Every year, the culprit that tops the list of information security risks is the same one as the previous year, and the year before that: your employees. Sure, hackers and technical failures get a lot of attention, but time and again it is the low-tech failures of employees that lead to security incidents and data breaches. To be clear, it is rarely the disgruntled employee, but more often the apathetic or unaware employee who clicks the phishing link or lets the bad guy into the building. And, unlike the technological safeguards that can cost you thousands of dollars, remedying the issues with employees doesn’t have to cost a lot of time or money. However, it can still have the biggest payoff. Here are three easy things you can do to immediately reduce the risk to your sensitive information, and in doing so, truly make “security everyone’s business.”
1. Policies and procedures. Yep, you have to have policies and procedures. How can you possibly expect your employees to do the right thing with sensitive information unless you write it down and tell them? You need to tell them WHY (policies) and HOW (procedures) to properly collect, use, store and share sensitive information. If it is important enough to expect every employee to do it, it is important enough to put in writing. That said, nowhere does it say your policies and procedures have to be five binders deep and a hundred pages each. I have yet to see that stipulated in any law or regulation. Indeed, the most effective policies and procedures are short and sweet and provide resources for employees who want to ask questions or dig deeper. Your policies and procedures simply need to address the risks to your business and be accessible and understandable. Better yet, you probably already have some of these in place. So, all you need to do now is make sure they are current, and you are ready for step 2.
2. Training. The wisdom in your policies and procedures cannot be turned into reality unless you bring that wisdom to your employees through an effective and regularly administered training program. Again, it doesn’t have to be expensive, time-consuming or complicated. You simply need to find a way to get your employees’ attention, help them learn the WHY and HOW of information security, and set the expectation that protecting information at your company is indeed part of everyone’s job description. At a minimum, you should be training all new hires, and training all employees at a regular interval (e.g. every six months or every year).
You can do this training in person yourself, or bring in someone to do it. (Indeed, we in the Data Privacy and Security Practice offer such training for our clients). You can also choose an online solution. There is no set way of doing this. That said, if I had a recommendation it would be for you to do it in person. Why? Well, you will likely find out what I have. Whether training my own employees as a Chief Privacy Officer, or training the employees of a client, I have consistently found that employee training is not a one-way street. You will find out as much about how your company and employees use information as your employees will learn about safeguarding it through your policies and procedures. Better yet, if your training is engaging and you make it personal and useful (privacy and security is not limited to the workplace, after all), your employees will be good stewards of your company’s information and may very well become your “forward sentries” on the lookout for problems and escalating them. I always preferred to hear of a problem from an employee rather than a customer, reporter or opposing counsel.
3. Awareness program. Lastly, it is not enough to train your employees once, or maybe twice a year. If your employees are doing their jobs, chances are they are busy focusing on making widgets or answering your customers’ calls. This is not a bad thing. That is why you have to take steps to keep information security on their minds. You can do this by administering an awareness program.
“What, Scot? Another program? You said this would be easy.” It is. An awareness program can be nothing more than sending a weekly e-mail with three bullet-point reminders from your policies and procedures. Or, perhaps you send around an email or post a newsletter or poster in the break room sharing the latest phishing attack or reminding employees not to fall for the W-2 spoof (it is tax time). Everything I just described takes less than 10 minutes a week. Cut, paste and post. Make it simple, but engaging. Not only will your employees take notice, one of them may be the one you need to spot and report an issue before it becomes something worse.
Finally, make sure you document your efforts. You should always get credit for your efforts, especially when you have a breach and regulators or opposing counsel want to see if your company was asleep at the wheel. As with policies and procedures, having a training program provides documented support that your company places a priority on information security and on meeting its commitments to its customers.
And who knows? Following these three simple steps might keep your company from joining the thousands of companies compromised by the “enemy within.”