[BreachExchange] Things employees can do to help with security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 28 21:02:20 EDT 2018


https://it.toolbox.com/blogs/kevinbeaver/things-employees-can-do-to-help-with-security-062518

Information security is not just an IT thing. Even though executives and
users alike tend to think that IT oversees security, it ultimately requires
the input and actions of everyone sitting behind a computer screen. We like
to talk about security awareness and training and all the benefits it
provides but there's more to employees helping with security. It's about
day-to-day choices – people thinking before they act.

The single best approach an employee can take to protect his organization
against breach is to use common sense. I think it's safe to say that most
adults understand what to do and not do on their computer systems. Most
organizations have a set of documented security policies that are often
complemented by an employee handbook – both of which lay out exactly what's
expected. The typical worker knows that hackers, malware, and insider
threats create unique risks to the business and that they have a hand in
fighting this fight.

Most security breaches are brought about by simple oversights that someone
comes along and exploits. Employees can use stronger passwords where
possible. They can stop leaving their unencrypted laptops in vulnerable
places such as the front seat of their car when they're running into the
store. They can apply software updates when prompted. They could even
back up their data to a local USB drive or to the cloud. It pains me to
recommend these things because, in most cases, IT and/or security staff
should be taking care of these functions. Still, they're often not so
somebody needs to do it.

Another thing: employees should never be afraid to speak up when they see
something wrong or that seems important to address. I’m not just talking
about basic phishing emails and pop-up windows but also strange behaviors
on the part of their peers, known threats that they have recently heard
about in the headlines, and even security weaknesses they discover in
day-to-day business and dealing with customers and vendors. As much as
those of us working in IT like to think that we’re totally on top of
everything security-related all the time – we're not. Employees don't have
to be technically savvy to understand what a basic vulnerability is and how
it can create business risks. All it takes to prevent an incident or breach
is someone speaking up and informing IT/security staff members of something
that they may not have otherwise known about.

Although it's essential to have open communications between employees and
IT staff, employees should be reminded that they are never to provide any
personal information such as passwords, Social Security numbers or credit
card information to IT staff – or someone posing as them.

A common concern is whether employees need to be more cautious certain
times of year, such as around the holidays, to prevent security incidents
and breaches. I don't think so. I think they just need to apply the same
security knowledge and principles that they’ve learned and continue to be
smart and vigilant in what they're doing and what's going on around them.

Perhaps most importantly, if employees don't understand what's
expected of them, they need to ask. If they don't know whether to open an
attachment, click a link, or report suspicious behavior, they need to ask.
The last thing that you need in your business is to let bystander apathy
determine security outcomes. That's when employees sit around assuming that
someone else (IT) is going to take care of things. That's not always the
case.

Don't let security be an IT-centric function within your business. If it
is, it's doomed to fail. Not unlike HR, legal, and operations that require
their own unique actions on the part of employees, security is the same
way. Take an IT-only approach and you’ll get IT-only results. That's not
what your – or any – business needs.