According to a study from Kaspersky Lab and B2B International, 52% of businesses identify employee error as the biggest threat to company security. But, with the right education and tools in place, this doesn’t have to be the case. Your workers can become your first and strongest line of defense against breaches. Here’s how you can make that happen.
1. Use layered security.
If you want your employees to take security seriously, you need to demonstrate that it’s a priority for your company. This means investing in layered security – the practice of using multiple security controls at different levels to protect your data.
Don’t put all your trust in SSO, multifactor authentication, or password managers. A single tool simply isn’t enough. Instead, layer these tools on top of one another – use a password manager with multifactor authentication, and if it’s feasible, implement SSO wherever possible. The more safeguards you have in place, the stronger your security.
By layering protective measures, you’ll have backups if one or more of your defenses fail. You’ll also show employees how paramount security is to the company’s daily operations, instilling in them the need to take it as seriously as you do.
2. Encourage good password habits.
A recent report by the Ponemon Institute and Yubico found that 51% of respondents have experienced a phishing attack. Yet, 57% of those people still haven’t changed their password behaviors. Considering that the same survey reports that almost 70% of respondents share passwords without taking proper security precautions, and over half reuse passwords, that’s a huge vulnerability for any company.
It’s important to encourage your employees to practice good password behavior at both home and work. If a member of your team is using a weak password like “Fluffycat123” for their personal accounts, chances are they’ll use it for their professional accounts too. Reusing passwords across multiple sites is a huge security risk because if that password is breached, every account protected by it will be compromised.
Everyone should set strong passwords that are long, complex and unique for every online account they use. But it’s impossible to remember multiple complicated passwords, so use a secure program or password manager to store them.
By encouraging good password habits among employees and providing them with the tools that make it easy for them to put these habits into practice, you will significantly strengthen your company’s security.
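To make the advice above concrete, here is a small password-hygiene audit, added as an example rather than taken from the article: it flags passwords that are short, use too few character classes, or follow predictable shapes like the “Fluffycat123” one mentioned, and it reports reuse across accounts by grouping on a hash so the passwords themselves never need to be displayed. The account list, the 12-character minimum and the deny-list patterns are all constructed assumptions for the demonstration.

```python
"""Added example (not from the original article): a small password-hygiene
audit that flags weak and reused passwords across a set of accounts.
The account list and passwords below are constructed sample data."""
import hashlib
import re
from collections import defaultdict

# Constructed: accounts one employee might hold, paired with the password used.
SAMPLE_ACCOUNTS = {
    "email@work": "Fluffycat123",
    "vpn@work": "Fluffycat123",
    "personal-shop": "Fluffycat123",
    "hr-portal": "correct horse battery staple 2024!",
    "payroll": "Winter2024",
}

MIN_LENGTH = 12  # assumption: a policy minimum; the article does not state one
COMMON_PATTERNS = [  # assumption: a tiny deny list of predictable shapes
    r"^(password|welcome|letmein|qwerty)",
    r"^(spring|summer|autumn|fall|winter)\d{2,4}$",  # season + year
    r"^[a-z]+\d{1,4}$",  # a word followed by a few digits, e.g. fluffycat123
]


def password_weaknesses(password: str) -> list[str]:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    lowered = password.lower()
    if any(re.match(p, lowered) for p in COMMON_PATTERNS):
        problems.append("matches a predictable pattern")
    return problems


def find_reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts by SHA-256 of the password so reuse can be reported
    without ever printing the password. Only groups with 2+ accounts are returned."""
    by_hash = defaultdict(list)
    for account, pw in accounts.items():
        by_hash[hashlib.sha256(pw.encode()).hexdigest()].append(account)
    return {h: sorted(accs) for h, accs in by_hash.items() if len(accs) > 1}


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Per-account findings: policy failures plus a reuse note where applicable."""
    reused = find_reused_passwords(accounts)
    reused_accounts = {a for accs in reused.values() for a in accs}
    findings = {}
    for account, pw in accounts.items():
        issues = password_weaknesses(pw)
        if account in reused_accounts:
            issues.append("reused on another account")
        findings[account] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {'OK' if not issues else '; '.join(issues)}")
```

Running it shows the long passphrase passing cleanly, “Fluffycat123” flagged both for its predictable word-plus-digits shape and for being shared by three accounts, and “Winter2024” flagged for length and for the season-plus-year pattern. The hashing step matters in practice: an audit tool should be able to say “these accounts share a credential” without the audit log itself becoming a password list.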
3. Educate your employees regularly.
Phishing scams are becoming more and more sophisticated, so it’s important to educate employees on how to identify these messages. It’s crucial to periodically test whether employees can flag suspicious communications and know what to do when they receive them.
By holding regular training, and sending simulated phishing messages to employee inboxes, you’re keeping phishing at the top of their minds. After all, if they’re on the lookout for these kinds of scams, they are much less likely to fall victim to them.
Remember, if employees fail these phishing tests, it’s important not to shame them. All it takes is a momentary lapse in concentration to click the wrong link, and some people simply find identifying these messages more difficult than others. Instead, provide additional training and only give people access to the data and logins they need.
Keep track of how your teams perform and celebrate progress with them. When employees see results improving, they’re more likely to see the value in the training you’re providing and get on board with what you’re trying to achieve.
4. Make security easy to use.
One of the biggest mistakes that companies make when designing security is creating processes that are cumbersome for employees.
Forcing monthly password resets with long, complicated passwords without providing access to a password manager will only encourage workers to store their passwords in non-secure ways. Or, refusing to provide access to a site that doesn’t support SSO can push employees into creating non-secure accounts that you don’t have visibility of. These workarounds create huge security holes, and it’s important not to put the onus of security on employees.
When security is convenient, your employees are more likely to embrace it. Ultimately, people tend to take the path of least resistance, so choose tools that become part of their everyday workflow and actually make their job easier.
IT departments should make security as easy and seamless as possible, rather than expecting employees to go out of their way to work with frustrating security requirements. Some compromise is often required, but always keep in mind what you’re asking of employees.
5. Keep lines of communication open.
When people don’t feel confident in an area outside of their usual role, there’s a risk that they’ll shy away from it and avoid it altogether. Security can seem like a daunting subject to some, filled with technical language and complicated systems. You need to make security accessible, and that starts with good communication.
Write your security policies in clear language that’s easy to understand and make sure everyone knows where to find them. Your employees are your most important security measure; when they’re informed and feel engaged it fortifies all other layers of your security.
When someone has a security question, they need to know who to approach and feel comfortable in doing so. They mustn’t be made to feel stupid for asking or villainized if they make a mistake. Issues are much easier to resolve when they’re out in the open, rather than hidden out of fear or shame.
Respect your employees as the solution, not the problem. Invite them to share their thoughts and feedback, and act on their suggestions when appropriate. When they see that their contributions matter, they’ll feel empowered and motivated to play their part in securing your business.
6. Make your employees feel valued.
Part of building up your security is ensuring your employees are invested in the company they work for; that way, they take security as seriously as you do.
There’s no superficial way to do this – people can tell when these kinds of actions aren’t genuine, and you need to start from the ground up. It’s about truly embedding positive attitudes into your company culture.
Be fair with your employees and transparent in your communications. Trust the people you’ve hired to do their jobs – respect, support, and empower them. Reward successes and don’t finger-point when people stumble.
Being generous and showing your employees they are valued will mean they actually care about the welfare of the company they work for and become invested in protecting it and maintaining security.
While there’s no way to fully prevent security breaches, taking these steps will go a long way toward increasing your security. Whether large or small, your company should absolutely have a plan in place for dealing with these breaches if they occur, but by taking these steps and investing in your employees, hopefully, you will never have to use it.