CIOs are not only challenged with protecting company assets but are also tasked with creating a security-aware culture. The aim of this culture is to motivate users to take an interest in security and work in partnership with the IT department. CIOs need to teach employees how to safeguard against the security risks they may face on a day-to-day basis so that they can handle any issues that arise.
There are a number of ways you can create a security conscious culture:
Provide data security training to end users
Your employees are your biggest asset but they are also your weakest link in your security chain. To get your employees on board you need to educate them on how their everyday tasks and ways of working can put the company at risk. Although your employees might have seen your data security policy, have they actually read it and furthermore do they understand it?
The most effective way to train your staff is to educate them face to face or via online programmes. When teaching employees, it’s good to use real examples that employees can relate to: for example, mobile employees not encrypting their devices, or leaving hard-copy contracts on their desks. Using examples helps employees relate to the scenarios, makes them think about what they would do in that situation, and helps them judge the right response.
There are a number of important subjects that you should cover within your data security training plan:
- Basic overview of what data security means and how it affects employees
- How to create and keep passwords safe
- Importance of using passcodes on portable devices
- What to do if you receive a suspicious email
- What to do if you think you have a virus or malware on your device
- What to do if they notice something strange happening on their computer
- What makes a Wi-Fi hotspot secure
Your employees need to know how sensitive data should be controlled, how it should be handled and who should have access to it. You also need to raise awareness of the fact that there is more to protecting data than sophisticated security software. Staying safe online is becoming a bigger challenge for IT departments: with sophisticated CryptoLocker and other ransomware attacks on the rise, relying on a layered approach of technical controls alone simply isn’t enough. Employees need educating on how to spot these attacks and prevent them from succeeding.
It’s not uncommon for employees to think that data security is the responsibility of the IT department. However, it is hard to get employees to comply with and take an interest in something they might not understand. It is important that employees become security conscious and take responsibility for protecting the business, but it is equally important that companies invest time and resources in educating their employees on data security.
A certain level of judgement must be taken when handling sensitive data and your employees need to be made aware of this. A good way to communicate this is to categorise data into levels of confidentiality and give them examples of each type of data. This will help your employees make the right decisions when handling different types of data.
With the rise of bring your own device (BYOD), the onus on employees to protect company assets has never been greater. Your employees should understand not only the importance of encrypting their devices but also how to encrypt them properly.
Clear Desk Policy
Companies tend to focus on their online data and forget the volume of offline data that surrounds their employees’ desks each day. Creating and managing a clear desk policy helps to prevent the leak of offline data. The Information Commissioner’s Office reports that the most common type of incident in 2014/2015 was the loss or theft of paper. This statistic highlights the importance of implementing and enforcing a clear desk policy to reduce data loss.
Your clear desk policy should clearly communicate how your employees should leave their working space when they are absent from their desk. It’s important to remember that employees don’t want to feel like they are being restricted, so the policy should be designed and communicated so it enables people to continue to do their job but in a more secure manner.
Consideration also needs to be paid to what should be done with hard copy data that is no longer needed. Does it need to be filed away or shredded? If data needs storing or shredding you will need to provide your employees with the equipment to do this.
An area that requires further consideration is ‘hot desking’. By its very nature, hot desking means a number of people share desks and may have visibility of personal information left there, which poses further risks to security. Clear desk policies can be hard to implement and manage, but it’s important that your company enforces and promotes this policy.
Conduct Regular Security Checks
Despite the time, money and resources you invest in providing data security training to your employees, there will inevitably be employees who either choose not to follow the rules or misunderstand the guidelines. It’s important to remember that not everyone is programmed to consider security first. Security awareness is about more than educating employees; it’s about changing their behaviour and attitudes towards data security.
There is little point in enforcing rules and procedures if no one monitors the effects. Conducting regular assessments and spot checks demonstrates that these processes should be followed and will be monitored. It also provides a good opportunity for you to identify those who aren’t following procedures and provide them with further training.