
Posts Tagged with "SECURITY AWARENESS"

The Benefits of Empowered Employees: Why a Good Security Awareness Program Matters

Every organization has an ideal picture of how it would implement cybersecurity: requirements met or exceeded, employees fully educated on security risks, and data never threatened by phishing scams or careless user errors. Sadly, faced with time and resource constraints, busy organizations often struggle to do more than check the “high importance” boxes (such as creating a data breach response plan and sound networking practices), especially when today’s ever-changing security needs are hard enough to keep up with as it is.

Kathryn Anderson of Backbone Consultants argues that this struggle to keep up with cybersecurity needs is exactly why businesses should find time to implement a security awareness program. As a security advocate with over a decade of industry experience, Anderson is passionate about risk and governance, and through that experience she has gained powerful insights into how to inspire awareness, responsibility, and empowerment across an entire organization.

READ MORE: Introducing Kathryn Anderson of Backbone Consultants

Anderson started pushing for employee awareness in her Senior Information Security Specialist role at a Fortune 500 consumer food company. Her manager had already put some groundwork in place, but she was fully responsible for developing a security awareness program that would impact new employees, near-retirees, and everyone in between.

Why spend so much time on employee education? “It’s a way to get people to care,” Anderson said during a recent interview with us, “and to be empowered.” She believes that security should be a part of employee job responsibilities from the moment they start their first day of work. But more importantly, it should be part of their responsibilities in everyday life—not just when they’re on the clock.

So Anderson used her security awareness program to shift the culture at the consumer food company, starting with a focus on modern cybersecurity risks and scams. “I brought in an email phishing tool. Based on the type of security events we were seeing and the questions I received, it was clear that the opportunity at our company and our highest risk area was phishing emails for employees,” Anderson explained. “What was super cool about the anti-phishing program I created was that it actually empowered our employees. Security became part of their job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”

Several great program initiatives kept the momentum going. A fake phishing email sent internally encouraged coworker-to-coworker discussion that filled marketing meetings, finance meetings, and office spaces with excited security chatter. Employees started asking how they could help protect company data during their daily routine and discussing their role in the overall success of the company. It was a huge, and exciting, change from the initial belief that only IT and security were expected to be proactive in keeping data safe.

While Anderson’s work inspired employees to own their part in the consumer food company’s security practices, she also made it a point to talk about the importance of following the same rules at home. “Through the security program, we really focused on how you can help protect your family and keep your personal information safe,” she said. “So one tool that companies can also use is understanding that your employees are holistic beings; they’re not just people who are in the office from 9 to 5.”

The call for organizations to cultivate a vested interest in employee safety is not new. Brad Beatty, Lead Security Engineer at Enterprise Holdings, shared his thoughts on LinkedIn, writing “I had a vested interest in the success of those around me and the company I worked for because I was treated like family. I propose that by empowering employees … those employees will arise to the occasion and not only become your strongest business asset, but your strongest cyber security defense.”

Likewise, Darran Rolls, CTO and CISO at SailPoint, also wrote about employee empowerment: “[Cybersecurity pitfalls don’t] stop with employees. Friends and family are also targets. Because of this, it’s important that employees emphasize the importance of cybersecurity awareness with those closest to them and follow best practices outside of the workplace.”

So, what did the Fortune 500 consumer foods company do? With Anderson leading the initiative, they started having frequent conversations with their employees on how to protect data outside of work. They talked about how to stay protected during tax season, even though it had nothing to do with company data. And because the company invested time and effort in its employees’ personal lives, employees responded by practicing good security habits everywhere they went—which ultimately reduced the opportunity for user error, both inside and outside of the workplace.

“There’s a lot of synergies between security and personal security. It’s an opportunity for people in my field to reach out and have conversations with everyday people they encounter, like at the library, or at parties. When you start talking about dual authentication at parties, everyone loves you and you’re always welcome back,” Anderson said. “You might even get a second dessert!” she added, laughing.

Are you focused on building a cybersecurity culture for your employees? If not, now is the time. The resources you’ll expend to create a strong security awareness program for your organization will be more than worth the good that follows.

Want to hear more from Kathryn Anderson? Watch our on-demand webinar, Lessons from the Field: 7 Steps to Proactive Cybersecurity. It should interest those who want to learn how to implement a security awareness program or manage resources in their organization.

10 Easy Ways to Protect Your Data at Work

In a recent survey of UK workers, over half the employees who participated across 1,000 organizations admitted that they open suspicious email attachments. More than 80% also said they open strange attachments if the sender appears to be someone they know, and “one in five said the business they work for has no policy on how to handle email attachments, or they have not been made aware of it.”

Organizations that operate without a clear-cut security awareness plan (for email, file transfers, or even internet use) open themselves up to huge security risks—risks that are easily preventable with a bit of training and forethought but, sadly, often overlooked.

If this sounds like your workplace, never fear. Even without a policy to follow, there are ways you can implement security practices in your current role and workspace to protect yourself, your information, and your company’s data from prying eyes and malicious scams.

Here are 10 easy ways to promote security in your role, without needing permission to do so.

1. Never download unapproved software

That free screen capture application or photo editing software may seem tempting, but don’t download it without approval from your IT department. Free software from unvetted sources is often bundled with malicious code, which can introduce malware, ransomware, and other threats to your computer and the company network.

If you aren’t sure whether the software is safe to download, contact IT. And when you’re on your personal computer, check trusted online resources, such as forums or software review websites, for information on the application you want. Most times, if it’s not safe, you can find an alternative application that is.

2. Send files (in and out of network) securely

If you need to send a file to someone inside your network or to an outside party, always make sure to send it securely. Use a managed file transfer solution to protect sensitive company data. And instead of using FTP, plain email, or other unsecured methods to transfer files, use a secure protocol like SFTP, or encrypt the file with OpenPGP before it leaves your hands.

3. Don’t send sensitive information in emails or online messages

Email and online messaging are incredibly fast and convenient methods of sending information to someone, but they’re not secure. A single spear phishing email or instant message containing a bad link can give hackers access to the information on your computer. And if you send sensitive information through messages and your workspace is compromised, you’re doing the work for them. Hackers won’t have to go far to retrieve your private data.

It’s important to also remember that emails and online messages can be forwarded with just a click of the mouse or intercepted during transmission. Once that username/password combination, credit card number, or completed W-2 form is out of your hands, renegade employees can forward the information just about anywhere. So instead of transmitting data across the network, cut out the middleman. Identify situations where you can deliver the information directly, whether by a phone call or in person. Can’t do that? Send the data via an encrypted folder-to-folder transfer or through a secure form with a link and password.

4. Follow security best practices for application passwords

Changing your password every 60-180 days is a standard industry procedure. Even if it gets annoying, following this simple practice can limit the access hackers might already have (for those who come in and quietly monitor business processes without making any sudden moves) by cutting them off after a specific amount of time.

However, when employees do change their passwords, they often riff off their original password, for example by adding an extra number or switching out the capital letters. In fact, 19% of working professionals use a weak password to protect their data, according to a recent report. And unfortunately, people also reuse the same password across multiple websites, which is a huge security risk: if hackers access one account, they can access them all.

With all the data breaches happening today, it’s important that you create strong passwords, use a different one for each account, and change them every so often, at work and at home. Your personal data is just as important as company data—and remember, anyone can have their information stolen.

5. Clarify sender intentions if you receive a questionable email or attachment

In general, it’s a good practice to approach your inbox with a critical eye. Be wary of every attachment you don’t recognize or didn’t anticipate, even from senders you trust, and follow up in person, over the phone, or in a separate email thread if you aren’t sure about the contents.

This may add extra time to your day, but it’s worth your thought and attention. Phishing and spear phishing emails are one of the top ways hackers gain access to company accounts. To learn more about phishing attacks, check out our recent blog post: 7 Ways to Protect against Corporate Spear Phishing.

6. Install computer updates whenever they’re available

Depending on what operating system you use, updates and security patches can be frequently available. Microsoft, for example, ships new updates for Windows on the second Tuesday of every month (you can find a list here). Apple’s updates come a little more sporadically but are still shipped often enough to help maintain OS security.

Installing these updates and patches is an important part of keeping your system up-to-date with the latest security concerns and improvements. Some companies automate this process, installing updates in the background so you don’t have to. If you’re not sure whether this applies to you, check with your IT department.

7. Avoid using external flash drives to transfer information

Despite how common it is to use USB flash drives (it seems they’re handed out like candy these days), they’re not secure. These tiny thumb drives can be loaded with malware or reflashed with tampered firmware (the USB’s permanent, built-in software). So unless you know where the USB has been before it was delivered into your hands, it’s best not to use it.

But why not just wipe it clean, you might ask? “You can give [the USB] to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’ [but] the cleaning process doesn’t even touch the files [in the firmware],” said security researcher Karsten Nohl in an interview with Wired. Once the firmware has been affected, it’s difficult, if not impossible, for most people to find the corruption and remove it.

Then there’s the obvious danger with USB drives: not being able to control where they go, or who has access to the files, once they leave your hands. Even if a drive is tucked away in your desk, can you be sure no one will take it when you’re not looking, or that extra copies of the files won’t be made while someone else uses it? No. Better safe than sorry.

8. Lock your computer whenever you step away from your desk

This is a seriously simple step you can take to mitigate risk in your workspace. Anytime you leave your desk, even to grab a cup of coffee or hit the bathroom, you should lock your computer. This may not prevent external hackers from stealing sensitive company data, but it can deter renegade employees or “visiting guests” from snooping through your information while you’re away.

If you’re worried you’ll forget in the rush of an ever-busy workday, most computers allow you to set a default lock whenever your session has been inactive for a set number of minutes. Ask your IT department how to configure this, then set it to an amount of time that balances security and usability. Ten to fifteen minutes is usually adequate (unless your organization has already set a different limit).
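As an added illustration (not part of the original post), here is how the inactivity lock described above can be configured on Windows with PowerShell. It writes the screen-saver values under HKCU:\Control Panel\Desktop, which Windows reads at sign-in, and points the screen saver at the built-in blank one (scrnsave.scr) so that “require password on resume” has something to attach to. The ten-minute timeout is a constructed value inside the range the post suggests; the function names are mine.

```powershell
# Added example, not from the original post. Assumes Windows 10/11 and that the
# current user may write to their own registry hive (HKCU). Windows applies these
# screen-saver values at sign-in, so sign out and back in after running it.

function Set-IdleLock {
    param([int]$Minutes = 10)   # 10 minutes sits inside the range the post suggests

    $desktop = 'HKCU:\Control Panel\Desktop'
    $blank   = Join-Path $env:SystemRoot 'System32\scrnsave.scr'  # built-in blank screen saver

    # Enable a screen saver, require the password on resume, and set the idle timeout (seconds).
    Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'        -Value $blank
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value ([string]($Minutes * 60))
}

function Get-IdleLock {
    # Read back what is configured so the result can be checked or reported.
    $cfg = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    [pscustomobject]@{
        ScreenSaverOn    = $cfg.ScreenSaveActive    -eq '1'
        PasswordOnResume = $cfg.ScreenSaverIsSecure -eq '1'
        TimeoutMinutes   = [int]$cfg.ScreenSaveTimeOut / 60
    }
}

Set-IdleLock -Minutes 10
Get-IdleLock
```

Get-IdleLock is there so you can confirm the three settings actually took, rather than trusting that the lock will fire. If your IT department has already set the machine-wide policy “Interactive logon: Machine inactivity limit” through Group Policy, that limit still applies regardless of these per-user values, which is why the post says to check with them first.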

9. Ensure your connection is secure if doing work from home

If you’re able to work from home, make sure you set up a secure connection that meets your company’s standards before accessing any sensitive information, including email and user accounts. Avoid working on devices that haven’t been approved by the IT department, such as personal phones or laptops that might be compromised with malware or questionable software. And always use protected WiFi, as open WiFi connections (especially ones in public places) are vulnerable to packet sniffer programs that can read and steal transmitted data.

10. Make security a topic for discussion in your role, department, and organization

Last, but certainly not least, be an advocate for security in your organization. If you recognize the need to protect your data and your company’s data, others will start to recognize it too. Ask leadership or the IT department if they plan to create a security awareness program or document their policies for internal reference. Share what you learn with your coworkers, or bring them into the conversation by asking them how they handle security in their own role. And apply what you do at work in your personal life, because your data is important too.

For further information on how to protect your data at work, check out our blog post on email security: Top Email Security Challenges and How to Solve Them.