Cyber security is no longer just the domain or sole responsibility of an organization’s IT department. Even with the latest technology and the best IT professionals in the business to protect against cyber threats, a company is still vulnerable to breaches if it is not also educating its employees on not only which data is important to protect, but why.
Though many companies have IT policies in place that employees are expected to follow, these are often broad, referring only to a catch-all category of “confidential” data, without attempting to explain which data matters and what losing that data might mean for the business.
The proliferation of employees using their own smart phones, laptops and tablets to access company data further complicates risk. Without the ability to secure and monitor network traffic as they normally would, IT must rely on employees to act responsibly when accessing, transmitting or storing company data on these devices. Arming employees with information they can transform into practicable behavior is key to ensuring that, whether on company premises, at home or on the go, company AND personal devices are used mindfully.
Here are just a few things to consider when educating employees on data security:
- Not all data is equal
Some data may not require the same security controls as other data. Employees should be made aware why data containing personally identifiable information (PII) or internal company information (financial records and intellectual property, for instance) should be treated with more care: the impact to the company should it be lost, both reputational and economic, is very high.
- Not everyone is who they appear to be
Spear phishing is a planned and executed attack against a specific organization. A credible, often urgent-looking email that appears to be from an authorized person in the company (such as IT or HR) or from an outside vendor concerning billing or an invoice is sent to employees with a link to a web page or an attachment that looks authentic but is actually malicious.
Educate employees to beware of email marked urgent, to look at the address to see where the email is coming from, to be leery of links, especially if the email requests sensitive information or PII, and to check that URLs contained in the email make sense (websense.com vs. websensse.com, for example).
- If you’re not sure, ask!
Make sure employees know it’s ALWAYS OK to ask whether an email is safe or not.
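The URL and sender check described under "Not everyone is who they appear to be" can also be automated at the mail gateway or in a reporting tool. The following is an added example, not part of the original article: the `TRUSTED` allowlist, the function names and the sample message are assumptions constructed for illustration, and the base-domain logic is simplified to the last two labels of a hostname.

```python
import re
from urllib.parse import urlsplit

TRUSTED = {"websense.com"}  # assumption: the organization's own allowlist

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def hosts_in(message):
    """Hostnames from http(s) URLs and from e-mail addresses in the text."""
    hosts = [urlsplit(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", message)]
    hosts += re.findall(r"[\w.+-]+@([\w.-]+\.[A-Za-z]{2,})", message)
    return [h for h in hosts if h]

def lookalikes(message, trusted=TRUSTED, max_distance=2):
    """Return (seen_domain, trusted_domain) pairs that are close but not equal."""
    findings = []
    for host in hosts_in(message):
        dom = base_domain(host)
        if dom in trusted:
            continue  # exact match with a trusted domain is fine
        for good in trusted:
            if 0 < edit_distance(dom, good) <= max_distance and (dom, good) not in findings:
                findings.append((dom, good))
    return findings

# Constructed sample message, not taken from a real campaign.
SAMPLE = """From: IT Helpdesk <helpdesk@websensse.com>
Subject: URGENT: password expires today
Reset here: http://portal.websensse.com/reset
Policy reference: https://www.websense.com/policy
"""

if __name__ == "__main__":
    for seen, good in lookalikes(SAMPLE):
        print(f"suspicious: {seen} resembles {good}")
```

A hit is a reason to hold the message for review or to prompt the employee to ask, not proof of malice.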
For more education on cyber threats, visit Raytheon|Websense Resources.