Strictly Enforce a Multi-Tiered IT Security Plan for ALL Staff
As new threats arise, it is imperative to keep policies up to date to protect your business. Your employee handbook needs to include a multi-tiered IT security plan made up of policies for which all staff, including executives, management and even the IT department are held accountable.
- Acceptable Use Policy – Specifically indicate what is permitted versus what is prohibited to protect the corporate systems from unnecessary exposure to risk. Include resources such as internal and external e-mail use, social media, web browsing (including acceptable browsers and websites), computer systems, and downloads (whether from an online source or flash drive). This policy should be acknowledged by every employee with a signature to signify they understand the expectations set forth in the policy.
- Confidential Data Policy – Identifies examples of data your business considers confidential and how the information should be handled. This information is often the type of files which should be regularly backed up and are the target for many cybercriminal activities.
- E-mail Policy – E-mail can be a convenient method for conveying information however the written record of communication also is a source of liability should it enter the wrong hands. Having an e-mail policy creates a consistent guidelines for all sent and received e-mails and integrations which may be used to access the company network.
- BYOD/Telecommuting Policy – The Bring Your Own Device (BYOD) policy covers mobile devices as well as network access used to connect to company data remotely. While virtualization can be a great idea for many businesses, it is crucial for staff to understand the risks smart phones and unsecured WiFi present.
- Wireless Network and Guest Access Policy – Any access to the network not made directly by your IT team should follow strict guidelines to control known risks. When guests visit your business, you may want to constrict their access to outbound internet use only for example and add other security measures to anyone accessing the company’s network wirelessly.
- Incident Response Policy – Formalize the process the employee would follow in the case of a cyber-incident. Consider scenarios such as a lost or stolen laptop, a malware attack or the employee falling for a phishing scheme and providing confidential details to an unapproved recipient. The faster your IT team is notified of such events, the quicker their response time can be to protect the security of your confidential assets.
- Network Security Policy – Protecting the integrity of the corporate network is an essential portion of the IT security plan. Have a policy in place specifying technical guidelines to secure the network infrastructure including procedures to install, service, maintain and replace all on-site equipment. Additionally, this policy may include processes around password creation and storage, security testing, cloud backups, and networked hardware.
- Exiting Staff Procedures – Create rules to revoke access to all websites, contacts, e-mail, secure building entrances and other corporate connection points immediately upon resignation or termination of an employee despite whether or not you believe they old any malicious intent towards the company.
“More than half of organizations Attribute a security incident or data breach to a malicious or negligent employee.” Source: http://www.darkreading.com/vulnerabilities—threats/employee-negligence-the-cause-of-many-data-breaches-/d/d-id/1325656
Training is NOT a One Time Thing; Keep the Conversation Going
Employee cyber security awareness training dramatically reduces the risk of falling prey to a phishing e-mail, picking up a form of malware or ransomware that locks up access to your critical files, leak information via a data breach and a growing number of malicious cyber threats that are unleashed each day.
Untrained employees are the greatest threat to your data protection plan. Training once will not be enough to change the risky habits they have picked up over the years. Regular conversations need to take place to ensure cooperation to actively look for the warning signs of suspicious links and e-mails as well as how to handle newly developing situations as they happen. Constant updates about the latest threats and enforcement of your IT security plan creates individual responsibility and confidence in how to handle incidents to limit exposure to an attack.
“Every business faces a number of cybersecurity challenges, no matter the size or industry. All businesses need to proactively protect their employees, customers and intellectual property.” Source: https://staysafeonline.org/business-safe-online/resources/creating-a-culture-of-cybersecurity-in-your-business-infographic
Training Should Be Both Useful Personal AND Professional to Stick
Create regular opportunities to share topical news about data breaches and explore different cyberattack methods during a lunch and learn. Sometimes the best way to increase compliance is to hit close to home by making training personal. Chances are your employees are just as uninformed about their personal IT security and common scams as they are about the security risks they pose to your business.
Expand on this idea by extending an invitation to educate their entire families about how to protect themselves from cybercrime during an after-hours event. Consider covering topics such that may appeal to a range of age groups such as how to control the privacy and security settings on social media, online gaming, etc and how to recognize the danger signs of someone phishing for personal information or money both via e-mail and phone calls. Seniors and young children are especially vulnerable to such exploitation.
Don’t Make a Hard Situation Harder; Remember you WANT red flags reported
Making ongoing security training a priority will greatly reduce repeat errors and prevent many avoidable attacks, however mistakes happen. It can be very embarrassing and a shock to ones pride to acknowledge their error and report involvement in a potential security breach. Your first instinct may be to curse and yell, but this would be a serious mistake. Keeping calm and collected is the key to the trust needed for employees to come to you right away, while they are feeling their most vulnerable.
For this reason, treat every report with appreciation and immediate attentiveness. Whether the alert turns out to be a false alarm or an actual crisis, avoid berating the employee for their mistake no matter how red your face may become.
When situation is under control, take an opportunity to thank them for reporting the situation so that it can be handled appropriately. Remember it takes a lot of courage to step up when you know you were to blame. Help the employee understand what to look out for next time is it was something that could have been prevented such as a user error.
Cyber Training Recap
- Implement a Multi-Tiered IT Security Plan Strictly Enforced for ALL Staff
- Training is NOT a One Time Thing;
- Keep the Conversation Going
- Training Should Be Both Useful Personal AND Professional to Stick
- Don’t Make a Hard Situation Harder; Remember you WANT red flags reported