When the term “IT security” comes up, many people think about firewalls and warning systems. Technical stuff.
But IT managers and executives know the weakest information security link in an organization is actually its people.
People are, by nature, curious and sometimes gullible. Mixing this with the amount of access ne'er-do-wells have to our data can be a dangerous combination.
To strengthen your weakest information security link, keep the following nine practices and areas of knowledge in mind:
- Implement a Security Policy: Create a comprehensive information security policy and be sure all employees understand and comply with it. It should include, for example, data classification and access, explanations of what’s allowed and what’s not, two-factor authentication and more.
- Data Classification and Access: Assign security levels to different categories of company information, such as public/non-classified, internal use, confidential and secret. These varying levels let employees know how sensitive information is and how to appropriately treat it. It also helps managers grant specific employees access to certain information.
- What’s Allowed and What’s Prohibited: Clearly state which actions are allowed and which are not. For example, never send passwords via email, under any circumstances. Instead, call a co-worker and verbally share the password.
- Two-Factor Authentication: Two-factor authentication requires the user to provide two means of identification in order to log in to a system. It combines (1) something the user knows, like a passcode, with (2) something they have, such as a personal cell phone. For instance, many companies send a one-time code by SMS text message to the user's phone as the second factor.
- Assigning Responsibility: Every member of an organization is responsible for something, so define it. It could be a guideline as simple as "Question everything. If you don't know, here's who to contact to ask." Assign someone to keep up with changes as new threats emerge.
- What to Do if a Device Is Lost or Stolen: In the event an employee's device is lost or stolen, instruct employees whom to contact. There are applications available that can remotely wipe data off devices. However, these tools should not be used on personal devices without permission, so a strong BYOD (bring your own device) policy is needed first.
- Social Media Use: Clearly share the guidelines for using social media platforms like Twitter, Facebook and LinkedIn, including what information can and can't be shared via these channels.
- Incident Response: Develop an incident response plan to ensure appropriate action if security is breached. Have this plan in place before a breach happens.
- Maintenance: Finally, create a process to ensure your information security policy stays current. Information security is ever changing, and you should update your policy regularly.
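The two-factor check described above, as an added example that is not part of the original article: factor one is something the user knows (a password, stored only as a salted hash), and factor two is something the user has. The article mentions SMS codes; this example assumes instead a time-based one-time code (TOTP, RFC 6238) generated by an authenticator app on the user's phone, because that can be verified offline. The account data, secret and timestamps are constructed for illustration, and each code is accepted at most once so a code captured in transit cannot be replayed inside its validity window.

```python
"""Minimal server-side two-factor login check (added example, not from the
article).  Factor 1: password, stored as a salted PBKDF2 hash.  Factor 2:
TOTP code (RFC 6238) from the user's phone, standing in for the article's
SMS codes.  Secret and timestamps below are constructed sample values."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code for the 30-second window
    containing `timestamp`.  This is what the authenticator app computes."""
    counter = int(timestamp) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoFactorAccount:
    """One user record: password hash plus the shared TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.secret = totp_secret
        self.used_counters = set()               # replay protection

    def login(self, password: str, code: str, now: Optional[float] = None,
              step: int = 30) -> bool:
        now = time.time() if now is None else now
        # Factor 1: something the user knows.  Constant-time compare.
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False
        # Factor 2: something the user has.  Accept the current window and
        # one window either side to tolerate clock drift, but never a
        # window whose code has already been consumed.
        counter = int(now) // step
        for c in (counter - 1, counter, counter + 1):
            if c in self.used_counters:
                continue
            if hmac.compare_digest(totp(self.secret, c * step, step), code):
                self.used_counters.add(c)
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and reference timestamp.
    account = TwoFactorAccount("correct horse battery", b"12345678901234567890")
    print("first login :", account.login("correct horse battery", "287082", now=59))
    print("replayed    :", account.login("correct horse battery", "287082", now=59))
```

The password alone is never enough, and a stolen one-time code is rejected on reuse; both checks use constant-time comparison so timing does not leak which factor failed.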
Contact us to learn more about how you can protect yourself.