Your employees could be the greatest danger when it comes to IT security and protecting your organization’s information.
You have ensured that some of the best technology available has been deployed to protect your organization: firewalls, anti-virus, web filtering and more, but what have you done to educate and empower your staff on information security issues?
While research organizations disagree on the exact percentage of data breaches that involve personnel, most agree that in today's world the weakest link is generally the people in your organization.
You have probably heard of Social Engineering, Phishing and Advanced Persistent Threats. Social engineering and phishing are methods used by nefarious people and organizations to obtain information about your organization from your employees; an Advanced Persistent Threat is the kind of well-resourced, patient attacker that frequently relies on those methods to gain a first foothold.
How can you mitigate the risks posed by employees?
Here are some steps to take that will decrease the likelihood of your staff causing a breach in IT security:
Develop and Implement a Security Awareness Program.
If you are subject to Payment Card Industry (PCI) Compliance regulations, you may already have this in place. If not, you should understand that PCI DSS makes a formal security awareness program mandatory for all personnel, not only the staff who frequently handle credit card information. Even if you are not under PCI, you still have valuable data that could be stolen or held to ransom.
Ransomware is one of the greatest risks to your organization, especially if you do not have plans in place to deal with it, including backups that are kept separate from the network and that have actually been tested by restoring from them.
Develop and Implement Sensible and Appropriate Security Policies.
Without policies, the responsibilities of staff when it comes to information security may be ambiguous at best.
Keep policies as simple as possible so that staff can understand them easily.
Long and complex policies may cause the reader to become bored and stop before finishing them, or cause confusion that results in a lack of clear responsibility and accountability.
Reinforce Awareness through a Continuous Program.
One-time training on Information Security Awareness and security policies is never enough.
Continuous reinforcement is required to ensure your staff remain aware of current threats, maintain diligence when dealing with sensitive information, and know how to recognize and report nefarious attempts to gain access through email attachments, social engineering and other methods.
Would you like to learn more about ensuring your staff are aware of IT security risks and are managing these risks effectively?
Give us a call to discuss how we can help you address what may be keeping you awake at night.
In Part 2, we will discuss some specific topics to be included in an IT Security Awareness Program.
Great article. In my experience, one way to help get employee buy-in is to show them how (and why!) to apply the same IT security to their personal online environment, even to the point of making some aspects an employee benefit to encourage them to develop such a personal IT Sec practice. This has 2 benefits: they see it is important both at home and work, and it provides for a consistent IT experience in both, so they are more likely to be aware and follow corporate IT policy (because they are following it for themselves at home).
Great comment Robb! In fact, Part 2 of this blog (which will be published soon) specifically talks about using the personal aspect of infosec awareness to promote security in the workplace. Thanks!
Thanks, Brian. Just had another thought: the more global the company, the more specialized infosec training has to be. Different cultures' understanding of property, security, integrity and loyalty are VERY different, and training must bridge those gaps.