5 Ways to Increase Security Among Non-Technical Staff
James Evans
With security threats on the rise, the last thing you need is for your own staff to be unintentionally damaging your business. However, without proper training, that’s exactly what is happening; insider threats are costing businesses billions, and many of the issues stem from accidental rather than malicious actions.
These accidental, but damaging, actions can include:
- Failing to install vital updates to security and anti-virus software, leading to weak security and the potential for one or many machines to be compromised.
- Using weak or reused passwords, which increases the likelihood of someone gaining unauthorized access to your network. Choosing stronger passwords but writing them down also damages security.
- Opening zipped attachments from suspicious emails, causing malicious software to be downloaded to your network.
- Giving out confidential information or passwords in the mistaken belief that the person asking is entitled to that data (phishing).
- Forgetting or leaving laptops, mobile devices, or USBs where someone could steal them and the data on them.
If you work in a medium or large-sized organization, it’s likely that you’ve experienced some or all of these scenarios. Don’t forget that for each one you know about, there could easily be another potential disaster you have no knowledge of – until it’s too late.
So how can we get non-technical staff to follow security best practices?
We’ve collected 5 top tips:
Employ Effective Security Awareness Training
If you want your employees to be aware of security dangers, you need to provide appropriate training. This training shouldn’t be a last resort, or an afterthought, but something that occurs as part of the onboarding process, and then as regular reminders.
Often the biggest problem with security training is that it is boring and seemingly irrelevant to most workers. Most security training is old-fashioned and outdated in its approach, resorting to long PowerPoints and lectures that have little chance of grabbing the attention of the average worker.
To be effective, you may need to adopt different learning approaches: employees are often far more likely to remember what they’ve learnt when a collaborative approach is used, getting people personally active and involved in the learning process.
You may also need to tailor your message to different audiences, because not every employee is exposed to the same risks or requires the same training. By writing the message to suit the audience, you can save time and ensure that the lessons each group needs to learn aren’t lost amongst less-relevant parts of the training.
Focus on the Biggest Threats
Overloading employees with training on every aspect of security often results in them remembering nothing. Before starting your training, do a risk assessment on your enterprise security and work out which threats are potentially going to cost your business the most. The biggest threats will vary depending on your industry and the typical behaviour of your employees.
For example, if your employees rarely take business laptops off-site they are less likely to be at risk of losing a machine or leaving it unattended. However, you might have established that your password security is dangerously poor. Focusing on these threats first will deliver the strongest possible result for your security in the short-term, and provide a platform on which you can build for the future.
Establish Security Champions
Your IT team can’t be everywhere at once, and you shouldn’t expect them to be. To ensure that security becomes a key part of your business, you should consider recruiting security champions from within other departments of your business.
These champions don’t have to be security professionals – in fact, the whole point is that they aren’t! Instead, they are members of these teams who are given the responsibility of championing security by reminding other team members of your security policy, inviting them to training, and keeping them accountable. This brings us to the next point…
Accountability Trumps Awareness
Security awareness programs offer just that – awareness. But awareness doesn’t always breed action. We’re all aware of the health issues associated with smoking, yet according to the World Health Organization 1.1 billion people, a third of adults, still smoke[i].
To change this awareness into action you need accountability.
When someone breaks your security policy you must follow through on disciplinary procedures as you would for any other breach of policy. To ensure this accountability takes place it is essential that both HR and upper management buy in to the importance of enterprise security and are actively involved with helping the organization improve its behaviour.
Help Your Employees Stay Secure
One of the biggest problems with enterprise security is that even with training, employees will still take actions that reduce your organizational security. This will be true regardless of how much time, money, and effort you spend on training.
To reduce this, your responsibility is to minimize how often employees face these temptations. This means ensuring that endpoint devices are properly secured and that users are only given the access rights their role actually requires.
One of the best ways you can do this is by securing your infrastructure and apps with a SaaS security solution like Onion ID. Onion ID provides a wide range of features to help businesses increase their security.
For example, one of the many ways Onion ID can help your employees avoid unsafe behaviour is through its password manager. Instead of requiring users to use and remember a long list of secure passwords (which inevitably results in insecure behaviour), Onion ID creates and remembers secure passwords for them, ensuring that users only need to remember a single set of security credentials.
[i] Sharecare.com, “How many people around the world smoke cigarettes?”, https://www.sharecare.com/health/quit-smoking/how-many-world-smoke-cigarettes