[BreachExchange] 4 Ways Every Employee Can Play a Role in Their Company’s Security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 26 19:45:01 EDT 2018


http://infosecisland.com/blogview/25048-4-Ways-Every-Employee-Can-Play-a-Role-in-Their-Companys-Security.html

With what seems like a constant stream of data breach headlines, security
is top of mind for many companies, some of which are having to think about
it for the first time. The truth is that security is a company-wide
commitment. While you might ask what role you could play in that world,
there are a number of steps you and your fellow employees can take to help
keep threats at bay.

1. Get familiar with your company’s Chief Information Security Officer (CISO)

It’s obvious but bears repeating: it is the Chief Information Security
Officer’s job to ensure the security of the company and its employees. Too
often, employees treat the security team as an entirely separate entity, and
that is exactly the kind of culture that needs to be addressed and unified.
Security touches every part of a company, and only by hearing concerns from
employees at every level and in every department can a CISO develop a
strategy that addresses every facet of the business. Perhaps you recently
encountered something that could be a good learning opportunity for others
in the company, or you have questions about how to apply the security
procedures in some particular situation. Because threats keep evolving, a
CISO can use all of this information to build a strategy that better
educates and protects both the employee and the company as a whole.
Whatever it may be, those doors should always be open for discussion.

2. Actively participate in ongoing security training

Just as a company would run drills to prepare for potential disasters, it
also needs to train for security threats. Keeping a steady drumbeat of these
drills will pay off in the event of an actual attack. Each employee should
have a general understanding of where the risks lie and should be well
versed in things like spotting phishing attempts, choosing strong passwords,
and properly protecting equipment like laptops and USB drives.

These drills might include a company-wide “friendly” targeted phishing
campaign built from publicly available information, the same way a real
attacker would build one. The point of the exercise is to give people
exposure in a safe and controlled setting rather than by trial by fire.
Human error is unavoidable, but by simulating an attack, employees learn to
recognize a lure, report it quickly, and respond as a unified team.

3. Speak up before it’s too late

This is where every single employee in a company needs to take
accountability. No single member of the security team can oversee every
person and every process in a company, and individuals are often more aware
of potential gaps in their own department than the security team is. Being
proactive and raising the concerns you have about the security of your
immediate work environment, team, or department helps the security team
address threats before they evolve into something worse. This brings me back
to point number one: establish that relationship with your CISO so that when
you do recognize a potential threat, those conversations are more likely to
happen before it’s too late.

4. Understand that you are critical to your company’s security

Everyone in the company can act as a security agent. However, the further
an employee is from the core business functions of the company, the less
aware they tend to be of the critical role they play in company security.
Someone in HR scanning new hire documents into employee folders might
consider themselves fairly removed from security procedures, even though
they’re handling documents that may contain highly sensitive information
like salaries, Social Security numbers, or other personal data. A breach
that exposes this information could be catastrophic and could put the
company in violation of strict regulatory requirements such as GDPR or, where
health information is involved, HIPAA.

While I do understand that learning these measures can feel like an
entirely new job in and of itself, by taking these small and manageable
steps you can help build and maintain a security posture that holds from
end to end. By keeping these things top of mind, you and your fellow
employees can help your company avoid catastrophic data breaches and
protect your own personal data more effectively.