What Should Your Employees Know About Computer Security?

admin

The number one threat to the security of your information system is the insider threat. Make sure your employees know how to safely operate computers. Failure to do so is a lack of due diligence on your part.

At a minimum, employees should know the answers to the questions listed below:

What type of information does your company process?

What are the basic responsibilities of employees for information security?

What are the components of the organization’s password policy?

What are the best security practices for employees to follow?

What qualifies as a clean work area that supports safety?

What kinds of threats should employees be on guard against?

What are some of the most common attack methods?

What actions should employees take when an attack occurs?

What are the company’s email policies?

What are the company’s web browsing and social media policies?

Your employees need to know how raw data is processed to create information and how your company uses it to make important decisions and profit.

Get it wrong and the company loses.

People who work for you and third parties who come into contact with your system should be viewed as potential threats. That is why there must be an information security plan and everyone must be aware of it. Anything less equates to having the proverbial “pants around the ankles.”

Each employee is responsible for computer security and for safeguarding their digital assets. People who obtain and process company data must be aware of all their responsibilities. Those who work for you must be aware and responsible.

Every individual working in your organization should be aware of security and know what to do in the event of an attempted or actual attack. Anything less and your people will fail.

Everyone should know how to maintain a safe workspace, where confidential documents are removed from view. Workers must know how to lock their keyboards to prevent bystanders from watching screens and accessing terminals.

Everyone in the company should know how to create and maintain strong passwords or use multi-factor authentication. Passwords must be complex and changed periodically. A digital security program for the entire organization should be maintained and evaluated periodically.

Policies related to security should conform to best business and industry practices. They should be part of each employee’s safety awareness training. For example, the people who work for you should know that storage media from outside the office need to be properly scanned before being connected to your information system.

Your people should know the common attack methods used by cybercriminals and others. A seemingly innocent request for information over the phone could be the beginning of a social engineering attack designed to obtain crucial information to enter the company’s system.

Email should be covered by the organization’s policies to protect confidential information. Again, having policies should be part of an organization’s due diligence effort to keep cybercriminals at bay and out of its system. Your workers must know how to handle the various situations that arise. Simply clicking on a malicious link could compromise your entire system.

Using social media platforms and browsing the internet could open multiple avenues for malicious users into your system. Your employees need to know what is considered acceptable practice when it comes to using Internet resources. Your company could be held liable, for example, if an employee wrote something derogatory about an ethnic group, or their assets could even be used for illegal purposes without their knowledge.

Maintaining the confidentiality, integrity, and availability of your business’s mission-critical information requires that those who work for your business have the tools to do so. Having a formal information security plan is a basic necessity. You’re in real trouble and you’ve already lost the battle against cybercriminals if you don’t have a plan. And if you have a plan and your employees don’t know about it, the same is true.

You must start treating computer security as a business process.
