If (when) your company encounters an IT security incident or data breach, you will need every employee ready to respond quickly and effectively as appropriate for their position. Hopefully you have an incident response plan in place and your IT team is alert and has practiced and prepared to execute that plan when necessary. Do not overlook those outside the IT team. Depending on the nature of the incident or breach, you may need employees to log out of systems, back up or document their work, change passwords, or respond in other specific ways to help you stop the loss of data, recover data, or document details that will be critical to your recovery and regulatory reporting following the incident. It is especially important to prepare and communicate with your less technical employees well in advance of an incident to be sure they understand and are comfortable with their role in your company’s data security plan.
Employees Need to Know the Playbook
Provide IT security training for every employee to be sure they know the threats facing your data and their role in prevention and response. Every new employee should be trained before they are given access to data and systems, and all employees need regular updates and reminders to stay prepared. Some companies are required by federal regulatory agencies to provide regular training and updates.
Regulatory language, such as that in HIPAA, is often vague as to what this training must include and how often it should happen. The ambiguity is inevitable, as every organization’s incident response plan must be unique. It is important to determine the appropriate steps your plan must include and the roles that every employee has to play. If you are in a regulated industry such as healthcare (regulated by HIPAA, for example), it is also vital that you document the training and security communications you provide.
Sharing monthly IT Security Tips like this one is one easy way to maintain a constant dialogue with employees about security and to demonstrate, as necessary, to regulatory agencies that you have provided the required ongoing training.
Employees Must Keep their Eyes on the Ball
Preparing your employees to respond when you need them to is critical. But they must also understand that, as end users working with your company’s data day in and day out, they may be the first to catch a threat or data breach. Train them to know what to watch for and how to report anything suspicious they may notice in the system. Be specific about what information they should gather and report to you so that you can respond quickly and implement your plan if necessary. Depending on the nature of the breach, the first signs of trouble could provide valuable data to help you know how to respond and recover. If this information is not captured immediately, it could be lost to you, causing greater data loss and recovery costs.
Employees Form a Strong Defense
We see new and more creative cyber tactics every day. But most security incidents still trace back to the basic principles of IT security. Training your employees to create and maintain secure passwords is one of the best ways you can avoid the most common, simplest security breaches. While any loss of data is potentially devastating to your organization, suffering a breach that could easily have been avoided is especially troubling.
Employees Must Stay Vigilant
As an executive or IT manager, data security stays top of mind for you most of the time. Your employees, however, are busy doing many other things. To keep security in their sights and to be sure they are following sound practices within your network or systems, it is necessary that they be reminded constantly. Reminding them once a year or even every few months is probably not enough for your non-technical employees. To create what we often call a “culture of compliance” for regulated companies or simply a secure environment, you need employees to remain aware every day of how important their actions are any time they are working with sensitive data or within critical systems.
August Security Tip
We prepare reusable monthly security tips like this to help you make employees aware of common security threats and their role in avoiding threats and, as necessary, responding to any incident that may arise. Feel free to share this latest security tip with your colleagues.
When your IT leaders create incident response plans and as the environment within your systems evolves, do not leave your non-technical employees out of the loop. Every employee is a valuable player on your incident response team. It is up to you to make sure they are ready to take the field when you need them.