As an IT security leader, you understand the importance of having and following corporate policies to protect and defend your systems and the assets that they retain. You and your security team work diligently to know the latest threats, prepare for possible intrusion, and harden your network. Despite all of your efforts, a lot of holes remain until the rest of the workforce understands one essential truth: Security is everyone’s business.
Why? Because according to a recent survey conducted by the Wall Street Journal, companies have identified employees as the single biggest cybersecurity threat to an organization[1]. Whether using insecure networks, sharing passwords, or falling victim to scams, employees can allow access to your system without even being aware of it.
The growing reliance on remote workers has only increased this risk. Every new device and personal home network that touches your systems is another place to attack. Add to that the lack of oversight that comes with not being able to see what remote employees are doing, and your company may be in a challenging position.
With all of these added hazards, it is critical that employees receive training on how to avoid putting the organization at risk. As an IT leader, it is up to you to get them ready. You will need to train staff on how to behave, make clear what to do (and what to avoid), and enforce these behaviors.
How can you ensure that policies are followed? Create a security culture.
Make sure that employees are aware of the issues, know how to respond, and prioritize security in their everyday behavior. We will discuss some of the top steps that you should take immediately to prepare your employees and protect your organization.
Share the Risks with Every Employee
The first step that you should take is to identify the potential risks and let everyone in the organization know about them. Many employees simply don’t know or understand what they are doing to make the organization vulnerable.
Explain to them in clear language why it is important that they follow the policies. Be sure to include the impact to both your company and to them and their colleagues. A message such as “the costs of dealing with these types of breaches can lead to layoffs” may resonate more than “we all need to keep the company safe.”
Help Employees Identify Threats
While you may be able to quickly spot a scam or recognize an insecure network, your employees may not. Give them concrete examples of what malicious activity looks like and tell them how to respond (and whom to report to) when something doesn’t seem right. Employees may not know what a phishing email looks like, for example, but they can be taught to notice misspellings, basic grammatical errors, urgency and threats (“your account will be suspended”), links whose visible text does not match where they actually point, look-alike domains, low-resolution or incorrect logos, and the other hallmarks of these messages.
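The link checks described above can be automated so that the mail gateway or a help-desk triage script flags the same indicators you are teaching people to spot. The following is an added example, not code from the original article; it uses only the Python standard library, and the sample message, the trusted domain `example.com`, the `check_link` and `scan_email` function names, and the look-alike character table are all assumptions made for the illustration. It flags three of the link patterns the text mentions: display text that names one domain while the href goes to another, a trusted brand name buried in a hostname owned by someone else, and digit-for-letter look-alike domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): one legitimate link and
# two of the "strange-looking links" that the text describes.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Verify at
<a href="http://login-example-com.verify-now.net/">https://www.example.com/account</a>
or contact <a href="https://www.example.com/support">support</a>.
You can also sign in at <a href="http://examp1e.com/login">examp1e.com</a>.</p>
"""

# Assumed: the organization's legitimate registrable domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Digits attackers swap in for the letters they resemble, mapped back to the letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (adequate for example.com-style domains)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return human-readable reasons a link looks suspicious (empty list if none)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    target = registrable_domain(host)

    # 1. The visible text names a domain, but the href goes somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != target:
        findings.append(f"text says {registrable_domain(m.group(1))}, link goes to {target}")

    for t in trusted:
        if target == t:
            continue
        brand = t.split(".")[0]
        # 2. A trusted brand name inside a hostname whose real owner is someone else.
        if brand in host:
            findings.append(f"'{brand}' appears in {host} but the domain is {target}")
        # 3. A look-alike domain built from digit-for-letter substitutions.
        elif target.translate(HOMOGLYPHS) == t:
            findings.append(f"{target} is a look-alike of {t}")
    return findings


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the body to its findings; clean links map to an empty list."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the support link comes back clean, the first link is flagged twice (text/href mismatch and the brand name embedded in a foreign hostname), and `examp1e.com` is flagged as a look-alike. The registrable-domain helper is deliberately simple; a production gateway would use a public-suffix list so that `example.co.uk` and similar are handled correctly.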
Likewise, you wouldn’t dream of taking a flash drive that you found in the parking lot and inserting it into a company computer, but in a study conducted by CompTIA that is exactly what nearly 20% of individuals did. In fact, they followed this by performing a number of risky behaviors, including following links to unknown websites and clicking on unfamiliar text files.
Educate Employees on Password Best Practices
Another significant threat is a connected device that isn’t properly protected falling into the wrong hands. With the expansion of the Bring Your Own Device (BYOD) movement, employees are carrying a greater number of varied devices that access sensitive company files, systems, and data. One tablet carelessly left behind at an airport or coffee shop can expose your organization to a number of dangers.
To help mitigate the risks, don’t leave it up to employees to decide whether to lock their phones, tablets, or laptops. Require a screen lock on every device and set minimum requirements for the passcode that make it harder to guess. Prefer length over mandatory character mixes: current NIST guidance (SP 800-63B) favors long passphrases screened against known-breached passwords over rules demanding a mix of uppercase, lowercase, numbers, and symbols, which mostly produce predictable variations. To avoid arguments or excuses from team members, enforce the policy with your device-management tooling rather than by asking: do not allow a device to connect until it reports that the policy is met.
Consider restricting access to devices owned by the company rather than by the employee. This lets you enroll them in management up front so that a lost or stolen device can be immediately and remotely wiped.
Get Leadership Buy-in
One common challenge to organizational security is C-suite team members trying to bypass policies themselves. As leaders, they are used to being able to set the rules (and create exceptions) when they believe that there is a need to do so.
Appeal to their position as leaders and role models for the entire organization. Explain the importance of the policies and ask them to set an example that you can share with employees. This simple appeal could be the difference between executives who model good behavior and protect the organization and ones who endanger it.
The leaders can also be brought in to remind employees of the policies. Through internal communication or demonstrations, C-suite executives can share policies and let everyone in the organization know that you treat these policies seriously.
Leadership is critical in developing an organization’s culture, and security is an important part of this culture. An employee will be far less likely to believe that flouting policies is acceptable if they see the proper behavior modeled for them at the highest level.
Test Employees
Phishing is becoming more and more sophisticated. Unfortunately, that is because it continues to be successful. CSO Online reports that phishing attacks account for more than 80% of reported security incidents.
Even if employees are prepared, bad habits have a way of creeping back in. Regular practice, such as simulated phishing campaigns, helps them keep the good behaviors they have learned. Vary the lures (credential-harvesting pages, fake invoices, messages that appear to come from an executive, text messages) so that they learn to recognize the range of phishing they may encounter rather than one template.
Want to increase participation? Make a game of it. For example, the first one to notice a phishing email is recognized and earns the “cybersecurity award of the week.” You can call attention to people for identifying the malicious emails, but also for taking the proper steps once they do. Do they inform the IT team? Delete the email? Remember that identifying and responding to these attacks are both desired responses.
Following the test, send “best practices” to all employees, showing them how they could have detected the phishing scheme themselves and what to do the next time they encounter it.
Encourage Training and Reward Success
Security should be a part of your company culture from day one. Make it part of the onboarding process, letting new employees know what is expected of them and that security is a part of their job description. For example, your receptionist should not just be a receptionist, but a receptionist who acts as a first line of defense - always vigilant for vulnerabilities.
Continue this training on a regular basis, and update employees on any new or particularly prevalent threats. Rewards do not have to be limited to individual accomplishments. Consider a reward for the entire team after a number of days have gone by without an incident.
Has it been a month in which no one has succumbed to any threats? Offer everyone a small gift card. Rewarding the entire team as one unit encourages them to work together and hold one another accountable.
Use a Virtual Private Network (VPN)
A Virtual Private Network (VPN) is an encrypted tunnel between an employee’s device and your organization’s network. Anyone on the path in between (the coffee shop’s access point, the hotel’s network operator, or an attacker on the same Wi-Fi) sees only encrypted traffic to your VPN gateway; the destinations, contents, and credentials inside it are hidden from the local network. A VPN does not protect a device that is already compromised, and it does not make traffic invisible to your own organization; its job is to keep untrusted networks out of the conversation.
If you have workers who are remote, they are likely accessing your organization’s system via a personal home network or one at a public place. Without a VPN, both can create security risks because they are probably not as secure as the network that you have at your office.
For example, public networks like those found at a coffee house or hotel lobby may not actually be provided by those locations. Malicious actors can simulate a local network by extending their own WiFi networks into these spaces using names that sound legitimate, such as “coffee house internet service” or “hotel network.” Using these networks can enable these nefarious people to monitor your behavior, potentially learning passwords or other critical information.
Even if all of your employees typically work from the office, it is likely that they will at least occasionally rely on an outside network. Travel for business, commuting issues (e.g., if weather or other conditions prevent travel to the office), working over the weekend, etc. can each cause a team member to have to login remotely.
Deploy a VPN and require employees to use it whenever they connect to your organization from outside the office. Require multifactor authentication at login so that a stolen password alone is not enough to get in. This keeps your information private even when the underlying network is not trustworthy.
Build Security by Elimination
It is the unfortunate reality that some employees just will not follow security protocols. They will not only disobey policies but may not even let you know when there is a breach. SailPoint’s 2018 Market Pulse Survey revealed that 13% of employees would not tell the IT department immediately if they had been hacked.
According to the same survey, 15% of employees would be willing to sell their workplace passwords to a third party. These are not team members mistakenly giving away secrets. They are employees who are open to compromising their organization on purpose.
Have a strict policy in place for those who refuse to follow security policies. Be sure that they are trained and that they have been given every tool to enable them to do their jobs securely, then hold them accountable.
Security Is Everyone’s Business — Not IT’s Alone
You already know that it is imperative to follow corporate policies when protecting and defending your IT systems and the assets they hold. You have implemented processes to secure your organization. You need the same commitment from those in other departments.
Security is everyone’s business. It is not confined merely to those with “security” in their job title. Empower team members by keeping them informed of the latest and recurring threats and reminding them why security procedures are important to the entire team.
Require strong passwords on every account and device, and enforce the requirement with tooling rather than reminders; if you mandate periodic changes, be aware that current NIST guidance recommends rotating only when there is evidence of compromise, because forced rotation pushes people toward predictable variations. Reduce the risks posed by third-party applications by limiting who can install them and tracking which ones are in use.
Use a VPN for those working remotely. Periodically test employees with simulated phishing to keep their knowledge fresh, make a game of it, and encourage them to work together for the benefit of everyone. Finally, hold accountable anyone who refuses to make security a priority, up to and including removing them.
For these policies to be effective, everyone needs to follow them. Implement these recommendations and your organization will be that much better prepared when threats appear.