[BreachExchange] Staying Safe- Easy Ways to Create a Culture of Security in Organization

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 5 19:11:48 EDT 2018


https://www.tmcnet.com/topics/articles/2018/06/04/438360-staying-safe-easy-ways-create-culture-security-organization.htm

Do you let your employees bring in their own personal devices, including
unsecured laptops? You might say that you are committed to security, but if
you permit these things, you leave your organization wide open to loss of
data. You might think that nothing bad can happen to you, but is it really
worth the risk? Staying up to date on the latest news regarding the latest
malware to attack cell phones, tablets, and more is only a part of the
bigger picture. There’s a good chance that there are causes of data loss
and theft that you are completely unaware of. For instance, your employees
could be taking advantage and letting in malware. While some instances may
be unintentional, many more are done with bad intentions. Whether
or not you can trust your employees is one part of the issue. Your major
concern should be with creating a strong security plan that actively works
to keep your organization safe. Here are 5 easy ways to create a culture of
security in your organization.

Get the Tech Right

In order to create a culture of security, it’s essential that your
organization and your systems are secure. Your first step should be to
take an inventory of all devices (professional and personal) that are being
used to access sensitive information, as well as where this information is
being accessed. Personal devices shouldn’t be used to access sensitive
files. Nor should work devices be connected to free wi-fi at the local café.

If you provide your employees with work devices, make sure that they are
encrypted. Mobile device management (MDM) should also be used, which
enables your IT personnel to clear a device in the event it is lost or
stolen. It also enables you to see how employees are using data. And
geofencing provides real-time protection by restricting access to work
devices when they are taken outside of a specific range.

Lock down your in-house systems, protecting them from malware with web
scanning tools and firewalls. You can also use SSL certificates to protect
communications with customers, including during credit card transactions.
You should also take a close look at your SDLC (Security Development
Lifecycle) to ensure the best security practices.

Identify the Biggest Security Risks

Creating a culture of security involves identifying your biggest risks to
security in the first place. It might be from unsecured devices coming into
the office, or it could be unsecured backups. It could also be your
employees themselves. Require a screening prior to hiring, as well as a
background check. Look for red flags, such as excessive job hopping, or
someone who continually refuses to set their devices to ask prior to
connecting to a free wi-fi signal.

Password security. Passwords provide a level of protection, but not all
passwords are created equal. Have your employees regularly change their
passwords, but make sure that they do not repeat old passwords.
System-generated passwords can help boost strength. Along with regularly
updating passwords, make sure that you block the access of former
employees immediately after they leave the company. Otherwise, former
employees can easily access sensitive information. Not only that, but old
passwords that have not been changed in a long time increase the risk that
hackers can get in.

Application Security. How are your employees downloading and accessing
personal and professional apps on their devices? It should always be done
from a qualified source (the App Store or Google Play). You may also want
to consider a pre-approval process for downloading apps onto work devices.
And make sure your employees know how to set up their devices to ask
permission before downloading or accessing anything.

Remotely-Accessed Data. Even if your employees don’t think they are doing
anything wrong by accessing their work email from a personal device on a
free wi-fi connection, it can actually lead to malware attacks. Any device
that accesses information from work, whether it’s email or other files,
needs to be protected. One way to prevent the proliferation of BYOD,
mobile and remote work access is to leverage the use of a cloud email
security solution. It provides real-time threat protection through spam
filtering and phishing detection, an advanced multi-layer anti-virus
solution, cloud based email archiving, secure email encryption and more.
It’s an email security solution designed for your peace of mind. Thanks to
cloud email security, you get real-time protection. Cloud protection is
always up to date with no need to download any virus signature files. It
provides protection to all users the second a virus is detected.

Prepare Documentation

You want your employees to know the security policy, but a heavy manual
will rarely get read. Rather than giving your employees thick packets of
information that are filled with technical terms and no context, provide
them with customized, segmented documentation along with training.

Skip the one size fits all policy. Employees learn and process information
differently. Try creating security programs that are specific to the
different roles and departments within your company, and make the point
that security is an essential part of your company culture. Even smaller
businesses can do essentially the same thing by tailoring training and
documentation to the responsibilities and needs of the employees.

Training

Security is essential for everyone in your company, and should be
incorporated into everyday life. In order to help foster this, make sure
that your management team models the behaviors and practices that you want
your employees to follow. Training is also crucial in getting your
employees on board. Make it fun. Turn training into a game. Divide your
employees into teams and have a trivia contest. Not only will your
employees enjoy the experience, they will be more likely to remember the
information and they will build up relationships with their coworkers.

Reward Employee Involvement

When it comes to getting your employees to comply with security, don’t try
to instill fear. Fear tactics can actually work against your goals.
Instead, incentivize. Employees are much more likely to respond to rewards.
While bonuses are one way to reward them, they’re not the only one. Try
offering additional days off, or a lunch with the higher ups. And,
acknowledging employees for their commitments to security can give them the
additional motivation to keep it up.

Creating a culture of security is more than simply its creation. It is
important that you set an example for your employees and stick to the
policy that has been developed, as it has a severe effect on a brand that
needs a long time to build. And, with some motivation, your employees will work
harder toward mastering security. When it comes to security, it should be
an ongoing process that is high on the minds of your employees.