- About Us
Your employees are the greatest assets for your organization. When it comes to data security, however, they could also be the weakest links. For that matter, the largest number of data breaches don’t happen because of cyber-attacks as we would normally guess.
The number one cause has appeared to be human mistakes, according to a study conducted by Ponemon Institute.
The following infographics captures the top 10 riskiest employee practices that are listed in this study.
So what can you do to protect your business and reduce these risks? While it is very important to manage and monitor employee privileges and entitlements, it is also crucial to make sure that your employees understand your security guidelines and practices. Don’t assume they know it all. Training employees about IT security policies and procedures empowers then and help them avoid the common mistakes that could occur.
There are things you need to take into consideration when planning your employee IT security training. Here are some great tips that we are publishing with permission from ESET’s blog welivesecurity.
1. Educate your staff about the dangers
Assume that most of your employees will know little about the dangers that exist on the Internet and the threats to your business. Arrange a training session for employees, either all at once or in groups, depending on the size of your business. If you don’t feel you have the expertise in-house to do this, hire a specialist consultant to do the awareness training. However you do it, ensure the training includes essentials such as guarding against malware, protecting passwords, identifying and preventing a phishing attack, protecting company data and safe mobile computing. Assuming you have put the technical resources in place for security, such as endpoint security software and network firewalls, much of the training can focus on soft skills such as not falling for social engineering tricks.
Try and make the sessions as friendly as possible and be realistic about the threats without sensationalizing them. You want your staff to feel motivated about security and protecting the business, not scared into inactivity. People are more likely to be more security aware if they feel they are part of a team and have a shared responsibility for the sustainability of the business.
2. Produce a safer computing guide
A printed set of guidelines on safer computing is highly desirable. This should include information on the threats and data risks that would have been covered in your training sessions. It should also make staff aware of the company’s security policies and the acceptable use of all company IT equipment – this would include not just security measures but also what is not allowed such as visiting restricted sites.
These days, many staff bring their own devices to work and their use should be covered in the guide. It should also make staff aware of their responsibilities to protect company data and equipment. Make it better than the average company booklet. Make it interesting and engaging: use illustrations if possible to highlight security issues and list examples of real life scams. Ensure every member of staff has a copy and that all new staff are given a copy as part of a welcome pack. Finally, because online security changes all the time, the guide should be reviewed and revised as often as needed.
3. Draft an Acceptable Use Policy
Depending on the size of your business it’s important that you get employees to read and sign an Acceptable Use Policy (AUP) agreement. This will outline exactly what is and isn’t allowed when using company IT equipment, networks and email services. It should also make clear what the penalties are for breaking the rules. Remember that the company may well be held responsible for data breaches caused by employee negligence or illegal activities committed on company PCs. If your company is not large enough to have its own HR department then employ an employment law specialist to help you draft an AUP to make sure it is legal, fair and reasonable. Above all, make sure your employees understand that the AUP is a serious legal document, an integral part of their employment agreement, and that by signing it they are bound by its terms.
4. Keep reminding people about security
Threats and types of malware continue to evolve as do the legal obligations on businesses to protect data. Because of this you need to maintain security education to take account of changing conditions. Aim to hold refresher training sessions, as often as every six months, and update your security handbook as and when required. Put up posters. Put reminders on desks. Continue the dialogue with your staff and make them feel part of the process to keep the business secure. Make secure thinking second nature as much as good timekeeping or being professional with customers or clients. Security should not be an afterthought or a chore but a shared responsibility.