Your employees are the key to success in business, especially when you use technology to make them more productive. The access to data and applications that technology gives them can also pose dangers, though. An employee using data inappropriately – either maliciously or unwittingly – can incur reputational, legal and financial risk for your business.
In conversations with 304 IT professionals, we found more than four in ten of them viewed employees as their most valuable assets. Yet more than one in five also highlighted employees as the biggest cybersecurity threats. How can companies keep employees on the right side of that equation?
Employee behaviour is a crucial factor, especially when it comes to handling your sensitive data. We have identified a five-step programme to keep employee behaviour secure.
Understand your employees
The first step in securing your employees is to understand what they do, and therefore what they need access to. By governing their privileges, you limit their ability to do damage with your data, intentionally or unwittingly, without stopping them from doing their jobs.
This begins with understanding who handles what in your organisation, and how. Analyse different employee roles. How many of them are there? Create a list and then assign responsibilities to each role, along with the level of information that they need access to when doing their job. Then, place individual job titles into these roles.
This will be the basis for a least-privilege access model, in which employees can reach only the data they need to do their jobs.
Create security policies for them
After creating a framework for managing access, you must build security policies that use this framework to define employee behaviour and mitigate information security risk.
A smart company will have policies regarding who can take which data off-site and how, and who can share what files with others. It should cover communication channels ranging from email to social media.
Your policy will cover all potential risks that employees present in your organisation, including social engineering attacks via the phone, and phishing attacks designed to collect their account credentials. How should receptionists deal with urgent calls asking for sensitive information? Do you have a call-back policy that gives employees the chance to check a caller’s credentials?
Also, lend a thought to physical security here. Implement clean-desk policies that prevent employees from leaving sensitive data lying around for third-party cleaning contractors to see or put in the dumpster.
This security policy is a rulebook enabling you to govern the flow of data throughout your organisation by effectively managing your employees’ behaviour.
Enforce your policy with technology
Enforce your security policy using your technology systems, managing employee access to IT resources. An identity and access management (IAM) system is a good place to start.
You have already categorised your employees by role and responsibility. The IAM system is the natural home for this information, along with their access credentials. Tie IAM into a central ‘source of truth’ such as Active Directory that can also feed useful employee data to other systems such as HR and IT service management.
By forcing all employees to access applications through a single identity hub, you can not only control who sees what but also audit that access.
If someone logs into a sensitive application outside office hours, your logs will show you. This is both a useful deterrent to insiders tempted by your valuable data and a paper trail on which to base further action if necessary.
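The off-hours check described above, written out as detection logic run over a few constructed audit log lines. This is an added example, not code from the original article or from any IAM product: the log layout (timestamp, user, application, outcome), the list of sensitive applications and the office-hours window are all assumptions made for illustration.

```python
"""Flag successful logins to sensitive applications outside office hours.

Added example run over constructed IAM audit lines (not real data). The line
format, the sensitive-application list and the working window are assumptions."""
from datetime import datetime, time
from typing import Dict, List, NamedTuple

# Constructed sample of a hypothetical audit log: timestamp user application outcome.
SAMPLE_LOG = """\
2024-03-04T09:12:41 jsmith payroll-app LOGIN_SUCCESS
2024-03-04T13:45:02 akhan crm LOGIN_SUCCESS
2024-03-04T23:17:55 jsmith payroll-app LOGIN_SUCCESS
2024-03-05T02:03:10 mlee hr-records LOGIN_FAILURE
2024-03-05T02:04:30 mlee hr-records LOGIN_SUCCESS
2024-03-06T10:30:00 akhan hr-records LOGIN_SUCCESS
"""

# Applications the security policy marks as sensitive (assumed for this example).
SENSITIVE_APPS = {"payroll-app", "hr-records"}
# Working window, assumed: weekdays 08:00 to 18:30.
OFFICE_START, OFFICE_END = time(8, 0), time(18, 30)


class Event(NamedTuple):
    when: datetime
    user: str
    app: str
    outcome: str


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated audit lines; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: do not guess at its meaning, just skip it
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events


def is_office_hours(when: datetime) -> bool:
    """True on a weekday inside the configured working window."""
    return when.weekday() < 5 and OFFICE_START <= when.time() <= OFFICE_END


def find_off_hours_access(events: List[Event]) -> List[Event]:
    """Successful logins to a sensitive application outside office hours.

    Failed attempts are deliberately left out here; they belong to a separate
    brute-force or credential-stuffing rule."""
    return [e for e in events
            if e.app in SENSITIVE_APPS
            and e.outcome == "LOGIN_SUCCESS"
            and not is_office_hours(e.when)]


def summarise_by_user(flagged: List[Event]) -> Dict[str, int]:
    """Count flagged events per user so reviewers can see who needs follow-up."""
    counts: Dict[str, int] = {}
    for e in flagged:
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_off_hours_access(parse_log(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.when.isoformat()} {e.user} -> {e.app}")
    print(summarise_by_user(flagged))
```

The rule keys on the application and the outcome rather than on the user, so it needs no per-person baseline; the per-user summary is what a reviewer would take to HR or the line manager as the paper trail the text mentions.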
In addition to managing application access, your IAM system can also manage employees’ access to your data. It will map employee privileges against a file’s sensitivity level to determine whether they can access it.
Use a metadata solution that ties information about data sensitivity directly to the file or record itself. By storing information about the file in a set of digital properties or tags that are part of that file, you can effectively code access privileges directly into your data.
When an employee tries to access a file, the file itself will know how sensitive it is, and whether an employee should access it. This data classification is important when securing employee access and behaviour.
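The two ideas above, roles with assigned privileges (the first step) and classification carried in the file's own tags, combined into one access decision. This is an added example and not code from the original article or from any IAM or metadata product; the role names, sensitivity levels, tag keys (`sensitivity`, `owner`) and job titles are assumptions made for illustration.

```python
"""Role-based, least-privilege access decision where the sensitivity label
travels with the file as metadata.

Added example; roles, levels, tag keys and job titles are assumed for
illustration and are not those of any particular product."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Ordered sensitivity levels: a role cleared for a level may read that level and below.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Role:
    name: str
    clearance: str               # highest sensitivity level the role may read
    departments: FrozenSet[str]  # data owners whose records the role works with


@dataclass
class TaggedFile:
    """A file whose classification is stored in its own tags (constructed example)."""
    path: str
    tags: Dict[str, str] = field(default_factory=dict)

    def sensitivity(self) -> str:
        # Deny by default: an untagged file is treated as the most restricted level.
        return self.tags.get("sensitivity", "restricted")


# Step 1: roles and the access each one needs (assumed).
ROLES = {
    "receptionist": Role("receptionist", "internal", frozenset({"front-desk"})),
    "hr-advisor": Role("hr-advisor", "confidential", frozenset({"hr"})),
    "payroll-admin": Role("payroll-admin", "restricted", frozenset({"hr", "finance"})),
}

# Step 2: individual job titles placed into those roles (assumed).
JOB_TITLE_TO_ROLE = {
    "Front Desk Coordinator": "receptionist",
    "HR Business Partner": "hr-advisor",
    "Payroll Specialist": "payroll-admin",
}


def can_read(job_title: str, f: TaggedFile) -> bool:
    """Least-privilege check: the role's clearance must cover the file's own label,
    and the role must work with the department that owns the data."""
    role_name = JOB_TITLE_TO_ROLE.get(job_title)
    if role_name is None:
        return False  # unknown title: no role, therefore no access
    role = ROLES[role_name]
    level_ok = LEVELS[f.sensitivity()] <= LEVELS[role.clearance]
    owner_ok = f.tags.get("owner", "") in role.departments
    return level_ok and owner_ok


def audit_decision(job_title: str, f: TaggedFile) -> str:
    """One-line audit record so every decision leaves a trail."""
    verdict = "ALLOW" if can_read(job_title, f) else "DENY"
    return f"{verdict} {job_title!r} -> {f.path} [{f.sensitivity()}/{f.tags.get('owner', '?')}]"


# Constructed files; the classification lives in each file's tags.
FILES: List[TaggedFile] = [
    TaggedFile("/shares/hr/salaries-2024.xlsx", {"sensitivity": "restricted", "owner": "hr"}),
    TaggedFile("/shares/hr/holiday-policy.pdf", {"sensitivity": "internal", "owner": "hr"}),
    TaggedFile("/shares/frontdesk/visitor-log.csv", {"sensitivity": "internal", "owner": "front-desk"}),
    TaggedFile("/shares/misc/untagged.docx"),  # no tags at all
]

if __name__ == "__main__":
    for title in JOB_TITLE_TO_ROLE:
        for f in FILES:
            print(audit_decision(title, f))
```

Two design choices matter here: an untagged file falls to the most restricted level rather than the least, so a missed classification fails closed, and the owner tag stops a clearance level alone from opening every department's data to anyone cleared that high.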
As your technical capabilities mature, consider other controls. Data leak prevention software will watch for sensitive data matching specific formats such as names, addresses and credit card numbers. It can catch this data crossing certain boundaries and stop employees copying it to a USB drive, say, or sending it to someone via email.
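The kind of content inspection a data leak prevention tool performs before data crosses a boundary, shown for one of the formats mentioned above: candidate card numbers are found by pattern, confirmed with the Luhn checksum to cut false positives, and reported masked so the finding itself does not leak the number. This is an added example with a constructed message, not code from the original article or from any DLP product; the pattern and the message parts scanned are assumptions.

```python
"""Outbound content inspection: find card numbers, confirm with Luhn, report masked.

Added example; the candidate pattern and the message structure are assumed,
and the sample message is constructed (the card numbers are published test numbers)."""
import re
from typing import Dict, List

# Candidate: 13 to 19 digits, optionally grouped by spaces or hyphens (assumed pattern).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> List[str]:
    """Masked card numbers found in text; pattern hits that fail Luhn are dropped."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def inspect_outbound(subject: str, body: str, attachments: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every part of an outbound message; a non-empty result means block and alert."""
    findings: Dict[str, List[str]] = {}
    for name, content in [("subject", subject), ("body", body), *attachments.items()]:
        hits = find_card_numbers(content)
        if hits:
            findings[name] = hits
    return findings


# Constructed message: two Luhn-valid test card numbers, one ticket reference that
# looks like a card number but fails Luhn, and a phone number that is too short.
SAMPLE = {
    "subject": "Re: 4111 1111 1111 1111 chargeback",
    "body": "Ticket ref 1234-5678-9012-3456 attached. Call me on 01234 567890.",
    "attachments": {"notes.txt": "Card on file: 5555-5555-5555-4444 exp 12/27"},
}

if __name__ == "__main__":
    print(inspect_outbound(**SAMPLE))
```

The Luhn step is what separates a usable rule from a noisy one: ticket, order and account references often have the same shape as a card number, and without the checksum each of them would block a legitimate email.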
Information rights management (IRM) software provides a further layer of protection. Your security policy may allow an employee to access files at a certain sensitivity level, but only to share them with select people outside the organisation, such as your legal firm, say. This technology will stop others reading a file if an employee sends it to the wrong recipient via email.
Train your staff
Any security policy is only as good as the people who implement it. Effective training will prevent your security rulebook from becoming just another piece of shelfware. Train employees in how the policies affect their everyday jobs so that they follow them closely. This includes training them in metadata classification. Your information security initiative will be more effective if employees can assign sensitivity levels and other properties to files themselves.
Proper cybersecurity training is not as easy as it may sound. Security awareness initiatives fail because simple awareness isn’t enough. Companies must translate it into intention and action, both inside the training course and beyond.
Relating training material directly to an employee’s own situation is important, and trainers must set realistic expectations in the context of a worker’s job. If a security measure doubles the time it takes for busy nurses to access a system in a fast-paced emergency environment, they won’t follow it in practice, and may even subvert any technological measures that you put in place.
Any effective security awareness initiative is a two-way conversation, in which employees get the chance to express their own needs. One of the biggest causes of failed security training schemes is a set of incorrect assumptions about people and their motivations.
Measure your training
The other big failing point in cybersecurity training is a lack of measurement. If you don’t monitor the effectiveness of a programme, you won’t know how well it is working, and employees will tend to forget its principles.
Use real-world tests to see if employees are following basic cybersecurity principles. See if they fall victim to fake, ‘secret shopper’-style social engineering attacks. Use testing services to send fake phishing emails to employees and see if they bite. Techniques like these can give you quantifiable performance data and will also keep employees alert.
By using refresher sessions and reminders ranging from posters to screensavers, you can help drive home the principles in friendly, even humorous ways.
Keeping employees secure involves a multi-layered approach within your organisation. Technology plays an important part, as does technique and training. The most overlooked part of any employee security programme, though, is understanding. When dealing with human beings, as unpredictable, emotional and sometimes irrational as they are, a little insight goes a long way.