This is an actual picture I took in a café of an unattended pile of documents marked “Confidential.” It blew my mind. If only this employee’s C.E.O. or C.O.O. could see this obvious disregard for the material’s confidentiality. Anyone could have grabbed the documents, peeked at the data, or… snapped a photo.
Sometimes the biggest cyber threats come from within an organization in the form of a disgruntled employee or an honest but negligent staff member. According to Ponemon’s 2016 Cost of a Data Breach Study, human error (negligent employees or contractors) was the cause of 25% of the breaches included in the study. No matter how sophisticated the IT security defenses are, an employee’s moment of bad judgment can lead to a costly data breach.
Here are six ways to teach your employees to safeguard your company and client data.
1. Policies and Procedures
Develop written information security guidelines on how to treat company data and property such as documents and mobile devices. Make sure that the information is readily available by posting security tips and tricks around the office or circulating them through e-mail. Update these policies as threats evolve.
2. Employee Awareness Training
Phishing e-mails lure employees into clicking on a link that delivers malware, redirects them to a page running malicious code, or presents a look-alike login page that harvests their credentials. Teach your staff how to identify scams, how to report them when a threat or scam is discovered, and how to adhere to physical IT security best practices. Use classroom sessions to reinforce your policies and procedures regularly.
3. Phishing Program (Test Runs)
Using a service that simulates a phishing scam will help identify employees or contractors who are susceptible to falling for a scam and also pick out those who need further awareness training. Treat the results as a training signal rather than grounds for discipline; staff who fear punishment stop reporting the suspicious messages you most need to hear about.
4. Data Encryption
A lost or stolen device can lead to a breach. Encrypting data will help protect it against prying eyes, and since most state breach notification laws still provide “safe harbor” against notification where the lost device was encrypted, it is advised that all mobile devices be fully encrypted before issuing them to roving employees. Note that full-disk encryption only protects a device that is powered off or locked; it must be paired with a strong unlock passphrase, and the recovery key should never be kept with the device. These laws are also changing, so check the current statute in each state where you hold client data.
5. Role Based Access
Provide employees with access to data on a need-to-know basis (the principle of least privilege). This way, if their login credentials are leaked or stolen, or if they decide to go rogue, they are only as dangerous as their access level. Review access when people change roles or leave, since stale permissions accumulate otherwise.
6. Password Policies
Enforce the use of strong passwords: favor length over complexity rules, screen new passwords against lists of commonly used and breached passwords, and make sure they're changed promptly whenever compromise is suspected. If you rotate on a fixed schedule, keep in mind that current guidance (NIST SP 800-63B) no longer recommends forced periodic changes, since they push users toward predictable variations of the same password.
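As an added example that is not part of the original article, the following Python function shows what a password policy along these lines looks like when it is actually enforced at account creation or password change. The minimum and maximum lengths are assumed policy values, and the breached-password deny-list is a constructed handful of well-known weak passwords hashed locally; a real deployment would load a large breach corpus or query the Have I Been Pwned range API instead.

```python
import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 12    # assumed policy value; NIST SP 800-63B requires at least 8
MAX_LENGTH = 128   # cap so long passphrases are accepted but hashing cannot be abused

# Constructed deny-list: a few commonly breached passwords, stored as upper-case
# SHA-1 digests the way breach corpora (e.g. Have I Been Pwned) distribute them.
_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Password1!", "welcome1")
}


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def sha1_hex(password: str) -> str:
    """Hash the candidate the same way the deny-list is stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password(password: str, username: str = "") -> PolicyResult:
    """Return every policy rule the candidate password violates (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # A password that embeds the account name is trivially guessable from the login page.
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    # Reject "aaaaaaaaaaaa"-style passwords that satisfy the length rule but nothing else.
    if len(set(password)) <= 2:
        reasons.append("too few distinct characters")
    if sha1_hex(password) in _BREACHED:
        reasons.append("appears in breached-password list")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate, user in (("Password1!", "alice"),
                            ("alice-loves-security", "alice"),
                            ("aaaaaaaaaaaaaaaa", "bob"),
                            ("correct horse battery staple", "bob")):
        result = check_password(candidate, user)
        print(f"{candidate!r}: {'accepted' if result.ok else 'rejected: ' + '; '.join(result.reasons)}")
```

Returning the full list of violated rules, rather than the first one, lets the login page tell the user exactly what to change; comparing hashes rather than plaintext means the deny-list itself never has to hold readable passwords.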
Employee awareness training is as critical to the organization’s overall information security measures as any firewall or anti-virus software. A staff that's able to recognize threats and respond accordingly will be well guarded against most everyday cyber vulnerabilities.