In a recent Wall Street Journal survey, many companies named their single biggest security threat as…THEIR EMPLOYEES! Between sharing passwords, installing unauthorized software, adding new devices, interacting with phishing emails, and connecting to unsecured networks, your employees can unwittingly put your corporate network at risk. And with more companies relying on remote workers, the risk will only continue to grow.
So, your company has decided it is time to take the bull by the horns and institute an organization-wide IT security policy. After all, you and your security team know how important it is to protect your network. But how do you drive home that importance to the rest of your employees, who don’t take cybersecurity seriously and refuse to follow the policies completely? Here are eight ways to help you get your employees on board with your company’s IT security policies.
1. Explain the Potential Risk to All Groups
All employee groups, whether they are involved with the IT department or not, need to understand the potential risks of not following your company’s IT security policies. Use plain language, not IT jargon, to explain how what they may be doing could leave the organization vulnerable to a costly security breach.
2. Educate Employees on How to Identify Threats
An IT person may be able to immediately spot a scam or see that a network is not secure. However, not everyone has these skills. Teach employees how to identify threats and what risky behaviors should be avoided, such as clicking on links to unknown websites, or inserting flash drives of unknown origins into a company computer.
3. Increase Employee Awareness on Best Practices for Passwords
With more employees working remotely and using their own devices, the need for more secure passwords is imperative. Parameters need to be set and enforced as to what constitutes an acceptable password (e.g., one that is difficult to crack, with a minimum number of characters, including upper- and lowercase letters, numbers and special characters).
4. Get Support from the Top
If the C-suite and upper management are not going to follow the company’s IT security policy, you cannot expect employees to follow it either. Appeal to your leaders and remind them that they are role models for the entire organization and set the tone for its culture. If they buy into following the security policies, others will follow along.
5. Test Employees’ Security Awareness
Email threats continue to increase as phishing attempts become more sophisticated. Remind your employees not to let their guard down with phishing emails and test them occasionally to see if they report suspicious emails to the IT team as they should. Make a game out of it and recognize employees who do the right things.
6. Implement Security Training
Security threats will continue to evolve as hackers discover new vulnerabilities and ways to exploit networks. Ongoing security training will help employees stay aware of what they need to do to keep your systems safe.
7. Create and Use a Virtual Private Network (VPN)
While your in-house employees may be directly wired into your network, your remote workers aren’t. Connecting from a personal home network or from a public place like a coffee shop or library opens up the potential for getting hacked. Install a VPN, protect it with multi-factor authentication, and require remote employees to use it.
8. Hold Employees Accountable
Unfortunately, there are some employees who will simply refuse to follow the rules. Along with disobeying your security policy, they may not even let you know if they know, or suspect, that they have been hacked. Your security policies should include provisions that outline the consequences for refusing to follow the rules.
Remember, IT security is everyone’s business, not just the CISO’s or the IT team’s. For an IT security policy to be effective, everyone needs to do their part. Keep employees informed of the latest threats and what they can continue to do to keep your network safe.