Employees & Your Business Security Program
Last month, we discussed the importance of employee security awareness and the major role employees play in your overall business security. With threats like phishing, password theft and data breaches targeting your business, it's imperative that your employees are not only aware of those threats but also actively participating in your business security program.
In Part 2 of our Small Business Security series, we’ll dive into a few key areas of your business security program, ways to implement tools within those areas and how to get your employees up to speed.
Three Parts, One Goal
Approaching your business security program should be thought of in three parts: implementation, reinforcement and engagement.
Implementing the tools needed to support your data security policies is crucial to your overall business security. This step will focus on ensuring proper setup of programs, hardware and networks, as well as identifying levels of security accountability amongst your employees. This will often depend on specific job roles and responsibilities, as well as employees’ needs for access.
Second, make sure your employees are aware of the threats that commonly target them and your company. This step should focus less on specialized roles and more on the common threats every employee faces, such as phishing and credential theft. Regardless of role or title, employees should know and be encouraged to follow good security habits in the workplace, commonly reinforced through periodic training sessions, educational resources or company-wide notices.
The final step combines your business' security plan with your employee awareness efforts. Getting employees involved in your security efforts can make all the difference. With a little creativity, you can keep good security practices at the forefront of your employees' minds and increase employee participation in your business' security program.
How To: Implement, Reinforce and Engage
In Part 1, we briefly discussed eight areas that should be addressed when building your business security program. Let’s look more closely at some of these areas to see how we can implement processes within those areas, reinforce those processes or ideas within the workplace, and push your employees to engage in your business security efforts.
#1: Authentication
Authentication is the process of verifying that a user is who they claim to be before granting access to accounts, networks or sensitive data. The most common factor in use today is the password: a credential the user creates and memorizes, classified as "something you know."
A second type of factor that has gained popularity in recent years is the security token, "something you have." Tokens take the form of short one-time codes generated by an authenticator app or a dedicated hardware device, codes sent by SMS or email, or a trusted-device check that recognizes whether the phone or computer in use has been seen before ("familiar" vs. "unfamiliar"). Codes delivered by SMS or email are the weakest of these, since they can be intercepted or phished along with the password; authenticator apps and hardware security keys (FIDO2/WebAuthn) are the stronger choice wherever the service supports them.
The third factor, and the newest to reach mainstream use, is biometrics: fingerprint, face or iris scans that test for "something you are." Multifactor authentication (MFA) means access requires two or more different factor types. Two items of the same type, such as a password plus a security question, are both "something you know" and do not count as MFA.
Implement: Multifactor Authentication (MFA)
Reinforce: Require MFA on every work-related online account. Where the service allows it, enforce this centrally (through your identity provider or the service's admin console) rather than relying on each employee to turn it on.
Engage: Include MFA concepts in new-hire onboarding, and use company-wide notifications for periodic reminders. Note that current guidance (NIST SP 800-63B) recommends changing passwords when there is evidence of compromise rather than on a fixed schedule, and that security questions are a weak form of "something you know," not a second factor.
Tip: Require at least two different factor types. MFA adds a verification step that a stolen password alone cannot pass, which matters most for the accounts that reach sensitive business data.
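To make the "something you have" factor concrete, here is an added example (not from the original article or any product) of how the time-based one-time codes produced by authenticator apps work, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The 30-second step, the one-step verification window and the function names are assumptions for illustration; the sample secret is the public RFC 6238 test-vector seed, not a real credential.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the 20-byte ASCII seed from the RFC 6238 test vectors.
# A real deployment generates a random secret per user and stores it encrypted.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian
    8-byte counter, dynamically truncated to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(time / step),
    so client and server derive the same code from a shared secret and a clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window` steps on
    either side to tolerate clock drift. Uses a constant-time comparison and checks
    every candidate instead of returning early, so timing does not leak which
    digits or which step matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(unix_time) // step
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(SAMPLE_SECRET, code, now))
```

Two points worth noticing. A real service must also remember the last counter it accepted for each user, so a code that has been used once cannot be replayed within the window. And because the code is derived only from the shared secret and the clock, anyone who phishes the secret (or the current code, live) passes this check; that is the gap that hardware security keys, which bind the response to the site's origin, are designed to close.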
#2: Network Connection & Device Access
Your employees need to understand the role they play in safeguarding both work-issued and personal devices. The goal is to layer and compartmentalize access to sensitive data so that any data loss event, malicious or accidental, stays contained to a single person, physical area, network segment or device rather than spreading across the business.
Implement: Segmented networks and a BYOD (bring your own device) policy
Reinforce: Clearly define the network(s) available in your workspace and make that information easy for employees to find. Your business should run multiple separately secured networks for distinct purposes, at minimum an internal network for managed, work-issued devices and a guest network for visitors and personal devices, with no route from the guest network into internal systems.
Engage: Make the policies on permitted devices and network connections readily available to employees, along with the requirements and restrictions on using personal devices for work. Encourage employees to keep an open dialogue with your security team, including reporting lost devices or unexpected network behavior promptly.
Tip: Be ready to answer two questions: Who can access each network? Which devices can access which network(s)? If employees use personal or work-issued devices outside your secured network, make sure they understand the risks of untrusted Wi-Fi, especially on devices that hold sensitive company information, and require a VPN or an equivalent encrypted connection for remote access to internal systems.
#3: Data Integrity & Backups
Data integrity, strictly speaking, means that data stays accurate and unaltered; for an employee program it helps to pair it with confidentiality and availability. Encourage employees to think about protecting data in two parts: avoiding unauthorized exposure (confidentiality) and preventing unauthorized alteration or destruction (integrity). Regular, tested backups are what make data recoverable (availability) when either protection fails, so employees should also understand why backups matter.
Implement: Backup service (cloud-based or on-site backup services)
Reinforce: Schedule regular, automated backups so you can retrieve important business information if it's ever lost, corrupted or stolen. Ideally combine cloud-based and on-site copies, and keep at least one copy offline or otherwise isolated from production credentials so an attacker who compromises the network cannot also delete or encrypt the backups. Test restores on a regular basis; a backup that has never been restored is not one you can count on.
Engage: Ensure that employees are aware of any backups that may disrupt day-to-day operations, or the proper steps they should take when backing up individual devices.
Tip: Backups are your primary recovery path after ransomware such as CryptoLocker. Keep point-in-time snapshots (versioned copies taken on a schedule) rather than a single continuously overwritten mirror, so you can roll back to a copy from before the data was encrypted or corrupted. Retain enough history to reach back past the point of compromise, which is often discovered days or weeks after it occurred.
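As an added example (not from the original article; the directory layout, function names and the sample files are assumptions), here is a minimal Python version of a snapshot backup with an integrity check. Each run copies the source into its own labelled directory and records a SHA-256 per file; a verification pass later confirms nothing in the snapshot has been altered or lost, and a restore refuses to proceed from a snapshot that fails that check. The demo at the end walks through the ransomware scenario described above with constructed data.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_snapshot(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy `source` into backup_root/<label>/data and write manifest.json beside it.
    Every call makes a new point-in-time copy; earlier snapshots are never overwritten."""
    label = label or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    snapshot = backup_root / label
    data_dir = snapshot / "data"
    shutil.copytree(source, data_dir)
    manifest = {p.relative_to(data_dir).as_posix(): sha256_file(p)
                for p in sorted(data_dir.rglob("*")) if p.is_file()}
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return snapshot


def verify_snapshot(snapshot: Path) -> dict:
    """Recompute every hash in the manifest. Returns {relative_path: "missing" |
    "modified" | "unexpected"}; an empty dict means the snapshot is intact."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    data_dir = snapshot / "data"
    problems = {}
    for rel, expected in manifest.items():
        p = data_dir / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != expected:
            problems[rel] = "modified"
    for p in data_dir.rglob("*"):
        if p.is_file() and p.relative_to(data_dir).as_posix() not in manifest:
            problems[p.relative_to(data_dir).as_posix()] = "unexpected"
    return problems


def restore_snapshot(snapshot: Path, destination: Path) -> None:
    """Verify first so a tampered or corrupted snapshot is never silently restored."""
    problems = verify_snapshot(snapshot)
    if problems:
        raise RuntimeError(f"snapshot {snapshot.name} failed verification: {problems}")
    shutil.copytree(snapshot / "data", destination, dirs_exist_ok=True)


def prune_snapshots(backup_root: Path, keep: int) -> list:
    """Keep the newest `keep` snapshots (labels sort chronologically); delete the rest."""
    snapshots = sorted(d for d in backup_root.iterdir() if d.is_dir())
    to_remove = snapshots[:-keep] if keep > 0 else snapshots
    for d in to_remove:
        shutil.rmtree(d)
    return [d.name for d in to_remove]


def run_demo() -> dict:
    """Constructed scenario: snapshot a small source tree, let ransomware overwrite the
    live copy, tamper with the old snapshot, and observe what each check reports."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backups = root / "source", root / "backups"
        (source / "finance").mkdir(parents=True)
        (source / "notes.txt").write_text("quarterly targets\n")
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-05,120.00\n")

        snap1 = create_snapshot(source, backups, label="20240105T020000Z")
        results["clean"] = verify_snapshot(snap1)                     # {}

        # Ransomware "encrypts" the live file; the next snapshot faithfully copies junk,
        # which is exactly why older snapshots must be retained.
        (source / "notes.txt").write_bytes(b"\x00ENCRYPTED\x00")
        snap2 = create_snapshot(source, backups, label="20240106T020000Z")
        results["snap2_intact"] = verify_snapshot(snap2) == {}         # True

        restore_snapshot(snap1, root / "restored")
        results["restored_notes"] = (root / "restored" / "notes.txt").read_text()

        # Someone edits a file inside the old snapshot; verification catches it
        # and restore refuses to use it.
        (snap1 / "data" / "finance" / "ledger.csv").write_text("date,amount\n2024-01-05,999.00\n")
        results["tampered"] = verify_snapshot(snap1)
        try:
            restore_snapshot(snap1, root / "restored2")
            results["restore_refused"] = False
        except RuntimeError:
            results["restore_refused"] = True

        results["pruned"] = prune_snapshots(backups, keep=1)           # oldest removed
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest here lives next to the data, so anyone who can write to the backup volume can rewrite both; in practice the manifest should be copied to a separate location (or signed) and the snapshot directory made read-only or stored on immutable/offline media. That is the same isolation point made in the Reinforce step above.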
#4: Software Patching
Regular software patching keeps your business ahead of attackers. Many intrusions exploit vulnerabilities for which a fix was already available, so applying patches promptly closes the holes attackers actively scan for.
Implement: Policies and requirements for security patches (e.g. critical patches applied within a set number of days, with shorter deadlines for internet-facing systems, and a defined list of devices in scope)
Reinforce: Require that every device in the workspace runs supported, fully patched software, and turn on automatic updates wherever practical. An asset inventory plus regular reporting and auditing lets your IT/security team spot devices that have fallen behind.
Engage: Educate employees on the importance behind regular software patching. Encourage your employees to keep both personal and work-issued devices updated with the latest versions of software.
Tip: For our IT/security readers, subscribe to alerts from US-CERT (the United States Computer Emergency Readiness Team, whose functions are now part of CISA) and monitor the Common Vulnerabilities and Exposures (CVE) list, which catalogs publicly reported vulnerabilities by identifier. Both help you track newly disclosed vulnerabilities and the patches that address them; the CVE list itself doesn't ship fixes, so pair it with your vendors' own security advisories.
Security-Aware Employees Make Secure Businesses
While your business security program will be different when compared to other companies, your goals remain the same: uphold proper security standards to protect your business’ sensitive personal and financial information.
Keep good security practices at the forefront of your business and implement training where necessary for your employees. Remember, your business security program is much more effective when your employees participate.
Continue following Fighting Identity Crimes to stay up on the latest breach and scam news, as well as find expert ID protection tips to help continue securing your identity.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.