The Importance of Employee Education on Information Security
As a business managing proprietary information, one of the biggest steps you can take to safeguard data and records is to educate the people who are interacting with it daily: your employees. Check out our blog and video which include some easy steps to improve your information security. One of these points is employee education. It’s not just important for your employees to know that there is a policy, but they need to be familiar with what the policies are, why they are in place, and what to do if they suspect an information breach has occurred.
Many of the top studies of data breaches point to employee error as a leading cause of data loss. Breaches can occur through employee error as a result of things as simple as not shredding secure information, clicking a bad link in an email, falling victim to a phishing scam, or even sending secure information to the wrong person via email. Even if these things are done unintentionally, they can still lead to large-scale breaches which can be harmful to your customers and clients, your employees, and your business reputation. As you are educating your employees about the importance of information security and your specific processes, we have put together some good points to cover.
WHAT ARE YOUR INFORMATION SECURITY POLICIES
Employees cannot be active on the front lines of information security if they do not know the policies you have put into place to help them. Ensuring that your employees are familiar with and know how to implement your policies will go a long way in helping to prevent future breaches. As you are educating your employees on these policies, it’s important to highlight items including:
- How to secure digital information
- Best practices for validating security of digital information transfers
- How to secure paper records
- How long to keep items in active files (digital and paper)
- How to securely archive information (digital and paper)
- How long to keep archived records (digital and paper)
- The process for securely destroying secure information (digital and paper)
- Password security and best practices
- Ability to recognize phishing and social engineering attacks
As you begin to make a case for investing in regular information security training for employees, Cox Blue states the importance of getting executives on board. To do this, you need to emphasize the importance in terms they can understand. Be clear about how data breaches and cyber attacks can affect the bottom line. Put a price on everything possible including losing data to the potential liabilities for leaking customer information. For example, in 2018, the global average cost of a data breach was $3.86 million, landing at $148 per stolen record containing sensitive and confidential information.
WHY DO YOU HAVE INFORMATION SECURITY POLICIES IN PLACE
It is equally important for employees to understand WHAT the policies are, as it is for them to understand WHY the policies exist. Share data and information about the rise in data breaches and what is at risk for your organization if a breach occurs. Information security doesn’t just cover client information or payment records, it can also extend to employee records. This includes records such as healthcare benefits information, retirement savings information, and other identifying information in their employee files. Working to protect security across the board helps everyone, both internally and customer-facing.
KNOW THE CURRENT INFORMATION SECURITY RISKS
As they say, the best offense is a good defense and good defenses are built on knowing your opponent and dissecting their plan of attack. In terms of information security, this means staying up to date on HOW breaches are happening and what some of the most common threats are to businesses like yours. A great way to educate your employees on these items is through monthly or quarterly updates and reminders. Keeping information security and security risks top of mind will help your employees stay alert to… “phishy” behaviors.
With the increase of digital information and more employees working from home, the volume of data breaches is higher than ever. Use these ‘Tips for Combating Information Security Risks’ to start protecting your business today. One recent breach that your organization may be able to learn from is the attack of the Colonial Pipeline.
EDUCATE YOUR EMPLOYEES ON INFORMATION SECURITY BEST PRACTICES
In addition to knowing the risks, your employees should know what steps they should be taking in day-to-day operations to protect information. How should they handle paper waste? What files need to be password protected? What are the best practices for creating secure passwords? It’s also important, in our digital age, to remind employees that these best practices don’t just exist for desktop and workstation security, they also extend to mobile devices where you might store or share proprietary information. So, educate them on the importance of securing those devices, only working on secure networks, and always leaving them in a safe place, never out in the open or unattended.
Make sure your employee education includes password security training and best practices, how to recognize phishing and social engineering attacks, and “live fire” practice attacks. For more information about each of these, read more here.
Making cybersecurity awareness a priority is a key to educating your employees. Consider including a section in regular company-wide communications like ‘cybersecurity in the news’. Many cybersecurity attacks are not covered in the media and knowledge of recent attacks may help employees understand the importance and ways they can prevent breaches. According to the Keeper Security and Ponemon Institute 2018 “State of Cybersecurity” report, two-thirds of SMBs have suffered a cyberattack in the past twelve months. In the Keeper Security and Ponemon Institute 2020 “Cybersecurity in the Remote Work Era: A Global Risk Report”, only 43% of respondents say their organizations currently inform and educate remote workers about the risks of remote working. This report also found that US organizations were 2nd most likely to have an attack that specifically leverages COVID-19 as a threat factor and only 36% of US respondents said their organization had the necessary in-house expertise to manage and mitigate cybersecurity risks caused by teleworking. This makes the US a larger target for cybersecurity attacks.
With more employees working from home, it is important to have specific guidelines set for information that is stored or viewed outside of company property. This includes digital records that can be accessed or stored on personal networks and the accumulation of paper files outside of the office. Read more about how remote working affects information security.
HOW TO EDUCATE YOUR EMPLOYEES ON INFORMATION MANAGEMENT POLICIES
Incorporate your cyber security training as a part of the onboarding process. What better way to emphasize the importance of these policies than to cover them at the beginning? Cox Blue states: “Password security, phishing, and social engineering attacks—all of it needs to be covered from day one. Most critically, make sure you’re not just going over the rules but also explaining why these best practices are so important.”
When training your employees on your compliance policies, follow these 5 steps from Navex Global.
Regularly Educate Employees
Make sure to re-communicate policies to employees after the initial education. Micro learning and quizzes are a good way to assess how well employees have retained policy information.
Send Gentle Reminders
Online compliance training programs can be a great way to let employees educate themselves at their convenience. This also gives insights to managers which employees are caught up on training and provides opportunities to share encouragement about staying up-to-date.
Take Action
Be sure to enforce policies or re-train employees if or when policies are ignored or misused. This ensures a stable reputation and encourages employees to remain compliant if they see there are consequences to breaking protocol.
Explain the Steps
Be transparent with your team about the “whys” of policy training and management. Explaining the steps that were taken and why will help employees remember policies. Make sure employees are able to easily find and refer back to original policies and procedures.
Re-Educate Changes
Policies can become outdated or irrelevant quickly. It is important to re-educate employees when changes in policy occur.
WHAT TO DO IF A INFORMATION SECURITY BREACH OCCURS
No one wants to plan for a security breach, but having a plan in place to stop the breach as soon as you can and begin to clean up immediately will go a long way in preventing extensive damage or loss of data in the process. Your employees should know who to contact in the event of the breach and what the steps are to report it and contain it, as well as what steps to take to alert customers when the time comes.
Make sure to use this as an opportunity to educate and inform your employees, not blame them for mistakes. While it may be true that the data breach is from an employee clicking the wrong thing, don’t blame an individual for not having the right knowledge. Instead take responsibility as an organization to better inform your employees.
As a business owner or manager it’s important to know and understand the vital role that your employees play in protecting secure information. They are the front lines of defense when it comes to ensuring that your data is protected since they handle and interact with it each and every day. Keeping them informed and educated on processes, risks, and simple steps they can take to protect secure information will go a long way in maintaining security across your organization.
As a CSRA leader in secure storage and destruction, Augusta Data Storage has been providing off-site storage for your records, and other media storage for over 25 years. In addition, we are equipped to provide secure destruction for your outdated paper records and end of life digital devices to ensure your private information stays private.
Contact us today to learn more about how we can partner with you to develop a secure records management process – 706.793.0186.