If (when) your company encounters an IT security incident or data breach, you will need every employee ready to respond quickly and effectively, as appropriate for their position. Hopefully you have an incident response plan in place, and your IT team is alert and has practiced and prepared to execute that plan when necessary. Do not overlook those outside the IT team. Depending on the nature of the incident or breach, you may need employees to log out of systems, back up or document their work, change passwords, or respond in other specific ways to help you stop the loss of data, recover data, or document details that will be critical to your recovery and regulatory reporting following the incident. It is especially important to prepare and communicate with your less technical employees well in advance of an incident, to be sure they understand and are comfortable with their role in your company’s data security plan.
Employees Need to Know the Playbook
Provide IT security training for every employee to be sure they know the threats facing your data and their role in prevention and response. Every new employee should be trained before they are given access to data and systems, and all employees need regular updates and reminders to stay prepared. Some companies are required by federal regulatory agencies to provide regular training and updates.
Regulatory language, such as that of HIPAA, is often vague as to what this training must include and how often it should happen. The ambiguity is inevitable, as every organization’s incident response plan must be unique. It is important to determine the appropriate steps your plan must include and the roles that every employee has to play. If you are in a regulated industry such as healthcare (governed by HIPAA, for example), it is also vital that you document the training and security communications you provide.
Sharing monthly IT Security Tips like this one is one easy way to maintain a constant dialogue with employees about security and to demonstrate, as necessary, to regulatory agencies that you have provided the required ongoing training.
Employees Must Keep their Eyes on the Ball
Preparing your employees to respond when you need them to is critical. But they must also understand that, as end users working with your company’s data day in and day out, they may be the first to catch a threat or data breach. Train them to know what to watch for and how to report anything suspicious they may notice in the system. Be specific about what information they should gather and report to you, so that you can respond quickly and implement your plan if necessary. Depending on the nature of the breach, the first signs of trouble could provide valuable data to help you know how to respond and recover. If this information is not captured immediately, it could be lost to you, causing greater data loss and recovery costs.
Employees Form a Strong Defense
We see new and more creative cyber tactics every day. But most security incidents still trace back to the basic principles of IT security. Training your employees to create and maintain secure passwords is one of the best ways you can avoid the most common, simplest security breaches. While any loss of data is potentially devastating to your organization, suffering a breach that could easily have been avoided is especially troubling.
Employees Must Stay Vigilant
As an executive or IT manager, data security stays top of mind for you most of the time. Your employees, however, are busy doing many other things. To keep security in their sights and to be sure they are following sound practices within your network or systems, they must be reminded constantly. Reminding them once a year, or even every few months, is probably not enough for your non-technical employees. To create what we often call a “culture of compliance” for regulated companies, or simply a secure environment, you need employees to remain aware every day of how important their actions are any time they are working with sensitive data or within critical systems.