The Human Side of Cybersecurity for Small Business

Cybersecurity is a hot topic these days, especially for small business. News articles about data breaches and cyber-attacks are common, but your business is not at the mercy of hackers. Proactive steps will lower the probability of a successful cyber-attack.

Technology is perhaps a third of the solution; managing the human component is the more crucial aspect. Installing hardware and software products is the first step, but creating a culture of security, by giving your employees the information and skills to detect and prevent security breaches, completes the plan. Establishing that culture includes ongoing education as well as developing and adhering to appropriate policies and procedures.

As a business owner, you can lessen the risk of cyber-attacks by partnering with your employees to reduce the chance of human error. Here are some tips for addressing the human side of security.

Establish and enforce policies and procedures on the following:

Passwords

Requiring that a password be entered to use accounts and computers/devices provides the most basic level of security. Giving each employee their own account with its own password, and password-protecting individual computers/devices, establishes an initial level of protection. However, that protection is only as good as the password chosen. Developing a password policy and educating employees on it raises the level of security.

Select a Strong Password – Define a protocol for selecting a strong password. Strong passwords are harder to guess and harder to crack by brute force. There are many recommendations for what makes a strong password: 8-15 characters, a mix of upper and lower case letters, numbers and symbols, and nothing easily associated with the user. However, length now generally outweighs complexity, because each added character multiplies the number of guesses an attacker must try. For example, a short password obeying all the standard rules (%cjrT*2, seven characters) is weaker than a 26-character passphrase of common words strung together that is also easier to remember (gullantennasnowstormorchid). According to the website How secure is my password, the complex password above would take about 7 minutes to break versus 5 quintillion years for the four-word passphrase. Treat such estimates as illustrations only: the tool assumes the attacker tries every character combination, and a passphrase built from common words is only strong if the words are chosen at random rather than taken from a familiar phrase or quotation. Length matters because of entropy, the number of equally likely possibilities an attacker has to search. Long, randomly generated passwords are stronger still, but are difficult to remember without a password manager.
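The entropy argument above is easier to see with numbers. The following Python script is an added example (not code from the original article) that scores the article's two passwords under two attacker models: the per-character brute-force model that "time to crack" websites use, and the more honest model for a passphrase, where the attacker knows the passphrase was built from a public wordlist (the 7,776-word Diceware list is assumed here) and only has to guess which words. The two guess rates are illustrative assumptions, not measurements.

```python
"""Why a long passphrase beats a short "complex" password.

Added example, not part of the original article. It models the attacker
behind any "time to crack" estimate: one who knows how the password was
built and must try every possibility. The two guess rates below are
illustrative assumptions, not measurements of any real system.
"""
import math
import string
from typing import Optional

# Assumed guess rates in guesses per second (illustrative only).
ONLINE_RATE = 100.0              # a rate-limited login form
OFFLINE_RATE = 10_000_000_000.0  # GPU cracking a leaked fast hash

DICEWARE_WORDS = 7776  # words in the standard Diceware list (6**5)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must assume for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def random_chars_entropy_bits(password: str) -> float:
    """Entropy in bits if every character was drawn uniformly from its charset.

    This is the model behind per-character "time to crack" sites. It
    overstates the strength of a passphrase, whose letters are not random.
    """
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase whose words were picked uniformly from a list
    the attacker also has (the honest model for 'four common words')."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every possibility at the given rate (expected time is half)."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(password: str, word_count: Optional[int] = None) -> dict:
    """Summarise a password under both the per-character and the wordlist model."""
    per_char = random_chars_entropy_bits(password)
    honest = passphrase_entropy_bits(word_count) if word_count else per_char
    return {
        "password": password,
        "length": len(password),
        "per_char_bits": round(per_char, 1),
        "honest_bits": round(honest, 1),
        "offline_years": years_to_exhaust(honest, OFFLINE_RATE),
        "online_years": years_to_exhaust(honest, ONLINE_RATE),
    }


if __name__ == "__main__":
    # The article's two examples: a 7-character "complex" password and a
    # 26-character passphrase of four common words.
    for pw, words in (("%cjrT*2", None), ("gullantennasnowstormorchid", 4)):
        r = compare(pw, words)
        print(f"{r['password']:>28}  len={r['length']:2d}  "
              f"per-char={r['per_char_bits']:6.1f} bits  "
              f"honest={r['honest_bits']:6.1f} bits  "
              f"offline={r['offline_years']:.2e} yr  online={r['online_years']:.2e} yr")
```

Under the per-character model the passphrase scores about 122 bits, which is where the "quintillions of years" figures come from. Under the honest model it is about 52 bits: roughly 64 times stronger than the 46-bit complex password, which is still a clear win, but only a few days of work for an attacker with a leaked fast hash and a GPU. Two practical conclusions follow: pick passphrase words at random (six Diceware words gives about 78 bits, comfortably out of reach at the assumed offline rate), and treat online-only rate limiting and lockout as part of the defense rather than relying on the password alone.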

How to Remember/Save Passwords – Because strong passwords can be difficult to remember, it is tempting to save them in the browser or on the local computer/device. This is risky if the computer/device is shared, used in a public place, or at risk of being lost or stolen, because anyone who unlocks the device then has every saved password. You may choose to allow employees to save passwords on their computers/devices if the store is protected by a strong master password. Better, select a password manager that each employee uses as an encrypted vault where all passwords are recorded; it can also generate the long random passwords that are hardest to remember. As a bottom line, passwords should not be written down where others can find them, such as on a note at the desk.

Don’t Share Passwords – Passwords must be unique to each employee, and employees should be reminded not to share them. A shared password also means there is no way to tell who did what when something goes wrong.

Change Passwords Regularly – Changing passwords on a regular basis, every 60 to 90 days, is a common rule of thumb. Be aware that more recent guidance (NIST Special Publication 800-63B) recommends against forced periodic changes, because people respond by making small, predictable edits to the old password, and instead calls for changing a password immediately whenever there is any sign it has been exposed. Whichever schedule you choose, make sure a changed password is genuinely new and not the old one with a digit added.

Different Passwords for Different Accounts – Every account should have its own unique password, so that one leaked password does not unlock everything else. For example, the password to log onto the device should differ from the password used to access a secured server.

Working in Public Places

Depending on where a computer/device is used, there are risks beyond someone gaining direct access to it. In a public place or on an open Internet connection, security can be breached by someone looking over an employee’s shoulder (shoulder surfing) or by an attacker on the same open wifi network. Outline a policy for working in public places that limits or eliminates access to company information over insecure, public wifi, and educate employees on techniques to keep onlookers from viewing the screen.

Screen – Techniques to block onlookers include turning the screen away from the open room, positioning it so it is blocked from view, using a privacy filter, or choosing a seat that backs up to a wall. In public there is always the possibility of video surveillance, so be aware of cameras. Locking the screen when stepping away from the device, whether at home or in the office, prevents unauthorized access or accidental viewing of information; configure devices to lock automatically after a few minutes of inactivity as a backstop for the times someone forgets.

Wifi – Free wifi is convenient, but public wifi is generally unsecured: anyone on the same network can read traffic that is not itself encrypted, and a rogue access point with a familiar name can sit between the employee and the Internet. Websites that use HTTPS protect the password and the session from that eavesdropping, but older or misconfigured sites and applications do not, and an attacker on the network can still see which hosts are being contacted. The safest policy is therefore not to access or share company information over an open connection at all. The practical alternative is a virtual private network (VPN), which encrypts all of the device’s traffic back to a trusted endpoint before it crosses the open network. Investing in a VPN provides the secure, mobile access to company information required by today’s mobile workforce.

Assurance and Accountability

Once policies and procedures are established and employees are educated, following through to ensure compliance is necessary. For example, confirming that employees change their password every 90 days can be done by sending a reminder and requesting verification once the task is complete, or, where the system supports it, by enforcing the rule in the account settings so it cannot be skipped. Clearly outlining the potential risks through education and then holding everyone accountable for adhering to the policies leads toward a culture of security.

Other Issues

Virus Scan – Installing anti-virus software on all computers is an essential security step, and automatically scanning files and websites provides a standard level of protection. However, some things employees do may not trigger the automatic scan, so a policy for those situations is needed. Malware can arrive with software installed from websites, and files received by means other than email (USB drives, shared folders, cloud links) may not be scanned automatically. Establish a policy on downloads from websites and on when and how employees must scan files and removable devices.

Email – Incoming emails are usually scanned automatically for viruses, but other kinds of email pose a risk that a virus scanner will not catch. Phishing emails link to a malicious website, or look legitimate while asking for confidential or financial data, often with a sense of urgency (an account about to be locked, an invoice overdue). Educate employees not to respond to suspicious emails requesting secure information, not to click links from suspicious sources, and not to download software or apps that are not approved. A useful habit is to hover over a link and compare where it really goes with what the text claims, and to reach a site by typing its address rather than following the emailed link.
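The "hover and compare" habit can also be automated for a first-pass triage. The Python script below is an added example, not code from the original article: it parses the HTML body of an email, collects every link, and flags the ones a user should not click because the visible text names one domain while the link goes to another, because the link is plain HTTP, or because it points at a raw IP address. The email body and the domains in it are constructed for the example; the "registered domain" helper is a deliberate simplification that takes the last two labels of a hostname (real code should consult a public-suffix list).

```python
"""Spotting a deceptive link in an HTML email.

Added example, not from the original article. It flags anchors whose
visible text names one domain while the href points somewhere else, the
classic phishing trick, plus plain-HTTP links and raw IP addresses. The
email body below is constructed for the example; its domains are
placeholders from the reserved example.* space.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# A hostname, optionally preceded by a scheme, as it appears in link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (visible_text, href) pairs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for this illustration;
    production code should use a public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html: str) -> List[Tuple[str, str, str]]:
    """Return (visible_text, href, reason) for every link that looks deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        if IPV4_RE.fullmatch(host):
            reasons.append("raw IP address")
        claimed = HOST_RE.search(text)
        if claimed and registered_domain(claimed.group(1)) != registered_domain(host):
            reasons.append(f"text says {claimed.group(1)} but link goes to {host}")
        if reasons:
            findings.append((text, href, "; ".join(reasons)))
    return findings


# Constructed sample: a lookalike host that merely starts with the bank's name.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your account has been locked. Please verify your details at
<a href="http://example-bank.com.secure-login.example.net/verify">https://www.example-bank.com/login</a>
within 24 hours.</p>
<p>Regards,<br>The Example Bank Team</p>
<p><a href="https://www.example-bank.com/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}\n  reason: {reason}")
```

Run against the sample, only the first link is reported, with two reasons: it is plain HTTP, and the text claims example-bank.com while the link goes to a host under example.net. The second link, whose text is just "Contact us" and whose target matches the bank's real domain, passes. The check is deliberately conservative: it cannot tell a genuinely new domain from a malicious one, so its output is a prompt for a person to look harder, not a verdict.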

Software Upgrade – In larger enterprises, software updates that close known security holes are applied by the IT department. In organizations without an IT department, staying up to date is usually left to each individual. Include a procedure and timeframe for ensuring that updates are installed, and turn on automatic updates wherever the software offers them. Again, a reminder and a response confirming the update was done helps with accountability.

There are security and privacy risks inherent in the use of technology, but there are ways to keep those risks from affecting your business. Software addresses the technical side of risk; rules are necessary to address the human side. Develop policies and procedures with protocols that are workable for your business, educate employees on those standards, and enforce them. Clear guidelines for employees to follow help ensure the security of your technology landscape.

As important as security is, it is only one piece of the overall technology puzzle. A full scope technology strategy will ensure the long term stability and health of your technology tools. Ninestone provides technology assessment and audit services as a first step to developing a technology strategy.



Carmen Mincy, Ninestone Corporation

December, 2016