security incident such as a virus infection

The better trained your staff are, the less likely you are to have a security breach. For some IT-related positions, more advanced training may be necessary.

Certain users, such as network operators or system administrators, have privileged access to your systems. Such people are uniquely placed to damage or misuse your systems, either accidentally or maliciously.

Therefore, you may want to take special precautions when appointing such people. For example, you might want to carry out extra checks on them over and above the usual written references by actually telephoning previous employers to confirm their reasons for leaving.


Business continuity planning

Information security breaches may threaten the entire operation of your business. Therefore, it's important that you have a business continuity plan (BCP) in place.

The aim of a BCP is to enable your business to restore business-critical systems and infrastructure as soon as possible after a 'disaster' event takes place. The plan should encompass all systems used within the business, not just IT, as well as facilities and resources for staff.

Organisations constantly evolve and recovery strategies must evolve with them. This means you need to monitor your BCP and make changes to it as and when necessary. For example:

  • Business processes change and people join, transfer and leave organisations on a regular basis. Plans should be updated to reflect changes in recovery teams.
  • New IT systems are introduced to support business activities. As these may be essential to your business, before you implement them you should consider your ability to recover them following a systems failure.

There are real business benefits to be gained from having a BCP. These include:

  • Regulatory requirements - in some industries, e.g. financial services, regulators stipulate that organisations have sufficient continuity and security controls. Failure to have such controls - and to have them tested - could result in heavy fines.
  • Positive marketing - if you have a BCP to show to potential customers, this may help you win - and retain - business.
  • Insurance - having a BCP demonstrates to insurers that you are proactively managing risks to your business - and may help reduce your insurance premiums.
