We have recently assisted several clients in ensuring that the technical security measures they deploy are commensurate with their identified risks, including GDPR compliance, data protection and cyber security. Listening to those clients revealed an often forgotten yet crucial control: staff. Giving staff the right information, and setting the parameters within which they operate through a clear set of processes and procedures, is extremely important; it gives everyone the confidence to act when necessary.
All staff have a critical role in protecting the organisation. It is important that security rules, and any technology adopted to enforce them, enable users to do their jobs as well as possible without putting the organisation at risk. This can be supported by the systematic delivery of awareness training that helps establish a security-conscious culture and creates accountability. Secure actions and behaviour then become second nature, a habit, like the checks you make before setting off in a car: they are simply done and take little thought.
What are the risks you should consider?
Users must be able to do their jobs effectively. Organisations that do not successfully support staff with the right tools and awareness may be vulnerable to the following risks:
Removable media and personally owned devices:
Without clearly defined and usable policies on the use of removable media and personally-owned devices, staff may connect unsafe devices to the infrastructure. However big or small the device, this might lead to the inadvertent import of malware or compromise of sensitive information.
Legal and regulatory sanction:
If staff are not aware of, and supported in, how to handle sensitive information, the organisation may be subject to legal and regulatory sanction.
Incident reporting culture:
Without an effective reporting culture there will be no quality dialogue between staff and those responsible for the systems (the security team). That dialogue is essential for uncovering gaps in technology and processes so they can be improved, and for ensuring actual incidents are reported, which may be a legal obligation. The organisation should promote a security culture that empowers staff to voice concerns about poor security practices and to report security incidents without fear of recrimination from managers.
If security procedures are not balanced against how staff actually work, security is seen as a blocker and is ignored or worked around.
Since staff have legitimate access and rights to the systems, they are usually the primary focus for external attackers and criminals. Attacks such as phishing and other social engineering rely on taking advantage of legitimate user capabilities and functions: the attacker does not need to defeat a technical control if a user will exercise their own access on the attacker's behalf.
Changes over time in an employee's personal situation could make them vulnerable to coercion, and they may release personal or commercially sensitive information to others. Unhappy staff may try to abuse their system privileges, or coerce others, to gain access to information or systems they are not authorised to use. Equally, they may simply steal data.
How can you manage the risk?
Create a staff security policy:
Develop a user security policy, as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration to different business roles and processes. A ‘one size fits all’ approach is typically not appropriate for many organisations. Policies and procedures should be described in simple business-relevant terms with limited jargon.
Establish a staff induction process:
New staff (including contractors and third parties with access to the organisation's systems) should be made aware of their personal responsibility to comply with the security policies as part of the induction process. The security obligations in their terms and conditions of employment, or of their contract, should be formally acknowledged by the individual and the acknowledgement retained, so that it can support any subsequent disciplinary action.
Maintain user awareness of the security risks faced by the organisation:
All staff should receive regular refresher training on the security risks to the organisation. Consider providing the opportunity for staff to ask questions about security risks and discuss the advice they are given.
Monitor the effectiveness of security training:
Establish mechanisms to test the effectiveness and value of the security training provided to all users. This allows the training to be improved and gives the opportunity to clarify any misunderstandings. Ideally the training will be a two-way dialogue between the organisation and its staff. Do not be afraid to work together and have difficult conversations about security risks.
Establish a formal disciplinary process:
Staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action. Any sanctions detailed in the policy should be appropriate and enforceable at a practical level. Bringing all the facets of security together (People, Physical and IT) is what the team at TenIntelligence excel in. If you would like to have a conversation about your security posture or assistance in reaching an applied standard, contact us via firstname.lastname@example.org.