We’ve all heard the cliché that staff are a company’s greatest asset and potentially its greatest risk. And it’s never been more true than now when it comes to data security.
Employees are the first line of defense against cyber-attacks, and also, potentially the company’s most glaring vulnerability.
Seventy-three percent of surveyed U.S. employees indicated that their company provides sufficient training on how to protect sensitive information, according to a report by the data loss prevention firm Clearswift. However, virtually the same percentage—72%—of IT professionals indicated that their employers are not doing enough to train employees on this topic.
Employees don’t need to act maliciously—their carelessness can be just as detrimental. Companies need to ensure that training, policies, and technology are in place to minimize that risk. A 2015 report by Intermedia found that 93 percent of employees surveyed admitted to engaging in at least one form of high-risk network activity – from sharing account credentials to installing non-sanctioned applications.
In a time when data breach incidents have increased in frequency and sophistication, cybersecurity should be a commonplace topic of discussion in every boardroom. Critical information needs to be managed at the highest levels or it could jeopardize the reputation and ultimately the future of a company.
In order to prevent these incidents, employees must be trained to be aware of security threats and to follow the internal security procedures you’ve put in place to protect against such threats. Here is a list of topics that should be included in any security training and awareness program.
1) AUTHENTICATION
All employees must use complex passwords, and must never disclose these passwords to anyone. Passwords should be unique (not a rehash of their Gmail or Amazon credentials), and they should be changed at least every 90 days.
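As an added illustration of the policy above (example code, not from the original post or from SLPowers), the following Python checks a proposed password against a small policy: a minimum length and character-class count (both assumed here, since the post only says "complex"), a constructed list of known-weak passwords, reuse of any previous password (compared by salted hash), and the 90-day rotation interval the post specifies. The hashing is SHA-256 for brevity; a production system would use a purpose-built password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import string
from datetime import date, timedelta

MAX_AGE_DAYS = 90        # rotation interval stated in the policy above
MIN_LENGTH = 12          # assumed minimum; the post does not give a number
MIN_CHAR_CLASSES = 3     # assumed: at least 3 of lower/upper/digit/symbol

# Constructed sample of passwords that are commonly reused or already breached.
KNOWN_WEAK = {"password", "welcome1", "summer2015", "letmein"}


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 used only for the reuse comparison in this demo.
    Real systems should store bcrypt/Argon2 hashes instead."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(candidate: str, previous_hashes: list, salt: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    if candidate.lower() in KNOWN_WEAK:
        problems.append("appears on the known-weak password list")
    # Constant-time comparison against the stored hashes of earlier passwords.
    digest = hash_password(candidate, salt)
    if any(hmac.compare_digest(digest, old) for old in previous_hashes):
        problems.append("reuses a previous password")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is strictly older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    salt = "per-user-salt"                      # constructed; one salt per account
    history = [hash_password("Tr0ub4dor&3xample!", salt)]
    print(check_password("short", [], salt))
    print(check_password("Tr0ub4dor&3xample!", history, salt))
    print(password_expired(date(2015, 1, 1), date(2015, 4, 15)))
```

The reuse check compares hashes rather than plaintext so the history store never needs to hold old passwords in the clear; the known-weak list stands in for the "not a rehash of other credentials" rule, which can only be enforced against breached-password data, not against accounts at other providers.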
In the event that an employee’s computer, laptop, tablet, or smartphone becomes lost or is stolen, a strong password is the first defense against compromised data and the penetration of your company network.
Organizations in especially value-laden (high-risk) industries should consider using more advanced techniques, like multi-factor authentication.
2) NETWORK CONNECTION
Public Wi-Fi networks pose a significant risk, as attackers often set up their own Wi-Fi networks in public places with the sole intent of intercepting users’ Internet traffic. To the unsuspecting among us, these networks look 100% legitimate. But connecting to that free Wi-Fi can hand the attacker your passwords and other sensitive information. Employees should be prohibited from using public Wi-Fi on business-use devices.
A relatively low-cost method for secure data transmission is a VPN (virtual private network). A VPN creates a secure “tunnel” back to the corporate network. Traffic inside that tunnel is encrypted, so it is essentially scrambled until it reaches its destination.
3) PHYSICAL SECURITY
Mobile devices should never be left in a car.
They should never be left unattended in public places like conferences, airports, restrooms, public transport, etc.
The devices should be kept with the user the whole time, or stored in a facility with no public access – e.g., a room or an office that is locked when no one is present.
4) BASIC DAY-TO-DAY SECURITY PRACTICES
Anti-virus and anti-malware software should be installed on every machine at the corporate level, with successful updates automatically verified.
Only approved applications should be installed and allowed to communicate with the Internet.
Employees need to be trained that links in emails should be checked before they are clicked. Hovering over a link will display where a click is actually taking them. Suspicious sites are to be avoided.
Clicking on banner ads should be avoided. Hovering over a link, and opening seemingly legitimate addresses in a separate browser session, provide rudimentary protection. But common sense should prevail. Your employees should understand that annoying pop-up ads for flatter abs, real estate riches, and bolstered sex appeal are probably just spreading malware. An intelligently deployed and actively managed web filter is a must.
When it comes to protecting a company from its own employees, you need to strike a balance between reasonable access and companywide information security. Contact SLPowers today, and let our security experts help you customize a mix that’s right for your organization, and effectively secure your most valuable asset: your data.
Categories: Data Loss Prevention, Data Security, Employee Security Training, Internet Security