What should your employees know about computer security?

The number one threat against the security of your information system is the insider threat. Make sure your employees know how to safely operate computers. Failure to do so is a lack of due diligence on your part.

Here’s what employees should know at a minimum:

What type of information does your company process?
What are the basic responsibilities of employees for information security?
What are the components of the organization’s password policy?
What are the security best practices that employees should follow?
What qualifies as a clean work area that supports safety?
What types of threats should employees be on guard against?
What are some common attack methods?
What actions should employees take when an attack occurs?
What are the company email policies?
What are the company’s web browsing and social media policies?

Your employees need to be aware of how raw data is processed to create insights and how your business uses it to make important decisions and profit.

Get it wrong and the company loses.

People who work for you and third parties who come into contact with your system should be viewed as potential threats. That is why there must be an information security plan in place and everyone must be aware of it. Anything less is the equivalent of being caught with your proverbial pants down around your ankles.

Each employee is responsible for computer security and for the protection of their digital assets. People who obtain and process company data must be aware of all their responsibilities. Those who work for you must be aware and responsible.

Every person who works in your organization should be security conscious and know what to do in the event of an attempted or actual attack. Anything less and your people will fail.

Everyone should know how to maintain a secure workspace, where sensitive papers are kept out of sight. Workers need to know how to lock their keyboards to prevent passersby from viewing screens and accessing terminals.

Everyone in the company must know how to create and maintain strong passwords or use multi-factor authentication. Passwords must be complex and be changed regularly. A digital security program for the entire organization should be maintained and regularly evaluated.

Security-related policies should conform to best business and industry practices. They should be part of every employee’s security awareness training. For example, the people who work for you should know that storage media brought in from off-site should be properly scanned before being connected to your information system.

Your people should be aware of common attack methods used by cybercriminals and others. A seemingly innocent request for information over the phone could be the start of a social engineering attack designed to obtain crucial information to break into a company’s system.

Email should be covered by the organization’s policies for protecting sensitive information. Again, having policies should be part of an organization’s due diligence effort to keep cybercriminals at bay and out of your system. Your workers must know how to handle the various situations that arise. Simply clicking on a malicious link could compromise your entire system.

Using social media platforms and browsing the Internet could open up multiple avenues for malicious users to break into your system. Your employees need to know what is considered an acceptable practice when it comes to using Internet resources. Your company could be held liable, for example, if an employee wrote something derogatory about an ethnic group, or if company assets were used for illegal purposes without the company’s knowledge.

Maintaining the confidentiality, integrity, and availability of your company’s mission-critical information requires those who work for your company to have the tools to do so. Having a formal information security plan is a basic necessity. You are in real trouble and you have already lost the battle against cybercriminals if you do not have a plan. And if you have a plan and your employees don’t know about it, the same is true.

You need to start treating computer security as a business process.

Author: admin
