Surprising Ways to Improve Cyber Security in the Workplace
Think cyber security is just about putting the right technology on hard drives?
It's actually so much more.
In a sobering commentary on data breach incidents, Sarbjit Nahal of Bank of America Merrill Lynch said, “there are 80 to 90 million plus cyber security events per year, with close to 400 new threats every minute, and up to 70% of attacks going undetected”.
Experts recommend that security be incorporated into all workplace processes, design, and strategy.
Stop making security all about technology.
According to a recent KPMG white paper, technology is just one part of cyber security. The other parts are leadership and governance, human factors, information risk management, business continuity, and legal and compliance. “Our research shows that defending your business is a dynamic, strategic activity,” said Mike Salvin of professional services provider Accenture.
Make security a driver in every department.
Appoint a Chief Information Security Officer (CISO), and create a Security Policy with visible commitment from the top down. Introduce security-driven initiatives in every department. A Clean Desk Policy stipulates that confidential documents are never left unprotected. Physical safeguards such as lockable storage and visitor sign-in are important too. Hire an information destruction partner that provides locked storage consoles (replacing open recycle bins) for discarding documents. Hard drives should also be securely destroyed when no longer needed (rather than stockpiling them). Implement a Shred-it All Policy so employees never have to decide whether a document is sensitive or not.
Information sharing is two-way – protect both ends.
So many business processes involve two parties. Think of both ends (people and hard drives) when setting security parameters. Employees, for example, should protect digital and hard copy documents from other people (never open links from unknown senders, change passwords regularly, protect all devices from prying eyes, etc.). External service providers are another avenue for hackers. Audit service providers to ensure they are using safeguards. Limit access to only the data and systems needed to fulfill their function.
Be proactive in monitoring and incident response.
“It is becoming increasingly common to use continuous monitoring and responsive measures rather than preventive protection,” according to the Information Security – Trends 2015 white paper. At the same time, a proactive security stance can improve security effectiveness by an average of 53% over two years compared to just 2% for non-proactive companies, according to a Ponemon study. Identify vulnerabilities with a security risk assessment, and have a tested and up-to-date incident response plan (states are constantly amending breach notification laws) at the ready.
Create a ‘human’ firewall.
When IT support service provider Ramsac Ltd. sent a fictitious phishing request for username and password information to 50 employees in a small business, 24 employees did not respond, 10 replied and asked why, and 16 people responded with their username and password. The research is a good example of why employees are often called the ‘weakest link’. It also supports the need for ongoing training on data security practices and privacy laws.
Implement data security best practices to protect all the confidential information that your organization manages.