Posted on Oct 25, 2017

Create an IT Security Policy Your Employees Will Actually Follow

Almost every day we hear about a new company or industry that was hit by hackers. These data breaches have a significant impact on a company’s bottom line and may result in irreparable damage to its reputation. It’s important for businesses of all sizes to be proactive in order to protect their business and customer information.

One of the biggest security vulnerabilities for businesses to deal with actually comes from within – their own employees. So how do you create a security-aware culture that encourages employees to take a proactive approach to privacy? The first step is creating a clear and enforceable IT security policy that will protect your most valuable assets and data. The second step is to educate employees about the policy and the importance of security.

Make sure education on your IT security policy and procedures is part of the on-boarding process for all new employees. The IT security procedures should be presented in a non-jargony way that employees can easily follow. This may mean creating an online or classroom course to specifically cover the requirements and the possible consequences of non-compliance. Here are some tips on how to get started:

Create a Policy Checklist

Creating a simple checklist of IT security requirements is one of the best ways to develop a standardized policy that is easy for every employee to understand and follow.

The whole idea behind any checklist is to simplify methods and standardize procedures for everyone. Checklists also make for a smooth and consistent operating policy. Keep the checklist simple, easy to follow, and readily available at all times so employees can review it whenever they need to.

The policy should include basic hardware security procedures.

• Always lock down computers
• Keep current on software updates
• Secure portable devices
• Immediately report lost or stolen devices

Set Password Rules

A lot of hacking is the result of weak passwords that are easily guessed or obtained by hackers.

Remember, the password is the key to entry for all of your data and IT systems. You simply can’t afford employees using passwords like “unicorn1.”

Today, we all have dozens of passwords to keep track of, so you don’t want to create a system so complicated that it’s nearly impossible to remember.

Develop some simple password rules that are easy for employees to follow and remember.

• Eight character minimum
• One upper case letter
• One symbol
• Two numerals
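To make the four rules above enforceable rather than just published, the policy check can be put in code. This is an added example, not from the original post: a checker that reports every rule a proposed password fails, so the employee sees exactly what to fix (the “unicorn1” example from above fails three of the four rules).

```python
import string
from typing import List

# Policy thresholds taken directly from the four rules listed above.
MIN_LENGTH = 8
MIN_UPPER = 1
MIN_SYMBOLS = 1
MIN_DIGITS = 2

# "Symbol" is assumed here to mean any ASCII punctuation character;
# the post does not define the term more precisely.
SYMBOLS = set(string.punctuation)


def check_password(password: str) -> List[str]:
    """Return the list of rules the password violates.

    An empty list means the password complies with the policy. The
    password itself is never included in the messages, so the result is
    safe to show on screen or to write to a log.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if sum(1 for c in password if c.isupper()) < MIN_UPPER:
        failures.append("one upper case letter")
    if sum(1 for c in password if c in SYMBOLS) < MIN_SYMBOLS:
        failures.append("one symbol")
    if sum(1 for c in password if c.isdigit()) < MIN_DIGITS:
        failures.append("two numerals")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule in the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs: the post's weak example and a fixed version.
    for candidate in ("unicorn1", "Unicorn#12"):
        problems = check_password(candidate)
        status = "OK" if not problems else "needs: " + ", ".join(problems)
        print(f"{len(candidate)}-character password -> {status}")
```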

Phishing Email Detection

Even though most employees are pretty tech-savvy these days and have undoubtedly encountered phishing or scam emails on their own home computer, at work it can be a different story because it isn’t their own information they’re protecting. It can be more tempting to open or respond to an email from an unknown source if it appears to be work-related. Hackers have become very good at disguising malicious emails so they appear to come from a legitimate source.

Educate your employees on some of the common techniques used to hack, and on how to detect phishing and scams. Share examples of suspicious emails, and provide clear instructions not to open documents from unknown sources, even if they appear legitimate. Make sure you have a mechanism for employees to report suspicious emails so they can be verified and the source can be blocked or reported to prevent further attempts.

Define Sensitive Information

Think about what information your company keeps on its employees, customers, processes, and products. Clarify for all employees just what is considered sensitive, internal information. Create rules for securely storing, backing up, and even deleting files in a manner that will keep them secure.

This should include all customer and supplier information and any other data that must remain confidential within the company.

Teach your employees that they can’t simply send company information through email. They must use a secure file transfer program such as Globalscape that encrypts the information and permits only the authorized recipient to open or access it.

Utilize Privacy Settings

Your cyber-security program should include teaching employees to apply and use the maximum security settings at all times on any web browser or social media account.

This also includes Google, which is the one most often taken for granted because most of us use it every day.

Employees should make certain that only their contacts are privy to personal information such as location or birthdate. Limiting the amount of personal information available online provides added protection from the phishing attacks or identity theft they would otherwise be vulnerable to.

Remain Proactive

It’s important to remind employees to be proactive when it comes to securing data and assets. Make sure that employees are able to spot suspicious activity, know how to report it, and report it immediately to the appropriate individual or group within the organization.

The damage from a breach grows over time. The longer an intrusion goes undetected, the higher the potential for serious and costly damage. The sooner an employee reports a security breach to the IT team, even after it has already occurred, the more likely the company is to avoid serious, permanent damage.

You should also be proactive in regularly updating the policies and providing additional training opportunities for employees. Hackers are always developing new schemes and techniques, so it’s important to try to block these new activities before they can affect your business.

Remember, cyber-security cannot be taken lightly, and all possible breaches of security must be treated seriously. In the end, making cyber-security a priority in your training program will save your company money by avoiding a breach that could wipe out your data.